For more information about the concept of alternate data streams, see the article "unfavorable NTFS" translated by bigworm. This article only describes how to access ADS on IIS.
Let's take a look at a very old vulnerability: Microsoft IIS 3.0/4.0 ::$DATA request leaks ASP source code. This is probably the earliest report involving ADS and IIS.
$DATA is the NTFS attribute type under which a file's data streams are stored; the file's own content is its main data stream (NTFS allows a file to have multiple streams, but there is always at least one unnamed stream, and that is the main stream). So requesting .asp::$DATA requests the data of the .asp file itself. If the .asp file also carries other streams, for example .asp:lake2.asp, then requesting .asp:lake2.asp:$DATA returns the content of the lake2.asp stream inside the .asp file. Microsoft's patch seems to have fixed IIS leaking the main stream data, but what if I request an additional stream? That is where the problem becomes interesting!
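The file:stream:$DATA naming described above is easy to check for on the server side, because a colon can never appear in a normal NTFS file name, so any colon in the path part of a request names a stream. The following script is an added example written for this article, not code from the original author or from IIS: it parses a request path into file, stream name and stream type, and runs that check over a few constructed W3C-style IIS log lines (the field order, client addresses and paths are all made up for the example). It also decodes percent-encoding first, since IIS decodes the path before it reaches the file system.

```python
"""Flag HTTP requests whose path names an NTFS alternate data stream.

Added example, not from the original article. It parses the
file:stream:$DATA syntax and scans constructed IIS W3C-style log lines.
"""
from typing import List, NamedTuple, Optional, Tuple
from urllib.parse import unquote


class StreamRef(NamedTuple):
    file: str
    stream: Optional[str]       # None when the path has no ':' at all
    stream_type: Optional[str]  # e.g. '$DATA'; None when not given


def parse_stream_ref(uri_stem: str) -> StreamRef:
    """Split a request path into file, stream name and stream type.

    'x.asp'              -> file only, no stream reference
    'x.asp::$DATA'       -> unnamed (main) stream, type $DATA
    'a.txt:cmd.asp'      -> named stream, type omitted
    'a.txt:cmd.asp:$DATA'-> named stream with explicit type
    Percent-encoded colons are decoded first, as IIS does.
    """
    parts = unquote(uri_stem).split(':')
    if len(parts) == 1:
        return StreamRef(parts[0], None, None)
    stream_type = parts[2] if len(parts) >= 3 else None
    return StreamRef(parts[0], parts[1], stream_type)


def is_ads_request(uri_stem: str) -> bool:
    """True if the path addresses any stream, including the main stream.

    A colon is not legal in an NTFS file name, so its presence in the path
    part of a URL (not the query string) can only be a stream reference.
    """
    return parse_stream_ref(uri_stem).stream is not None


# Constructed, simplified W3C field order used by the sample log below.
LOG_FIELDS = ['date', 'time', 'c-ip', 'cs-method',
              'cs-uri-stem', 'cs-uri-query', 'sc-status']


def scan_log(lines: List[str]) -> List[Tuple[str, str, StreamRef]]:
    """Return (client ip, raw stem, parsed reference) for ADS-style requests."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith('#'):
            continue                      # skip blanks and W3C directives
        fields = line.split()
        if len(fields) != len(LOG_FIELDS):
            continue                      # malformed line; ignore here
        rec = dict(zip(LOG_FIELDS, fields))
        stem = rec['cs-uri-stem']
        if is_ads_request(stem):
            hits.append((rec['c-ip'], stem, parse_stream_ref(stem)))
    return hits


# Constructed sample log: the addresses and requests are invented.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-01-01 10:00:00 192.0.2.10 GET /default.asp - 200
2024-01-01 10:00:01 192.0.2.10 GET /default.asp::$DATA - 200
2024-01-01 10:00:02 192.0.2.11 GET /a.txt:cmd.asp - 200
2024-01-01 10:00:03 192.0.2.11 GET /a.txt:cmd.asp:$DATA - 200
2024-01-01 10:00:04 192.0.2.12 GET /a.txt%3Acmd.asp%3A%24DATA - 200
2024-01-01 10:00:05 192.0.2.12 GET /search.asp q=a:b 200
"""

if __name__ == '__main__':
    for ip, stem, ref in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{ip} requested {stem!r}: file={ref.file!r} "
              f"stream={ref.stream!r} type={ref.stream_type!r}")
```

The last sample line is deliberately not flagged: the colon sits in the query string, not in the path, so only cs-uri-stem is examined. The same parse_stream_ref logic can be used as a request filter in front of an older IIS, rejecting any path for which it returns a non-None stream.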
The days of IIS3 and IIS4 have passed. For this test, the IIS version is 5.1 and the system is Windows XP SP1.
TIPS: cmd.asp (haha, you can't see it with your eyes, so please be careful). Now let's take a look at the results of requesting a.txt:pai.asp and a.txt:cmd.asp:$DATA on IIS.
Figure 1: the asp file is executed! (note the URL)
Figure 2: asp source code leakage
On IIS, we can not only access the content of non-main streams, but also execute script files stored in streams! Haha, do you want to use this to create a hidden webshell? Well, I was very excited at the time, but my enthusiasm soon cooled, because this is only the result on XP, and no one uses XP as a server ......
On Windows 2000 and 2003 it is not that interesting. They do not execute stream scripts (the page cannot be found). However, on 2000 Server you can access streams that IIS does not need to interpret (for example, jpg files; you could use them to create a hidden static homepage); 2000 Advanced Server shows the error "Not enough storage is available to process this command"; 2003 I tried it before, but forgot the result. In addition, several other file types such as stm are also interpreted and executed by the server. You can try them. Hey, maybe there is something to be happy about.
Well, that is about all I have to say. Finally, I'd like to thank bigworm. Without his translation, I'm afraid I still wouldn't know what ADS is. From Internet, For Internet!