This hole was discovered and tested by faker and Ah diming!
The title is pretty long! Haha ~
This vulnerability seems like a minor weakness, but it is also very useful. How to use it is up to each person. I just want to offer a few thoughts.
Enter the topic!
Important registry key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MSFtpsvc\Parameters\Virtual Roots\
The ControlSet002 component can also be ControlSet001 or ControlSet003.
Note: FTP users that were not created by third-party software must have been created by IIS. The system records the FTP user name and user path under this key.
Examples:
1. You can use the FTP user information to obtain the target FTP password through social engineering or password guessing!
2. If commands can be executed directly, or cmd has sufficient permissions, we can use the for command to obtain the database configuration file of the target site. Test the other uses yourself, including cross-site. This method can completely replace aspxspy's function of obtaining IIS information. Very powerful.
3. If the information is not displayed, it means third-party FTP server software is in use. In that case, we can obtain the third-party FTP server software's information and path through the registry and other methods, for privilege escalation. Everyone is free to use this.
4. Use the exclusive VBS!
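
From the defender's side, the useful check is who is able to read the Virtual Roots key named above. The following audit is an added example, not part of the original post: it lists Allow entries on that key, in each control set the post mentions, for identities outside an expected list. The `$expected` list is an assumption to adjust to local policy.

```powershell
# Added example (not from the original post): audit read access to the
# IIS FTP "Virtual Roots" key. Run from an elevated PowerShell session.
$subKey      = 'Services\MSFtpsvc\Parameters\Virtual Roots'
$controlSets = 'ControlSet001', 'ControlSet002', 'ControlSet003'  # sets named in the post

# Assumption: identities that are expected to read this key on this host.
$expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER'

# Registry-specific read rights.
$readRights = [System.Security.AccessControl.RegistryRights]::QueryValues -bor
              [System.Security.AccessControl.RegistryRights]::EnumerateSubKeys
# ACEs may carry generic rights instead: GENERIC_READ (0x80000000) and
# GENERIC_ALL (0x10000000) both imply read access.
$genericMask = 0x80000000 -bor 0x10000000

$findings = foreach ($cs in $controlSets) {
    $path = "HKLM:\SYSTEM\$cs\$subKey"
    if (-not (Test-Path -LiteralPath $path)) { continue }   # set or key not present

    foreach ($rule in (Get-Acl -LiteralPath $path).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($rule.IdentityReference.Value -in $expected) { continue }

        $rights  = [int]$rule.RegistryRights
        $canRead = (($rights -band [int]$readRights) -ne 0) -or
                   (($rights -band $genericMask) -ne 0)
        if ($canRead) {
            [pscustomobject]@{
                Key       = $path
                Identity  = $rule.IdentityReference.Value
                Rights    = $rule.RegistryRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'No unexpected identities can read the Virtual Roots key.'
}
```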