Solution for the high-risk IIS 6.0 file name parsing vulnerability

Source: Internet
Author: User

Www.2cto.com

I discovered this vulnerability a while ago and felt helpless. Later I thought of URL rewriting, which can handle it by matching URLs with regular expressions.
 
http://www.bkjia.com/dir.asp/diy.jpg

For example, this is a diy.asp file that has been renamed to an image.

Because of the IIS 6.0 vulnerability, it can still be executed.
 
My solution:

In the root of http://www.bkjia.com/, place an image with the warning message written on it:

http://www.bkjia.com/no.jpg
 
I installed ISAPI Rewrite on IIS 6.0.

Download the cracked version of ISAPI Rewrite.

After installation, replace the ISAPI_Rewrite.dll in the installation directory with the ISAPI_Rewrite.dll from the Cracked folder.

Note: stop IIS before replacing it!

I added the following rules to httpd.ini:
 
    RewriteRule (.*).asp/(.*) /no.gif
    RewriteRule (.*).Asp/(.*) /no.gif
    RewriteRule (.*).aSp/(.*) /no.gif
    RewriteRule (.*).asP/(.*) /no.gif
    RewriteRule (.*).ASp/(.*) /no.gif
    RewriteRule (.*).AsP/(.*) /no.gif
    RewriteRule (.*).aSP/(.*) /no.gif
    RewriteRule (.*).ASP/(.*) /no.gif
 
In this way, all URLs containing ".asp/" are rewritten to http://webshell.cc/no.jpg.

When you visit http://webshell.cc/dir.asp/diy.jpg, the URL actually served is http://webshell.cc/no.jpg.

In this way, we block every path containing ".asp/" and display the warning image no.jpg in its place.

Try visiting these URLs:

http://webshell.cc/fff.asp/

http://webshell.cc/ff342431321vcedf.asp/fwfwe.efwfffr223u8f0000f

Whatever comes before .asp can be arbitrary; the rules only require ".asp/" to appear in the URL. Note that there is a trailing slash /!
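
The eight rules above spell out every capitalisation of "asp" by hand, and their unescaped dot matches any character. As an added example (not part of the original post), the Python sketch below expresses the same check as one case-insensitive test on the decoded request path and compares it with an approximate rendering of the first rule; the function names and the constructed sample URLs are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# One case-insensitive pattern instead of eight rules: a path segment whose
# name ends in ".asp" and is followed by "/", i.e. is used as a directory.
ASP_DIR_SEGMENT = re.compile(r"[^/]*\.asp/", re.IGNORECASE)

# Approximate Python rendering of the first httpd.ini rule, kept only to
# compare behaviour: case-sensitive, and its "." matches any character.
LEGACY_RULE = re.compile(r"(.*).asp/(.*)")

def request_path(url: str) -> str:
    """Path only, percent-decoded, with backslashes folded to '/'."""
    path = urlsplit(url).path
    for _ in range(3):  # conservative: also undo double-encoded "%252e"
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def hits_asp_directory(url: str) -> bool:
    """True if the request would be served from inside a '*.asp/' folder."""
    return ASP_DIR_SEGMENT.search(request_path(url)) is not None

def legacy_rule_matches(url: str) -> bool:
    """Behaviour of the single lower-case rule on the raw path."""
    return LEGACY_RULE.fullmatch(urlsplit(url).path) is not None

# Constructed sample requests: (URL, should it be blocked?)
SAMPLES = [
    ("http://webshell.cc/dir.asp/diy.jpg", True),    # example from the post
    ("http://webshell.cc/fff.asp/", True),           # example from the post
    ("http://webshell.cc/DIR.aSp/diy.jpg", True),    # mixed case
    ("http://webshell.cc/dir%2Easp/diy.jpg", True),  # encoded dot
    ("http://webshell.cc/index.asp", False),         # ordinary ASP page
    ("http://webshell.cc/wasp/photo.jpg", False),    # no ".asp" segment
]

if __name__ == "__main__":
    for url, expected in SAMPLES:
        print(f"{url:45} new={hits_asp_directory(url)!s:5} "
              f"legacy={legacy_rule_matches(url)!s:5} expected={expected}")
```

Like the rewrite rules, this check also rejects requests that pass extra path information after a real script, such as /index.asp/extra, so confirm the site does not rely on that URL style before enforcing it.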
 
Windows 2003 IIS 6.0 folder parsing vulnerability (high risk)

Windows 2003 has a path parsing vulnerability that appears when a folder name looks like hack.asp (that is, the folder name looks like the name of an ASP file). In this case, any text file in this folder can be executed by IIS as an ASP program. An attacker can therefore upload a trojan file with a jpg or gif extension and run the trojan by accessing that file. Microsoft has not released patches for this vulnerability, so almost all websites will have this vulnerability.

Windows 2003 IIS 6 makes an error when it processes the folder extension. As a result, ASP code in a JPG image in such a directory is executed automatically: all ASP code contained in the JPG file will be executed. Of course, this is not limited to the JPG extension.

When Windows 2000 IIS 5 processes JPG images that contain HTML and ASP code, only the HTML code is executed, and the ASP code in the JPG image is not. Therefore, this vulnerability does not exist in Windows 2000 IIS 5. The vulnerability is evidently caused by the name ending in .asp, which is a design defect of IIS 6.
 
Vulnerability exploitation methods include:

In a folder with a name like aspxuexi.asp, an attacker can use the website's upload permission to rename various ASP trojans (such as the "marine" trojan) to jpg/gif files and upload them to the server; when these files are opened, the trojan is parsed by IIS.

Preventive measures:

1. Where users can name folders themselves, check the validity of the folder names, or disable the upload function.

2. Set the script permission to "None" on user-controlled folders.
 
Currently, Microsoft has not released patches for this vulnerability.
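
Preventive measure 1 can be enforced in the upload code and checked after the fact on disk. The Python sketch below is an added example, not code from the original post: it validates a user-chosen folder name before the folder is created and audits an existing web root for folders whose names end in .asp. The function names and the constructed directory tree are assumptions.

```python
import os
import re
import tempfile

# Folder names ending in ".asp" in any capitalisation. Trailing dots and
# spaces are included because Windows strips them when it creates the folder.
RISKY_DIR_NAME = re.compile(r"\.asp[. ]*$", re.IGNORECASE)

def is_safe_folder_name(name: str) -> bool:
    """Measure 1: validate a user-chosen folder name before creating it."""
    if not name or name.strip(". ") == "":
        return False                      # empty, ".", ".." and similar
    if any(sep in name for sep in "/\\:"):
        return False                      # must be a single path component
    return RISKY_DIR_NAME.search(name) is None

def find_asp_named_dirs(web_root: str) -> list:
    """Audit: directories already under web_root whose name ends in .asp."""
    hits = []
    for current, dirnames, _files in os.walk(web_root):
        for d in dirnames:
            if RISKY_DIR_NAME.search(d):
                full = os.path.join(current, d)
                hits.append(os.path.relpath(full, web_root))
    return sorted(hits)

if __name__ == "__main__":
    # Constructed directory tree standing in for a real web root.
    with tempfile.TemporaryDirectory() as root:
        for rel in ("images", "uploads/hack.asp", "uploads/Photos.ASP"):
            os.makedirs(os.path.join(root, rel))
        print(find_asp_named_dirs(root))
        for name in ("holiday", "hack.asp", "hack.AsP.", "notes.aspx"):
            print(name, is_safe_folder_name(name))
```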
 
[Original] IIS 6.0 vulnerability: files in a .asp directory are treated as ASP files

IIS 6.0 was found in February this year to have a vulnerability: files under a .asp directory are executed as ASP files. This vulnerability is very serious. Think about the consequences of putting a trojan image file into a .asp directory.

Severe consequence: an attacker can directly obtain a webshell.
 
At the beginning, I learned the message from the ease of operation, and later I released a patch for the program. It should be okay. However, whether websites using other programs will be affected by this vulnerability may leave the webmasters unconcerned. Microsoft does not seem to have provided any patch, so we have to solve it on our own.
 
Speaking of this, I can't help but praise McAfee. "Dear McAfee, you are so useful!" With it, this is not a serious vulnerability: you only need to create one rule in McAfee, and webmasters no longer have to worry about this vulnerability.

The method is simple: block reading and executing files under any .asp directory, and do not allow any files to be created or written under a .asp directory!

For example, you only need to add this rule to McAfee!
 
 
 
 
 
Classic IIS 6.0 vulnerability

Any file in an xxx.asp folder will be parsed as an ASP file?

Anything in an xxx.php folder will also be parsed as a PHP file??

The files in an xxx.txt folder will also be parsed as txt files??

However, my local test showed that only an xxx.asp folder can trigger this vulnerability!

Neither xxx.php, xxx.jpg nor xxx.txt works??
 
 
 

 

 
Author: WebShell's Blog
