An old article that I now regard as a classic; I recommend it to you.
When it comes to the security of Microsoft's IIS web server, many people immediately think of the widely publicised critical vulnerabilities: Unicode, CGI parsing (secondary decoding), .ida/.idq, and the .printer remote overflow.
Remotely determining directory permissions
Open the IIS service manager on an IIS server, select a directory and view its properties.
The directory's property sheet has these options (leaving aside "Log visits" and "Index this resource"):
Script source access: scripts of the site can read the source file.
Read: static resources in the directory can be read.
Write: users can create and delete resources.
Directory browsing: users can browse the directory contents.
Under Application Settings, Execute Permissions has three options:
None
Scripts only: only scripts such as ASP are allowed to run.
Scripts and Executables: files of any type can be run, both scripts and executable programs.
So how can we determine remotely which of these switches a server has set? Don't worry; we take them one at a time.
Execute permission:
How do we determine whether execute permission is enabled for a directory? Send the following request to the server:
http://IIS-server/DIR/no-such-file.dll
/DIR/ is the directory to test and no-such-file.dll is an arbitrary name that does not exist on the server. The server's response to this request tells us the setting. If it returns a 500 error:
HTTP 500 - Internal Server Error
then execute permission is enabled for this directory. Do not grant execute permission on servers, least of all on virtual directories; the exploitation of the Unicode and secondary decoding vulnerabilities shows what it makes possible.
If the server returns a 404 error:
HTTP 404 - File not found
then execute permission is not enabled for this directory.
Write permission:
To test whether a directory is writable by web users, telnet to the server's web port (80) and send the following request, ending with a blank line:
PUT /DIR/my_file.txt HTTP/1.1
Host: IIS-Server
Content-Length: 10
The server now returns a 100 (Continue) message:
HTTP/1.1 100 Continue
Server: Microsoft-IIS/5.0
Date: Thu, 28 Feb 2002 15:56:00 GMT
We then type 10 letters:
aaaaaaaaaa
After this is sent, check the server's response. If it is a 201 Created response:
HTTP/1.1 201 Created
Server: Microsoft-IIS/5.0
Date: Thu, 28 Feb 2002 15:56:08 GMT
Location: http://IIS-server/DIR/my_file.txt
Content-Length: 0
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK
then write permission is enabled for the directory. If a 403 error is returned instead, write permission is not enabled. If a 401 response (authentication required) is returned, write permission is enabled but anonymous users are not allowed to write. If both Write and "Scripts and Executables" are enabled on a directory, a web user can upload a program and execute it!
Scripts-only execute permission:
Far too many directories that have no need of execute permission are nevertheless given script execute permission by the administrator. I remember shotgun writing in an article: minimum permissions + minimum services = maximum security, and that is exactly right; there is no reason to give a directory any permission beyond what it needs. Determining whether a directory can run plain script files is just as easy; send a request like the following:
http://IIS-server/DIR/no-such-file.asp
If a 404 (file not found) is returned, script execute permission is granted; if a 403 is returned, it is disabled.
Directory browsing permission:
Determining whether a directory allows browsing takes a little more care. If the site's default document (for example default.asp) does not exist in the directory, it is simple. Enter:
http://IIS-server/DIR/
If the permission is on, the server returns a 200 response listing the contents of the directory; otherwise directory browsing is off. But what if the default document default.asp does exist? Then the address above simply opens that page. Don't worry: WebDAV has a request method called PROPFIND that lets us obtain information about resources on the server, such as file names, creation times and last-modified times, and with it we can determine the directory browsing permission even when default.asp exists. Telnet to the web port of IIS-server and send the following request:
PROPFIND /DIR/ HTTP/1.1
Host: IIS-Server
Content-Length: 0
The server returns a 207 Multi-Status response. If the directory is browsable, the resources in it and their properties are listed; if directory browsing is not allowed, no further information is returned. In general directory browsing counts only as a low-risk issue: an images directory that holds nothing but images poses no danger to the server. But if the directory holds an admin page, ASP source or files with database connection details, it may hand your server to intruders.
Read permission:
This is easy to determine. Send a request for a .txt file:
http://IIS-server/DIR/no-such-file.txt
If a 404 (file not found) response is returned, read permission is enabled; if a 403 error is returned, read permission is disabled. Anyone who followed security a few years ago will remember the ::$DATA leak of ASP source code. In fact an ASP script in a directory does not need read permission at all; .asp only needs script execute permission.
Determining the IIS authentication method
This issue was announced recently. IIS supports anonymous access, Basic authentication and Windows integrated authentication (NTLM). If a client sends a request that carries authentication information, IIS will forcibly attempt to authenticate with it and return the corresponding response. In this way we can determine the IIS authentication configuration.
To determine whether IIS supports Basic authentication, telnet to port 80 on the server and send the following request:
GET / HTTP/1.1
Host: IIS-Server
Authorization: Basic c3lzdGVtOm1hbmFnZXI=
This is a Basic authentication request carrying a Base64-encoded user ID and password; the string after Basic decodes to system:manager. If the server returns a 401, the Basic authentication option is on. If 200 is returned there are two possibilities: Basic authentication is not enabled, or the server really has a user named system whose password is manager (if your guess is right, that is a huge success).
To determine whether the NTLM option is enabled, send the following request to IIS:
GET / HTTP/1.1
Host: IIS-Server
Authorization: Negotiate TlRMTVNTUAABAAAAB4IAoAAAAAAAAAAAAAAAAAAAAAAA=
Likewise, if a 401 is returned, NTLM is supported; if 200 is returned, the NTLM authentication option is disabled.
For most websites neither of these authentication methods needs to be enabled, and they can leak important information about the server.
Leaking the internal IP address
If the IIS server sits behind a NAT firewall, it usually has an internal address such as 10.x.
If Basic authentication is enabled on IIS, the server's internal IP address can be obtained with a simple request in which the Host header is left empty:
GET / HTTP/1.1
Host:
Authorization: Basic c3lzdGVtOm1hbmFnZXI=
The server returns the following response:
HTTP/1.1 401 Access Denied
Server: Microsoft-IIS/5.0
Date: Fri, 01 Mar 2002 15:45:32 GMT
WWW-Authenticate: Basic realm="10.1.1.2"
Connection: close
Content-Length: 3245
Content-Type: text/html
10.1.1.2 is the machine's internal IP address. Normally the realm value is the Host header supplied by the client, but here it is empty, so IIS substitutes its local IP address. Likewise the responses to requests such as PROPFIND, write and MKCOL can leak host information. For example, submit the following request to the server:
PROPFIND / HTTP/1.1
Host:
Content-Length: 0
When IIS is configured to use the host name (see below), the host's IP address is not exposed, but its NetBIOS name is. In fact IIS authentication lets us obtain still more, such as the domain name, by sending the server the following NTLM authentication request:
GET / HTTP/1.1
Host: IIS-Server
Authorization: Negotiate TlRMTVNTUAABAAAAB4IAoAAAAAAAAAAAAAAAAAAAAAAA=
The server returns:
HTTP/1.1 401 Access Denied
Server: Microsoft-IIS/5.0
Date: Fri, 01 Mar 2002 16:24:58 GMT
WWW-Authenticate: negotiate tlmtvntuaacaaaadaamadaaaaafgokgegvyvuvy67u
Aaaaaaaaaaeqaraa8aaaauwbdafkatabmaeeaagamafmaqwbzaewatabbaaea
Dabtaemawqbmaewaqqaeaawauwbdafkatabmaeeaawamafmaqwbzaewatabb
Aaaaaaa =
Content-Length: 3245
Content-Type: text/html
The long string contains, Base64-encoded, the host name and the name of the NT domain the host belongs to.
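To show exactly what that challenge discloses to a client that has not authenticated at all, the following Python decodes an NTLM Type 2 message and lists the target name and the AV_PAIR names in it. This is an added example, not code from the original article; the challenge bytes are constructed here with a fictitious host WEBSRV01 and domain CORP, since the article's Base64 is damaged, and the field layout follows the NTLMSSP Type 2 format that IIS sends as a raw token inside "WWW-Authenticate: Negotiate".

```python
"""Decode an NTLM Type 2 (challenge) message and list the names it discloses.

Added example, not code from the original article. The challenge below is
CONSTRUCTED (fictitious host WEBSRV01, domain CORP) because the article's
Base64 is damaged; the field layout follows MS-NLMP, which is also what
IIS 5.0 sends in "WWW-Authenticate: Negotiate" when the token is raw NTLMSSP.
"""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AV_NAMES = {1: "NetBIOS computer name", 2: "NetBIOS domain name",
            3: "DNS computer name", 4: "DNS domain name", 5: "DNS tree name"}
NEGOTIATE_UNICODE = 0x00000001


def build_type2(target, av_pairs):
    """Assemble a minimal Type 2 message; used here only to construct input."""
    target_b = target.encode("utf-16-le")
    info = b""
    for av_id, value in av_pairs.items():
        value_b = value.encode("utf-16-le")
        info += struct.pack("<HH", av_id, len(value_b)) + value_b
    info += struct.pack("<HH", 0, 0)              # MsvAvEOL ends the list
    target_off = 48                               # fixed header, no Version field
    info_off = target_off + len(target_b)
    flags = 0x00810205  # UNICODE|REQUEST_TARGET|NTLM|TARGET_TYPE_DOMAIN|TARGET_INFO
    return (NTLMSSP_SIGNATURE + struct.pack("<I", 2)
            + struct.pack("<HHI", len(target_b), len(target_b), target_off)
            + struct.pack("<I", flags)
            + bytes.fromhex("0123456789abcdef")   # server challenge (constructed)
            + bytes(8)                            # reserved
            + struct.pack("<HHI", len(info), len(info), info_off)
            + target_b + info)


def parse_type2(b64_token):
    """Return target name, flags and AV_PAIR names from a Base64 Type 2 token."""
    msg = base64.b64decode(b64_token)
    if msg[:8] != NTLMSSP_SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM Type 2 message")
    t_len, _, t_off = struct.unpack_from("<HHI", msg, 12)
    flags = struct.unpack_from("<I", msg, 20)[0]
    i_len, _, i_off = struct.unpack_from("<HHI", msg, 40)
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"   # OEM otherwise
    result = {"target": msg[t_off:t_off + t_len].decode(enc),
              "flags": flags, "target_info": {}}
    pos = i_off
    while pos + 4 <= i_off + i_len:               # walk the AV_PAIR list
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == 0:                            # MsvAvEOL
            break
        name = AV_NAMES.get(av_id, f"AvId {av_id}")
        result["target_info"][name] = msg[pos:pos + av_len].decode("utf-16-le")
        pos += av_len
    return result


# Constructed sample: what the server's 401 would carry for host WEBSRV01 in CORP.
SAMPLE_CHALLENGE = base64.b64encode(build_type2("CORP", {
    2: "CORP", 1: "WEBSRV01", 4: "corp.example", 3: "websrv01.corp.example"})).decode()

if __name__ == "__main__":
    for key, value in parse_type2(SAMPLE_CHALLENGE).items():
        print(f"{key}: {value}")
```

The names come out of the challenge before any credential is checked, which is why the UseHostName setting below only narrows, not removes, what the header reveals.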
Temporary fix: in a CMD window change to the C:\Inetpub\AdminScripts directory, run the command adsutil set w3svc/UseHostName True, and then restart the service:
net stop iisadmin /y
net start w3svc
Determining the default application mappings
It is fairly easy to determine whether a default mapping exists. Only the response given when the mapping does exist is listed here:
Extension: .printer
Request: http://IIS-server/foo.printer
Response: HTTP 500 - Internal Server Error
Extension: .idc
Request: http://IIS-server/foo.idc
Response code: 500 Internal Server Error
Extension: .idq
Request: http://IIS-server/foo.idq
Response code: 200 OK
Response: The IDQ file D:\dir\foo.idq is not found.
Extension: .ida
Request: http://IIS-server/foo.ida
Response code: 200 OK
Response: The IDQ file D:\dir\foo.ida is not found.
Extension: .htr
Request: http://IIS-server/foo.htr
Response: HTTP 404 - File not found
Extension: .htw
Request: http://IIS-server/foo.htw
Response code: 200 OK
Response: The format of QUERY_STRING is invalid.
Extension: .stm
Request: http://IIS-server/foo.stm
Response: HTTP 404 - File not found
Extension: .shtm
Request: http://IIS-server/foo.shtm
Response: HTTP 404 - File not found
Extension: .shtml
Request: http://IIS-server/foo.shtml
Response: HTTP 404 - File not found
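An administrator can check a server's own logs for the same signatures this article uses, both for the directory permission probes described earlier (PUT answered 201, a .dll probe answered 500, PROPFIND answered 207) and for the default mappings listed just above. The following Python is an added example, not code from the original article: it parses IIS W3C extended log lines (the sample lines are constructed here) and reports which directories show those responses.

```python
"""Flag the over-permission signatures described in the article in IIS logs.

Added example, not code from the original article. SAMPLE_LOG is CONSTRUCTED
here in the W3C extended format that IIS 5.0 writes; the #Fields: line is
parsed, so logs with a different field selection work as well.
"""
import os

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-03-01 15:45:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-03-01 15:45:01 10.9.8.7 GET /images/no-such-file.dll - 500
2002-03-01 15:45:02 10.9.8.7 GET /images/no-such-file.asp - 404
2002-03-01 15:45:03 10.9.8.7 PUT /upload/my_file.txt - 201
2002-03-01 15:45:04 10.9.8.7 PUT /scripts/x.txt - 403
2002-03-01 15:45:05 10.9.8.7 PROPFIND /upload/ - 207
2002-03-01 15:45:06 10.9.8.7 GET /foo.printer - 500
2002-03-01 15:45:07 10.9.8.7 GET /foo.ida - 200
2002-03-01 15:45:08 10.9.8.7 GET /foo.htr - 404
2002-03-01 15:45:09 10.9.8.7 GET /default.asp - 200
"""

# Status the article lists for each default mapping when it is still installed.
# .htr/.stm/.shtm/.shtml are left out: a 404 in a log line is not distinctive.
MAPPED_EXT = {".printer": "500", ".idc": "500", ".idq": "200",
              ".ida": "200", ".htw": "200"}


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields: line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))


def find_exposures(text):
    """Return (finding, directory, evidence) tuples for each signature seen."""
    findings = []
    for rec in parse_w3c(text):
        method = rec["cs-method"].upper()
        stem, status = rec["cs-uri-stem"], rec["sc-status"]
        directory = stem.rsplit("/", 1)[0] + "/"
        ext = os.path.splitext(stem)[1].lower()
        evidence = f"{method} -> {status} {stem}"
        if method == "PUT" and status == "201":
            findings.append(("Write enabled for web users", directory, evidence))
        elif method == "PROPFIND" and status == "207":
            findings.append(("WebDAV PROPFIND answered", directory, evidence))
        elif method == "GET" and ext == ".dll" and status == "500":
            # Only a hint: a real ISAPI DLL that fails also returns 500, so
            # confirm that the requested file does not exist in that directory.
            findings.append(("Execute permission enabled", directory, evidence))
        elif method == "GET" and MAPPED_EXT.get(ext) == status:
            findings.append((f"default mapping for {ext} still present", directory, evidence))
    return findings


if __name__ == "__main__":
    for finding in find_exposures(SAMPLE_LOG):
        print(finding)
```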
Determining whether the operating system is a workstation edition (Professional/Workstation)
When IIS is installed on Windows 2000 Professional or NT Workstation, at most 10 simultaneous connections are allowed. This gives a simple way to determine the operating system edition: open 10 HTTP/1.1 persistent connections; the request on the 11th connection is answered with a 403 error.
Source: http://netadmin.77169.com/HTML/20040824004500.html