IIS6 colon Upload Vulnerability

Source: Internet
Author: User

Test conditions:
 
Asp script
 
The uploaded file will not be renamed.
 
Only files with the suffix .jpg can be uploaded.
 
Exploitation:
 
Upload a JPG Trojan file named `cs.asp:.jpg`. Note: by default Windows does not allow a colon (:) in file names, so the upload request has to be intercepted and the file name edited in the request itself.
 
After the upload succeeds, IIS drops everything from the colon onward, so the file is stored as `cs.asp`, while the name that the suffix check saw still ended in `.jpg` — this is how the suffix check is bypassed.
 
Supplement:
 
What IIS receives is the complete file name `cs.asp:.jpg`; the part after the colon is dropped when the file is written, because Windows does not allow a colon in a file name. This is not the same as %00 truncation, which directly cuts off everything after the null byte; if a check runs before that point, the detection fails.
 
More exploitation is still waiting for you to come up with ideas !!!
 
Test ASP source code:
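<form action="1.asp?s=ys" method="post" enctype="multipart/form-data" name="form1">
file: <input name="FormNameItem" type="file" />
<button class="button2" type="submit">submit</button>
</form>
<%
' Test harness for the IIS6 colon upload case.
' The handler only runs when the page is requested with a non-empty "s"
' query parameter, i.e. after the form above has been submitted.
'
' NOTE(review): every uploaded part is written to one FIXED server path
' ("\0.asp:.jpg" under the site root). The stored name does not come from
' the client and no extension or content check is performed before saving,
' so this page only demonstrates what IIS6/NTFS does with a colon in a file
' name -- it is not a safe upload handler. A real handler would generate the
' stored name server-side and validate the extension against an allow-list.
' Response.Write below also echoes the absolute server path to the client,
' which is an information disclosure in its own right.
If Len(Request("s")) > 0 Then
    Set oFileObj = New UpFileClass
    oFileObj.GetData

    ' oFileObj.File is a Scripting.Dictionary keyed by form field name.
    For Each FormNameItem In oFileObj.File
        ' Client-supplied attributes of the part, read for inspection only;
        ' they play no role in choosing the save path.
        FileName = oFileObj.File(FormNameItem).FileName
        FileExtName = oFileObj.File(FormNameItem).FileExt
        FileContent = oFileObj.File(FormNameItem).FileData
        ' The colon in "0.asp:.jpg" is the behaviour under test: the part
        ' after it is not treated as part of the base file name on NTFS.
        oFileObj.File(FormNameItem).SaveToFile Server.MapPath("\") & "\0.asp:.jpg"
        Response.Write Server.MapPath("\") & "\0.asp:.jpg OK!"
    Next
End If

' Shared binary stream holding the raw request body; filled by
' UpFileClass.GetData and read by FileObj_Class.SaveToFile / FileData.
Dim UpFileStream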
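' Multipart/form-data parser for classic ASP (VBScript).
' GetData reads the whole request body into the module-level ADODB.Stream
' UpFileStream, splits it on the multipart boundary and exposes:
'   Form - Scripting.Dictionary of plain field name -> value
'   File - Scripting.Dictionary of field name -> FileObj_Class
'   Err  - -1 on success, 1 when the request carried no body
' Both dictionaries are keyed by the client-supplied field name.
Class UpFileClass
    ' NOTE(review): a public member called "Err" shadows VBScript's global
    ' Err object inside this class, so On Error Resume Next / Err.Number
    ' cannot be used in these methods without renaming this field.
    Dim Form, File, Err

    Private Sub Class_Initialize
        Err = -1
    End Sub

    ' Release the dictionaries and the shared stream. Err < 0 means GetData
    ' got past its "no data" check, so the objects below exist.
    Private Sub Class_Terminate
        If Err < 0 Then
            Form.RemoveAll
            Set Form = Nothing
            File.RemoveAll
            Set File = Nothing
            UpFileStream.Close
            Set UpFileStream = Nothing
        End If
    End Sub

    Public Property Get ErrNum()
        ErrNum = Err
    End Property

    ' Read and parse the request body. Sets Err = 1 and returns at once when
    ' Request.TotalBytes < 1; otherwise fills Form and File.
    '
    ' NOTE(review): the entire body is buffered in memory twice (UpFileStream
    ' and RequestBinData) with no upper bound on Request.TotalBytes; if this
    ' class is used outside a test page, a size limit should be enforced by
    ' the caller or by the IIS request entity limit.
    ' NOTE(review): parsing assumes a well-formed multipart body. If any
    ' InStrB/InStr below returns 0 the computed offsets are wrong and the
    ' CopyTo/Mid calls fail or read the wrong bytes -- nothing checks this.
    ' NOTE(review): File.Add raises a runtime error when two file parts share
    ' a field name, whereas plain fields with the same name are concatenated.
    Public Sub GetData()
        Dim RequestBinData, sSpace, bCrLf, sObj, iObjEnd, tStream, iStart, oFileObj
        Dim sFormValue, sFileName
        Dim iFindStart, iFindEnd
        Dim iFormStart, iFormEnd, sFormName
        Dim ReadedBytes, ChunkBytes

        If Request.TotalBytes < 1 Then ' nothing was uploaded
            Err = 1
            Exit Sub
        End If

        Set Form = CreateObject("Scripting.Dictionary")
        Form.CompareMode = 1 ' 1 = text (case-insensitive) key comparison
        Set File = CreateObject("Scripting.Dictionary")
        File.CompareMode = 1

        Set tStream = CreateObject("ADODB.Stream")
        Set UpFileStream = CreateObject("ADODB.Stream")
        UpFileStream.Type = 1 ' adTypeBinary
        UpFileStream.Mode = 3 ' adModeReadWrite
        UpFileStream.Open

        ' Pull the body in 100 KB chunks rather than one BinaryRead call.
        ReadedBytes = 0
        ChunkBytes = 1024 * 100
        Do While ReadedBytes < Request.TotalBytes
            UpFileStream.Write Request.BinaryRead(ChunkBytes)
            ReadedBytes = ReadedBytes + ChunkBytes
            If ReadedBytes > Request.TotalBytes Then ReadedBytes = Request.TotalBytes
        Loop

        UpFileStream.Position = 0
        RequestBinData = UpFileStream.Read
        iFormEnd = UpFileStream.Size
        bCrLf = ChrB(13) & ChrB(10)

        ' The boundary is everything up to the first CRLF.
        sSpace = MidB(RequestBinData, 1, InStrB(1, RequestBinData, bCrLf) - 1)
        iStart = LenB(sSpace)
        iFormStart = iStart + 2

        ' Walk the parts one by one.
        Do
            ' Part headers run up to the blank line (CRLF CRLF).
            iObjEnd = InStrB(iFormStart, RequestBinData, bCrLf & bCrLf) + 3
            tStream.Type = 1
            tStream.Mode = 3
            tStream.Open
            UpFileStream.Position = iFormStart
            UpFileStream.CopyTo tStream, iObjEnd - iFormStart
            tStream.Position = 0
            tStream.Type = 2 ' adTypeText
            tStream.CharSet = "gb2312"
            sObj = tStream.ReadText

            ' Start of the next boundary, i.e. the end of this part's payload.
            iFormStart = InStrB(iObjEnd, RequestBinData, sSpace) - 1
            ' Field name from Content-Disposition; client-controlled.
            iFindStart = InStr(22, sObj, "name=""", 1) + 6
            iFindEnd = InStr(iFindStart, sObj, """", 1)
            sFormName = Mid(sObj, iFindStart, iFindEnd - iFindStart)

            If InStr(45, sObj, "filename=""", 1) > 0 Then
                ' File part: record where its payload lives in UpFileStream.
                Set oFileObj = New FileObj_Class
                iFindStart = InStr(iFindEnd, sObj, "filename=""", 1) + 10
                iFindEnd = InStr(iFindStart, sObj, """", 1)
                sFileName = Mid(sObj, iFindStart, iFindEnd - iFindStart)
                ' Only the backslash is treated as a path separator here;
                ' FileName/FileExt remain the client's values, unvalidated.
                oFileObj.FileName = Mid(sFileName, InStrRev(sFileName, "\") + 1)
                oFileObj.FilePath = Left(sFileName, InStrRev(sFileName, "\"))
                oFileObj.FileExt = Mid(sFileName, InStrRev(sFileName, ".") + 1)
                iFindStart = InStr(iFindEnd, sObj, "Content-Type:", 1) + 14
                iFindEnd = InStr(iFindStart, sObj, vbCr)
                oFileObj.FileType = Mid(sObj, iFindStart, iFindEnd - iFindStart)
                oFileObj.FileStart = iObjEnd
                oFileObj.FileSize = iFormStart - iObjEnd - 2
                oFileObj.FormName = sFormName
                File.Add sFormName, oFileObj
            Else
                ' Plain field: decode the payload as gb2312 text.
                tStream.Close
                tStream.Type = 1
                tStream.Mode = 3
                tStream.Open
                UpFileStream.Position = iObjEnd
                UpFileStream.CopyTo tStream, iFormStart - iObjEnd - 2
                tStream.Position = 0
                tStream.Type = 2
                tStream.CharSet = "gb2312"
                sFormValue = tStream.ReadText
                ' Repeated field names are joined with a comma.
                If Form.Exists(sFormName) Then
                    Form(sFormName) = Form(sFormName) & "," & sFormValue
                Else
                    Form.Add sFormName, sFormValue
                End If
            End If

            tStream.Close
            ' Skip over the boundary and its trailing CRLF.
            iFormStart = iFormStart + iStart + 2
        Loop Until (iFormStart + 2) >= iFormEnd

        RequestBinData = ""
        Set tStream = Nothing
    End Sub
End Class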
148.
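'---------------------------------------------------------------
' File attribute class: one instance per uploaded file part.
' FileStart/FileSize locate the part's payload inside the shared
' UpFileStream, which UpFileClass.GetData must have filled first.
Class FileObj_Class
    ' FormName, FileName, FilePath, FileExt and FileType are copied straight
    ' from the client's Content-Disposition / Content-Type headers and must
    ' be treated as untrusted by any caller that uses them.
    Dim FormName, FileName, FilePath, FileSize, FileType, FileStart, FileExt

    ' Write the file payload to Path. Path is used exactly as given and an
    ' existing file is overwritten (ADODB.Stream.SaveToFile option 2), so
    ' choosing and validating the destination is the caller's job.
    Public Function SaveToFile(Path)
        'On Error Resume Next
        Dim oFileStream
        Set oFileStream = CreateObject("ADODB.Stream")
        oFileStream.Type = 1 ' adTypeBinary
        oFileStream.Mode = 3 ' adModeReadWrite
        oFileStream.Open
        UpFileStream.Position = FileStart
        UpFileStream.CopyTo oFileStream, FileSize
        oFileStream.SaveToFile Path, 2
        oFileStream.Close
        Set oFileStream = Nothing
    End Function

    ' Return the file payload as binary data read from UpFileStream.
    Public Function FileData
        UpFileStream.Position = FileStart
        FileData = UpFileStream.Read(FileSize)
    End Function
End Class

%>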

 
Author: www.rootnull.com
