Compiled by: Schnang
IIS vulnerabilities in the second half of last year were endless. Given how widely IIS is deployed today, it is worth summarizing the information collected so far.
1. Introduction
The methods described here work mainly through port 80, which makes them especially dangerous because a web server always keeps port 80 open. For convenience, download some WWW/CGI scanners to assist with the inspection.
To find out what server software the target machine is running, use the following commands:
telnet <target machine> 80
HEAD / HTTP/1.0
(followed by an empty line)
This returns the host name and the web server version. Some servers run the web service on port 8080, 81, 8000 or 8001; in that case, telnet to the corresponding port instead.
2. Common Vulnerabilities
(1) NULL.HTW
If IIS runs Index Server, it contains a vulnerability related to NULL.HTW, a .htw file that does not exist on the server. The vulnerability results in the disclosure of ASP script source code, which can contain sensitive information such as user accounts, and of Global.asa. By supplying a specially crafted URL request to IIS, an attacker can escape the virtual directory restriction and access logical partitions and the root directory. The "hit-highlighting" feature does not adequately restrict the types of files that may be requested from Index Server, so an attacker can read arbitrary files on the server. The NULL.HTW feature takes three variables from user input:
CiWebHitsFile
CiRestriction
CiHiliteType
The source code of a page such as default.asp can be obtained by passing the variables as follows:
http://www.<target machine>.com/null.htw?CiWebHitsFile=/default.asp%20&%20CiRestriction=none%20&%20CiHiliteType=full
No valid .htw file is needed, because the virtual file is already held in memory.
(2) MSADC: local command execution vulnerability
This vulnerability appeared early, but there are probably still many IIS web servers around the world that are vulnerable, just as there are many people still using Windows3.2 today. A vulnerability in the MDAC component of IIS allows an attacker to execute commands remotely on the target system. The core issue is the presence of RDSDataFactory, which by default allows remote commands to be sent to the IIS server; the commands run as the user IIS runs under, which by default is the system user. The existence of this vulnerability can be tested as follows:
C:\>nc -n -w 2 <target machine> 80
GET /msadc/msadcs.dll HTTP/1.0
If the response contains the following:
application/x-varg
the vulnerability is most likely unpatched, and the two programs from Rain Forest Puppy's web site (www.wiretrip.net/rfp), mdac.pl and msadc2.pl, can be used to test it.
(3) ASP dot bug
This vulnerability appeared earlier still; it was found by the L0pht team in 1997. The flaw likewise leaks ASP source code to the attacker and is generally present on IIS 3.0: appending one or more dots to the end of the requested URL reveals the ASP source code, for example http://www.<target machine>.com/sample.asp.
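The three request patterns above are easy to spot in web server logs. The following detector is an added example, not part of the original article; it assumes IIS W3C-style log lines with the fields date, time, client IP, method, URI stem, URI query and status (the sample lines are constructed), and flags the NULL.HTW, MSADC and ASP dot bug requests.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2000-01-05 10:01:02 10.0.0.5 GET /default.asp - 200
2000-01-05 10:01:09 10.0.0.5 GET /null.htw CiWebHitsFile=/default.asp%20&%20CiRestriction=none%20&%20CiHiliteType=full 200
2000-01-05 10:02:11 10.0.0.7 GET /msadc/msadcs.dll - 200
2000-01-05 10:03:30 10.0.0.9 GET /sample.asp. - 200
2000-01-05 10:04:00 10.0.0.9 GET /sample.asp - 200
"""


def classify(stem, query):
    """Return the name of the IIS issue a request matches, or None."""
    stem_l = stem.lower()
    # Normalise query parameter names (the %20 padding in the PoC yields leading spaces).
    params = {k.strip().lower() for k in parse_qs(query, keep_blank_values=True)}
    if stem_l.endswith(".htw") and "ciwebhitsfile" in params:
        return "null.htw source disclosure"
    if stem_l == "/msadc/msadcs.dll":
        return "MSADC/RDS probe"
    if re.search(r"\.asp\.+$", stem_l):
        return "ASP dot bug"
    return None


def scan(log_text):
    """Return (client, stem, label) for every log line matching one of the patterns."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip header or malformed lines
        client, stem, query = fields[2], fields[4], fields[5]
        if query == "-":
            query = ""
        label = classify(unquote(stem), query)
        if label:
            hits.append((client, stem, label))
    return hits


if __name__ == "__main__":
    for client, stem, label in scan(SAMPLE_LOG):
        print(f"{client} {stem} -> {label}")
```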