找回密码
 立即注册
欢迎中测联盟老会员回家,1997年注册的域名
查看: 2887|回复: 0
打印 上一主题 下一主题

微软IIS 6.0和7.5的多个漏洞及利用方法

[复制链接]
跳转到指定楼层
楼主
发表于 2013-3-14 20:16:48 | 只看该作者 回帖奖励 |正序浏览 |阅读模式
微软的IIS 6.0安装PHP绕过认证漏洞
, K, s( r# i2 U3 H2 K+ l2 c( C+ D; W3 q( D; A+ L3 L8 x
微软IIS与PHP 6.0(这是对PHP5中的Windows Server 2003 SP1的测试)详细说明:, j0 \8 ~; x% z$ D
攻击者可以发送一个特殊的请求发送到IIS 6.0服务,成功绕过访问限制
; s# H, j3 }/ l# R: B) u攻击者可以访问有密码保护的文件
1 D& [0 P" g. ?+ ?0 d例:–>. v# d' p) g7 N) g
Example request (path to the file): /admin:INDEX_ALLOCATION/index.php8 g) c- Z  j$ h1 B' _# L# J& Z
1 Example request (path to the file): /admin:INDEX_ALLOCATION/index.php6 L, [% w" m' ~: S" T
(暂时没有翻译,怕影响精确度)
1 Y+ B( N+ Y% P0 Wif theINDEX_ALLOCATION postfix is appended to directory name.
7 c5 s+ P' ~7 n9 B- {- s; MThis can result in accessing administrative files and under special circumstances execute arbirary code remotely( y% ~8 T6 C7 _$ M9 `- Q
* ^# f/ d8 J. f1 V' z9 B; M
微软IIS 7.5经典的ASP验证绕过; R& U) b& G0 X9 h! w* q
受影响的软件:.NET Framework 4.0(.NET框架2.0是不受影响,其他.NET框架尚未进行测试)(在Windows 7测试)
- F  f6 F+ z$ N 详细说明:
3 q' u7 `: Q6 {5 ?" \  b5 i* `7 @通过添加 [ "i30INDEX_ALLOCATION"  ] to the directory serving (便可成功绕过)
9 @$ C5 w6 _. n$ m 例:1 U% i  h1 ]6 A* k4 f. [( x
There is a password protected directory configured that has administrative asp scripts inside An attacker requests the directory with i30INDEX_ALLOCATION appended to the directory name IIS/7.5 gracefully executes the ASP script without asking for proper credentials
0 j$ i% p7 E9 K1 N
8 G1 L) e( m" D$ @. V0 lIIS 7.5 NET源代码泄露和身份验证漏洞3 f# j7 m: r1 W& \; J8 I: `
(.NET 2.0和.NET 4.0中测试)
$ D, H" U  v$ I5 o& X 例:–>( H, a* j1 B, m+ q% {0 S3 R
http://<victimIIS75>/admini30INDEX_ALLOCATION/admin.php" M: ]& G- w% D$ r! Z
1 http://<victimIIS75>/admini30:$INDEX_ALLOCATION/admin.php
% a4 L. n$ F% s4 ~$ bwill run the PHP script without asking for proper credentials.(暂时没有翻译)
' E, o% @, T. a6 FBy appending /.php to an ASPX file (or any other file using the .NET framework that is not blocked through the request filtering rules,like misconfigured: .CS,.VB files) IIS/7.5 responds with the full source code of the file and executes it as PHP code. This means that by using an upload feature it might be possible (under special circumstances) to execute arbitrary PHP code. Example: Default.aspx/.php# N) x/ G0 O9 j* P# \; U2 X

: A- j8 {" t; n/ {9 x" F1 e" G
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表