微软IIS 6.0和7.5的多个漏洞及利用方法

admin

微软的IIS 6.0安装PHP绕过认证漏洞
" H8 i  y; y" e, U( z; k) \% n
/ v, @$ Z7 {9 F7 D" |; u" P微软IIS与PHP 6.0（这是对PHP5中的Windows Server 2003 SP1的测试）详细说明：
5 \. h4 n  q+ U- q" k攻击者可以发送一个特殊的请求发送到IIS 6.0服务，成功绕过访问限制
攻击者可以访问有密码保护的文件
例：–>
Example request (path to the file): /admin:INDEX_ALLOCATION/index.php
1 Example request (path to the file): /admin:INDEX_ALLOCATION/index.php
(暂时没有翻译，怕影响精确度)
3 f% Y4 Z, z8 t& _if theINDEX_ALLOCATION postfix is appended to directory name.
% s' j  @6 `. X8 U" o, I" R7 `# XThis can result in accessing administrative files and under special circumstances execute arbirary code remotely
/ y9 m: m, h, k( V4 s
微软IIS 7.5经典的ASP验证绕过
% q8 ^: g  b1 o9 b! X5 j受影响的软件：.NET Framework 4.0（.NET框架2.0是不受影响，其他.NET框架尚未进行测试）（在Windows 7测试）
2 x( Y, Z( n* v0 q" r) j 详细说明：
( A4 Q# ~% L8 M) v' j2 R通过添加 [ "i30INDEX_ALLOCATION"  ] to the directory serving (便可成功绕过)
例：
There is a password protected directory configured that has administrative asp scripts inside An attacker requests the directory with i30INDEX_ALLOCATION appended to the directory name IIS/7.5 gracefully executes the ASP script without asking for proper credentials

* ?3 U. D6 L2 K% ^2 q8 UIIS 7.5 NET源代码泄露和身份验证漏洞
0 Y6 Y9 ]) y( c& X( D (.NET 2.0和.NET 4.0中测试)
: N- s# h6 j* j% K1 g* Y% ~ 例：–>
http://<victimIIS75>/admini30INDEX_ALLOCATION/admin.php
3 t. A/ Y: Y: ~) U1 http://<victimIIS75>/admini30:$INDEX_ALLOCATION/admin.php
will run the PHP script without asking for proper credentials.（暂时没有翻译）
$ {) m1 J4 @! g: o# PBy appending /.php to an ASPX file (or any other file using the .NET framework that is not blocked through the request filtering rules,like misconfigured: .CS,.VB files) IIS/7.5 responds with the full source code of the file and executes it as PHP code. This means that by using an upload feature it might be possible (under special circumstances) to execute arbitrary PHP code. Example: Default.aspx/.php

. W4 Q) g! u8 }  F' E* Y6 B, {: _