[转载]Microsoft Internet Information Server Assessment Guide
文章作者:Johnny Long - [email]Johnny@ihackstuff.com[/email]Information Gathering (IG)
Standard IG techniques can be employed against IIS including web crawling and data mining. Web crawling software such as Web Snake and Black Widow provide a means for automated link traversal, and site mirroring. Automated site traversal simply loads a starting page (index.html,default.htm) and recursively follows all links found on the main page, keeping a record of all returned information. Site mirroring works in a similar fashion, the exception being that a mirror will make a local copy of all references on a site. These techniques can be used to:
Collect keywords from a site, and feed those keywords into a database for a larger scale Internet IG session including HTTP, SMTP, FTP and InterNIC services
Determine what CGI scripts are being used on a site without “read” access to the scripts directory
Determine the complete directory structure of a site
When IIS is installed, several “sample” programs are installed by default. Generally, these files are not removed, even if a site has implemented an entirely new web presence. These “sample” files can be called by using direct URL references, even if the sample pages are not linked to the new site. Some of these files can be used to gather information about the site, while others provide other interesting features.
[url]http://www.0wned.org/samples/isapi/srch.htm[/url]
This sample search engine searches the entire web site, including both the default IIS directories, as well as any files which were installed after IIS was stood up. This allows you to search for non-public html documents, and even backup files. Use this engine to discover documents to use as new web crawling sources. Note that the default configuration of this engine will not return any data for searches resulting in more than 250 hits.
[url]http://www.0wned.org/iisadmin/default.htm:[/url]
This is the URL for the IIS Internet Service Manager. This enables remote control of all the IIS services including WWW, Gopher and FTP. In order to select a service to administer, you must first authenticate against the server. I am still investigating how the authentication works. Simply having the iisadmin utility there may not be enough, as Administratrator can not allways log in remotely.
[url]http://www.0wned.org/default.htm[/url]
This is the default page for IIS. Generally, sites will stand up an “index.html” document as the default, so this page will still be accessible through direct URL reference. All of the sample html pages, and the iisadmin utility can be referenced from this page if it exists.
[url]http://www.0wned.org/samples/isapi/favlist.htm[/url]
This is one of the default “Programming Ideas” applications IIS installs for you. This particular page presents a “guestbook” type of input for with fields for a URL, a description, and your name. Once the text is entered, and processed by [url]http://www.0wned.org/scripts/samples/favlist.dll[/url] the user has the option of viewing their entry in the appended “logbook” which sits by default at [url]http://www.0wned.org/samples/isapi/drop.htm.[/url] The favlist.dll application is interesting in that it will gleefully insert your text into an HTML document in the following fashion:
<b>Description:</b>Your text here<br>
Using the favlist.htm front-end to favlist.dll, a user can simply insert their own HTML tags and text into the the fields, and the drop.htm screen will display them as HTML, not text. For example, if the user were to enter ‘<A HREF=”[url]www.playboy.com[/url]”>Click Here For Cool Stuff</A>’ into the description field, the drop.htm would show a link, which if clicked, would take the user to [url]www.playboy.com.[/url] This simple manipulation allows the user to create entire web pages which could be accessed through the drop.htm reference.
IIS 3.0 WWW Server Default Files and Directories:
Volume in drive D has no label.
Volume Serial Number is 906C-EA32
Directory of D:\InetPub\wwwroot
01/19/99 08:24a <DIR> .
01/19/99 08:24a <DIR> ..
10/13/96 08:38p 4,051 default.htm
01/08/99 07:58a <DIR> samples
4 File(s) 4,051 bytes
Directory of D:\InetPub\wwwroot\samples
01/08/99 07:58a <DIR> .
01/08/99 07:58a <DIR> ..
01/08/99 07:58a <DIR> dbsamp
10/13/96 08:38p 4,051 default.htm
10/13/96 08:38p 838 disclaim.htm
01/08/99 07:58a <DIR> gbook
01/08/99 07:58a <DIR> htmlsamp
01/08/99 07:58a <DIR> images
01/08/99 07:58a <DIR> isapi
01/08/99 07:58a <DIR> sampsite
10 File(s) 4,889 bytes
Directory of D:\InetPub\wwwroot\samples\dbsamp
01/08/99 07:58a <DIR> .
01/08/99 07:58a <DIR> ..
10/13/96 08:38p 5,150 dbsamp.htm
10/13/96 08:38p 583 dbsamp1.htm
10/13/96 08:38p 743 dbsamp2.htm
10/13/96 08:38p 762 dbsamp3.htm
6 File(s) 7,238 bytes
Directory of D:\InetPub\wwwroot\samples\gbook
01/08/99 07:58a <DIR> .
01/08/99 07:58a <DIR> ..
10/13/96 08:38p 1,547 query.htm
10/13/96 08:38p 1,643 register.htm
4 File(s) 3,190 bytes
Directory of D:\InetPub\wwwroot\samples\htmlsamp
01/08/99 07:58a <DIR> .
01/08/99 07:58a <DIR> ..
10/13/96 08:38p 1,598 htmlsamp.htm
10/13/96 08:38p 2,084 styles.htm
10/13/96 08:38p 1,483 styles2.htm
10/13/96 08:38p 1,393 tables.htm
6 File(s) 6,558 bytes
Directory of D:\InetPub\wwwroot\samples\images
01/08/99 07:58a <DIR> .
01/08/99 07:58a <DIR> ..
10/13/96 08:38p 10,282 backgrnd.gif
10/13/96 08:38p 982 bullet_d.gif
10/13/96 08:38p 972 bullet_h.gif
10/13/96 08:38p 978 bullet_p.gif
10/13/96 08:38p 987 bullet_s.gif
10/13/96 08:38p 983 bullet_t.gif
10/13/96 08:38p 4,244 db_mh.gif
10/13/96 08:38p 174 db_mh.map
10/13/96 08:38p 2,893 docs.gif
10/13/96 08:38p 4,048 html_mh.gif
10/13/96 08:38p 182 html_mh.map
10/13/96 08:38p 3,037 h_browse.gif
10/13/96 08:38p 5,081 h_logo.gif
10/13/96 08:38p 6,060 h_samp.gif
10/13/96 08:38p 239 h_samp.map
10/13/96 08:38p 3,256 mh2.gif
10/13/96 08:38p 5,701 mh_data.gif
10/13/96 08:38p 201 mh_data.map
10/13/96 08:38p 5,834 mh_html.gif
10/13/96 08:38p 197 mh_html.map
10/13/96 08:38p 5,530 mh_prog.gif
10/13/96 08:38p 203 mh_prog.map
10/13/96 08:38p 5,556 mh_sampl.gif
10/13/96 08:38p 282 mh_sampl.map
10/13/96 08:38p 2,758 powered.gif
10/13/96 08:38p 4,406 p_mh.gif
10/13/96 08:38p 170 p_mh.map
10/13/96 08:38p 844 space.gif
10/13/96 08:38p 824 space2.gif
10/13/96 08:38p 2,513 tools.gif
10/13/96 08:38p 3,990 t_mh.gif
10/13/96 08:38p 134 t_mh.map
34 File(s) 83,541 bytes
Directory of D:\InetPub\wwwroot\samples\isapi
01/08/99 07:58a <DIR> .
01/08/99 07:58a <DIR> ..
01/13/99 04:54p 2,541 drop.htm
10/13/96 08:38p 1,065 favlist.htm
10/13/96 08:38p 1,249 isapi.htm
10/13/96 08:38p 634 srch.htm
6 File(s) 5,489 bytes
Directory of D:\InetPub\wwwroot\samples\sampsite
01/08/99 07:58a <DIR> .
01/08/99 07:58a <DIR> ..
10/13/96 08:38p 2,729 about.htm
01/08/99 07:58a <DIR> avi
10/13/96 08:38p 15,768 balo.wav
10/13/96 08:38p 2,522 catalog.htm
10/13/96 08:38p 3,039 default.htm
10/13/96 08:38p 70,916 drums.wav
01/08/99 07:58a <DIR> images
10/13/96 08:38p 1,602 process.htm
10/13/96 08:38p 1,517 results.htm
10/13/96 08:38p 1,066 sampsite.htm
10/13/96 08:38p 1,567 sendme.htm
10/13/96 08:38p 2,061 taste.htm
14 File(s) 102,787 bytes
Directory of D:\InetPub\wwwroot\samples\sampsite\avi
01/08/99 07:58a <DIR> .
01/08/99 07:58a <DIR> ..
10/13/96 08:38p 58,094 cup.avi
10/13/96 08:38p 6,039 cupalt.gif
10/13/96 08:38p 4,799 grindalt.gif
10/13/96 08:38p 88,828 grinder.avi
10/13/96 08:38p 4,688 sampalt.gif
10/13/96 08:38p 88,522 sample.avi
8 File(s) 250,970 bytes
Directory of D:\InetPub\wwwroot\samples\sampsite\images
01/08/99 07:58a <DIR> .
01/08/99 07:58a <DIR> ..
10/13/96 08:38p 2,833 aboutsm.gif
10/13/96 08:38p 5,857 bag2.gif
10/13/96 08:38p 2,693 catsm.gif
10/13/96 08:38p 3,899 cup.gif
10/13/96 08:38p 6,563 gift2.gif
10/13/96 08:38p 7,983 habout.gif
10/13/96 08:38p 7,800 hcatalog.gif
10/13/96 08:38p 32,777 headersm.gif
10/13/96 08:38p 8,312 hproc.gif
10/13/96 08:38p 9,605 hsend.gif
10/13/96 08:38p 7,251 htaste.gif
10/13/96 08:38p 1,330 location.gif
10/13/96 08:38p 2,660 mainsm.gif
10/13/96 08:38p 5,893 mug2.gif
10/13/96 08:38p 3,190 procsm.gif
10/13/96 08:38p 2,192 search.gif
10/13/96 08:38p 4,503 sendsm.gif
10/13/96 08:38p 2,267 tastesm.gif
10/13/96 08:38p 14,772 tiled.gif
10/13/96 08:38p 657 time.gif
10/13/96 08:38p 3,273 voltiny.gif
23 File(s) 136,310 bytes
Total Files Listed:
116 File(s) 605,023 bytes
534,112,256 bytes free
IIS 3.0 WWW Default Service Properties
Services
TCP Port 80
Conection Timeout 900
Maximum Connections 100000
Anonymous Username IUSR_<MACHINENAME>
Anonymous Password <RANDOM>
Allow Anonymous <Selected>
Basic (Clear Text) <Unselected>
Windows NT Challenge/Response <Selected>
Comment <NONE>
Directories
Directory Alias
\InetPub\wwwroot <HOME> (Read)
\InetPub\scripts /scripts (Execute)
\WINNT\System32\inetsrv\iisadmin /iisadmin (Read)
Enable Default Document <Selected>
Default Document Default.htm
Directory Browsing Allowed <Unselected>
Logging
Enable Logging <Selected>
Log to File <Selected>
Log Format Standard Format
Automatically open new log <Selected> (Daily)
Log File Directory \WINNT\System32\LogFiles
Log to SQL Database <Unselected>
Log File Name INyymmdd.log
Advanced
By Default, all computers will be Granted Access
Except those listed below <BLANK>
Limit Network Use by all Internet Services on this computer <Unselected>
IIS 3.0 FTP Default Service Properties
Services
TCP Port 21
Conection Timeout 900
Maximum Connections 1000
Allow Anonymous Connections <Selected>
Anonymous Username IUSR_<MACHINENAME>
Anonymous Password <RANDOM>
Allow Only Anonymous Connections <Selected>
Comment <NONE>
Messages
Welcome Message <NONE>
Exit Message <NONE>
Maximum Connections Message <NONE>
Directories
Directory Alias
\InetPub\ftproot <HOME> (Read)
Directory Listing Style <UNIX>
Logging
Enable Logging <Selected>
Log to File <Selected>
Log Format Standard Format
Automatically open new log <Selected> (Daily)
Log File Directory \WINNT\System32\LogFiles
Log to SQL Database <Unselected>
Log File Name INyymmdd.log
Advanced
By Default, all computers will be Granted Access
Except those listed below <BLANK>
Limit Network Use by all Internet Services on this computer <Unselected>
IIS 3.0 Gopher Default Service Properties
Services
TCP Port 70
Conection Timeout 900
Maximum Connections 1000
Service Administrator Administrator
Email [email]Admin@corp.com[/email]
Anonymous Username IUSR_<MACHINENAME>
Anonymous Password <RANDOM>
Comment <NONE>
Directories
Directory Alias
\InetPub\gophroot <HOME>
Logging
Enable Logging <Selected>
Log to File <Selected>
Log Format Standard Format
Automatically open new log <Selected> (Daily)
Log File Directory \WINNT\System32\LogFiles
Log to SQL Database <Unselected>
Log File Name INyymmdd.log
Advanced
By Default, all computers will be Granted Access
Except those listed below <BLANK>
Limit Network Use by all Internet Services on this computer <Unselected>
IIS 4.0
IIS 4.0 WWW Server
Just like release 3.0 of IIS, several “sample” programs are installed by default. Generally, these files are not removed, even if a site has implemented an entirely new web presence. These “sample” files can be called by using direct URL references, even if the sample pages are not linked to the new site. Some of these files can be used to gather information about the site, while others provide other interesting features.
[url]http://www.someserver.com/msadc/Samples/SELECTOR/showcode.asp[/url]
Showcode.asp is a utility that shows the source code of an asp file. An attacker can implement this utility with the “..” style attack to view any file on the server. Standard ACL’s still apply, and the web user will be allowed to view any file that his ACL allows him to. This is all covered in a L0pht advisory ([url]http://www.l0pht.com/advisories.html[/url]).
?source=/msadc/Samples/../../../../../boot.ini
This parameter appended to the URL above will show the boot.ini file.
?source=/msadc/Samples/../../../../../winnt/repair/setup.log
This parameter appended to the showcode.asp command will show the setup.log file.
Several other nuances of this command can be leveraged to gather information from the server. While the showcode.asp will not show directory listings, the error codes seem to indicate an avenue for testing the existence of a directory:
?source=/msadc/Samples/../../../../../winnt/repaire
This parameter will elicit an error code of “Server object error 'ASP 0177 : 800a0035'” (The directory doesn’t exist)
?source=/msadc/Samples/../../../../../winnt/repair
This parameter will elicit an error code of “Server object error 'ASP 0177 : 800a0046'” (The directory exists)
IIS 4.0 WWW Server Default Files and Directories:
Volume in drive C has no label.
Volume Serial Number is EA37-8613
Directory of C:\INETPUB
05/12/99 03:07p <DIR> .
05/12/99 03:07p <DIR> ..
05/12/99 03:07p <DIR> Mailroot
05/12/99 03:08p <DIR> wwwroot
05/12/99 03:09p <DIR> iissamples
05/12/99 03:14p <DIR> Mail
05/12/99 03:17p <DIR> scripts
05/12/99 03:18p <DIR> ftproot
05/12/99 03:18p <DIR> Catalog.wci
05/14/99 03:38p 0 dirlist.txt
10 File(s) 0 bytes
Directory of C:\INETPUB\Mailroot
05/12/99 03:07p <DIR> .
05/12/99 03:07p <DIR> ..
05/12/99 03:18p <DIR> Queue
05/12/99 03:18p <DIR> Badmail
05/12/99 03:18p <DIR> Drop
05/12/99 03:18p <DIR> Pickup
05/12/99 03:18p <DIR> SortTemp
05/12/99 03:18p <DIR> Route
05/12/99 03:18p <DIR> Mailbox
9 File(s) 0 bytes
Directory of C:\INETPUB\Mailroot\Queue
05/12/99 03:18p <DIR> .
05/12/99 03:18p <DIR> ..
2 File(s) 0 bytes
Directory of C:\INETPUB\Mailroot\Badmail
05/12/99 03:18p <DIR> .
05/12/99 03:18p <DIR> ..
2 File(s) 0 bytes
Directory of C:\INETPUB\Mailroot\Drop
05/12/99 03:18p <DIR> .
05/12/99 03:18p <DIR> ..
2 File(s) 0 bytes
Directory of C:\INETPUB\Mailroot\Pickup
05/12/99 03:18p <DIR> .
05/12/99 03:18p <DIR> ..
2 File(s) 0 bytes
Directory of C:\INETPUB\Mailroot\SortTemp
05/12/99 03:18p <DIR> .
05/12/99 03:18p <DIR> ..
2 File(s) 0 bytes
Directory of C:\INETPUB\Mailroot\Route
05/12/99 03:18p <DIR> .
05/12/99 03:18p <DIR> ..
2 File(s) 0 bytes
Directory of C:\INETPUB\Mailroot\Mailbox
05/12/99 03:18p <DIR> .
05/12/99 03:18p <DIR> ..
2 File(s) 0 bytes
Directory of C:\INETPUB\wwwroot
05/12/99 03:08p <DIR> .
05/12/99 03:08p <DIR> ..
05/12/99 03:23p 4,663 default.asp
05/12/99 03:23p 2,504 postinfo.html
05/12/99 03:23p <DIR> _private
05/12/99 03:23p <DIR> cgi-bin
05/12/99 03:23p <DIR> images
05/12/99 03:23p 1,759 _vti_inf.html
8 File(s) 8,926 bytes
Directory of C:\INETPUB\wwwroot\_vti_pvt
05/12/99 03:23p <DIR> .
05/12/99 03:23p <DIR> ..
05/12/99 03:23p 0 service.lck
05/12/99 03:23p 582 service.cnf
05/12/99 03:23p 25 access.cnf
05/12/99 03:23p 3 services.cnf
05/12/99 03:23p 25 bots.cnf
05/12/99 03:23p 25 botinfs.cnf
05/12/99 03:23p 5,616 doctodep.btr
05/12/99 03:23p 324 deptodoc.btr
05/12/99 03:23p 25 writeto.cnf
05/12/99 03:23p 600 linkinfo.cnf
12 File(s) 7,225 bytes
Directory of C:\INETPUB\wwwroot\_vti_log
05/12/99 03:23p <DIR> .
05/12/99 03:23p <DIR> ..
2 File(s) 0 bytes
Directory of C:\INETPUB\wwwroot\_private
05/12/99 03:23p <DIR> .
05/12/99 03:23p <DIR> ..
2 File(s) 0 bytes
Directory of C:\INETPUB\wwwroot\_vti_txt
05/12/99 03:23p <DIR> .
05/12/99 03:23p <DIR> ..
2 File(s) 0 bytes
Directory of C:\INETPUB\wwwroot\_vti_cnf
05/12/99 03:23p <DIR> .
05/12/99 03:23p <DIR> ..
05/12/99 03:23p 985 default.asp
3 File(s) 985 bytes
Directory of C:\INETPUB\wwwroot\_vti_bin
05/12/99 03:23p <DIR> .
05/12/99 03:23p <DIR> ..
05/12/99 03:23p 107,008 fpcount.exe
05/12/99 03:23p 14,608 shtml.dll
4 File(s) 121,616 bytes
Directory of C:\INETPUB\wwwroot\_vti_bin\_vti_adm
05/12/99 03:23p <DIR> .
05/12/99 03:23p <DIR> ..
05/12/99 03:23p 15,120 admin.dll
3 File(s) 15,120 bytes
Directory of C:\INETPUB\wwwroot\_vti_bin\_vti_aut
05/12/99 03:23p <DIR> .
05/12/99 03:23p <DIR> ..
05/12/99 03:23p 6,416 dvwssr.dll
05/12/99 03:23p 15,120 author.dll
4 File(s) 21,536 bytes
Directory of C:\INETPUB\wwwroot\cgi-bin
05/12/99 03:23p <DIR> .
05/12/99 03:23p <DIR> ..
05/12/99 03:23p 7,952 htimage.exe
05/12/99 03:23p 6,416 imagemap.exe
4 File(s) 14,368 bytes
Directory of C:\INETPUB\wwwroot\cgi-bin\_vti_cnf
05/12/99 03:23p <DIR> .
05/12/99 03:23p <DIR> ..
05/12/99 03:23p 216 htimage.exe
05/12/99 03:23p 216 imagemap.exe
4 File(s) 432 bytes
Directory of C:\INETPUB\wwwroot\images
05/12/99 03:23p <DIR> .
05/12/99 03:23p <DIR> ..
2 File(s) 0 bytes
Directory of C:\INETPUB\iissamples
05/12/99 03:09p <DIR> .
05/12/99 03:09p <DIR> ..
05/12/99 03:09p <DIR> default
05/12/99 03:14p <DIR> ISSamples
4 File(s) 0 bytes
Directory of C:\INETPUB\iissamples\default
05/12/99 03:09p <DIR> .
05/12/99 03:09p <DIR> ..
08/07/97 04:10p 8,609 ie.gif
08/07/97 04:10p 388 msft.gif
09/05/97 09:16a 15,076 iisnav.gif
10/12/97 07:17a 14,687 IISSide.gif
09/08/97 07:31a 21,318 iistitle.gif
10/25/97 08:31a 10,170 learn.asp
09/05/97 09:16a 1,911 nav2.gif
10/25/97 08:31a 6,001 samples.asp
09/05/97 09:16a 2,471 squiggle.gif
11 File(s) 80,631 bytes
Directory of C:\INETPUB\iissamples\ISSamples
05/12/99 03:14p <DIR> .
05/12/99 03:14p <DIR> ..
10/14/97 07:06a 11,264 ixgerman.doc
10/14/97 07:06a 16,384 ixserver.doc
10/14/97 07:06a 56,320 ixserver.ppt
10/14/97 07:06a 40,960 ixserver.xls
10/09/97 12:57p 7,438 adovbs.inc
10/14/97 07:06a 18,636 advquery.asp
10/14/97 07:06a 18,431 advsqlq.asp
10/09/97 12:57p 252 default.htm
10/09/97 12:57p 594 deferror.htx
10/14/97 04:48p 3,727 fastq.htm
10/14/97 07:06a 4,521 fastq.htx
10/14/97 04:48p 4,153 fastq.idq
10/14/97 07:06a 902 hilight.gif
10/09/97 12:57p 579 htxerror.htx
10/09/97 12:57p 576 idqerror.htx
10/14/97 07:06a 1,131 is2bkgnd.gif
10/14/97 04:48p 883 is2foot.inc
10/14/97 07:06a 14,830 is2logo.gif
10/14/97 07:06a 17,824 is2side.gif
10/14/97 07:06a 1,953 is2style.css
10/14/97 07:06a 8,609 ie.gif
10/21/97 03:09a 42,069 ixqlang.htm
10/21/97 03:09a 4,314 ixtiphlp.htm
10/14/97 07:06a 4,496 ixtipsql.htm
10/09/97 12:57p 8,276 ixtrasp.asp
10/09/97 12:57p 1,279 navbar.htm
10/14/97 07:06a 10,646 nts_iis.gif
05/12/99 03:14p <DIR> oop
10/21/97 03:09a 14,749 query.asp
10/21/97 03:09a 4,301 query.htm
10/14/97 07:06a 11,458 query.htx
10/14/97 07:06a 3,520 query.idq
10/14/97 07:06a 998 rankbtn1.gif
10/14/97 07:06a 1,088 rankbtn2.gif
10/14/97 07:06a 1,165 rankbtn3.gif
10/14/97 07:06a 1,230 rankbtn4.gif
10/14/97 07:06a 1,301 rankbtn5.gif
10/09/97 12:57p 597 reserror.htx
10/14/97 07:06a 3,633 sqlqhit.asp
10/14/97 07:06a 5,984 sqlqhit.htm
42 File(s) 351,071 bytes
Directory of C:\INETPUB\iissamples\ISSamples\oop
05/12/99 03:14p <DIR> .
05/12/99 03:14p <DIR> ..
10/14/97 04:48p 2,600 qfullhit.htw
10/14/97 04:48p 2,249 qsumrhit.htw
4 File(s) 4,849 bytes
Directory of C:\INETPUB\Mail
05/12/99 03:14p <DIR> .
05/12/99 03:14p <DIR> ..
05/12/99 03:14p <DIR> Smtp
3 File(s) 0 bytes
Directory of C:\INETPUB\Mail\Smtp
05/12/99 03:14p <DIR> .
05/12/99 03:14p <DIR> ..
05/12/99 03:14p <DIR> Admin
3 File(s) 0 bytes
Directory of C:\INETPUB\Mail\Smtp\Admin
05/12/99 03:14p <DIR> .
05/12/99 03:14p <DIR> ..
10/05/97 04:27a 12,001 smtpread.txt
05/12/99 03:14p <DIR> Help
10/12/97 06:40a 286 global.asa
10/12/97 06:40a 58 blank.htm
10/12/97 06:40a 142 default.htm
10/12/97 06:40a 2,400 nre.asp
10/12/97 06:40a 159 nyi.htm
10/20/97 02:26a 1,444 smabout.asp
10/15/97 03:07a 10,019 smaccess.asp
10/12/97 06:40a 1,089 smadv.asp
10/12/97 06:40a 1,632 smadvbd.asp
10/12/97 06:40a 7,697 smadved.asp
10/22/97 06:31a 16,876 smadvhd.asp
10/20/97 02:26a 16,942 smadvhd.asp.2
10/12/97 06:40a 7,860 smadvls.asp
10/16/97 02:53a 8,686 smau.asp
10/12/97 06:40a 5,799 smbld.asp
10/12/97 06:40a 498 smchklen.htm
10/12/97 06:40a 7,528 smcomm.asp
10/12/97 06:40a 1,645 smcon.asp
10/12/97 06:40a 3,533 smconn.asp
10/20/97 02:26a 12,683 smdel.asp
10/12/97 06:40a 4,080 smdistb.asp
10/12/97 06:40a 716 smdom.asp
10/20/97 02:26a 35,570 smdomed.asp
10/19/97 02:26a 11,149 smdomhd.asp
10/12/97 06:40a 1,485 smdomls.asp
10/12/97 06:40a 389 smeredir.asp
10/12/97 06:40a 4,702 smerrors.asp
10/12/97 06:40a 829 smfpop.asp
10/12/97 06:40a 358 smgetval.htm
10/20/97 02:26a 3,033 smhd.asp
10/12/97 06:40a 253 smisfull.htm
10/12/97 06:40a 361 smisnum.htm
10/12/97 06:40a 592 smlist.asp
10/18/97 02:17a 13,696 smmes.asp
10/16/97 02:53a 21,510 smmnu.asp
10/12/97 06:40a 2,263 smmnums.asp
10/12/97 06:40a 2,053 smmnuns.asp
10/12/97 06:40a 595 smmnus.asp
10/20/97 02:26a 12,805 smosec.asp
10/12/97 06:40a 230 smpop.asp
10/12/97 06:40a 225 smpophd.asp
10/12/97 06:40a 1,594 smredir.asp
10/15/97 03:07a 3,397 smsec.asp
10/17/97 02:20a 16,833 smser.asp
10/12/97 06:40a 712 smses.asp
10/12/97 06:40a 8,168 smseshd.asp
10/12/97 06:40a 2,282 smsesls.asp
10/12/97 06:40a 390 smsetval.htm
10/12/97 06:40a 938 smslist.asp
10/12/97 06:40a 4,380 smsrv.asp
10/12/97 06:40a 734 smstat.asp
10/12/97 06:40a 10,954 smtl.asp
10/19/97 02:26a 3,344 smtp.asp
10/15/97 03:07a 7,995 smtree.asp
10/12/97 06:40a 10,528 smvs.asp
10/12/97 06:40a 2,060 srtb.asp
10/12/97 06:40a 60 version.htm
10/12/97 06:40a 338 _cnst.asp
05/12/99 03:14p <DIR> Images
63 File(s) 310,578 bytes
Directory of C:\INETPUB\Mail\Smtp\Admin\Help
05/12/99 03:14p <DIR> .
05/12/99 03:14p <DIR> ..
10/18/97 02:14a 63,029 smtpsnap.hlp
10/07/97 02:56a 344 smtpsnap.cnt
10/07/97 02:56a 29,331 smtpcfg.hlp
10/12/97 06:40a 1,681 sec128.htm
10/12/97 06:40a 1,525 secchan.htm
10/12/97 06:40a 1,115 sesdall.htm
10/12/97 06:40a 1,151 sesdisc.htm
10/12/97 06:40a 931 sesfrom.htm
10/12/97 06:40a 937 sesnext.htm
10/12/97 06:40a 952 sesprev.htm
10/12/97 06:40a 1,103 sesrfrsh.htm
10/12/97 06:40a 958 sestime.htm
10/12/97 06:40a 978 sesuser.htm
10/18/97 02:17a 4,131 smadvh.htm
10/18/97 02:17a 4,206 smauh.htm
10/12/97 06:40a 2,292 smcommh.htm
10/12/97 06:40a 4,972 smdelh.htm
10/12/97 06:40a 3,623 smdomedh.htm
10/12/97 06:40a 3,081 smdomh.htm
10/12/97 06:40a 4,261 smmesh.htm
10/12/97 06:40a 1,785 smsech.htm
10/12/97 06:40a 3,930 smserh.htm
10/12/97 06:40a 3,870 smsesh.htm
10/18/97 02:17a 1,411 smsrvh.htm
10/12/97 06:40a 947 start.htm
10/12/97 06:40a 946 stop.htm
10/12/97 06:40a 1,060 temp.htm
10/12/97 06:40a 1,001 testfr.htm
10/12/97 06:40a 1,084 title.htm
10/12/97 06:40a 4,496 toc.htm
10/12/97 06:40a 1,099 tocframe.htm
10/12/97 06:40a 1,131 vsdesc.htm
10/12/97 06:40a 1,165 vsipaddr.htm
10/12/97 06:40a 2,400 welcome.htm
10/12/97 06:40a 1,055 dmremv.htm
10/12/97 06:40a 1,158 dmroute.htm
10/12/97 06:40a 2,045 dmtype.htm
10/12/97 06:40a 1,690 dmusessl.htm
10/12/97 06:40a 1,771 mbaddir.htm
10/12/97 06:40a 1,349 mbadto.htm
10/12/97 06:40a 1,436 mlimcon.htm
10/12/97 06:40a 2,318 mlimit.htm
10/12/97 06:40a 1,831 mmsgsize.htm
10/12/97 06:40a 1,325 mndrto.htm
10/12/97 06:40a 983 mreset.htm
10/12/97 06:40a 987 msave.htm
10/12/97 06:40a 1,671 msessize.htm
10/12/97 06:40a 960 pause.htm
10/12/97 06:40a 2,551 props.htm
10/12/97 06:40a 1,120 refresh.htm
10/12/97 06:40a 964 resume.htm
10/12/97 06:40a 1,762 dlmaxhop.htm
10/12/97 06:40a 1,579 dlmaxrt.htm
10/12/97 06:40a 1,710 dlqual.htm
10/12/97 06:40a 1,207 dlretint.htm
10/12/97 06:40a 1,451 dlrev.htm
10/12/97 06:40a 1,812 dlsmart.htm
10/12/97 06:40a 1,253 dlssl.htm
10/12/97 06:40a 1,271 dltype.htm
10/12/97 06:40a 3,533 dmadd.htm
10/12/97 06:40a 1,266 dmalias.htm
10/12/97 06:40a 1,957 dmaloc.htm
10/12/97 06:40a 1,570 dmaname.htm
10/12/97 06:40a 1,289 dmdefloc.htm
10/12/97 06:40a 1,469 dmdrop.htm
10/12/97 06:40a 2,785 dmedit.htm
10/12/97 06:40a 1,715 dmlocdom.htm
10/12/97 06:40a 1,941 dmname.htm
10/12/97 06:40a 1,675 dmremote.htm
10/12/97 06:40a 1,444 conlimit.htm
10/12/97 06:40a 1,118 connect.htm
10/12/97 06:40a 1,050 conport.htm
10/12/97 06:40a 1,242 contout.htm
10/18/97 02:17a 993 delete.htm
10/12/97 06:40a 1,652 dlattmpt.htm
10/12/97 06:40a 1,279 dlmasq.htm
10/18/97 02:17a 1,280 autls.htm
10/18/97 02:17a 1,144 auacct.htm
10/18/97 02:17a 1,480 auchacct.htm
10/18/97 02:17a 1,502 auchnt.htm
10/18/97 02:17a 1,276 auclear.htm
10/18/97 02:17a 1,086 aunoauth.htm
10/18/97 02:17a 1,177 auntacct.htm
10/18/97 02:17a 1,307 auntcr.htm
10/12/97 06:40a 1,337 condir.htm
10/12/97 06:40a 2,962 colegal.htm
88 File(s) 236,714 bytes
Directory of C:\INETPUB\Mail\Smtp\Admin\Images
05/12/99 03:14p <DIR> .
05/12/99 03:14p <DIR> ..
10/12/97 06:39a 1,018 mailbox.gif
10/12/97 06:40a 81 plus.gif
10/12/97 06:40a 82 plusl.gif
10/12/97 06:40a 883 popup.gif
10/12/97 06:40a 82 radiooff.gif
10/12/97 06:40a 84 radioon.gif
10/12/97 06:40a 880 refr.gif
10/12/97 06:40a 881 remv.gif
10/12/97 06:40a 899 roll.gif
10/12/97 06:40a 300 rte.gif
10/12/97 06:40a 888 save.gif
10/12/97 06:40a 148 slideron.gif
10/12/97 06:40a 166 slidersp.gif
10/12/97 06:40a 176 slidrend.gif
10/12/97 06:40a 182 slidroff.gif
10/12/97 06:40a 126 smallkey.gif
10/12/97 06:40a 49 space.gif
10/12/97 06:40a 869 stop.gif
10/12/97 06:39a 818 tablcor.gif
10/12/97 06:40a 49 tabline.gif
10/12/97 06:40a 49 tabottom.gif
10/12/97 06:39a 817 tabrcor.gif
10/12/97 06:39a 800 tabrline.gif
10/12/97 06:40a 583 tabs.gif
10/12/97 06:39a 800 tabwdot.gif
10/12/97 06:40a 269 tbasp.gif
10/12/97 06:40a 273 tbasp0.gif
10/12/97 06:40a 251 tbisapi.gif
10/12/97 06:40a 157 tbother.gif
10/12/97 06:40a 149 updir.gif
10/12/97 06:40a 1,600 vbscript.gif
10/12/97 06:40a 165 vdir0.gif
10/12/97 06:40a 163 vdir2.gif
10/12/97 06:40a 163 vdir4.gif
10/12/97 06:39a 7,667 vrsvrwiz.gif
10/12/97 06:40a 225 www0.gif
10/12/97 06:40a 167 www2.gif
10/12/97 06:40a 224 www4.gif
10/12/97 06:40a 1,515 wwwprop.gif
10/12/97 06:40a 369 mime.gif
10/12/97 06:40a 75 minus.gif
10/12/97 06:40a 76 minusl.gif
10/12/97 06:40a 869 new.gif
10/12/97 06:40a 874 next.gif
10/12/97 06:40a 205 off.gif
10/12/97 06:40a 897 ok.gif
10/12/97 06:40a 202 on.gif
10/12/97 06:40a 880 open.gif
10/12/97 06:40a 877 pause.gif
10/12/97 06:40a 1,929 ism.gif
10/12/97 06:40a 3,187 ismhd.gif
10/12/97 06:40a 224 key.gif
10/12/97 06:40a 62 line.gif
10/12/97 06:40a 2,609 loading.gif
10/12/97 06:40a 139 lock.gif
10/12/97 06:40a 1,231 logo.gif
10/12/97 06:40a 869 gnicnew.gif
10/12/97 06:40a 874 gnicnext.gif
10/12/97 06:40a 904 gnicok.gif
10/12/97 06:40a 877 gnicprev.gif
10/12/97 06:40a 880 gnicrefr.gif
10/12/97 06:40a 908 gnicremv.gif
10/12/97 06:40a 906 gnicroll.gif
10/12/97 06:40a 888 gnicsave.gif
10/12/97 06:40a 47 gnictoc0.gif
10/12/97 06:40a 64 gnictoc1.gif
10/12/97 06:40a 64 gnictoc2.gif
10/12/97 06:40a 837 gnicttl.gif
10/12/97 06:40a 860 gnicup.gif
10/12/97 06:40a 267 handshk.gif
10/12/97 06:40a 893 help.gif
10/12/97 06:40a 130 helpnote.gif
10/12/97 06:40a 15,076 iisnav.gif
10/20/97 02:26a 13,033 iisttl.gif
10/12/97 06:40a 173 ftp4.gif
10/12/97 06:40a 1,373 ftpprop.gif
10/12/97 06:40a 919 globe.gif
10/12/97 06:40a 9,920 gnback.gif
10/12/97 06:40a 229 gnicabou.gif
10/12/97 06:40a 98 gniccncl.gif
10/12/97 06:40a 152 gniccomg.gif
10/12/97 06:40a 156 gniccoms.gif
10/12/97 06:40a 170 gnicdis.gif
10/12/97 06:40a 879 gnicdoc.gif
10/12/97 06:40a 862 gnicdown.gif
10/12/97 06:40a 871 gnicdsal.gif
10/12/97 06:40a 149 gnicedit.gif
10/12/97 06:40a 904 gnichelp.gif
10/12/97 06:40a 877 gnickey.gif
10/12/97 06:40a 145 gniclock.gif
10/12/97 06:40a 1,231 gniclogo.gif
10/12/97 06:40a 914 about.gif
10/12/97 06:40a 242 access.gif
10/12/97 06:40a 1,010 back.gif
10/12/97 06:40a 909 bkclos.gif
10/12/97 06:40a 932 bkopen.gif
10/12/97 06:40a 832 black.gif
10/12/97 06:40a 65 blank.gif
10/12/97 06:40a 66 blankl.gif
10/12/97 06:40a 880 brws.gif
10/12/97 06:40a 156 cert.gif
10/12/97 06:40a 80 checkoff.gif
10/12/97 06:40a 89 checkon.gif
10/12/97 06:40a 880 cncl.gif
10/12/97 06:40a 129 comp.gif
10/12/97 06:40a 158 comp0.gif
10/12/97 06:40a 158 comp1.gif
10/12/97 06:40a 158 comp2.gif
10/12/97 06:40a 127 comp3.gif
10/12/97 06:40a 131 comp4.gif
10/12/97 06:40a 882 cont.gif
10/12/97 06:39a 1,133 custrecp.gif
10/12/97 06:40a 165 dir0.gif
10/12/97 06:40a 165 dir2.gif
10/12/97 06:40a 165 dir4.gif
10/12/97 06:39a 1,117 distlist.gif
10/12/97 06:40a 879 doc.gif
10/12/97 06:40a 159 drct.gif
10/12/97 06:40a 879 edit.gif
10/12/97 06:40a 152 folder.gif
10/12/97 06:40a 175 ftp0.gif
10/12/97 06:40a 173 ftp2.gif
124 File(s) 110,848 bytes
Directory of C:\INETPUB\scripts
05/12/99 03:17p <DIR> .
05/12/99 03:17p <DIR> ..
2 File(s) 0 bytes
Directory of C:\INETPUB\ftproot
05/12/99 03:18p <DIR> .
05/12/99 03:18p <DIR> ..
2 File(s) 0 bytes
Directory of C:\INETPUB\Catalog.wci
05/12/99 03:18p <DIR> .
05/12/99 03:18p <DIR> ..
05/12/99 03:24p 240 CiSP0000.000
05/12/99 03:24p 65,536 CiSP0000.001
05/12/99 03:24p 65,536 CiSP0000.002
05/12/99 03:24p 240 CiPS0000.000
05/12/99 03:24p 65,536 CiPS0000.001
05/12/99 03:24p 65,536 CiPS0000.002
05/12/99 03:24p 240 CiPT0000.000
05/12/99 03:24p 65,536 CiPT0000.001
05/12/99 03:24p 65,536 CiPT0000.002
05/12/99 03:24p 240 CiST0000.000
05/12/99 03:25p 65,536 CiST0000.001
05/12/99 03:25p 65,536 CiST0000.002
05/13/99 06:27a 4,198,912 propstor.bkp
05/12/99 03:24p 131,072 cicat.hsh
05/12/99 03:24p 240 CiVP0000.000
05/12/99 03:24p 65,536 CiVP0000.001
05/12/99 03:24p 65,536 CiVP0000.002
05/12/99 03:24p 240 INDEX.000
05/12/99 03:24p 65,536 INDEX.001
05/12/99 03:24p 65,536 INDEX.002
05/12/99 03:24p 240 CiCL0001.000
05/12/99 03:24p 131,072 CiCL0001.001
05/12/99 03:24p 131,072 CiCL0001.002
05/12/99 03:24p 240 CiSL0001.000
05/12/99 03:24p 0 CiSL0001.001
05/12/99 03:24p 0 CiSL0001.002
05/12/99 03:24p 2,162,688 00000002.prp
05/14/99 12:06a 3,051,520 00010001.ci
05/14/99 12:06a 24,415 00010001.dir
05/14/99 12:06a 240 CiFLfffc.000
05/14/99 12:06a 65,536 CiFLfffc.001
05/14/99 12:06a 65,536 CiFLfffc.002
34 File(s) 10,750,415 bytes
Total Files Listed:
463 File(s) 12,035,314 bytes
590,512,128 bytes free
IIS 3.0 WWW Server Hidden Files and Directories:
Volume in drive C has no label.
Volume Serial Number is EA37-8613
Directory of C:\INETPUB\wwwroot
05/12/99 03:23p <DIR> _vti_pvt
05/12/99 03:23p <DIR> _vti_log
05/12/99 03:23p <DIR> _vti_txt
05/12/99 03:23p <DIR> _vti_cnf
05/12/99 03:23p <DIR> _vti_bin
5 File(s) 0 bytes
Directory of C:\INETPUB\wwwroot\_vti_bin
05/12/99 03:23p <DIR> _vti_adm
05/12/99 03:23p <DIR> _vti_aut
2 File(s) 0 bytes
Directory of C:\INETPUB\wwwroot\cgi-bin
05/12/99 03:23p <DIR> _vti_cnf
1 File(s) 0 bytes
Total Files Listed:
8 File(s) 0 bytes
590,479,360 bytes free
ColdFusion
ColdFusion (Alaire, Inc) allows database-to-web interaction, and runs on many platforms. However, it commonly runs on Winodws NT due to the ease of administration as well as Access’ ease of use. Several vulnerabilities exist for the program.
[url]http://XXX.XXX.XXX.XXX/cfdocs/expeval/exprcalc.cfm?OpenFilePath=d:[/url]\winnt\repair\setup.log
This will show you any file on the system.
L0pht has released an advisory on ColdFusion. This is included from the advisory verbatim:
“By default, the Cold Fusion application server install program installs
sample code as well as online documentation. As part of this collection
is a utility called the "Expression Evaluator". The purpose of this
utility is to allow developers to easily experiment with Cold Fusion
expressions. It is even allows you to create a text file on your local
machine and then upload it to the application server in order to
evaluate it. This utility is supposed to be limited to the localhost.
There are basically 3 important files in this exploit that any web user
can access by default: "/cfdocs/expeval/openfile.cfm",
"/cfdocs/expeval/displayopenedfile.cfm" and "/cfdocs/expeval/exprcalc.cfm".
The first one lets you upload a file via a web form. The second one saves
the file to the server. The last file reads the uploaded file, displays
the contents of the file in a web form and then deletes the uploaded file.
The Phrack article and the advisory from Allaire relate to "exprcalc.cfm".
A web user can choose to view and delete any file they want. To view and
delete a file like "c:\winnt\repair\setup.log" you would use a URL like:
[url]http://www.server.com/cfdocs/expeval/ExprCalc.cfm?OpenFilePath=c:[/url]\winnt\repair\setup.log
This exploit can be taken a step further. First go to:
[url]http://www.server.com/cfdocs/expeval/openfile.cfm[/url]
Select a file to upload from your local machine and submit it. You will
then be forwarded to a web page displaying the contents of the file you
uploaded. The URL will look something like:
[url]http://www.server.com/cfdocs/expeval/ExprCalc.cfm?RequestTimeout=2000&OpenFilePath=C:[/url]\Inetpub\wwwroot\cfdocs\expeval\.\myfile.txt
Now replace the end of the URL where it shows ".\myfile.txt" with
"ExprCalc.cfm". Going to this URL will delete "ExprCalc.cfm" so that web
users can now use "openfile.cfm" to upload files to the web server
without them being deleted. With some knowledge of Cold Fusion a web user
can upload a Cold Fusion page that allows them to browse directories on
the server as well as upload, download and delete files. Arbitrary
executable files could placed anywhere the Cold Fusion service has
access. Web users are not restricted to the web root.
Frequently, Cold Fusion developers use Microsoft Access databases to
store information for their web applications. If the described
vulnerability exists on your server, these database files could
potentially be downloaded and even overwritten with modified copies.
The most concerning aspect of this vulnerability is that with a text
editor and a web browser, web users are able to download password files,
other confidential information and even upload executable files to a web
server.
III. Solution
Allaire has posted a patch to this vulnerability. This is currently
available at:
[url]http://www.allaire.com/handlers/index.cfm?ID=8727&Method=Full[/url]
In addition to this, it is recommended that the documentation and
example code not be stored on production servers.
“
页:
[1]