Record of a non-side-note intrusion against my alma mater - vulnerability warning - Black Bar Security Net

2005-12-18T00:00:00
ID MYHACK58:6220055541
Type myhack58
Reporter Anonymous
Modified 2005-12-18T00:00:00

Description

Editor's note: a very old article that the author never published. I am digging it out so that everyone can borrow from the ideas in it.

I. Cause

FAI from school told me that his old DV posts on the campus forum had been deleted, so he wanted to test the forum's security; he got a shell through a side-note (neighbouring-site) attack and uploaded an HTML file. I have been learning footprinting these days and wanted to give the school site a full security test and assessment after class; seeing my good brother FAI suffer, I could not sit still either, so I also went to look at the forum's security. FAI had already done the whois side-note route, so I thought it over and took a different look.

II. Scan

Since it is our own school's site, I already know it well and did not need to footprint it. First I scanned ..65.196 with X-Scan 3.1; after several scans the combined results were:

Warning www (80/tcp) CGI vulnerability: <http://..65.196/_private>
Warning www (80/tcp) CGI vulnerability: <http://..65.196/_vti_bin/_vti_aut/author.dll>
Warning www (80/tcp) CGI vulnerability: <http://..65.196/_vti_bin>
Warning www (80/tcp) CGI vulnerability: <http://..65.196/_vti_bin/fpcount.exe>
Warning www (80/tcp) CGI vulnerability: <http://..65.196/_vti_bin/fpcount.exe?Page=default.htm|Image=2|Digits=1>
Warning www (80/tcp) CGI vulnerability: <http://..65.196/_vti_bin/shtml.exe>
Warning www (80/tcp) CGI vulnerability: <http://..65.196/_vti_inf.html>
Warning www (80/tcp) CGI vulnerability: <http://..65.196/_vti_bin/_vti_aut>
Warning www (80/tcp) CGI vulnerability: <http://..65.196/_vti_bin/_vti_adm>
Warning www (80/tcp) CGI vulnerability: <http://..65.196/_vti_pvt/doctodep.btr>
Warning www (80/tcp) CGI vulnerability: <http://..65.196/_vti_log>
Warning www (80/tcp) CGI vulnerability: <http://..65.196/abczxv.htw>
Warning www (80/tcp) CGI vulnerability: <http://..65.196/null.ida>
Warning www (80/tcp) CGI vulnerability: <http://..65.196/null.idq>
Warning www (80/tcp) CGI vulnerability: <http://..65.196/_vti_bin/shtml.dll>
Warning www (80/tcp) CGI vulnerability: <http://..65.196/scripts>
Warning www (80/tcp) CGI vulnerability: <http://..65.196/scripts/samples/search/qsumrhit.htw>
Warning www (80/tcp) CGI vulnerability: <http://..65.196/scripts/samples/search/qfullhit.htw>
Warning www (80/tcp) CGI vulnerability: <http://..65.196/filemanager/filemanager_forms.php>
Warning www (80/tcp) CGI vulnerability: <http://..65.196/phorum/admin/actions/del.php>
Warning www (80/tcp) CGI vulnerability: <http://..65.196/phorum/plugin/replace/admin.php>
Warning www (80/tcp) CGI vulnerability: <http://..65.196/phorum/plugin/replace/plugin.php>
Warning www (80/tcp) CGI vulnerability: <http://..65.196/b2/b2-include/b2edit.showposts.php>

III. Analysis and attempts

Many people never analyse scan output like this and put it to use. In fact, if you take the keywords to Xfocus and NSFocus (Green Alliance), look up the information and then analyse it carefully, you will certainly find something. Below is my collated analysis and what I tried.

1. <http://..65.196/_private>
Analysis: _private is one of the two folders FrontPage creates automatically under a new site's location (the other is "images"; when you edit the site, the "images" folder holds the site's pictures).
Hazard: the "_private" folder is special: the files in it are hidden from visitors, so people may put page files they do not want visitors to see in this folder, for example a registered user's personal information.
Try: 403.14 Directory Listing Denied - This Virtual Directory does not allow contents to be listed; no home document found. Nothing usable.

2. <http://..65.196/_vti_bin/_vti_aut/author.dll>
Analysis: author.dll is a binary generated when the FrontPage Server Extensions are installed; it is the executable that implements the authoring function of the FrontPage server extensions.
Hazard: on Win2K + IIS5 some special ISAPI components are loaded under the SYSTEM identity, for example the ISAPI filter fpexedll.dll, which can be used to elevate privileges.
Try: not for now; get a shell first :)

3. <http://..65.196/_vti_bin/shtml.dll>
Analysis: shtml.dll is also a binary generated when the FrontPage Server Extensions are installed. It is designed to browse smart HTML files and run them in real time, that is, it is the executable that implements the browse-time (run) function of the FrontPage server extensions. After installing the FrontPage Server Extensions on the server you can see that they consist of three binaries, admin.dll, author.dll and shtml.exe, which implement administration, authoring and browse-time support respectively. The extensions of these three files may differ between FrontPage Server Extensions versions, e.g. .dll may become .exe and .exe may become .dll. On the other hand, IIS allows any extension to be specified, because IIS has an ISAPI filter named fpexedll.dll that redirects the request to the correct location. The three binaries live in the _vti_bin virtual directory, which is mapped to the physical directory \program files\common files\microsoft shared\web server extensions\40\isapi or, for FrontPage Server Extensions 2002, \program files\common files\microsoft shared\web server extensions\50\isapi. Every FrontPage web (that is, every web site with the FrontPage Server Extensions installed and enabled) has a virtual directory mapped to that path.
FrontPage communicates with the web server by sending HTTP POST requests to these binaries; the POST body contains special commands, called vti_rpc commands, that instruct the server to perform specific operations.
Hazard: there is a vulnerability in the above that can expose the local path of the web directory and cause a DoS (<http://www.cnns.net/article/db/276.htm>).
Try: exposing the local path of the web directory was unsuccessful; I did not try the DoS.

4. <http://..65.196/_vti_bin> <http://..65.196/scripts>
Analysis: when IIS is installed it creates the default virtual directories "scripts", "IISHelp", "IISAdmin", "IISSamples", "MSADC" and "_vti_bin".
Try:
a. 403.14 Directory Listing Denied - This Virtual Directory does not allow contents to be listed; no home document found. Nothing usable.
b. Visiting <http://..65.196/IISAdmin> gives HTTP 403 - access to Internet Services Manager (HTML) is limited to Localhost (Internet Information Services).
c. Visiting <http://..65.196/IISHelp>, <http://..65.196/IISSamples> and <http://..65.196/MSADC> gives HTTP 403.6 - Forbidden: IP address rejected.
Guess: IIS was probably installed to the default location on the C drive.

5. <http://..65.196/_vti_bin/fpcount.exe>
Analysis: fpcount.exe is part of the FrontPage HitCounter component, a visit counter for an IIS web site.
Hazard: under NT 4.0 it had a buffer overflow vulnerability, but this is a Windows 2000 machine, so it is probably a false positive.
Try: not now.

6. <http://..65.196/_vti_inf.html>
Analysis: _vti_inf.html sits in the web root. The file is a feature of the FrontPage Server Extensions and contains the information that client applications and the SharePoint Team Services server need to communicate with each other, such as the version number and the script paths; it is normally used when the FrontPage client talks to the server.
Hazard: an attacker who obtains the URL of this file can read the version number and the script paths, and possibly some password files.
Try: opening it displays "FrontPage configuration information. The HTML comments on this web page contain configuration information that FrontPage Explorer and FrontPage Editor need when communicating with the FrontPage server extensions installed on this site's server. Please do not delete this page." Viewing the source gives the following:
<!-- FrontPage Configuration Information
 FPVersion="4.0.2.3406"
 FPShtmlScriptUrl="_vti_bin/shtml.dll/_vti_rpc"
 FPAuthorScriptUrl="_vti_bin/_vti_aut/author.dll"
 FPAdminScriptUrl="_vti_bin/_vti_adm/admin.dll"
-->
This gives the FP extensions version number 4.0.2.3406. Tried the MS03-051 Microsoft FrontPage Server Extensions buffer overflow exploit; the attack was unsuccessful.

7. <http://..65.196/_vti_bin/_vti_aut> <http://..65.196/_vti_bin/_vti_adm>
Analysis: _vti_aut and _vti_adm are virtual directories that FrontPage creates for a web; they hold the FrontPage server extension executable dynamic-link libraries and are hidden, non-readable directories. (FrontPage creates the following virtual directories for each sub-web: _vti_bin, _vti_bin\_vti_aut, _vti_bin\_vti_adm, _vti_pvt, _vti_cnf, _vti_txt.)
Hazard: information disclosure.
Try: 403.14 Directory Listing Denied - This Virtual Directory does not allow contents to be listed; no home document found. Nothing usable.

8. <http://..65.196/_vti_pvt/doctodep.btr>
Analysis: the FrontPage tree index file of a web's protected database.
Hazard: information disclosure.
Try: open it in Notepad and you get some sensitive paths.

9. <http://..65.196/_vti_log>
Analysis: stores the log files containing information about the FrontPage-extended web site.
Hazard: information disclosure.
Try: 403.14 Directory Listing Denied - This Virtual Directory does not allow contents to be listed; no home document found. Nothing usable.

10. <http://..65.196/scripts/samples/search/qsumrhit.htw> <http://..65.196/scripts/samples/search/qfullhit.htw>
Analysis and try: submitting <http://..65.196/scripts/samples/search/nosuchfile.htw> and <http://..65.196/null.htw> got the following back from the server: "The format of QUERY_STRING is invalid." This indicates the presence of the Microsoft Windows Index Server remote directory traversal vulnerability (<http://www.nsfocus.net/index.php?act=sec_bug&do=view&bug_id=270&keyword=qsumrhit.htw>). Webhits.dll is the ISAPI application that handles the request, opens the file and returns the result. When the user controls the CiWebhitsfile argument passed to the .htw, they can request any file, so the ASP source code and the contents of other script files can be viewed. It is said that any Windows system with a default IIS install has this vulnerability even after patching; that is, even with SP4 it may still be possible to use this vulnerability to view the source of other files on the server. Submitted: http://..65.196/scripts/samples/search/nosuchfile.htw?ciwebhitsfile=/../../winnt/iis5.log&cirestriction=none&cihilitetype=full - failed after several tries, because I did not know the other side's directory structure.

11. <http://..65.196/null.ida> <http://..65.196/null.idq>
Analysis: IIS Index Server ISAPI extension remote overflow (/NULL.ida) and IIS Index Server ISAPI extension remote overflow (/NULL.idq). Not much to say; a hole from long ago.
Try: unsuccessful. Only port 80 shows up in the scan results and ping fails, so apparently there is a firewall. Accessing the URL directly prompts "file not found"; had it returned a physical path, the vulnerability would very likely be present. No possibility of using it; gave up.

12. http://..65.196/filemanager/filemanager_forms.php
Analysis: PHProjekt remote file inclusion, arbitrary command execution vulnerability (<http://www.xfocus.net/vuls/200203/2065.html>).

13. http://..65.196/phorum/admin/actions/del.php <http://..65.196/phorum/plugin/replace/plugin.php> <http://..65.196/phorum/plugin/replace/admin.php>
Analysis: Phorum arbitrary command execution vulnerability (<http://www.xfocus.net/vuls/200205/2479.html>). Is the PHP-based web forum application Phorum installed here?

14. <http://..65.196/b2/b2-include/b2edit.showposts.php>
Analysis: b2 PHP remote command execution vulnerability (<http://www.xfocus.net/vuls/200205/2410.html>). Is a lower version of b2, the PHP news-publishing script that lets an administrator publish news quickly from FrontPage, installed here?

Note: items 12, 13 and 14 are CGI vulnerabilities that are somewhat difficult, because the source code is hard to get hold of, I do not know much about scripting myself, and there is little vulnerability data, so exploitation is harder. (Hindsight also proved that these were scanner false positives.)
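Every probe analysed in items 1 to 14 leaves a recognisable trail in the IIS web logs, which is where an administrator of a site like this one would first notice the activity. As an added example (not part of the original article), here is a small Python detector that flags those request patterns in IIS W3C extended log lines. The log lines and IP addresses below are constructed, the field layout is an assumption stated in the code, and the rule names are my own.

```python
"""Flag FrontPage Server Extensions / Index Server probing in IIS W3C log lines.

Added illustration, not code from the article. The field layout below is an
assumption; real IIS logs declare their layout in a '#Fields:' header line.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumed W3C extended field order for the constructed sample.
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]

# Constructed sample log (fictional client IPs); paths follow the article's scan list.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-12-18 10:00:01 10.0.0.5 GET /_vti_inf.html - 200
2005-12-18 10:00:02 10.0.0.5 GET /_vti_bin/shtml.dll/_vti_rpc - 200
2005-12-18 10:00:03 10.0.0.5 GET /_vti_pvt/doctodep.btr - 200
2005-12-18 10:00:04 10.0.0.5 GET /scripts/samples/search/nosuchfile.htw ciwebhitsfile=/../../winnt/iis5.log&cirestriction=none&cihilitetype=full 200
2005-12-18 10:00:05 10.0.0.5 GET /null.ida - 404
2005-12-18 10:00:06 10.0.0.5 GET /null.idq - 404
2005-12-18 10:00:07 10.0.0.5 POST /kuaijifuwu/admin/bbs/upfile.asp - 200
2005-12-18 10:05:00 192.168.1.20 GET /index.htm - 200
2005-12-18 10:05:01 192.168.1.20 GET /images/logo.gif - 304
"""

# Path-based rules, matched against the URL-decoded cs-uri-stem.
RULES = [
    ("fpse-config-leak", re.compile(r"^/_vti_inf\.html$", re.I)),          # item 6
    ("fpse-rpc", re.compile(r"^/_vti_bin/(?:_vti_aut/author|_vti_adm/admin|shtml)\.(?:dll|exe)", re.I)),  # items 2, 3
    ("fpse-tree-index-leak", re.compile(r"^/_vti_pvt/", re.I)),            # item 8
    ("index-server-isapi", re.compile(r"\.(?:ida|idq)$", re.I)),           # item 11
    ("webhits-htw", re.compile(r"\.htw$", re.I)),                          # item 10
]


def parse_line(line):
    """Parse one W3C log line into a dict; return None for header/blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None  # layout mismatch: skip rather than misattribute fields
    rec = dict(zip(FIELDS, parts))
    rec["sc-status"] = int(rec["sc-status"])
    return rec


def classify(rec):
    """Return the list of finding tags for one parsed request (empty if benign)."""
    tags = []
    stem = unquote(rec["cs-uri-stem"])
    query = "" if rec["cs-uri-query"] == "-" else unquote(rec["cs-uri-query"])
    for name, pattern in RULES:
        if pattern.search(stem):
            tags.append(name)
    # Webhits traversal: CiWebhitsFile pointing outside the web root (item 10).
    q = query.lower().replace("\\", "/")
    if stem.lower().endswith(".htw") and "ciwebhitsfile" in q and ".." in q:
        tags.append("webhits-traversal")
    # A POST to a forum upload script, the path the article found in doctodep.btr.
    if rec["cs-method"].upper() == "POST" and stem.lower().endswith("/upfile.asp"):
        tags.append("forum-upload-post")
    # A 200 on a probed path means the resource exists and was actually served.
    if tags and rec["sc-status"] == 200:
        tags.append("served-200")
    return tags


def scan(log_text):
    """Return (client ip, uri stem, tags) for every suspicious request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], tags))
    return hits


def summarize(log_text):
    """Map each client IP to the set of findings it triggered."""
    per_ip = defaultdict(set)
    for ip, _stem, tags in scan(log_text):
        per_ip[ip].update(tags)
    return dict(per_ip)


if __name__ == "__main__":
    for ip, stem, tags in scan(SAMPLE_LOG):
        print(f"{ip:15} {stem:45} {', '.join(tags)}")
    print(summarize(SAMPLE_LOG))
```

The "served-200" tag is the one worth paging on: a 404 for /null.ida only shows that someone is scanning, while a 200 for /_vti_inf.html or /_vti_pvt/doctodep.btr means the FrontPage configuration or tree index was actually handed out, which is exactly the leak the article goes on to exploit.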

IV. Breakthrough

Here I focused on the leaked FrontPage tree index file of the web's protected database.
Try: downloaded <http://..65.196/_vti_pvt/doctodep.btr>, opened it in Notepad and got some sensitive paths. Searching patiently, the path to upfile had leaked. To see whether there was an upload vulnerability I looked for /kuaijifuwu/admin/bbs/upfile.asp (Figure 1). Submitting <http://..65.196/kuaijifuwu/admin/bbs/> cannot be accessed; it prompts 403.14 Directory Listing Denied - This Virtual Directory does not allow contents to be listed; no home document found. Submitting <http://..65.196/kuaijifuwu/admin/bbs/index.asp> opens normally; whoa, it is "dvbbs 6.0". Check whether the upload vulnerability exists. I took out the veteran "general-purpose WEB upload PATH variable exploitation program", followed the Dvbbs forum series as the example, and successfully got a shell. (Figures 2 and 3 are not included; you can picture them.) Then uploaded Haiyang and escalated privileges, which I will not go into. Came back and saw that the default administrator password had not been changed... Oh, and I added a sentence to FAI's page... Notified the administrator; after all, it is my own school. Unfortunately the server has many bound sites with injectable pages. Fixing it completely would be very hard; tough on the administrator.

V. Summary

In fact this site has a lot of holes, and a side-note attack would also be very easy. I guessed right: the administrator installed IIS and the FP extensions to the default location on the C drive. From the information leaked by the FrontPage tree index file of the default FP extensions install, I found and exploited the DV upload vulnerability on a site deep inside the server with no domain bound to it.