PowerEasy (动易) 2006 file upload vulnerability: principle and attack implementation - vulnerability warning - the black bar safety net

ID MYHACK58:62200714755
Type myhack58
Reporter Anonymous
Modified 2007-03-28T00:00:00



This article is only to let everyone know about this vulnerability, please do not attack others!

PowerEasy recently disclosed a vulnerability that has caused a great uproar, and a lot of big sites have been hit. It makes use of a vulnerability from 2003, a very old one; like the "IIS write permission" exploitation that was popular a while ago, it is an old hole put to new use. This time PowerEasy's announcement was also very fast, presumably because the vulnerability is so serious. There is no patch yet, but a temporary workaround has been given; presumably because of the holidays, the patch has been delayed for the last few days.

Below is PowerEasy's official announcement:

PowerEasy 2006 latest vulnerability announcement

Vulnerability ID: PEAS20070215

Degree of hazard: extremely serious. Hackers can use this vulnerability to obtain WebShell permissions.

Affected versions:

All versions of PowerEasy 2006 are affected, including the free version, the commercial SQL version and the Access version, and the official release, SP1, SP2, SP3, SP4 and SP5.

Vulnerability description:

Win2003 has a file path parsing vulnerability: when a folder is named something like hack.asp (that is, the folder name looks like the file name of an ASP file), text-type files under this folder can be executed by IIS as ASP programs. A hacker can therefore upload a Trojan file with an extension such as jpg or gif, so that it looks like a picture file, and run the Trojan by accessing this file. Because Microsoft has not yet released a patch for this vulnerability, almost all sites will have this vulnerability. For articles on the vulnerability, you can see here:

Some features of PowerEasy 2006 were designed without taking this attack into account, so hackers can bypass the upload file extension check and upload a Trojan file with a normal extension to obtain WebShell permissions. An administrator with advanced permissions in the backend can also use this vulnerability to obtain WebShell permissions.

Solemnly declare:

Now that you understand this vulnerability, please do not attack others! Otherwise you will likely be subject to legal punishment!

Temporary workaround:

Temporarily delete the Space folder, and delete the User/User_Space.asp file.

Patch files:


Please also check all systems other than the PowerEasy system: wherever a feature lets users rename folders themselves, we recommend turning it off until Microsoft's patch appears, so as not to cause greater losses.

A small tip:

How to check for Trojans with a jpg/gif extension:

In Explorer, use details mode and view by category. Click the "View" menu, then "Choose Details", tick "size", and confirm. Normal picture files will now show the picture size; if nothing is displayed, you can be 99% sure it is a Trojan file. Open it with Notepad to be 100% sure.
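The same check can be scripted for a whole upload directory. The following is an added example, not code from the advisory or from the vendor: it automates the "no picture size" test and also reports readable ASP script text inside a picture and pictures stored under a folder whose name ends in .asp. The function names, the 8-character threshold and the sample tree are assumptions made for this example.

```python
import os
import re
import struct
import tempfile

ASP_TEXT = re.compile(rb"<%[\t\n\r\x20-\x7e]{8,}")  # "<%" followed by readable script text

def image_size(data):
    """Return (width, height) from a GIF or JPEG header, or None if there is none."""
    if data[:6] in (b"GIF87a", b"GIF89a") and len(data) >= 10:
        return struct.unpack("<HH", data[6:10])
    i = 2 if data[:2] == b"\xff\xd8" else len(data)
    while i + 9 <= len(data) and data[i] == 0xFF:
        seg_len = struct.unpack(">H", data[i + 2:i + 4])[0]
        if data[i + 1] in (0xC0, 0xC1, 0xC2):  # start-of-frame segment holds the size
            return struct.unpack(">HH", data[i + 5:i + 9])[::-1]  # stored as height, width
        i += 2 + seg_len
    return None

def scan(root):
    """Return sorted (relative path, reasons) for suspicious .jpg/.gif files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        in_asp_dir = any(p.lower().endswith(".asp") for p in rel_dir.split(os.sep))
        for name in [f for f in files if f.lower().endswith((".jpg", ".jpeg", ".gif"))]:
            with open(os.path.join(dirpath, name), "rb") as fh:
                data = fh.read()
            checks = [(image_size(data) is None, "no image dimensions"),
                      (ASP_TEXT.search(data) is not None, "contains ASP script text"),
                      (in_asp_dir, "inside a folder named *.asp")]
            reasons = [why for hit, why in checks if hit]
            if reasons:
                findings.append((os.path.join(rel_dir, name), reasons))
    return sorted(findings)

def demo():
    """Scan a constructed upload tree (sample data made up for this example)."""
    gif = b"GIF89a" + struct.pack("<HH", 4, 3) + b"\x00" * 20
    samples = {("Space", "ok.gif"): gif,
               ("Space", "fake.jpg"): b"<%response.write(1)%>",
               ("Space", "das.asp", "pic.gif"): gif}
    with tempfile.TemporaryDirectory() as root:
        for parts, data in samples.items():
            os.makedirs(os.path.join(root, *parts[:-1]), exist_ok=True)
            with open(os.path.join(root, *parts), "wb") as fh:
                fh.write(data)
        return scan(root)
```

Calling `scan()` on the site's upload root lists every flagged file with its reasons; a picture under a `*.asp` folder is reported even when the file itself is a valid image, because the folder name is what makes IIS6 treat its contents as script.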

The following is the related vulnerability article, the author's name has been found:

Windows 2003 Enterprise Edition and IIS6 .ASP directory execution defect

A few days before writing this article I found a bigger IIS6 vulnerability, which made me happy for a whole 2 to 4 hours. It is a pity that the vulnerability came from my manual configuration. The method is to change the ASP extension to a JPG extension and copy the JPG to the IIS publishing directory; the ASP code in the JPG is found to execute correctly. See how I made the configuration error; this method can also be used to configure a back door.

Windows 2003 Enterprise Edition is a new operating system from Microsoft. Windows 2003 IIS6 makes an error when processing folder extensions, with the result that JPG images placed in the directory will automatically execute ASP code. When a file with a JPG extension contains ASP code, that code will be executed. Of course, this is not limited to the JPG extension.

IIS6 masks URLs containing special symbols and by default does not support running ASP scripts, which is safer relative to WIN2000. After a few days of effort I found a new way: create a folder with an .asp extension and put the ASP Trojan file in that folder; the ASP file can use a JPG extension. This does not affect the running of the ASP code in the JPG.

Windows 2000 IIS5, when processing a JPG image that contains HTML and ASP code, will only execute the HTML code and does not execute the ASP code in the JPG. So Windows 2000 IIS5 does not have this vulnerability. This vulnerability is clearly caused by the file name ending in .asp, and is an IIS6 design defect.

To enable ASP scripts manually: click Internet Information Services (IIS) Manager → Web services → enable Active Server Pages. Once it is enabled, your server can run ASP scripts.

More friends are welcome to communicate with me; thanks to Haiyang top network for writing the ASP Trojan.

The following is the exploitation method (for reference only):

Reference animation:

Source: Black Hawk honker base

PowerEasy latest 0day vulnerability:

Reference article:

PowerEasy latest exploitation method

Source: shadow of the Eagle-secure network

  1. Register the user name das.asp; the system automatically creates a directory named after the user name.
  2. Upload a picture Trojan. This mainly relies on Windows 2003's support for .asp directories and is caused by the characteristics of .asp directories on 2003. The official site also has this vulnerability.
  3. After registering the .asp name, go back to the main site's user/Upload.asp?dialogtype=UserBlogPic&size=5. This only works on a 2003 server; otherwise the file is not parsed as ASP. This vulnerability affects every 2006 version, including SP5.


The information in this text comes from Black angels, PowerEasy official, the Black Eagle honker base, and the shadow of the Eagle-secure network. The author of the article "Windows 2003 Enterprise Edition and IIS6 .ASP directory execution defect" is unknown.