The newly discovered IIS a bunch of vulnerabilities, and talk about the application. Need a virtual executable Directory,WINDOWS common /scripts,/cgi-bin,/_vti_bin, General/_vti_bin directory is mapped to the“program files”directory, usually in the system tray above, and the SCRIPTS sometimes not in the system tray. You can also find the page to view the source files to find some counter directory.
For example, test a does not have a/SCRIPTS directory, can http://www. xxx. com/scripts/,now generally does not allow directory browsing in a directory it will return 4 0 3 error No is 4 0 4 It. With. ida,. idq,idc, etc way can also try. Try whether the executable can be http://www. xxx. com/scripts/&cmd.exe if it is the executable directory will return 5 0 0 Internal Server error, not execution returns 4 0 4 File Not Found error.
As long as there is an executable directory can be used to encode the../into that disk to any directory, run any executable file, the encoding method is the../of any one character with%2 5+1 6-ary code, such as“.” Can be expressed as“%252e”, if you go back and level more, you can use encoding“../..”“/”efficiency is relatively high.“..% 255c..”for“../..”.
For example, to perform a dir d:\ :
要 重定向 的话 输入 里面 不能 有 字符串 cmd.exe 或者 command.com such as to perform a dir d:\ /a /s can:
http://192.168.8.48/scripts/..%255c../..%255c../winnt/system32/cmd". exe?/ c+dir+d:\+/a+/s+>>+d:\dir.txt
Is the command CMD. EXE write into a cme". exe, the same a“?” Back parameters also have to pay attention to, and sometimes can be a reasonable use of the“*.”
This must require the executable directory and execute the command in a pan.
Another method may not require the CMD. EXE with the executable directory in a disc, but requires a not 0 Byte, not really. exe file format. BAT file:
IIS executable directory can execute the executable EXE file, if the BAT file did not do the mapping, the executable directory The BAT is not performed. But through a special way may make the BAT file gets executed, awsome when executing BAT file When you can use the pipe character, etc. For example, my virtual directory“/BAT”is mapped to“E:\”, have executable permissions, not the script,my lines System directory"d:\winnt",e disk has the file“cc. bat”, cc. bat the actual content is not an executable file it points You must, or make executable file is executed, behind the pipe character after the command will not be executed, it may not be a A normal BAT file. Then the following connection:
http://192.168.8.48/bat/cc.bat"%2 0+|+copy+d:\winnt\system32\cmd.+ e:\. exe
The actual implementation of the copy d:\winnt\system32\cmd. e:\. exe.
Note that IIS in order to prevent the mapping of the BAT to CMD, to explain the BAT file when passing special characters, find the command line there "cmd.exe"or"command.com"string, then have the character“& amp;|(,;%<>”in a it will message“HTTP 5 0 0 - Internal Server error”. Inside the registry can set the "AllowSpecialCharsInShell", do not let The detection of these special characters, the default is to be detected.
In fact the surface of the HTTP is to call the CreateProcessA(“"e:\cc.bat" | copy d:\winnt\system32\cmd. e:\. exe"”,..),IIS in the executable file before and after the addition of the“"”, which is CreateProcessA a function, which IIS not error. But my file name inside a“"”,the actual execution Line CreateProcessA this API when it is truncated into execution“e:\cc.bat”this IIS an error that Does not detect the file name inside the special characters here“"”in. While CreateProcessA this API will dry very Many IIS do not know. If found is an executable file, then loads and executes if not executable then The prefix is the BAT will automatically call the CMD. EXE interpreted. Then behind the pipe character after the command is executed. This point needs to a virtual executable directory, the executable directory is the same disc inside there is a suffix named“. bat” Non-executable in General. EXE file file, does not need to be the real BAT file. This point can break the executable virtual The proposed directory where the disk without system files. As far as this BAT file it would have to rely on luck or try with directory The“autoexec. bat”or some page with a counter, the counter can specify a counter to the file name, not the text Member to automatically establish one.