asp. net virtual host path disclosure issue-vulnerability warning-the black bar safety net

2009-12-14T00:00:00
ID MYHACK58:62200925608
Type myhack58
Reporter 佚名
Modified 2009-12-14T00:00:00

Description

Learn asp. net when found,asp. net the site asp. net code for temporary compilation(I so understood,could such an argument not a pair)put in the WINDOWS\Microsoft. NET\Framework\v1. 1. 4 3 2 2\Temporary ASP.NET Files (if you are using 2. 0 of the frameworks,then it is the WINDOWS\Microsoft. NET\Framework \v2. 0. 5 0 7 2 7\Temporary ASP.NET Files),which caused a problem:if the host is a virtual host,the virtual host all using the asp. net site path information will be leaked!

First with VS2005 just create a website,write a hello world like in the aspx file,the execution bit,then just said the directory,find the website1(assuming your new site is website1),and then into the two layer directory,you can see the suffix. cs or. xml file,use Notepad to open,you can find compiled information:

pragma checksum "E:\Liswa\WebSites\WebSite1\App_Code\db_class.cs" "{406ea660-64cf-4c82-b6f0-42d48172a799}" "A233AE738DF284277D8E2E285EEE4D93"

Then you've leaked the file from E:\liswa\website1.

For pure asp virtual host to say,the leak path may cause less of a problem,because each site can be used independent of the user starts,so between the various sites is not the exchange of visits,but asp. net host because the site directory should have the network services permissions,and asp. net application is using this user to perform,and therefore the Inter-site cannot do to each other isolated. (I configured the asp. net virtual host for asp. net permissions have been relatively confused,do not know these complex relationships should be how to do the best,but according to the online articles means,asp. net virtual host mostly there is a problem,can not be inter-site effective isolation). Because as long as you know the other site of the true path,asp. net Trojan can access to another site.

In the actual test,found this problem does exist,in a virtual host on our article mentioned at the beginning of the directory,you can see almost all the sites there is a separate directory. (There are no separate directory,but in root directory sequentially follow,as can be found in the relative Directory sites. For an intruder,a possible approach is to give a site the asp. net of the webshell,and if support asp,then upload a sea of Trojans,the use of marine Trojan search file function,to search the target site for the file name. For example, on the target site there is one called liswa. aspx file, then you can search the liswa,in order to find the file corresponding to the compiled files where the path(of course you can also the directory one by one in turn,but can tell you,if the virtual host on the site more,then you need to pick up the garbage personnel as careful it may be found in the corresponding directory),and then casually find a name suffix. cs or. xml,open it,you can get the target site of the true path. Then in the webshell in the input to get the true path,then the target site's permission is obtained.

Since for asp. net the permission demand is also not very clear,temporarily can not think of effective solutions,can only pray to God to reduce the virtual host on the site of the vulnerability.