myhack58 佚名 MYHACK58:62201892204
History: Nov 28, 2018 - 12:00 a.m.

A partial summary of middleware vulnerabilities - Vulnerability warnings - Black Bar Security Net (myhack58)

2018-11-28 00:00:00
佚名
www.myhack58.com

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.971 High

EPSS

Percentile

99.7%

![](/Article/UploadPic/2018-11/20181128231052767.png)
I have been a spectator for a long time and found that there has been no good summary article on middleware vulnerabilities. I happen to be studying this recently, so this post summarizes only a portion of the common middleware vulnerabilities for learning reference; the remaining common vulnerabilities will be covered in a follow-up. If there are errors, I ask the experts to correct me.
1. IIS file parsing vulnerability
The IIS file parsing vulnerability exists in two versions: the IIS 6.0 file parsing vulnerability and the IIS 7.5 file parsing vulnerability. The IIS 7.5 vulnerability is similar in principle to IIS 6.0, since both are logic flaws, so only the IIS 6.0 file parsing vulnerability is analysed here. The differences of the IIS 7.5 file parsing vulnerability are described in the supplement.
(1) Vulnerability principle
When IIS 6.0 processes a path containing special characters, a logic error occurs: files inside a directory named test.asp are executed as ASP, and a file with the suffix .asp;.jpg is executed as an ASP file. This is the file parsing vulnerability.
(2) Vulnerability demonstration and exploitation
When the website's upload point restricts extensions and IIS is paired with ASP, the file parsing vulnerability can be used by uploading a file named test.asp;.jpg, which bypasses the restriction and is executed. See Figure 1.1.
![](/Article/UploadPic/2018-11/20181128231052271.png)
Figure 1.1
When creating new directories is allowed and directory names are not restricted, the parsing vulnerability can be used by creating a folder named test.asp and placing the file to be executed (iisstart.jpg) inside it, which bypasses the restriction. See Figure 1.2.
![](/Article/UploadPic/2018-11/20181128231052184.png)
Figure 1.2

(3) Fixes
1. Filter new directory names and do not allow folders whose names contain "."; or even prohibit creating new directories altogether.
2. Restrict execute permission on uploaded files so they cannot be run.
3. Filter .asp/xm.jpg and similar names by adding filtering rules in httpd.ini. This solution comes from the internet, but I could not find that file on Server 2003.
4. Upgrade the IIS version.
(4) Supplement
The IIS 6.0 parsing vulnerability also exists in IIS 5.x, and the attack method of the IIS 7.5 malformed parsing vulnerability also applies to IIS 7.0 and Nginx.
The IIS 7.5 file parsing vulnerability arises because, whenever the URL contains the suffix .php, the request is handed to PHP regardless of whether the file exists, and PHP has "cgi.fix_pathinfo" enabled by default: the file path is checked from back to front for existence, components that do not exist are dropped, and the first component that does exist is executed as a PHP file.
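As a defender-side counterpart to the fixes above, the following added example (not code from the article) implements a request-path filter that recognises the three parsing tricks this section describes: the IIS 6.0 ";" truncation, the IIS 6.0 ".asp" directory, and the IIS 7.x/Nginx cgi.fix_pathinfo path. The extension sets and the sample log lines are constructed assumptions.

```python
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Extensions the server would execute; .asp/.php come from the article, any
# other handler-mapped extensions of a real deployment should be added here.
SCRIPT_EXTS = {".asp", ".php"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}


def _ext(segment: str) -> str:
    return posixpath.splitext(segment)[1].lower()


def classify_request_path(path: str) -> Optional[str]:
    """Name the parsing trick a request path relies on, or None if clean."""
    segments = [s for s in unquote(path).split("/") if s]  # decode %3B etc.
    if not segments:
        return None
    dirs, leaf = segments[:-1], segments[-1]
    # IIS 6.0: "test.asp;.jpg" is truncated at ';' and run as test.asp
    if ";" in leaf and _ext(leaf.split(";", 1)[0]) in SCRIPT_EXTS:
        return "semicolon-truncation"
    # IIS 6.0: any file below a "test.asp" directory is executed as ASP
    if any(_ext(d) in SCRIPT_EXTS for d in dirs):
        return "script-directory"
    # IIS 7.x / Nginx with cgi.fix_pathinfo: /pic.jpg/x.php runs pic.jpg as PHP
    if _ext(leaf) == ".php" and any(_ext(d) in IMAGE_EXTS for d in dirs):
        return "php-pathinfo"
    return None


# Constructed access-log lines (method, path, status) for illustration only.
SAMPLE_LOG = """\
GET /upload/avatar.jpg 200
GET /upload/test.asp;.jpg 200
GET /test.asp/iisstart.jpg 200
GET /upload/pic.jpg/x.php 200
GET /upload/test.asp%3B.jpg 200
"""


def flag_log(log: str) -> List[Tuple[str, str]]:
    """Return (path, reason) for every log line that uses one of the tricks."""
    hits = []
    for line in log.splitlines():
        _method, path, _status = line.split()
        reason = classify_request_path(path)
        if reason:
            hits.append((path, reason))
    return hits
```

The same check applied at upload time (to the stored name and to any directory the user may create) closes the hole before a request ever reaches the parser.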

2. IIS command execution vulnerability
The IIS 6.0 command execution vulnerability is CVE-2017-7269: when the WebDAV service is enabled, a remote code execution vulnerability may exist.
(1) Vulnerability principle
When IIS 6.0 processes a PROPFIND request, the length of the URL is not effectively checked, so the memcpy performed while configuring the virtual path triggers a stack overflow; this vulnerability can lead to remote code execution. See Figure 2.1.
![](/Article/UploadPic/2018-11/20181128231052174.png)
Figure 2.1
(2) Vulnerability demonstration and exploitation
An open-source exploit is available on GitHub: https://github.com/edwardz246003/IIS_exploit
Modify the IP address in it to the corresponding target address, as shown in Figure 2.2.
![](/Article/UploadPic/2018-11/20181128231052963.png)
Figure 2.2
Run the script to attack the target machine. See Figure 2.3.
![](/Article/UploadPic/2018-11/20181128231053587.png)
Figure 2.3

(3) Fixes
In IIS Manager, under Web Service Extensions, disable WebDAV to fix it. After the fix, running the script again produces no pop-up. See Figure 2.4.
![](/Article/UploadPic/2018-11/20181128231053940.png)
Figure 2.4
(4) Supplement
If the calculator (calc) pops up and the permissions are sufficient, the whole getshell process can be completed.
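Disabling WebDAV is the fix; where IIS 6.0 with WebDAV cannot be turned off immediately, the following added example (not code from the article or the linked exploit) shows a pre-filter for a proxy or log review that flags PROPFIND requests carrying an oversized URL or If: header, the two request fields that IIS maps to a storage path in the code this section describes. The 1024-byte threshold and the sample requests are constructed assumptions.

```python
from typing import Dict, Optional, Tuple

# Assumption: legitimate WebDAV resource paths are far shorter than this.
MAX_RESOURCE_LEN = 1024


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP request head into (method, url, lower-cased headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, url, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, url, headers


def suspicious_propfind(raw: str) -> Optional[str]:
    """Return a reason when a PROPFIND carries an oversized path, else None."""
    method, url, headers = parse_request(raw)
    if method.upper() != "PROPFIND":
        return None
    if len(url) > MAX_RESOURCE_LEN:
        return "oversized-url"
    # The If: header lists <resource> URLs that IIS also turns into paths.
    if len(headers.get("if", "")) > MAX_RESOURCE_LEN:
        return "oversized-if-header"
    return None


# Constructed requests for illustration; the IP is the article's lab address.
BENIGN = ("PROPFIND /dav/ HTTP/1.1\r\nHost: 10.10.10.132\r\n"
          "Depth: 1\r\nContent-Length: 0\r\n\r\n")
LONG_URL = "PROPFIND /" + "A" * 2000 + " HTTP/1.1\r\nHost: 10.10.10.132\r\n\r\n"
LONG_IF = ("PROPFIND / HTTP/1.1\r\nHost: 10.10.10.132\r\n"
           "If: <http://10.10.10.132/" + "A" * 2000 + ">\r\n\r\n")
NOT_DAV = "GET /" + "A" * 2000 + " HTTP/1.1\r\nHost: 10.10.10.132\r\n\r\n"
```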

3. IIS short file name
The IIS short file name vulnerability: through IIS's short file name mechanism, short file names can be brute-forced to guess back-end addresses and sensitive files, and even to download the corresponding file directly. It is limited, however: only the first 6 characters of the long file name and the first 3 characters of the extension can be guessed, and both IIS and .NET must be present.
(1) Vulnerability principle
It exploits the short file name mechanism of IIS, that is, compatibility with 16-bit MS-DOS programs: for files and folders with long names (longer than 9 characters once the extension is counted), Windows generates a corresponding Windows 8.3 short file name. This vulnerability can be used to guess back-end addresses, sensitive files and so on. See Figure 3.1.
![](/Article/UploadPic/2018-11/20181128231053697.png)
Figure 3.1
(2) Vulnerability demonstration and exploitation
On a Windows Server 2003 virtual machine, create two comparison folders, 12345678 and 123456789, and a comparison file aaaaaa.asp under the c:/Inetpub/wwwroot directory. On the host, open the following URLs against the virtual machine's IP:
Try 10.10.10.132/122~1**/a.asp and 10.10.10.132/123~1/a.asp; they give different results, as shown in Figure 3.2 and Figure 3.3.
![](/Article/UploadPic/2018-11/20181128231053148.png)
Figure 3.2
![](/Article/UploadPic/2018-11/20181128231053198.png)
Figure 3.3
From the two figures above we can see that, based on the different return results, the short file name can be guessed one character at a time.
Then try 10.10.10.132/aaaaaa~1/a.asp (guessing with no suffix; the normal return for a folder) and 10.10.10.132/aaaaaa~1/a.asp (guessing for a file). See Figure 3.4 and Figure 3.5.
![](/Article/UploadPic/2018-11/20181128231053399.png)
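The 8.3 generation that this mechanism relies on, as an added example that is not from the article: it computes the tilde aliases Windows assigns to the names in one directory (the documented 6-character prefix plus ~N scheme; Windows switches to a hashed prefix after several collisions, which this simplified version does not model), so a defender can audit which entries in a web root are exposed to this guessing. The web-root listing is constructed except for the article's own 12345678, 123456789 and aaaaaa.asp.

```python
from collections import defaultdict
from typing import Dict, Iterable, Optional, Tuple

# Characters legal in long names but not in 8.3 names.
ILLEGAL = set(" +,;=[]")


def _split(name: str) -> Tuple[str, str]:
    base, dot, ext = name.rpartition(".")
    return (name, "") if not dot else (base, ext)


def needs_short_name(name: str) -> bool:
    """True when Windows must generate a tilde name for this long name."""
    base, ext = _split(name)
    return (len(base) > 8 or len(ext) > 3 or "." in base
            or any(c in ILLEGAL for c in name))


def short_names(names: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each name in one directory to its 8.3 alias (None if it fits)."""
    counters: Dict[Tuple[str, str], int] = defaultdict(int)  # last ~N used
    result: Dict[str, Optional[str]] = {}
    for name in names:
        if not needs_short_name(name):
            result[name] = None
            continue
        base, ext = _split(name)
        # Drop illegal characters and inner dots, upper-case, keep 6 + 3.
        prefix = "".join(c for c in base if c not in ILLEGAL and c != ".").upper()[:6]
        ext = "".join(c for c in ext if c not in ILLEGAL).upper()[:3]
        counters[(prefix, ext)] += 1
        alias = f"{prefix}~{counters[(prefix, ext)]}"
        result[name] = alias + (f".{ext}" if ext else "")
    return result


# Constructed web-root listing; the first two folders and aaaaaa.asp are the
# article's own test names.
WEBROOT = ["12345678", "123456789", "1234567890", "aaaaaa.asp",
           "admin_login.aspx", "web.config", "backup 2018.zip"]
```

Names that already fit 8.3, such as 12345678 and aaaaaa.asp, receive no tilde alias, so only the longer entries (and, notably, web.config as WEB~1.CON) are what the enumeration can reveal.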

