IIS 5.1 allows for remote viewing of source code..

最新推荐文章于 2024-09-23 15:56:09 发布
最新推荐文章于 2024-09-23 15:56:09 发布
阅读量1.8k 收藏
点赞数
分类专栏: Fun&TipS New Skill 文章标签: iis windows server internet header processing
Submitted by zwell on Sun, 2006-04-02 17:52.

Origin: http://www.fr33d0m.net/content-2947.html 

It is possible to remotely view the source code of web script files though a specially crafted WebDAV HTTP request. Only IIS 5.1 seems to be vulnerable. The web script file must be on a FAT or a FAT32 volume, web scripts located on NTFS volumes are not vulnerable.

Confirmed vulnerable
-Mcft® Internet Information Server® V5.1:
a. Mcft® windows® XP Pro. with SP2(English)
b. Mcft® windows® XP Pro. with SP2(Norwegian)
c. Mcft® windows® XP Pro. with SP1(Swedish)

Confimed not vulnerable
-Mcft® Internet Information Server® V5.0:
a. Mcft® windows® 2000 Server with SP4(English)
-Mcft® Internet Information Server® V6.0:
a. Mcft® windows® 2003 Standard(English)

Vendor status
Notified

Solution
Don't use FAT or FAT32 with IIS 5.1

Techical description
WebDAV allows for retrieving streams using the "Translate: f" HTTP header, the processing of this header has logic built into it so that web script files are not processed, this logic can be avoided by using Unicode characters instead in one of the letters of the file.The file must be on a FAT or FAT32 volume to be viewed, a NTFS volume will return a"Forbidden" HTTP response instead.

Proof of Concept:
I have used the server "www.server.net" here, replace with your own server name.
1. Format a volume as FAT or FAT32, or use an existing one
2. Create a folder called "www"
3. Add a new ASP file called "test.asp" in "www"
4. Add this code line "<%=Response.write("Hello World"%>" in "test.asp"
5. Create a new virtual folder in IIS 5.1 and map it agains the folder you made in step 2
6. Open a browser and navigate to "http://www.server.net/www/test.asp" and confirm
that the text "Hello world" is returned and not the script code.
7. Open a MSDOS console
8. Type "telnet www.server.net 80" and hit ENTER
9. Paste the following text block or type it manually:
GET /www/test.as%CF%80 HTTP/1.1
Translate: f
Host: www.server.net
Connection: Close
10. Hit ENTER twize to signal end of HTTP request
11. You should see "<%=Response.write("Hello World"%>" beeing returned

Thanks,

freexploit
关注
专栏目录
[转贴]Ultimate List of Free Windows Software from Microsoft
weixin_33758863的博客
01-08 589
[原文连接]http://bhandler.spaces.live.com/blog/cns!70F64BC910C9F7F3!1231.entry Ultimate List of Free Windows Software from Microsoft Microsoft has over 150 FREE Windows Programs available for download...
【资源大全】.NET资源大全中文版(Awesome最新版)
weixin_33738555的博客
03-03 1736
算法与数据结构(Algorithms and Data structures) 应用程序接口(API) 应用程序框架(Application Frameworks) 模板引擎(Application Templates) 人工智能(Artificial Intelligence) 程序集与装配件(Assembly Manipulation) 资源(Assets) 验证与授权(...
DotNet 资源大全中文版(Awesome最新版)
学习笔记
03-16 5836
Awesome系列的.Net资源整理。awesome-dotnet是由quozd发起和维护。内容包括:编译器、压缩、应用框架、应用模板、加密、数据库、反编译、IDE、日志、风格指南等。 算法与数据结构(Algorithms and Data structures) Algorithmia - Algorithm and data-structure library for .NET 3.5
Awesome .NET!
mysouling的专栏
05-26 2287
Awesome .NET!    A collection of awesome .NET libraries, tools, frameworks, and software. Inspired by awesome-ruby, awesome-php, awesome-python, frontend-dev-bookmarks and ruby-bookmarks.
Slimming Down Windows XP: The Complete Guide 【 10章完整版 】
热门推荐
FreeXploiT
09-03 3万+
  网上有一个汉化好的 压榨XP手册 是基于他的汉化版 现在我贴出的是英文原版你还可以向作者捐献15$以便获得一个自动优化XP的脚本原文:http://www.bold-fortune.com/forums/index.php?showforum=13Thanks go out to Fred Langa for his acknowledgment of Slimming Down
REST论文原文
weixin_30552811的博客
06-23 362
CHAPTER 5 Representational State Transfer (REST) This chapter introduces and elaborates the Representational State Transfer (REST) architectural style for distributed hypermedia systems, describi...
REST Representational State Transfer (REST)
rocLv的专栏
12-08 1212
Representational State Transfer (REST) 原文位置:http://www.ics.uci.edu/~fielding/pubs/dissertation/rest_arch_style.htm This chapter introduces and elaborates the Representational State Transfer (REST) a
Representational State Transfer (REST)
luoshenFU的专栏
07-12 853
<br />This chapter introduces and elaborates the Representational State Transfer (REST) architectural style for distributed hypermedia systems, describing the software engineering principles guiding REST and the interaction constraints chosen to retain tho
Understanding CGI with C#
weixin_30606669的博客
10-29 358
http://www.codeproject.com/csharp/cgi_csharp.asp email address. Download source files - 7.87 Kb Download demo project - 10.5 Kb Contents Introduction Why you might want ...
uue_sourcecode_uudecode_uue_uuencode_
10-02
UUEncode allows to convert any file into a text stream enabling to pass an executable or compressed file by File-Type filters.Includes C code for both encoder and decoder.
NativeExcel 3.1.0.D4-XE10.2 Full Source
10-18
NativeExcel v3.x is a high-performance solution for Delphi Developers that allows writing of new Excel spreadsheets and reading of existing ones. This upload contails NativeExcel v3.1 incl. Full ...
HBase source code. Cell
为这个世界贡献几行代码 ~woo hoo!
01-24 2313
一个学期过去, 看了不少HBase的source code. 趁假期稍作总结, 加深理解. 看得source code版本是0.98.9 stable version中最新的了. (其实已经有0.99了, 估计还在测试...题外话, 实验室学长很厉害, 修了HBase的一个bug, 下个version的contributors应该有他, 羡慕!! 向他学习! 不会贴代码. 有
python value out of range_ValueError:day超出了月python的范围(ValueError: day is out of range for month pyth...
weixin_39694838的博客
12-22 2289
ValueError:day超出了月python的范围(ValueError: day is out of range for month python)我正在编写代码,让用户可以记下他们所拥有的日期和时间。 它包括它开始的日期,开始时间和结束时间。 它还允许用户指定他们是否希望它延续到多个星期(例如每个星期一,一个月)我使用for循环来执行此操作,并且由于不同的月份有不同的日子我显然想要(如果例...
Linux下root用户共享conda环境给其他用户
JJ-Li的博客
09-17 400
然后在newuser下查看conda环境列表,也可以看到root下的环境了。然后我们需要给新用户添加conda环境变量,并且初始化。在root下先给环境添文件夹加普通用户的权限。比如我的root用户的base环境。首先可以先用命令查看环境存储位置。接下来新建一个用户,设置密码。下面是完整操作流程图。
java 递归读取前10个匹配的文件所在的全路径
高山仰止,景行行止
09-18 223
有个需求:在连接ftp成功后,读取指定目录下匹配正则表达式的前10个文件。很显然这个需要使用递归,因为会有不同层级的文件目录,不能写死来处理。
Java-数据结构-二叉树-习题(三)  ̄へ ̄
2303_80388948的博客
09-17 1112
OK,我们的这个关于我们的二叉树的习题三但这里就结束了,同时到这里呢,我们的数据结构 ——二叉树 也就结束了,之后呢我们进入到新的章节了,欲知后事如何,且听下回分说拜拜啦~~~我们下篇博客再见。
python自学笔记
最新发布
weixin_45814538的博客
09-23 1574
首字母大写: name.title()删除右边空格(暂时):name.rstrip()删除左边空格(暂时):name.lstrip()删除前缀(暂时):name.removeprefix()在列表末尾处添加:list.append('1')在任意位置进行插入元素:list.insert(0,'A')删除元素(永久):del list[0]删除尾端元素并将其弹出(也可根据下标进行删除):last = list.pop()根据列表中的值删除元素:list.remove('A')
C++11新增特性:lambda表达式、function包装器、bind绑定
Zhenyu_Coder的博客
09-17 1642
在c++98中,我们使用sort对一段自定义类型进行排序的时候,每次都需要传一个仿函数,即手写一个完整的类。甚至有时需要同时实现排升序和降序,就需要各自手写一个类,非常不方便!所以C++11引入了lambda表达式!lamaba是一个匿名函数对象,是一个可调用对象,表达式本质上也是一个类(vs中类名为lambda_),并实现了operator()。
翻译 java.sql.SQLException: HXTT Access Version 5.1 For Evaluation Purpose allows executing not more than 50 queries once
07-11
在你提供的异常信息中,"HXTT Access Version 5.1 For Evaluation Purpose allows executing not more than 50 queries once" 是异常的具体消息。 这个异常消息的意思是:"HXTT Access Version 5.1 For Evaluation ...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值