作者声明:
1.任何组织和个人不得利用此漏洞进行非法行为,否者产生的一切后果与本人(T5)无关
2.各大站长与个人转载、复制、传阅时请保留此声明,否者引发的一切纠纷由传播者承担
微软的IIS 6.0安装PHP绕过认证漏洞
微软IIS与PHP 6.0
(这是对PHP5中的Windows Server 2003 SP1的测试)
详细说明:
攻击者可以发送一个特殊的请求发送到IIS 6.0服务,成功绕过访问限制
攻击者可以访问有密码保护的文件
例:–>
Example request (path to the file): /admin::$INDEX_ALLOCATION/index.php
(暂时没有翻译,怕影响精确度)
if the:$INDEX_ALLOCATION postfix is appended to directory name.
This can result in accessing administrative files and under special circumstances execute arbirary code remotely
微软IIS 7.5经典的ASP验证绕过
受影响的软件:.NET Framework 4.0(.NET框架2.0是不受影响,其他.NET框架尚未进行测试)(在Windows 7测试)
详细说明:
通过添加 [ ":$i30:$INDEX_ALLOCATION" ] to the directory serving (便可成功绕过)
例:
There is a password protected directory configured that has administrative asp scripts inside An attacker requests the directory with :$i30:$INDEX_ALLOCATION appended to the directory name IIS/7.5 gracefully executes the ASP script without asking for proper credentials
IIS 7.5 NET源代码泄露和身份验证漏洞
(.NET 2.0和.NET 4.0中测试)
例:
–>
http://<victimIIS75>/admin:$i30:$INDEX_ALLOCATION/admin.php
will run the PHP script without asking for proper credentials.(暂时没有翻译)
By appending /.php to an ASPX file (or any other file using the .NET framework that is not blocked through the request filtering rules,like misconfigured: .CS,.VB files) IIS/7.5 responds with the full source code of the file and executes it as PHP code. This means that by using an upload feature it might be possible (under special circumstances) to execute arbitrary PHP code.
Example: Default.aspx/.php
