2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
What is the role of web.config in penetration testing? Many newcomers are not clear about this, so to help solve that problem the editor explains it in detail below; anyone who needs this can learn from it, and I hope you gain something.
Preface
The following mainly introduces the role of the web.config file in penetration testing, that is, what you can do once you are able to upload a web.config. Without further ado, let's get to the topic. First, let's look at what web.config is, quoting Baidu Baike:
The Web.config file is an XML text file that stores the configuration information of an ASP.NET web application, and it can appear in every directory of the application. Changes to the Web.config file at runtime take effect without restarting the service.
Keywords: XML text, .NET configuration, no restart needed. These properties determine its role in penetration testing; let's look at the specific operations.
The experimental environment is:
Windows Server 2008
IIS 7
.NET 3.5
Specific uses
(1) Using web.config for redirect phishing
First, learn what redirection is through an experiment: data stream redirection.
Experiment: data stream redirection (Hetian Network Security Laboratory)
(Data stream redirection is transferring the data that should appear on the screen after a command is executed somewhere else.)
IIS has a feature called URL redirect, which is used for URL redirection. When we are able to upload a web.config, we can use it to conduct phishing attacks. Note that the configuration differs slightly between IIS versions. Taking the IIS 7 in this environment as an example, if we want the target website to jump to Baidu, we only need to write our web.config like this:
The middle part is where we actually implement it, that is, enable the redirect and point it at Baidu; the rest is included by the server by default and is essentially a template. When we visit the target site, we are redirected to Baidu.
IIS 7 and later are slightly more complicated, because from then on there is a URL Rewrite feature, which includes URL redirection, so many developers choose to use it instead. Let's look at what URL Rewrite does. Suppose we define a rule in URL Rewrite that automatically appends a slash (/) to every URL that lacks one, as shown in the following figure:
Then the following is automatically generated in our web.config:
This looks a little hard to understand at first. URL Rewrite is divided into inbound rules and outbound rules, which must be written inside the corresponding elements. Generally we only consider inbound rules. AddTrailingSlashRule1 is the name of the new rule and can be chosen freely. If stopProcessing is set to true, then once the current request matches this rule no further rules are processed. The URL to match is usually written as a regular expression, and the action element tells IIS how to handle requests that match the pattern, using its type attribute. The common types are:
None: no action is taken.
Rewrite: rewrites the request to another URL.
Redirect: redirects the request to another URL.
CustomResponse: returns a custom response to the client.
AbortRequest: drops the HTTP connection for the request.
The redirectType attribute specifies whether the redirect is permanent or temporary. For the rest you can refer to the manual on MSDN, which is very detailed. Having said all this, everyone should now understand how to write a web.config, so here is a URL Rewrite web.config phishing template that you can modify yourself:
Because web.config does not require a service restart, once we can upload a web.config we have achieved our goal. It is also possible that the operations staff have already written some rules of their own, and we do not want to alert the administrator rashly. If we can upload .shtm or .shtml files at this point, we can use the following code to read the contents of web.config,
and then carry out the follow-up operations based on what we read.
(2) Using web.config for XSS
This is an old technique that relies on the name attribute in web.config to construct an XSS; note that IIS 6 and earlier do not support this attack. Suppose the web.config we upload has the following content:
Then an XSS popup appears when we access the file.
(3) Using web.config to run ASP code
This attack method is nothing unusual: because web.config can control the IIS server, we can call the system32\inetsrv\asp.dll file to run arbitrary ASP code, for example as follows:
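All three abuses above (a redirect to a foreign host, HTML in a rule name, and a handler mapping that routes a new extension through asp.dll) can be caught from the defending side by auditing any web.config that turns up in a writable upload directory. The scanner below is an added example, not code from the original article; the sample configuration, the host names and the handler name are constructed placeholders.

```python
# Added example (not from the original article): audit a web.config found in an
# upload directory for redirects to a foreign host, rule names carrying HTML
# metacharacters (the XSS vector) and handler mappings that run asp.dll.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample of a planted web.config; host names and names are placeholders.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="AddTrailingSlashRule1" stopProcessing="true">
          <match url="(.*[^/])$" />
          <action type="Redirect" url="http://phish.example/{R:1}" redirectType="Permanent" />
        </rule>
        <rule name="&lt;script&gt;alert(1)&lt;/script&gt;">
          <match url=".*" />
          <action type="None" />
        </rule>
      </rules>
    </rewrite>
    <handlers>
      <add name="jpg-as-asp" path="*.jpg" verb="*" modules="IsapiModule"
           scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" />
    </handlers>
  </system.webServer>
</configuration>"""

# Script engines that execute server-side code for whatever path they are bound to.
SCRIPT_ENGINES = ("asp.dll", "aspnet_isapi.dll", "php-cgi.exe")

def audit_web_config(xml_text, allowed_hosts=()):
    """Return a list of (severity, message) findings; an empty list means nothing suspicious."""
    findings = []
    root = ET.fromstring(xml_text)
    for rule in root.iter("rule"):
        name = rule.get("name", "")
        if any(ch in name for ch in "<>\"'"):
            findings.append(("high", f"rule name contains HTML metacharacters: {name!r}"))
        for action in rule.iter("action"):
            if action.get("type", "").lower() == "redirect":
                host = urlparse(action.get("url", "")).hostname
                if host and host not in allowed_hosts:
                    findings.append(("high", f"rule {name!r} redirects to external host {host}"))
    for add in root.findall(".//handlers/add"):
        processor = add.get("scriptProcessor", "").lower()
        if processor.endswith(SCRIPT_ENGINES):
            findings.append(("critical", f"handler {add.get('name')!r} maps {add.get('path')} to {processor}"))
    return findings
```

Detection is the fallback; locking these sections in applicationHost.config (overrideModeDefault="Deny") stops a planted web.config from changing them at all.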