Shulou(Shulou.com)06/01 Report--

This article mainly shows you "IIS short file name vulnerability example analysis", the content is simple and easy to understand, organized clearly, I hope to help you solve doubts, let Xiaobian lead you to study and learn "IIS short file name vulnerability example analysis" this article bar.

I. Vulnerability Description

The vulnerability is actually caused by the tilde (~) in HTTP requests for the old DOS 8.3 naming convention (SFN). It allows remote attackers to expose file and folder names (which should not be accessible) under the Web root directory. An attacker could locate critical files that are not normally directly accessible from the outside and gain information about the application infrastructure.

II. Principle of loopholes

IIS short file name mechanism, you can brute force guess short file name, access to a short file name that exists in the structure, will return 404, access to a short file name that does not exist in the structure, return 400.

Causes of vulnerability:

To be compatible with 16-bit MS-DOS programs,Windows generates corresponding Windows 8.3 short filenames for files (and folders) with longer filenames.

To see the corresponding short file name under Windows, use dir /x

Short file name characteristics:

1. Only the first 6 characters are displayed, and the subsequent characters are replaced by ~1. The number 1 can be incremented. If there is a file with a similar file name, the first 6 characters are the same, and the following numbers are incremented.

2. Suffix names can be up to 3 digits long. Anything longer than 3 digits will result in a short filename, and the extra suffix will be truncated.

3. All lowercase letters are converted to capital letters

4. Long file names contain multiple ". "The time to file the last one". "Suffix as a short filename

5. Long file name prefix/folder name character length conforms to the range of 0-9 and A-Z, a-z and needs to be greater than or equal to 9 digits to generate short file name. If it contains spaces or other special characters, short file will be generated regardless of length.

Third, vulnerability environment building and vulnerability recurrence

1. The test environment is Windows Server 2003 R2, and the webdav service and net service are enabled.

2. Use payload to verify whether the target has IIS short filename vulnerability. The 404 shown in the figure below indicates that the target has this short filename.

Payload: http://192.168.10.130 /*~1*/a.aspx

http://192.168.10.130/ttt*~1*/a.aspx

Note:* can match n characters,n can be 0

3. The browser accesses a short file name that does not exist and returns "Bad Request(400)", indicating that the short file name does not exist in the target.

4. Access the above two payloads through a browser. According to the returned results, it can be explained that the target has an IIS short file vulnerability.

5. After judging that the vulnerability exists, the next manual detailed analysis guesses the IIS short file name principle

5.1 Create an abcdef123456.txt file in the root directory of the website (C:\Inetpub\wwwroot)

5.2, browser respectively visit http://192.168.10.130/a <$<$<$$><$/a. aspx, http://192.168.10.130/b*~1*/a.aspx

5.3 From the above two pictures, you can see that there is a short file name starting with a

5.4 According to the above method, guess in turn to get http://192.168.10.130/abcdef <$<$/a. aspx. At this point, you have guessed the short file name. At this step, you need to consider two cases. Is it a folder or a file that starts with abcdef?

If abcdef starts with a folder, then the browser visits http://192.168.10.130/abcdef $><$<$<$<$1/a. aspx and returns 404. If abcdef starts with a file, you need to guess the suffix.

5.5. The browser accesses http://192.168.10.130/abcdef <$<$$><$1/a. aspx. According to the following figure, the returned result shows that what starts with abcdef is not a folder, but a file.

5.6. The browser accesses http://192.168.10.130/abcdef <$<$1.a <$/a. aspx, and returns the explanation that the first digit of the suffix of this short file is not a according to the following figure.

5.7 Replace the position of the above a with the 26 letters of a-z in turn. When replaced with t, return to the 404 page, indicating that the first suffix of the short file is t.

5.8 According to the above method, guess the suffix of the short file name is txt

5.9 So far, I have guessed that the short file name is abcdef~1.txt

6. According to the short file name abcdef~1.txt that has been guessed, continue to guess that the full file name of the short file name is abcdef123456.txt

7. Use IIS short file name scanning software to obtain which short file names exist in the target.

IV. Vulnerability Defense

1. Upgrade the. net framework

2. Modify the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem

Change NtfsDisable8dot3NameCreation to 1. After the modification is complete, you need to restart the system to take effect.

Note: This method can only prohibit the creation of NTFS 8.3 format file names. Short file names of existing files cannot be removed and need to be copied again to disappear. Short filenames that already exist are ones that won't disappear unless they are copied again.

2.1 After restarting your system, create h.txt in the site root directory (C:\Inetpub\wwwroot) and see if short file names are generated. As you can see in the figure below, no short file name is generated, indicating that the defense is in effect.

2.2 Copy the file under wwwroot directory to another back file, and then delete all the contents under the original wwwroot directory, and then copy the contents under back to wwwroot directory again. At this time, check again, then there is no short file name.

V. Summary

Meaning of the vulnerability:

1. Guess the background address

2, guess sensitive files, such as backup rar, zip,.bak,.sql files, etc.

3. In some cases, it is even possible to download the corresponding file directly through the short filename web.

Limitations of the vulnerability:

1, can only guess the first six digits, and the first three digits of the extension.

2, the name of the short file is no corresponding short file name.

3. Chinese file names are not supported

4. If the first 6 digits of the file name have spaces, the short file name in 8.3 format will be added, and the real file name does not match.

Both IIS and. net conditions are required.

The above is "IIS short file name vulnerability sample analysis" all the content of this article, thank you for reading! I believe that everyone has a certain understanding, hope to share the content to help everyone, if you still want to learn more knowledge, welcome to pay attention to the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.