(Ok, it's an old bug but since a lot of non-geeks seem to hate updating their IIS, there still are plenty of valid targets for this exploit.)
-- SCRIPT KIDDIE COMPATIBLE EXPLOIT ATTACHED --
The attached file IISexploere.php is my "SCRIPT KIDDIE COMPATIBLE" exploit for the double urldecoding bug in IIS. (It's a modified version of PHPexplorer, also written by yours truly ;)
-- HOW TO INSTALL --
Simply put all the icons in the RAR file and the file IISexplorer.php on your PHP enabled webserver. The icons should go into the /icons2/ directory, the IISexplorer.php file can be put anywere.
-- HOW TO USE --
Browse to http://your-server/path/IISexplorer.php?host=[ip of vulnerable target] and you can browse the target system using an explorer style interface.
Please remember, this is version 0.1 beta! So don't expect it to handle errors well.
-- WHERE TO FIND TARGETS TO EXPLORE --
Scan your webserver's logfiles for "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" to get a list of vulnerable IIS's that have been infected with a worm that propagates through this vulnerability.
-- NOTES --
The left frame takes some time to load, since it requires 1 http request for each directory in the list. Make sure to have a decent connection to the internet because this migth use quite some bandwidth ;)
-- FUTURE VERSIONS --
I'm probably not gonna invest more time, since it works. Maybe I'm gonna put in a upload/download facility but that would make stuff a bit too easy for them 14 year olds, wouldn't it ?
-- YOURS TRULY --
Berend-Jan Wever aka SkyLined
http:/spoor12.edup.tudelft.nl
.
-- SCRIPT KIDDIE COMPATIBLE EXPLOIT ATTACHED --
The attached file IISexploere.php is my "SCRIPT KIDDIE COMPATIBLE" exploit for the double urldecoding bug in IIS. (It's a modified version of PHPexplorer, also written by yours truly ;)
-- HOW TO INSTALL --
Simply put all the icons in the RAR file and the file IISexplorer.php on your PHP enabled webserver. The icons should go into the /icons2/ directory, the IISexplorer.php file can be put anywere.
-- HOW TO USE --
Browse to http://your-server/path/IISexplorer.php?host=[ip of vulnerable target] and you can browse the target system using an explorer style interface.
Please remember, this is version 0.1 beta! So don't expect it to handle errors well.
-- WHERE TO FIND TARGETS TO EXPLORE --
Scan your webserver's logfiles for "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" to get a list of vulnerable IIS's that have been infected with a worm that propagates through this vulnerability.
-- NOTES --
The left frame takes some time to load, since it requires 1 http request for each directory in the list. Make sure to have a decent connection to the internet because this migth use quite some bandwidth ;)
-- FUTURE VERSIONS --
I'm probably not gonna invest more time, since it works. Maybe I'm gonna put in a upload/download facility but that would make stuff a bit too easy for them 14 year olds, wouldn't it ?
-- YOURS TRULY --
Berend-Jan Wever aka SkyLined
http:/spoor12.edup.tudelft.nl
.