Nessus already handled the hex encoding (*not* Unicode!)
e.g. instead of "GET /ABC/ ", send "GET /%41%42%43/ "
I added MS's infamous non-standard %u encoding in URL.
"GET /ABC/ " --> "GET /%u0041%u0042%u0043/ "
It seems that we could also send plain UTF-16. If I understand all
this correctly, this would just mean inserting a %00 before every
ASCII character and IIS will happily strip it.
"GET /%00%41%00%42%00%43/ "
I also added it but I'm not sure this would really work against
IIS... Can somebody test? (a colleague broke our favorite NT4 test
machine and did not reinstall it yet. The last Nessus session or
software installation was lethal :)
I suppose I could also add "broken UTF8"...
Reference: http://www.eeye.com/html/Research/Advisories/AD20010705.html
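As an added example (not part of the original post or of Nessus), here is a small canonicalizer from the detection side: it decodes the three request forms the post lists (%XX, %uXXXX, and NUL-prefixed pseudo-UTF-16) back to the plain path, so a signature written against "/ABC/" still matches. The NUL-stripping step mirrors the post's assumption about IIS behaviour and is labelled as such; the sample request lines are constructed.

```python
import re

# Constructed request lines mirroring the encodings discussed in the post.
SAMPLES = {
    "plain":     "GET /ABC/ ",
    "hex":       "GET /%41%42%43/ ",
    "percent_u": "GET /%u0041%u0042%u0043/ ",
    "utf16":     "GET /%00%41%00%42%00%43/ ",
}

# %uXXXX (Microsoft-specific, not in RFC 2396) or standard %XX.
_TOKEN = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def decode_path(raw: str, strip_nul: bool = True) -> str:
    """Decode %XX and %uXXXX escapes; optionally drop NUL characters.

    A decoder that only understands %XX leaves "%u0041" untouched, so a
    pattern matcher working on that output never sees the letter "A".
    """
    def repl(m: re.Match) -> str:
        code = m.group(1) or m.group(2)
        return chr(int(code, 16))

    decoded = _TOKEN.sub(repl, raw)
    if strip_nul:
        # Assumption taken from the post: IIS strips the %00 bytes of
        # "UTF-16" input, so "%00%41" ends up as plain "A".
        decoded = decoded.replace("\x00", "")
    return decoded


def encoding_flags(raw: str) -> set:
    """Report which non-plain encodings appear in a raw request line."""
    flags = set()
    if re.search(r"%u[0-9A-Fa-f]{4}", raw):
        flags.add("percent-u")
    if re.search(r"%00%[0-9A-Fa-f]{2}", raw):
        flags.add("nul-prefixed")
    if re.search(r"%[0-9A-Fa-f]{2}", raw):
        flags.add("percent-hex")
    return flags


def canonical_match(raw: str, pattern: str = "/ABC/") -> bool:
    """Match against the decoded path so every encoding of it is caught."""
    return pattern in decode_path(raw)
```

Matching on the raw line would catch only the "plain" sample; matching after `decode_path` catches all four, and `encoding_flags` tells you which variant was used.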