Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Found Web Sit vulnerabilities, then what?

  1. #1
    Junior Member
    Join Date
    Aug 2004
    Posts
    6

    Found Web Sit vulnerabilities, then what?

    Hello all,

    I have my fist project to evaluate a web site vulnerabilities, so your help is appreciated.

    Ok, so I made a cgi scan, here what I got, and all are open!:

    /iishelp/iis/misc/iirturnh.htw
    /iissamples/exair/search/qfullhit.htw
    /iissamples/exair/search/qsumrhit.htw
    /iissamples/issamples/oop/qfullhit.htw
    /iissamples/issamples/oop/qsumrhit.htw
    /scripts/samples/search/qfullhit.htw
    /scripts/samples/search/qsumrhit.htw
    /null.ida
    /null.idq
    /iisadmin/
    /_vti_bin/shtml.dll/_vti_rpc
    /abczxv.htw
    /_vti_bin/fpcount.exe?Page=default.htm|Image=2|Digits=1
    /msadc/msadcs.dll
    /_vti_bin/shtml.dll/nosuch.htm
    /_vti_bin/shtml.dll HTTP/1.0
    /_vti_bin/shtml.exe HTTP/1.0

    I was happy at first and then not.

    I can go to all ASP in: www.website.com/iisadmin/anything_here.asp

    But I see them as a form, I can't do anything else.

    I even used there: www.website.com/iishelp online while I am working to find vulnerabilities in thier site!!

    I went to www.netcraft.net and found they are on ISS 5.0

    when I go to www.website.com/iishelp

    I found its the documentation of (Internet Information Services 5.0)

    BUT when I go to: www.website.com/iisadmin/iabout.asp

    I found that they are on ISS 4.0!

    Ok, so I brought a server, I went to /iisadmin directory and started to test every ASP there, then tried to test it on my client web site and ALL WORKED.

    I mean http://www.website.com/iisadmin/you_...thing_here.asp

    I said to myself maybe they have updated to IIS 5.0 but still they have /iisadmin of the older version ISS 4.0

    I used netcat and found they are using IIS 5.O
    and also Simple, Secure Web Server 1.1

    and I am thinking of using Achilles Proxy server man-in-the-middle-
    My questions to all you experts are:

    1. Can I gain ROOT from www.website.com/iishelp
    2. Can I gain ROOT from www.website.com/iisadmin
    3. Why published exploit not working on every directory shown in the cgi scanner? but still I can view all including /_vti_bin/, /iisadmin...etc?
    4. I used netcat and found they are using IIS 5.O and also Simple, Secure Web Server 1.1 and I am thinking of using Achilles Proxy server man-in-the-middle-attack, so my question can Achilles help at all here?
    5. In this stage can I do anything at all??!

    (I am in thier IIS admin wizard now at www.website.com/iisadmin/iiwizsec.asp and just staring at the page)!.

    I really appreciate you help since this is my first project.

    Thank you in advance.

  2. #2
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    Jef double posting iis not good. Delet one of your posts mate.

    You will only invite trouble and not get the answere you are looking for.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  3. #3
    Junior Member
    Join Date
    Aug 2004
    Posts
    6

    ok, thank you

    Ok, thank you, someone just did, I think the moderater of the newbeis security questions.

    Thanks

  4. #4
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Duplicate is removed.

    jeff, have you done research into what vulnerabilities exist for those particular areas that you've found? Some places to check include SecurityFocus and the CVE database held by Mitro.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  5. #5
    albn
    Guest
    well, some things are open for others to access and use. The thing is, what do you not want executed or seen is another thing. Thus, you need to check your code for loopholes such as permissions (ie, it is a bad idea to leave an installation folder, the SQL dump, or have certain files where everybody can write and execute).

    Good luck.

  6. #6
    Junior Member
    Join Date
    Aug 2004
    Posts
    6
    MsMittens and albn,

    Really thank you both for your fast responses, I will check now CVE database held by Mitro since I didn't know about this site.

    The thing is everyone is talking about "reaching" the admin side of the server.

    Well, I did from external and found a security hole(s), still I don't know what to do next.

    I thnak you again for a fast relies to me.

  7. #7
    albn
    Guest
    Reaching the admin side of the server is always a concern.

    There are certain things to make it easier to gain access to them:

    1. Bad permissions on files and/or folders

    2. Weak passwords

    3. Security by obscurity is debated, but can slow SOME down, but not by somebody who is determined. Maybe change the admin folder or script to 4dm1n?

    4. Bad code, or known code vuneralbilities. This is a big one, because it is common for overflows, server execution, SQL injections, and other nasties. It is always a good idea to update canned scripts and fix known bugs in your code. Also, updating your server software is always a good idea.

    5. Trust nobody. Assign permissions to the LEAST the user needs to perform a function.

    Hope this helps.

    Oh, and for you Apache junkies out there, IIS is a good server.

  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Don't know what exploits work on this machine as it's kinda dependant on the patchlevel of the beast.

    I do know how to secure it though

    First off: Kill all the samples! Never ever put sample scripts on a production machine!

    Second: Disable the default website and create a new website with the webroot on any other drive, if windows is on C: create your webroot on D:, this will prevent old and future ../ (directory traversal) tricks from ending up in your windows directory.

    Third: Delete all the mappings you don't need; ida, idq, htr etc..

    Forth: Disable the admin site

    Fifth: Patch it all....

    That will atleast give you some protection...
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  9. #9
    Junior Member
    Join Date
    Aug 2004
    Posts
    6
    SirDice,

    Thank you for your help, I will recommend at the end your points.

    I still coudn't understand why I am freezed at this point after lots of work done, I can't go beyond viewing the asp in the iisadmin directory.

  10. #10
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    There are a few exploits I know that used to work but as I said it depends if the machine is patched or not.

    Things to look for:

    unicode exploit (the one Nimba uses)
    extended unicode exploit (a variation on the theme )
    ida exploit (the one Code Red uses)
    IPP exploit (don't know a virus that uses it but I've used remote shell spawners)
    account enumeration, some scripts within the admin site will let you figure out what accounts exist on that machine.

    Maybe MSDE is also installed? SQL SSRP overflow (the one SQL Slammer uses).

    Just to name a few from the top of my head.

    Checkout packetstormsecurity, they have lots of interesting stuff.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •