Found Web Sit vulnerabilities, then what?

Printable View

August 2nd, 2004, 12:42 AM
jeff_listen

Found Web Sit vulnerabilities, then what?

Hello all,

I have my fist project to evaluate a web site vulnerabilities, so your help is appreciated.

Ok, so I made a cgi scan, here what I got, and all are open!:

/iishelp/iis/misc/iirturnh.htw
/iissamples/exair/search/qfullhit.htw
/iissamples/exair/search/qsumrhit.htw
/iissamples/issamples/oop/qfullhit.htw
/iissamples/issamples/oop/qsumrhit.htw
/scripts/samples/search/qfullhit.htw
/scripts/samples/search/qsumrhit.htw
/null.ida
/null.idq
/iisadmin/
/_vti_bin/shtml.dll/_vti_rpc
/abczxv.htw
/_vti_bin/fpcount.exe?Page=default.htm|Image=2|Digits=1
/msadc/msadcs.dll
/_vti_bin/shtml.dll/nosuch.htm
/_vti_bin/shtml.dll HTTP/1.0
/_vti_bin/shtml.exe HTTP/1.0

I was happy at first and then not.

I can go to all ASP in: www.website.com/iisadmin/anything_here.asp

But I see them as a form, I can't do anything else.

I even used there: www.website.com/iishelp online while I am working to find vulnerabilities in thier site!!

I went to www.netcraft.net and found they are on ISS 5.0

when I go to www.website.com/iishelp

I found its the documentation of (Internet Information Services 5.0)

BUT when I go to: www.website.com/iisadmin/iabout.asp

I found that they are on ISS 4.0!

Ok, so I brought a server, I went to /iisadmin directory and started to test every ASP there, then tried to test it on my client web site and ALL WORKED.

I mean http://www.website.com/iisadmin/you_...thing_here.asp

I said to myself maybe they have updated to IIS 5.0 but still they have /iisadmin of the older version ISS 4.0

I used netcat and found they are using IIS 5.O
and also Simple, Secure Web Server 1.1

and I am thinking of using Achilles Proxy server man-in-the-middle-
My questions to all you experts are:

1. Can I gain ROOT from www.website.com/iishelp
2. Can I gain ROOT from www.website.com/iisadmin
3. Why published exploit not working on every directory shown in the cgi scanner? but still I can view all including /_vti_bin/, /iisadmin...etc?
4. I used netcat and found they are using IIS 5.O and also Simple, Secure Web Server 1.1 and I am thinking of using Achilles Proxy server man-in-the-middle-attack, so my question can Achilles help at all here?
5. In this stage can I do anything at all??!

(I am in thier IIS admin wizard now at www.website.com/iisadmin/iiwizsec.asp and just staring at the page)!.

I really appreciate you help since this is my first project.

Thank you in advance.
August 2nd, 2004, 12:47 AM
jinxy

Jef double posting iis not good. Delet one of your posts mate.

You will only invite trouble and not get the answere you are looking for.
August 2nd, 2004, 12:54 AM
jeff_listen

ok, thank you

Ok, thank you, someone just did, I think the moderater of the newbeis security questions.

Thanks
August 2nd, 2004, 12:55 AM
MrLinus

Duplicate is removed.

jeff, have you done research into what vulnerabilities exist for those particular areas that you've found? Some places to check include SecurityFocus and the CVE database held by Mitro.
August 2nd, 2004, 01:14 AM
albn

well, some things are open for others to access and use. The thing is, what do you not want executed or seen is another thing. Thus, you need to check your code for loopholes such as permissions (ie, it is a bad idea to leave an installation folder, the SQL dump, or have certain files where everybody can write and execute).

Good luck.
August 2nd, 2004, 01:22 AM
jeff_listen

MsMittens and albn,

Really thank you both for your fast responses, I will check now CVE database held by Mitro since I didn't know about this site.

The thing is everyone is talking about "reaching" the admin side of the server.

Well, I did from external and found a security hole(s), still I don't know what to do next.

I thnak you again for a fast relies to me.
August 2nd, 2004, 01:29 AM
albn

Reaching the admin side of the server is always a concern.

There are certain things to make it easier to gain access to them:

1. Bad permissions on files and/or folders

2. Weak passwords

3. Security by obscurity is debated, but can slow SOME down, but not by somebody who is determined. Maybe change the admin folder or script to 4dm1n?

4. Bad code, or known code vuneralbilities. This is a big one, because it is common for overflows, server execution, SQL injections, and other nasties. It is always a good idea to update canned scripts and fix known bugs in your code. Also, updating your server software is always a good idea.

5. Trust nobody. Assign permissions to the LEAST the user needs to perform a function.

Hope this helps.

Oh, and for you Apache junkies out there, IIS is a good server. :)
August 2nd, 2004, 12:19 PM
SirDice

Don't know what exploits work on this machine as it's kinda dependant on the patchlevel of the beast.

I do know how to secure it though :D

First off: Kill all the samples! Never ever put sample scripts on a production machine!

Second: Disable the default website and create a new website with the webroot on any other drive, if windows is on C: create your webroot on D:, this will prevent old and future ../ (directory traversal) tricks from ending up in your windows directory.

Third: Delete all the mappings you don't need; ida, idq, htr etc..

Forth: Disable the admin site

Fifth: Patch it all....

That will atleast give you some protection...
August 2nd, 2004, 12:25 PM
jeff_listen

SirDice,

Thank you for your help, I will recommend at the end your points.

I still coudn't understand why I am freezed at this point after lots of work done, I can't go beyond viewing the asp in the iisadmin directory.
August 2nd, 2004, 12:40 PM
SirDice

There are a few exploits I know that used to work but as I said it depends if the machine is patched or not.

Things to look for:

unicode exploit (the one Nimba uses)
extended unicode exploit (a variation on the theme ;) )
ida exploit (the one Code Red uses)
IPP exploit (don't know a virus that uses it but I've used remote shell spawners)
account enumeration, some scripts within the admin site will let you figure out what accounts exist on that machine.

Maybe MSDE is also installed? SQL SSRP overflow (the one SQL Slammer uses).

Just to name a few from the top of my head.

Checkout packetstormsecurity, they have lots of interesting stuff.
August 3rd, 2004, 04:49 AM
mmkhan

Hi all,
jeff: i think results that u got from the server are false positives as u would be sending the request (e.g. http://mymachine/scripts/samples/search/qsumrhit.htw) and u would be getting 200 OK response from the server and u concluded that these vulnerabilities exist in the webserver but may be this is a redirect to any default page and thus got 200 Ok. Possibly these vulnerbilities does not exist on that machine and u r only getting false +ve.

Thanks

Note: If i m wrong at any point plz correct me.