IIS file parsing vulnerability
IIS 6.0 has two well-known flaws in the way it decides which handler a requested file is passed to.
1. Directory names: if a folder is named *.asp or *.asa, IIS hands every file inside that folder to the ASP engine, whatever the file's own extension is.
For example, create a folder test.asp and inside it a text file 1.txt whose content is a one-line webshell (the "one-sentence Trojan" of Chinese write-ups). Normally IIS serves a .txt file as static text and displays its content unchanged, but inside the test.asp folder the same file is executed as an ASP script.
Requesting /test.asp/1.txt therefore runs the webshell instead of displaying it.
2. Semicolon in the file name: a file named test.asp;1.jpg is also executed as ASP, because IIS 6.0 truncates the name at the ';' when it chooses the handler and sees only test.asp. The trailing .jpg is enough to get past an upload filter that only checks the last extension.
For example, upload a file named test.asp;1.jpg whose content is the one-line webshell.
Requesting /test.asp;1.jpg runs the webshell, exactly as /test.asp would.
Both flaws have been known for a long time, and Microsoft never shipped a patch for IIS 6.0 (which, together with Windows Server 2003, is now out of support); a great many sites have been compromised through them. The defence therefore has to be on the application side: never let a user choose a folder name or the final file name, whitelist allowed extensions rather than blacklisting script ones, reject any name containing ';', and set the upload directory's execute permission to "None" in the IIS console so that nothing under it can be run as a script.
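Both rules above can be turned into a server-side check. The following is an added example, not code from the original article: it assumes IIS 6.0 maps .asp and .asa to asp.dll, as described above (the set is a parameter because script maps are configured per site), and it pairs the detector with a name sanitiser that an upload handler would apply before writing anything to disk. The sample paths are constructed.

```python
"""Check whether a request path would be handed to the ASP engine by IIS 6.0.

Added example, not code from the original article. It assumes the server
maps .asp and .asa to asp.dll as the article states; the set is a parameter
because script maps are configured per site.
"""
import posixpath
import re
from urllib.parse import unquote

ASP_EXTENSIONS = frozenset({".asp", ".asa"})  # extensions the article says IIS 6.0 treats as ASP


def _ext(segment):
    """Lower-cased extension (including the dot) of one path segment, or ''."""
    dot = segment.rfind(".")
    return segment[dot:].lower() if dot != -1 else ""


def iis6_asp_risk(request_path, asp_exts=ASP_EXTENSIONS):
    """Return a reason string if IIS 6.0 would execute request_path as ASP, else None.

    Applies the two rules from the article:
      1. a directory segment named *.asp / *.asa makes every file under it ASP;
      2. a file name of the form name.asp;anything is truncated at ';' and run as
         ASP no matter what extension follows the semicolon.
    The check is deliberately conservative: a plain trailing ASP extension is flagged too.
    """
    path = unquote(request_path.split("?", 1)[0])      # decode %3B etc., drop the query string
    path = path.replace("\\", "/")                      # IIS accepts both separators
    path = posixpath.normpath("/" + path.lstrip("/"))   # collapse ./ and ../ segments
    segments = [s for s in path.split("/") if s]
    if not segments:
        return None
    *dirs, leaf = segments
    for d in dirs:
        if _ext(d) in asp_exts:
            return f"directory {d!r} is parsed as ASP, so {leaf!r} is executed"
    if ";" in leaf:
        head = leaf.split(";", 1)[0]                    # IIS 6.0 truncates the name here
        if _ext(head) in asp_exts:
            return f"{leaf!r} is truncated at ';' to {head!r} and executed as ASP"
    if _ext(leaf) in asp_exts:
        return f"{leaf!r} has an ASP extension"
    return None


_UNSAFE = re.compile(r"[^A-Za-z0-9_-]")


def safe_upload_name(original_name, allowed_exts=frozenset({".jpg", ".png", ".txt"})):
    """Build the on-disk name for an upload: whitelist the extension and keep only
    a sanitised stem, so neither ';' nor a path separator nor a second '.' survives."""
    leaf = original_name.replace("\\", "/").rsplit("/", 1)[-1]
    ext = _ext(leaf)
    if ext not in allowed_exts:
        raise ValueError(f"extension {ext!r} is not allowed")
    stem = _UNSAFE.sub("_", leaf[: -len(ext)])[:64] or "upload"
    return stem + ext


if __name__ == "__main__":
    # constructed sample paths
    for p in ("/test.asp/1.txt", "/test.asp;1.jpg", "/test.asp%3B1.jpg",
              "/uploads/photo.jpg", "/test.asp/../photo.jpg"):
        print(p, "->", iis6_asp_risk(p))
    print(safe_upload_name("test.asp;1.jpg"))
```

The detector is what a reverse proxy or WAF rule in front of a legacy IIS 6.0 box would apply to every request; the sanitiser is what the upload code itself must do, because a name chosen by the attacker should never reach the file system unchanged.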
The IIS container also has a classic WebDAV weakness.
WebDAV is an extension of HTTP/1.1: on top of the standard methods such as GET, POST and HEAD it adds methods for managing files on the server, among them PUT, MOVE, COPY and DELETE. Once the WebDAV extension is enabled and a virtual directory grants write permission to the requesting user (often the anonymous account), those methods give an attacker a file-management API over HTTP, and the obvious abuse is to PUT a script file into the web root.
Step 1: send an OPTIONS request and read the Allow header to learn which methods the server accepts.
Step 2: upload the script with PUT, typically under a harmless name such as a .txt file, because many filters only inspect the extension on the PUT.
Step 3: rename it with MOVE or COPY to an .asp name (or, on IIS 6.0, to a name like shell.asp;1.txt that exploits the semicolon bug above if .asp destinations are blocked).
With these three steps the attacker has a webshell without exploiting any code bug at all; the only requirement is the misconfiguration.
If DELETE is also allowed, the attacker can delete any file the web server account can write to. The fix is to disable the WebDAV extension where it is not needed, and where it is, to require authentication and remove write permission from directories that the anonymous user can reach; in IIS logs, OPTIONS followed by PUT and MOVE from the same client is the signature to alert on.
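The three-step exchange, as an added example that is not part of the original article. Because it must run offline, the server side is a constructed stub standing in for an IIS 6.0 site with WebDAV enabled and write permission on the share: it keeps "files" in a dict and accepts every method the article lists. The host, port, paths and the marker body are assumptions; the probe functions themselves send ordinary HTTP and would work unchanged against a real WebDAV endpoint.

```python
"""Three-step WebDAV write check (OPTIONS, PUT, MOVE) against a local stub.

Added example, not code from the original article. The stub server is a
constructed stand-in for an IIS 6.0 site with WebDAV enabled and write
permission on the share, the misconfiguration the article describes; it keeps
files in a dict. Host, port, paths and the marker body are assumptions.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

WRITE_METHODS = {"PUT", "MOVE", "COPY", "DELETE"}  # the methods the article calls dangerous

# --- constructed stub: a share that allows every WebDAV write method -------
_STORE = {}  # path -> bytes, standing in for the web root


class PermissiveDavHandler(BaseHTTPRequestHandler):
    ALLOW = "OPTIONS, GET, HEAD, POST, PUT, DELETE, MOVE, COPY"

    def log_message(self, *args):  # silence per-request logging
        pass

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", self.ALLOW)
        self.send_header("DAV", "1,2")
        self.end_headers()

    def do_PUT(self):
        length = int(self.headers.get("Content-Length", 0))
        created = self.path not in _STORE
        _STORE[self.path] = self.rfile.read(length)
        self.send_response(201 if created else 204)
        self.end_headers()

    def do_MOVE(self):
        dest = urlsplit(self.headers.get("Destination", "")).path
        if self.path in _STORE and dest:
            _STORE[dest] = _STORE.pop(self.path)
            self.send_response(201)
        else:
            self.send_response(404)
        self.end_headers()

    def do_DELETE(self):
        self.send_response(204 if _STORE.pop(self.path, None) is not None else 404)
        self.end_headers()


def start_stub():
    """Start the stub on an ephemeral loopback port; returns the server object."""
    srv = HTTPServer(("127.0.0.1", 0), PermissiveDavHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


# --- the probe itself -----------------------------------------------------
def _request(host, port, method, path, body=None, headers=None):
    """One HTTP exchange on a fresh connection; returns (status, response headers)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, path, body=body, headers=headers or {})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.headers


def webdav_methods(host, port, path="/"):
    """Step 1: parse the Allow header of an OPTIONS response into a set of methods."""
    _, hdrs = _request(host, port, "OPTIONS", path)
    return {m.strip().upper() for m in hdrs.get("Allow", "").split(",") if m.strip()}


def webdav_put_move(host, port, upload_path, final_path, body):
    """Steps 2 and 3: PUT under a harmless name, then MOVE to the script name.

    Returns (put_status, move_status). Uploading as .txt first and renaming
    afterwards is what defeats filters that only inspect the extension on PUT.
    """
    put_status, _ = _request(host, port, "PUT", upload_path, body=body,
                             headers={"Content-Type": "text/plain"})
    move_status, _ = _request(host, port, "MOVE", upload_path,
                              headers={"Destination": f"http://{host}:{port}{final_path}",
                                       "Overwrite": "T"})
    return put_status, move_status


def run_probe():
    """Run the three steps against the stub and return what a tester would record."""
    srv = start_stub()
    host, port = srv.server_address
    try:
        allowed = webdav_methods(host, port)
        put, move = webdav_put_move(host, port, "/probe.txt", "/probe.asp",
                                    b"<!-- webdav write check -->")  # benign marker, not a shell
        return {"allowed": allowed, "writable": allowed & WRITE_METHODS,
                "put": put, "move": move, "files": sorted(_STORE)}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(run_probe())
```

During an authorised test the marker body is all that should ever be uploaded; the point of the PUT is to prove that the share is writable and that a .txt can become an .asp through MOVE, and the probe file should be removed with DELETE afterwards. On the defensive side the same three requests, in that order from one client, are what to look for in the IIS W3C logs.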