Result:
1. If IIS runs Index Server, it contains a vulnerability through null.htw even if no .htw files exist on the server. The vulnerability discloses the source code of ASP pages. Sensitive information such as user accounts is contained in global.asa, so the ability to view ASP pages can expose usernames and passwords. An attacker providing IIS with a malformed URL request could escape the virtual directory and gain access to the logical drive and root directory. The "hit-highlighting" function in Index Server does not adequately restrict what types of files may be requested, allowing an attacker to request any file on the server. The null.htw function has three variables that take their input from the user: CiWebhitsfile, CiRestriction and CiHiliteType. The source code of default.asp can be viewed by requesting: http://www.victim.com/null.htw?CiWebhitsfile=/default.asp%20&%20CiRestriction=none%20&%20&CiHiliteType=full. A real .htw file is not required because the virtual file is held in memory.
2. IIS' MDAC has a vulnerability where an attacker can submit commands for local execution. The core problem is the RDS DataFactory, which by default allows remote commands to be sent to the IIS server. The commands run as the effective user of the service, which is typically the SYSTEM user. A vulnerable site can be identified by checking:
c:\>nc -n -w 2 <Target> 80
GET /msadc/msadcs.dll HTTP
If the response contains the content type application/x-varg, the server is most probably vulnerable if not patched.
3. This vulnerability is very similar to the dot ASP bug: the source code of ASA and ASP files can be obtained by appending +.htr to the URL of the asp or asa file, for example http://www.Target.com/global.asa+.htr.
4. By requesting site.csc, which is normally located at /adsamples/config/site.csc, an attacker may be able to retrieve the DSN, UID and PASS of the database, as this file may contain them. Requesting http://www.victim.com/adsamples/config/site.csc downloads the file site.csc, from which the attacker can obtain this data.
5. The hit-highlighting functionality provided by Index Server allows a web user to view a document with their original search terms highlighted on the page. The name of the document is passed to the .htw file with the CiWebhitsfile argument. Webhits.dll, the ISAPI application that handles the request, opens the file, applies the highlighting and returns the resulting page. Because the user controls the CiWebhitsfile argument passed to the .htw file, they can request anything they want, and the real problem is that they can view the source of ASP and other scripted pages. To determine whether you are vulnerable, request http://www.victim.com/nosuchfile.htw from the site; if the server responds with "format of the QUERY_STRING is invalid", you are vulnerable.
1. IIS 6.0 is prone to a directory-parsing vulnerability. When IIS 6.0 handles files inside a folder whose name ends in .asp, .asa, .cer or .cdx, it parses them according to the script type (asp, asa, cer, cdx), so a WebShell uploaded with a legitimate extension (such as jpg or txt) is executed.
2. IIS 6.0 is vulnerable to file parsing. When IIS 6.0 handles files inside a folder whose name ends in .asp, .asa, .cer or .cdx, it parses them according to the script type (asp, asa, cer, cdx), so a WebShell uploaded with the legitimate extension jpg is executed.
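From a defender's side, every finding above leaves a recognisable trace in the IIS web log: a request for a .htw resource or a CiWebhitsfile parameter, a probe of /msadc/msadcs.dll, a script name with +.htr appended, a fetch of /adsamples/config/site.csc, or a non-script file served from a folder named *.asp/.asa/.cer/.cdx. The following detection script is an added example written for this page, not code from the original result or from any product; the W3C-style log lines, hosts and paths it scans are constructed, and the signature names and field layout are assumptions for the example.

```python
"""Flag IIS log requests that match the legacy IIS/Index Server exposure patterns listed above."""
import re
from collections import Counter
from urllib.parse import unquote

# One (rule name, regex) per finding. Regexes run over the decoded "stem?query" string.
SIGNATURES = [
    # Findings 1/5: any .htw request, or a CiWebhitsfile parameter, is handled by webhits.dll
    ("index-server-htw", re.compile(r"\.htw(\?|$)|ciwebhitsfile=", re.I)),
    # Finding 2: probing the RDS DataFactory entry point
    ("msadc-rds", re.compile(r"/msadc/msadcs\.dll", re.I)),
    # Finding 3: "+.htr" appended to a script file name
    ("htr-append", re.compile(r"\.(asp|asa)\+\.htr", re.I)),
    # Finding 4: the sample configuration file that may hold DSN/UID/PASS
    ("adsamples-site-csc", re.compile(r"/adsamples/config/site\.csc", re.I)),
    # IIS 6.0 findings: a non-script file served from a folder named *.asp/.asa/.cer/.cdx
    ("iis6-script-dir",
     re.compile(r"/[^/]+\.(asp|asa|cer|cdx)/[^/]+\.(jpe?g|gif|png|txt)(\?|$)", re.I)),
]

# Constructed W3C-style log lines (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
# Addresses and paths are made up for this example.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-01-01 10:00:00 10.0.0.5 GET /default.asp - 200
2024-01-01 10:00:01 10.0.0.9 GET /null.htw CiWebhitsfile=/default.asp%20&CiRestriction=none%20&CiHiliteType=full 200
2024-01-01 10:00:02 10.0.0.9 GET /msadc/msadcs.dll - 200
2024-01-01 10:00:03 10.0.0.7 GET /global.asa+.htr - 200
2024-01-01 10:00:04 10.0.0.7 GET /adsamples/config/site.csc - 200
2024-01-01 10:00:05 10.0.0.8 GET /uploads/x.asp/cat.jpg - 200
2024-01-01 10:00:06 10.0.0.3 GET /images/logo.jpg - 200
2024-01-01 10:00:07 10.0.0.9 GET /nosuchfile.htw - 200
"""


def parse_line(line):
    """Split one W3C log line into a dict; return None for header or malformed lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    date, time, client, method, stem, query, status = parts[:7]
    # unquote (not unquote_plus) so a literal "+" in "global.asa+.htr" survives decoding
    url = unquote(stem) if query == "-" else unquote(stem) + "?" + unquote(query)
    return {"time": f"{date} {time}", "client": client, "method": method,
            "url": url, "status": status}


def scan_iis_log(lines):
    """Return one alert per matched signature per line, in log order."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for rule, pattern in SIGNATURES:
            if pattern.search(rec["url"]):
                alerts.append({**rec, "rule": rule})
    return alerts


def summarize_by_client(alerts):
    """Count alerts per source address so repeated probing from one host stands out."""
    return dict(Counter(a["client"] for a in alerts))


if __name__ == "__main__":
    found = scan_iis_log(SAMPLE_LOG.splitlines())
    for a in found:
        print(f'{a["time"]} {a["client"]} {a["rule"]:20} {a["url"]}')
    print(summarize_by_client(found))
```

On the constructed log the script raises six alerts and attributes three of them to 10.0.0.9, which is the kind of per-client view that turns a single odd request into an obvious enumeration pattern. In production the signatures would be run against the real log field layout (the `#Fields:` header tells you the order) and the matches fed to whatever alerting the site already uses; the fix for the findings themselves is still to remove Index Server hit-highlighting, the MDAC RDS components and the sample directories from any server that does not need them and to apply the vendor patches.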