On Wednesday 13 June 2001 11:30 pm, * (todd + 1) wrote:
> hello all,
>
> Recently i came across an IIS webserver that i found to be vulnerable to
> the Unicode attacks. However, i cannot determine the webroot of this drive,
> and therefore i am having troubles reaching a full comprimise. The
> directory "C:\Inetpub" exists, but the only contents of this directory is
> the folder "mailroot".
Then the web directory has been moved. Try making a request for /test.idc or
/test.idq and see if it returns the real web root. If that doesnt work, you
need to dig around the hard drive and try to find it manually. If you dont
see it on the C drive, try looking through the D drive. Common names are
those that start with Web or WWW or the name of the web site that is being
hosted.
> Additionally, when i connect and request the root document (ie GET / ), it
> returns the string: "<% Response.ContentType = "text/plain" %> HELLO"
That is strange. They either wrote an ASP script and gave it the wrong
extension (.htm instead of .asp), or they removed the .asp ISAPI handler. If
the default page is an ASP script and they havent removed the handler, can
you tell us what version and service pack they are running and the exact web
request you sent?
> Does anyone come across anything like this before, and what would be the
> simplest method of determining the webroot?
/test.idc
/test.ida
/test.idq
/test.cfm
If they have cold fusion installed and there are using SQL queries to provide
dymamic content, try changing the ID passed in the URL to a single quote (')
and look at the error message returned. It will give you the hard drive path,
the ODBC driver, the Data Source, and most the time the actual SQL query ;)
-HD
This archive was generated by hypermail 2b30 : Thu Jun 14 2001 - 17:19:27 PDT