1. What is IIS
Internet Information Services (IIS, formerly known as Internet Information Server) is a scalable web server provided by Microsoft that supports HTTP, HTTP/2, HTTPS, FTP, FTPS, SMTP, NNTP and other protocols. It was initially used in the Windows NT series and was later built into Windows 2000, Windows XP Professional, Windows Server 2003 and subsequent versions, but Windows XP Home does not include IIS. IIS is currently available only for Windows and not for other operating systems.
According to Netcraft data from February 2017, IIS had a market share of 10.19% among the "Millions of Busiest Websites", making it the third largest web server in the world, behind Apache at 41.41% and Nginx at 28.34%. Currently, the popular Windows versions have the IIS service installed by default. However, the security of IIS has been criticized by the industry: once a high-risk vulnerability appears in IIS, the threat is very serious.
Before looking at IIS vulnerabilities, let's first review the default built-in IIS version of each Windows release, in order to better understand and distinguish the scope of impact of IIS vulnerabilities:
Figure 1 Default IIS version of each Windows version
2. Complete list of IIS vulnerabilities
Qianlimu Lab has collected the IIS-related vulnerabilities of the past fifteen years. There are 39 medium- and high-risk vulnerabilities in total. Among them, the HTTP.sys remote code execution vulnerability (MS15-034) that broke out in 2015 and the WebDAV privilege escalation vulnerability (MS16-016) of 2016 are particularly widespread.
Figure 2 A complete list of IIS vulnerabilities in the past 15 years
After reading the above IIS vulnerabilities of the past ten years, you may ask: why is the protagonist of this article, the "IIS short file vulnerability", not among them? Before getting to know the IIS vulnerability family, we first learn about some features of IIS under Windows through IIS short files.
3. IIS short file
1. The origin of the IIS short file vulnerability
The Microsoft IIS short file/folder name information leak was first discovered by Soroush Dalili of the Vulnerability Research Team on August 1, 2010, and the vendor (Microsoft Corporation) was notified on August 3, 2010. Microsoft responded on December 1, 2010 and January 4, 2011 that it would be fixed in the next version. On June 29, 2012, the vulnerability was publicly disclosed (medium risk).
This vulnerability is caused by the tilde (~) of the old DOS 8.3 naming convention (SFN, short file name) in HTTP requests. It allows remote attackers to expose file and folder names under the web root (which should not be accessible). An attacker can find important files that are usually not directly accessible from the outside and obtain information about the application infrastructure.
Information disclosure caused by Microsoft IIS tilde is the most common medium-risk vulnerability on the world's networks. This problem has been around since at least 1990, but has proven difficult to detect, difficult to solve, or easy to ignore entirely.
2. IIS short file vulnerability scope and harm
2.1 Affected versions:
IIS 1.0, Windows NT 3.51
IIS 3.0, Windows NT 4.0 Service Pack 2
IIS 4.0, Windows NT 4.0 Option Pack
IIS 5.0, Windows 2000
IIS 5.1, Windows XP Professional and Windows XP Media Center Edition
IIS 6.0, Windows Server 2003 and Windows XP Professional x64 Edition
IIS 7.0, Windows Server 2008 and Windows Vista
IIS 7.5, Windows 7 (remotely enabled or no web.config)
IIS 7.5, Windows 2008 (Classic Pipeline Mode)
Note: IIS is not affected when using .Net Framework 4
(Above data source: https://www.securityfocus.com/archive/1/523424)
It has been verified that the above affected scope mainly applies to the HTTP GET method and also requires ASP.NET applications to be installed. The discoverer of this vulnerability made a further disclosure in 2014: during testing of IIS 7.5 (Windows 2008 R2) and IIS 8.0 (Windows 2012), when OPTIONS is used instead of the GET method, IIS returns a different error message if the short file name in the request exists. Taking advantage of this feature, attackers can scan for files or directories based on short file names in the latest IIS versions. Currently, IIS supports six HTTP methods for short file name guessing: DEBUG, OPTIONS, GET, POST, HEAD, and TRACE. Qianlimu Laboratory verified that the short file names on IIS 8.0, IIS 8.5, and IIS 10.0 can be guessed successfully through the OPTIONS and TRACE methods. Therefore, the following versions need to be added to the affected versions above:
IIS 8.0, Windows 8, Windows Server 2012
IIS 8.5, Windows 8.1, Windows Server 2012 R2
IIS 10.0, Windows 10, Windows Server 2016
It can be seen that all versions of IIS have the short file name leak problem, and Microsoft seems to have ignored it. Microsoft's reply to the discoverer of the vulnerability shows that the IIS short file vulnerability does not meet the standard for a security update, and that it still needs to determine when the issue will be resolved in the next logical version.
2.2 Vulnerability hazards:
2.2.1 Using the "~" character to guess and expose short file/folder names (main hazard)
Windows supports generating MS-DOS-compatible (short) file names in 8.3 format so that MS-DOS or 16-bit Windows-based programs can access these files. In cmd, change to the IIS website root directory C:\inetpub\wwwroot and enter "dir /x" to see the short file names:
Figure 3 IIS short file name
The picture above is the default site root directory of IIS 10.0 built in Windows 10. iisstart.htm and iisstart.png are the default files of the website. The length of the file name prefix characters does not reach 9 characters, so there is no short file name. IIS10test.html is a website file added manually. The file name prefix character length reaches 9 characters, and the corresponding short file name is IIS10T~1.HTM. According to this feature, we can indirectly access its corresponding file by accessing the short file name.
Since the length of the short file name is fixed (xxxxxx~xxxx), the attacker can directly brute force the short file name to access the corresponding file.
For example, there is a database backup file backup_20180101.sql, and its corresponding short file name is backup~1.sql. Therefore, the attacker can download the file by brute force cracking backup~1.sql without cracking the complete file name.
IIS short file names have the following characteristics:
1. Only the first six characters are displayed directly, and the subsequent characters are represented by ~1. The number 1 can be incremented if there are multiple files with similar file names (the first 6 characters of the name must be the same, and the first 3 characters of the extension must be the same);
2. The extension can have at most 3 characters; any extra characters are truncated, and a file whose extension is longer than 3 characters gets a short file name;
3. All lowercase letters are converted to uppercase letters;
4. If a long file name contains multiple "." characters, the last "." in the file name is used as the start of the short file name extension;
5. If the prefix of a long file name or a folder name consists of characters in the ranges 0-9 and Aa-Zz, it must be at least 9 characters long for a short file name to be generated. If it contains spaces or other special characters, a short file name is generated regardless of the length;
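The five characteristics above can be turned into a check that tells a site owner which files in a deployment would receive an 8.3 alias. This is an added example, not code from the original article: it follows the simplified rules as listed here rather than the full NTFS algorithm, and the function names, the handling of "_" and "-" as ordinary characters, and the replacement of other special characters with "_" are assumptions.

```python
import re
from collections import Counter

# Rule 5 names 0-9, A-Z and a-z; treating "_" and "-" as ordinary is an assumption.
_ORDINARY = re.compile(r"[A-Za-z0-9_-]*")

def _clean(part):
    part = re.sub(r"[ .]", "", part)              # spaces and extra dots are dropped
    return re.sub(r"[^A-Za-z0-9_-]", "_", part)   # assumption: other characters become "_"

def _alias_parts(long_name):
    """Return (STEM, EXT) of the 8.3 alias, or None when no alias is generated."""
    base, dot, ext = long_name.rpartition(".")    # rule 4: the LAST "." starts the extension
    if not dot or not base:                       # no extension, or a name like ".gitignore"
        base, ext = long_name, ""
    needs_alias = (
        len(base) >= 9                            # rule 5: prefix of 9 or more characters
        or len(ext) > 3                           # rule 2: extension longer than 3 characters
        or "." in base                            # rule 4: more than one "."
        or not _ORDINARY.fullmatch(base)          # rule 5: space or special character
        or not _ORDINARY.fullmatch(ext)
    )
    if not needs_alias:
        return None
    return _clean(base)[:6].upper(), _clean(ext)[:3].upper()   # rules 1, 2 and 3

def _format(stem, ext, index):
    return "%s~%d%s" % (stem, index, "." + ext if ext else "")

def predict_short_name(long_name, index=1):
    parts = _alias_parts(long_name)
    return None if parts is None else _format(parts[0], parts[1], index)

def audit_listing(names):
    """Map each name that gets an alias to it; collisions are numbered in listing order.
    Only the simple ~1, ~2, ... numbering of rule 1 is modelled."""
    counts, exposed = Counter(), {}
    for name in names:
        parts = _alias_parts(name)
        if parts is not None:
            counts[parts] += 1                    # rule 1: same stem and extension -> ~2, ~3
            exposed[name] = _format(parts[0], parts[1], counts[parts])
    return exposed

if __name__ == "__main__":
    # Constructed listing: the article's file names plus two made-up ones.
    listing = ["iisstart.htm", "IIS10test.html", "backup_20180101.sql",
               "backup_20180201.sql", "web.config.bak"]
    for name, alias in audit_listing(listing).items():
        print("%-22s -> %s" % (name, alias))
```

Running it over a deployment manifest shows which backups or configuration copies would be reachable under a guessable alias; `dir /x` on the server remains the authoritative answer.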
We can use the GET method to brute-force enumerate short file names on IIS with .NET enabled. This works because the attacker sends IIS requests containing the wildcard characters "*" and "?". When IIS receives a request whose file path contains "~", its response differs, that is, the returned HTTP status code and error message are different. Based on this feature, an available or unavailable file can be distinguished from the HTTP response. As shown in the figure below, the information returned by different IIS versions is different:
Figure 4 IIS 5.0 ~ IIS 7.X short file guessing HTTP response information
The picture is the illustration of the response information for legal and illegal IIS short file guesses given by Soroush Dalili, the discoverer of this vulnerability, in his research report:
Accessing a constructed short file name that exists returns 404;
Accessing a constructed short file name that does not exist returns 400;
Figure 5 Using IIS status code guessing process
The above method uses the GET method to guess repeatedly in a lower-version IIS + ASP.NET environment until the short file name is found.
However, Qianlimu Laboratory verified in a real environment that in higher versions of IIS (such as IIS 8.0/IIS 8.5/IIS 10.0), guessing succeeds through the OPTIONS and TRACE methods even if ASP.NET is not installed. The HTTP status codes returned by these two methods are slightly different from the screenshots above, but they provide another way to exploit the issue.
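Because the guessing relies on many requests that combine "~" with a wildcard and on the differing status codes they produce, it leaves a recognisable trail in the IIS W3C logs. The following detection sketch is an added example, not part of the original article: the log lines are constructed, the field names are the standard W3C ones, and the function names and the threshold of 3 requests are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (documentation IP ranges; not from the article).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2018-01-01 10:00:01 GET /iisstart.htm 198.51.100.7 200
2018-01-01 10:00:02 OPTIONS /A*~1* 203.0.113.9 200
2018-01-01 10:00:02 OPTIONS /I*~1* 203.0.113.9 404
2018-01-01 10:00:03 OPTIONS /IA*~1* 203.0.113.9 200
2018-01-01 10:00:03 OPTIONS /II*~1* 203.0.113.9 404
2018-01-01 10:00:04 TRACE /IIS*~1* 203.0.113.9 404
2018-01-01 10:00:05 GET /REPORT~1.PDF 198.51.100.7 404
"""

def is_short_name_probe(uri_stem):
    """True for a path that combines a "~<digit>" alias marker with a wildcard."""
    path = unquote(uri_stem)                      # also catches %2A / %7E encodings
    return bool(re.search(r"~\d", path)) and ("*" in path or "?" in path)

def find_tilde_probing(log_text, threshold=3):
    """Return clients with >= threshold probe requests and more than one status code."""
    fields = []
    seen = defaultdict(lambda: {"requests": 0, "methods": set(), "statuses": set()})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]             # column order is defined by the log itself
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if is_short_name_probe(row.get("cs-uri-stem", "")):
            entry = seen[row.get("c-ip", "-")]
            entry["requests"] += 1
            entry["methods"].add(row.get("cs-method", "-"))
            entry["statuses"].add(row.get("sc-status", "-"))
    # Mixed status codes are the signal: the differing answers are what the guessing relies on.
    return {ip: {"requests": e["requests"],
                 "methods": sorted(e["methods"]),
                 "statuses": sorted(e["statuses"])}
            for ip, e in seen.items()
            if e["requests"] >= threshold and len(e["statuses"]) > 1}

if __name__ == "__main__":
    for ip, summary in find_tilde_probing(SAMPLE_LOG).items():
        print(ip, summary)
```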
2.2.2 .Net Framework Denial of Service Attack (Side Hazard)
According to research by Soroush Dalili, if an attacker sends an illegal .Net file in the folder name request, .Net Framework will recursively search all root directories, consuming website resources and causing a DoS problem. Microsoft considers this hazard a recoverable DoS that will be fixed in a subsequent SP version, so it is not discussed here.
3. IIS Short File Vulnerability Reproduction and Exploitation
3.1 IIS Short File Vulnerability Reproduction
3.1.1 Vulnerability environment construction
Install the default IIS 10.0 on Win 10 (ASP.NET is not installed)
IIS short file vulnerability scanning Java program (the Java environment variables need to be configured)
3.1.2 Vulnerability environment debugging preparation
After IIS is successfully installed, the inetpub directory is created on the C drive by default. The root directory of the website is C:\inetpub\wwwroot. At this point, check whether there is a short file name in the root directory:
As can be seen from the above figure, the default IIS 10.0 website root directory does not have short file names, only default htm and png files, and the name length does not meet the requirements for generating short files. The following uses the IIS short file scanner to detect whether there is a short file information leakage vulnerability:
3.1.3 Vulnerability environment reproduction
Manually create a website file with the long name "IIS10test.html"; the corresponding short file name "IIS10T~1.HTM" is generated automatically.
Scan again with the IIS short file scanner. The scan finds the short file vulnerability and successfully guesses the short file name through the HTTP OPTIONS method: IIS10T.HTM
The TRACE method can also successfully guess the short file name.
3.1.4 IIS vulnerability OPTIONS and TRACE method guessing analysis
OPTIONS method guessing analysis
The OPTIONS method above sent 196 requests to guess the short file name. A successful guess returns 404 and a failed guess returns 200. Because there are many failed combinations, the following mainly analyzes how the requests that returned 404 (successful guesses) obtain the short file name IIS10T.HTM through the OPTIONS method. As shown below:
501 (not executed).
3.2 IIS short file vulnerability exploitation
IIS short file vulnerability limitations
This vulnerability has several limitations:
1) This vulnerability can only determine the first 6 characters. If the following characters are too long or contain special characters, they are difficult to guess;
2) If the file name itself is too short (no short file name), it cannot be guessed;
3) If the first 6 characters of the file name contain spaces, the short file name in 8.3 format is padded and does not match the real file name;
4) If the first 6 characters of a folder name contain ".", the scanner treats it as a file instead of a folder, and a false alarm results;
5) Chinese file names are not supported, including Chinese files and Chinese folders. One Chinese character is equivalent to two English characters, so more than 4 Chinese characters will generate a short file name, but IIS does not support guessing Chinese.
5. IIS short file vulnerability solution
5.1 General vulnerability repair solution
1) Use CMD to turn off NTFS 8.3 file format support
Example: (1 means off, 0 means on)
Windows Server 2008 R2:
Query whether the short file name function is turned on: fsutil 8dot3name query
Turn off this function: fsutil 8dot3name set 1
Windows Server 2003:
Turn off this feature: fsutil behavior set disable8dot3 1
The shutdown commands of different systems are slightly different. This function is enabled by default and is not needed by most users.
2) Modify the registry to disable the short file name function
Press Win+R to open the command window and enter regedit to open the registry window
Find the path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem and set the value of NtfsDisable8dot3NameCreation to 1 (1 means short file names are not created)
After the modification is completed, you need to restart the system for it to take effect
Note: This method only prevents the creation of NTFS 8.3 format file names. The short file names of existing files are not removed; the files need to be copied again before the short names disappear.
The following two methods only mitigate the GET method; other methods can still be used for guessing.
3) Turn off the Web service extension - ASP.NET
4) Upgrade .NET Framework to version 4.0 or above