How long before 7 Days Inn check-in records are deleted (Home Inn check-in records

Guest, 4 years ago, in "hacker-for-hire" (黑客接单), 1058

I. Background
---------------------
"IIS is a web server application and set of
feature extension modules created by Microsoft for use with Microsoft Windows.
IIS is the third most popular server in the world." (Wikipedia)
II. Overview
---------------------
Vulnerability Research Team discovered a vulnerability
in Microsoft IIS.
The vulnerability is triggered by a tilde character "~" in a GET request, which could allow remote attackers
to disclose file and folder names.
III. Affected Products
---------------------------
IIS 1.0, Windows NT 3.51
IIS 2.0, Windows NT 4.0
IIS 3.0, Windows NT 4.0 Service Pack 2
IIS 4.0, Windows NT 4.0 Option Pack
IIS 5.0, Windows 2000
IIS 5.1, Windows XP Professional and Windows XP Media Center Edition
IIS 6.0, Windows Server 2003 and Windows XP Professional x64 Edition
IIS 7.0, Windows Server 2008 and Windows Vista
IIS 7.5, Windows 7 (error remotely enabled or no web.config)
IIS 7.5, Windows 2008 (classic pipeline mode)
Note: Does not work when IIS uses .Net Framework 4.
IV. Binary Analysis & Exploits/PoCs
---------------------------------------
The tilde character "~" can be used to find the 8.3 short names of files and folders when the website is running on IIS.
An attacker can find important files and folders that are not normally visible.
In-depth technical analysis of the vulnerability and a functional exploit
are available through:
http://soroush.secproject.com/blog/2012/06/microsoft-iis-tilde-character-vulnerabilityfeature-short-filefolder-name-disclosure/
V. Solution
----------------
Workarounds are available from the vendor and from security vendors.
A suitably configured WAF may be useful (discarding web requests that include the tilde "~" character).
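The WAF rule above drops every request with a tilde; on the detection side the more useful signal is a run of 8.3-style probes (a "~" followed by a digit inside a path segment) from one client. The following is an added example, not code from the advisory or from Microsoft: it parses constructed IIS W3C log lines, compares the coarse "any tilde" rule with the narrower short-name pattern, and flags clients that issue repeated probes.

```python
import re
from collections import Counter

# Constructed sample in IIS W3C extended log format (not captured from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2012-07-01 10:00:01 10.0.0.5 GET /index.html - 192.0.2.10 200
2012-07-01 10:00:02 10.0.0.5 GET /*~1*/.aspx - 192.0.2.77 404
2012-07-01 10:00:02 10.0.0.5 GET /a*~1*/.aspx - 192.0.2.77 404
2012-07-01 10:00:03 10.0.0.5 GET /ad*~1*/.aspx - 192.0.2.77 404
2012-07-01 10:00:03 10.0.0.5 GET /adm*~1*/.aspx - 192.0.2.77 404
2012-07-01 10:00:04 10.0.0.5 GET /about.html - 192.0.2.10 200
2012-07-01 10:00:05 10.0.0.5 GET /docs/readme~1.txt - 192.0.2.33 404
"""

# A path segment with "~" followed by a digit has the shape of an 8.3 short name
# (SOMELO~1); the wildcards around it are how a name is guessed one character at a time.
SHORT_NAME_PROBE = re.compile(r"[^/]*~\d[^/]*")

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def is_tilde_request(uri_stem):
    """The coarse rule the advisory suggests for a WAF: any tilde in the request path."""
    return "~" in uri_stem

def is_short_name_probe(uri_stem):
    """Narrower rule: the tilde sits in an 8.3-style segment such as /a*~1*/."""
    return SHORT_NAME_PROBE.search(uri_stem) is not None

def flag_clients(text, threshold=3):
    """Count short-name probes per client IP; return (counts, clients at or over threshold)."""
    # One stray tilde can be legitimate; a run of probes from one client is enumeration.
    counts = Counter()
    for req in parse_w3c(text):
        if is_short_name_probe(req["cs-uri-stem"]):
            counts[req["c-ip"]] += 1
    flagged = sorted(ip for ip, n in counts.items() if n >= threshold)
    return dict(counts), flagged
```

A path such as `/~alice/` trips the coarse rule but not the short-name pattern, which is why the narrower rule is the better alerting condition while the coarse rule remains the simple blocking rule.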
