Problem
I recently received a penetration test report from a customer, and one of the findings was IIS directory enumeration.
Finding description: some versions of Microsoft IIS allow an attacker to guess files or directories through their Windows 8.3 short file names using a special request technique.
Site environment
- Windows Server 2019
- IIS 10
- ASP.NET Core 3.1
Scanning tool
java -jar iis_shortname_scanner.jar 0 20 http://192.168.0.220:8000
Test result
# IIS Short Name (8.3) Scanner version 2.3.9 (05 February 2017) - scan initiated 2022/03/22 00:22:15
Target: http://192.168.0.220:8000/
|_ Result: Vulnerable!
|_ Used HTTP method: DEBUG
|_ Suffix (magic part): \a.aspx
|_ Extra information:
|_ Number of sent requests: 703
|_ Identified directories: 0
|_ Indentified files: 10
|_ APPSET~1.JSO
|_ APPSET~2.JSO
|_ NETCOR~1.DLL
|_ NETCOR~1.EXE
|_ NETCOR~1.JSO
|_ NETCOR~1.PDB
|_ NETCOR~2.DLL
|_ NETCOR~2.JSO
|_ NETCOR~2.PDB
|_ WEB~1.CON
|_ Actual file name = WEB
Remediation
- Disable 8.3 short name creation via NtfsDisable8dot3NameCreation
Run regedit
Edit the registry value HKEY_Local_Machine\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation
- Remove the existing 8.3 file names from the target directory and its subdirectories
fsutil 8dot3name strip /l mylogfile.log /s d:\Web\MySite
- In the IIS site, open Request Filtering
On the URL tab, add ~ as a deny sequence
Re-test result: Not vulnerable or no item was found.
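The three steps above applied from one elevated PowerShell session, with a check of the result at the end. This is an added example, not part of the original post; it assumes the site is named MySite, that its content root is D:\Web\MySite (the path from the fsutil step), and that the WebAdministration module is available, as it is on IIS 10 / Windows Server 2019.

```powershell
#Requires -RunAsAdministrator
# Added example: applies the post's three remediation steps and verifies them.
# Assumed values: site name "MySite", content root D:\Web\MySite.
Import-Module WebAdministration

$SiteName = 'MySite'                 # assumed site name
$SiteRoot = 'D:\Web\MySite'          # content root used in the post's fsutil step
$FsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'

# Step 1: stop NTFS from creating new 8.3 short names.
# Values: 0 = enabled, 1 = disabled on all volumes, 2 = per-volume setting
# (the default), 3 = disabled except on the system volume.
Set-ItemProperty -Path $FsKey -Name 'NtfsDisable8dot3NameCreation' -Value 1 -Type DWord

# Step 2: the registry value only affects files created from now on, so the
# short names that already exist under the web root must be stripped. Without
# /f, fsutil refuses to strip names that the registry still references.
fsutil 8dot3name strip /l "$env:TEMP\8dot3-strip.log" /s $SiteRoot

# Step 3: IIS request filtering - reject any URL containing "~", so the
# scanner's "~1*" probes are refused before the application sees them.
# Caveat: legitimate URLs that contain a tilde are blocked as well.
$Filter   = 'system.webServer/security/requestFiltering/denyUrlSequences'
$SitePath = "IIS:\Sites\$SiteName"
$Existing = Get-WebConfigurationProperty -PSPath $SitePath -Filter $Filter -Name 'Collection' |
            Where-Object { $_.sequence -eq '~' }
if (-not $Existing) {
    Add-WebConfigurationProperty -PSPath $SitePath -Filter $Filter -Name '.' -Value @{ sequence = '~' }
}

# Verification: registry value, effective 8.3 state, and the deny sequences now in place.
$Value = (Get-ItemProperty -Path $FsKey -Name 'NtfsDisable8dot3NameCreation').NtfsDisable8dot3NameCreation
"NtfsDisable8dot3NameCreation = $Value (expected: 1)"
fsutil 8dot3name query
"Deny sequences on $SiteName:"
(Get-WebConfigurationProperty -PSPath $SitePath -Filter $Filter -Name 'Collection').sequence
```

Re-run the scanner afterwards; the deny sequence alone is enough to produce the "Not vulnerable" result shown below, while steps 1 and 2 remove the short names themselves.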
# IIS Short Name (8.3) Scanner version 2.3.9 (05 February 2017) - scan initiated 2022/03/22 00:23:28
Target: http://192.168.0.220:8000/
|_ Result: Not vulnerable or no item was found. It was not possible to get proper/different error messages from the server. Check the inputs and try again.
|_ Warning(s):
|_ Question mark character was blocked: you may have a lot of false positives. -> manual check is needed.
|_ File extensions could not be verified. you may have false positive results. -> manual check is needed.
|_ Extra information:
|_ Number of sent requests: 144
Conclusion
In my own testing, adding ~ as a deny sequence in IIS request filtering was enough to defeat the scan, but if you have administrative access to the host it is of course better to fix the root cause by disabling the registry value directly.
The site tested here ran on IIS + .NET Core and exhibited this weakness; I also ran the same test against an ASP.NET MVC site and the issue did not appear there. So if you host a .NET Core site on IIS, it is best to also carry out the third step and add the request filtering rule!