IIS各版本报出来的漏洞

千里目实验室搜集了下近十五载的IIS相关漏洞，中、高危漏洞共计39个，其中15年爆发的(MS15-034)HTTP.sys 远程执行代码漏洞和16年的(MS16-016)WebDAV 特权提升漏洞影响范围尤其广泛。

IIS3.0

1. ASP Dot Bug

2.$DATA

IIS4.0

1. .idc & .ida Bugs

2.IIS HACK 缓冲溢出漏洞

3.$DATA

4. ISM.DLL缓冲截断漏洞

5.Translate:f Bug泄露asp文件源代码

6.Unicode 解析错误漏洞

7./iisadmpw暴力猜解密码

IIS5.0

1.ISM.DLL缓冲截断漏洞

2.Unicode 解析错误漏洞

3…idc & .ida Bugs

4.缓冲区溢出

IIS6.0

1. 缓冲区溢出

2.解析漏洞（目录解析、文件解析）

3.绕过认证漏洞

微软IIS与PHP 6.0（这是对PHP5中的Windows Server 2003 SP1的测试）
详细说明：
攻击者可以发送一个特殊的请求发送到IIS 6.0服务，成功绕过访问限制
攻击者可以访问有密码保护的文件
例：

Example request (path to the file): /admin::$INDEX_ALLOCATION/index.php

(暂时没有翻译，怕影响精确度)

if the:$INDEX_ALLOCATION postfix is appended to directory name.
This can result in accessing administrative files and under special circumstances execute arbirary code remotely

IIS7.0

1.解析漏洞

IIS7.5

1.ASP验证绕过

受影响的软件：.NET Framework 4.0（.NET框架2.0是不受影响，其他.NET框架尚未进行测试）（在Windows 7测试）
详细说明：
通过添加 [ “:$i30:$INDEX_ALLOCATION” ] to the directory serving (便可成功绕过)
例：
There is a password protected directory configured that has administrative asp scripts inside An attacker requests the directory with :$i30:$INDEX_ALLOCATION appended to the directory name IIS/7.5 gracefully executes the ASP script without asking for proper credentials

2.NET源代码泄露和身份验证漏洞

(.NET 2.0和.NET 4.0中测试)
例：–>
http:///admin:$i30:$INDEX_ALLOCATION/admin.php
will run the PHP script without asking for proper credentials.（暂时没有翻译）
By appending /.php to an ASPX file (or any other file using the .NET framework that is not blocked through the request filtering rules,like misconfigured: .CS,.VB files) IIS/7.5 responds with the full source code of the file and executes it as PHP code. This means that by using an upload feature it might be possible (under special circumstances) to execute arbitrary PHP code.
Example: Default.aspx/.php

3.解析漏洞

https://www.jianshu.com/p/354fcf0939cc

IIS8.0

https://www.24wd.net/?q-31.html