Microsoft IIS Upload Filter Bypass Vulnerability, Code Execution

numb
Joined: 2009/11/17

Microsoft IIS fully patched web servers are vulnerable to remote code execution. Critical vulnerability. Any IIS server that allows users to upload images, such as an avatar, is vulnerable. By appending a semicolon with a benign file format extension, the filters that would normally prevent malicious files from being uploaded can be easily bypassed.

Example: Let's say we have a shell called c99.php and we want to upload it to an IIS web server that allows us to upload images with the .jpeg extension. All we have to do is rename the file to "c99.php;.jpg" in order to bypass the filter. Then when we go to execute the file, the server recognizes it as a php script and executes it accordingly.

Just in time for Christmas. Merry Christmas and Happy Hacking!

My contact information is invalid at the moment.
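
Added example, not part of the original post: a Python sketch of the upload check from the defender's side, showing why a filter that looks only at the last extension accepts the name described above and how a stricter check rejects it. The function names, the allowlist and the sample names are assumptions made for illustration.

```python
import os
import re
import secrets

# Assumed allowlist for an avatar upload feature.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}

# Safe base name, exactly one dot, short alphanumeric extension.
# Rejects ';', extra dots, path separators, spaces and control characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}")


def naive_filter(filename):
    """Weak check of the kind the post describes: only the text after
    the last dot is compared against the allowlist."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXTENSIONS


def strict_filter(filename):
    """Validate the whole name, then the extension."""
    if SAFE_NAME.fullmatch(filename) is None:
        return False
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXTENSIONS


def storage_name(filename):
    """Return a server-generated name for an accepted upload, or None.
    The uploader-supplied name is never used on disk."""
    if not strict_filter(filename):
        return None
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext


# Constructed sample names, including the one from the post.
SAMPLES = ["avatar.jpg", "c99.php;.jpg", "photo.PNG", "a.php.jpg", "notes.txt"]


def compare(samples=SAMPLES):
    """Return (name, naive verdict, strict verdict) for each sample."""
    return [(n, naive_filter(n), strict_filter(n)) for n in samples]


if __name__ == "__main__":
    for name, weak, strict in compare():
        print(f"{name!r:18} naive={weak!s:5} strict={strict}")
```

Because `storage_name` discards the submitted name entirely, a semicolon or extra extension in it never reaches the file system, whatever the web server would have made of it.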