The Unexpected Impact of Office2K on IIS (Part 2)
Article last modified on 2002-9-10
The information in this article applies to:
- Microsoft IIS 5.0
- Microsoft FrontPage
- Microsoft Outlook Web Access
- Microsoft Exchange 2000
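[Detailed flow]:
Below we walk through the detailed flow using the packets captured with Network Monitor.
Blue text represents captured packet bodies; only part of each packet is shown here.
Red text marks packet content that deserves attention.
Green text is my commentary.
Explanation of packets 594 through 625 (the case where the dialog box pops up):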
OPTIONS /XY/XYZUV/XYZUVW.dll/迁移方案.doc?ClassName=XY_ZUVWABCDEF.GHIJKM&sessio=nmA3F0F1-B122-4814-AD29-0B4B6F686B40&Validate=YES&URL=http://xyzuvwabcde/exchange/zhengyun/%E6%94%B6%E4%BB%B6%E7%AE%B1/%E8%BF%81%E7%A7%BB%E6%96%B9%E6%A1%88.doc-2.EML HTTP/1.1
User-Agent: Microsoft Data Access Internet Publishing Provider Cache Manager
Host: xyserver
Content-Length: 0
Connection: Keep-Alive
Step one: the client's Explorer sends the server an OPTIONS request over HTTP/1.1. Note that its User-Agent has already changed.
….. HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 10 Sep 2002 04:46:35 GMT
Set-Cookie: sessionid=b198d31e-08d1-409e-8b1c-6b484f024bbb,0x804; path=/exchange/zhengyun
Content-Type: text/html
Content-Length: 796
ETag: "b9cdb478f9b2a343a2f0b41c6df4e7b300000033dec1"
Accept-Ranges: bytes
MS-WebStorage: 6.0.4712
Cache-Control: no-cache
…
This is step two:
…..POST /_vti_bin/shtml.dll/_vti_rpc HTTP/1.1
Date: Tue, 10 Sep 2002 04:46:35 GMT
MIME-Version: 1.0
User-Agent: MSFrontPage/4.0
Host: xyserver
Accept: auth/sicily
Content-Length: 127
Content-Type: application/x-www-form-urlencoded
X-Vermeer-Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
Cache-Control: no-cache
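What the request above means: the client seems to take the location of the authoring binaries for granted and sends a POST /_vti_bin/shtml.dll/_vti_rpc HTTP/1.1 straight to the server. Shtml.dll is the browse binary, and its permission is Everyone. The POSTed data is the following method=url+to+web+url%3a….: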
method=url+to+web+url%3a4%2e0%000%2e4715&url=%2fum%2fisapi%2fComBox%2edll%2f%e8%bf%81%e7%a7%bb%e6%96%11%e1%a1%88%2edoc&flags=0 HTTP/1.1 100 Continue
….
Then the server returns this HTML:
<html><head><title>vermeer RPC packet</title></head>
<body>
<p>method=url to web url:4.0.2.4715
<p>webUrl=/
<p>fileUrl=um/isapi/ComBox.dll/ooooooÓoo案.doc
</body>
</html>
</body>
</html>
Now the client's Explorer knows the server's version, so it starts its work:
Explorer sends a POST request to /_vti_bin/_vti_aut/author.dll. The POSTed data is method=open+service%3a4%2e0%2e2%2e4715&service%5fname=%2f, which appears to be fixed.
…POST /_vti_bin/_vti_aut/author.dll HTTP/1.1
Date: Tue, 10 Sep 2002 04:46:35 GMT
MIME-Version: 1.0
User-Agent: MSFrontPage/4.0
Host: xyserver
Accept: auth/sicily
Content-Length: 58
Content-Type: application/x-www-form-urlencoded
X-Vermeer-Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
Cache-Control: no-cache
method=open+service%3a4%2e0%2e2%2e4715&service%5fname=%2f….. HTTP/1.1 100 Continue
Server: Microsoft-IIS/5.0
Date: Tue, 10 Sep 2002 04:46:34 GMT
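This brings us to the authentication stage. If the ACL on author.dll permits the request, the server returns a large block of configuration, which is essentially the content of the /_vti_pvt/services.cnf file: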
…
<!--Copyright (c) 2000-2001 Microsoft Corporation. All rights reserved.-->
<!--CURRENT FILE== "NON-IE5" "NON-WIN32" frameset -->
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=gb2312">
<HTML>
<TITLE>Microsoft Outlook Web Access</TITLE>
<HEAD>
<BASE href="http://XYZUSERVER/exchange/zhengyun/">
</HEAD>
<FRAMESET framespacing="1" cols="110,*">
<FRAME name="navbar" src="%E6%94%B6%E4%BB%B6%E7%AE%B1/?Cmd=navbar" marginheight="0" marginwidth="0" scrolling="auto" border="1">
<FRAME name="viewer" src="%E6%94%B6%E4%BB%B6%E7%AE%B1/%E8%BF%81%E7%A7%BB%E6%96%B9%E6%A1%88.doc-2.EML?Cmd=open" scrolling="auto">
<NOFRAMES>
<BODY>
<P>This page uses frames, but your browser doesn't support them.</P>
</BODY>
</NOFRAMES>
</FRAMESET>
</HTML>
The block above is not very interesting; the key part is what follows:
…..HTTP/1.1 401 Access denied
Server: Microsoft-IIS/5.0
Date: Tue, 10 Sep 2002 04:46:34 GMT
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Content-Length: 0
Interesting, isn't it: the server is getting ready for the NTLM three-way handshake. The response above is the first 401 rejection:
POST /_vti_bin/_vti_aut/author.dll HTTP/1.1
Date: Tue, 10 Sep 2002 04:46:35 GMT
MIME-Version: 1.0
User-Agent: MSFrontPage/4.0
Host: xyserver
Accept: auth/sicily
Content-Length: 58
Content-Type: application/x-www-form-urlencoded
X-Vermeer-Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
Cache-Control: no-cache
Authorization: Negotiate YIIFggYGKwYBBQUCoIIFd……………..<much more, all of it the hashed password>
Then the client sends the hash of its own password to the server.
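To see what kind of token an Authorization value like the one in the request above carries, this added example (not part of the original article) decodes the leading bytes and tells a GSS-API/SPNEGO wrapper apart from a bare NTLMSSP message. The only value taken from the capture is the visible prefix YIIFggYGKwYBBQUCoIIF; the NTLM sample and all function names are constructed for illustration.

```python
import base64
import binascii
import struct

SPNEGO_OID = bytes.fromhex("06062b0601050502")  # DER encoding of OID 1.3.6.1.5.5.2
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def _decode_prefix(b64):
    """Decode the whole 4-character groups of a possibly truncated base64 string."""
    usable = b64[: len(b64) - len(b64) % 4]
    try:
        return base64.b64decode(usable)
    except binascii.Error:
        return b""

def _der_length(buf, pos):
    """Return (length, next_pos) for the DER length field starting at buf[pos]."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1 : pos + 1 + n], "big"), pos + 1 + n

def classify_auth_value(header_value):
    """Classify the token in an Authorization / WWW-Authenticate header value."""
    scheme, _, token = header_value.strip().partition(" ")
    raw = _decode_prefix(token.strip())
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        return {"scheme": scheme, "kind": "NTLMSSP",
                "detail": NTLM_TYPES.get(msg_type, "unknown")}
    if len(raw) >= 2 and raw[0] == 0x60:  # GSS-API InitialContextToken tag
        length, pos = _der_length(raw, 1)
        mech = "SPNEGO" if raw[pos : pos + 8] == SPNEGO_OID else "other"
        return {"scheme": scheme, "kind": "GSS-API/" + mech, "detail": length}
    return {"scheme": scheme, "kind": "unrecognized", "detail": None}

# Visible prefix of the token in the capture above (the rest is elided there).
PAGE_PREFIX = "Negotiate YIIFggYGKwYBBQUCoIIF"
# Constructed sample: a bare NTLM type 1 message; the flags value is arbitrary.
NTLM_SAMPLE = "NTLM " + base64.b64encode(
    b"NTLMSSP\x00" + struct.pack("<II", 1, 0x00088207)).decode()

if __name__ == "__main__":
    for value in (PAGE_PREFIX, NTLM_SAMPLE):
        print(value[:40], "->", classify_auth_value(value))
```

For the GSS-API case, "detail" is the length in bytes that the token declares for its own body; for NTLMSSP it is the message type.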
HTTP/1.1 401 Access denied
Server: Microsoft-IIS/5.0
Date: Tue, 10 Sep 2002 04:46:34 GMT
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Content-Length: 0
The server rejects the request with a second 401;
the client sends once more:
….GET /xx/xxxxx/xxxxxx.dll/%E8%BF%81%E7%A7%BB%E6%96%B9%E6%A1%88.doc?ClassName=xx_xxxxxxxxxx.xxxxxx&ssssss=6DA3F0F1-B122-4814-AD29-0B4B6F686B40&Validate=YES&URL=http://XYZUSERVER/exchange/zhengyun/%E6%94%B6%E4%BB%B6%E7%AE%B1/%E8%BF%81%E7%A7%BB%E6%96%B9%E6%A1%88.doc-2.EML/迁移方案.doc HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; T312461)
Host: xyserver
Connection: Keep-Alive
This time it finally gets through:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 10 Sep 2002 04:46:44 GMT
Content-Type: application/msword
Content-Length: 485376
MS-WebStorage: 6.0.4712
Expires: Mon, 09 Sep 2002 04:46:44 GMT
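Finally, all the remaining packets look like this:
They are all labelled "HTTP: Continuation of missing frame".
Okay, the above covers the network packets for the case where the dialog box pops up.
We also need to look at the case where the Word attachment opens normally:
The simplest way to get back to normal behaviour is to make sure the mail subject is at least 45 bytes long.
In that case the capture contains no abnormal requests.
At the start, the client again issues a GET request: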
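To find clients taking this detour in their own IIS logs, the added example below (not part of the original article) tracks, per client, the three requests seen in the capture: OPTIONS from the Internet Publishing Provider, POST to shtml.dll/_vti_rpc, then POST to author.dll, and counts the 401 responses on author.dll. The log lines, client addresses, file names and field order are constructed for illustration.

```python
from collections import defaultdict

# Constructed IIS W3C-style log lines modelled on the requests in the capture;
# times, client addresses, file names and the #Fields order are assumptions.
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
04:46:35 10.0.0.5 OPTIONS /XY/XYZUV/XYZUVW.dll/a.doc 200 Microsoft+Data+Access+Internet+Publishing+Provider+Cache+Manager
04:46:35 10.0.0.5 POST /_vti_bin/shtml.dll/_vti_rpc 200 MSFrontPage/4.0
04:46:35 10.0.0.5 POST /_vti_bin/_vti_aut/author.dll 401 MSFrontPage/4.0
04:46:35 10.0.0.5 POST /_vti_bin/_vti_aut/author.dll 401 MSFrontPage/4.0
04:46:44 10.0.0.5 GET /xx/xxxxx/xxxxxx.dll/a.doc 200 Mozilla/4.0+(compatible;+MSIE+6.0)
10:35:32 10.0.0.9 GET /xx/xxxxx/xxxxxx.dll/b.doc 200 Mozilla/4.0+(compatible;+MSIE+6.0)
"""

# The three requests, in the order the capture shows them.
STAGES = [
    ("options_probe", lambda r: r["cs-method"] == "OPTIONS"
        and "Internet+Publishing+Provider" in r["cs(User-Agent)"]),
    ("rpc_version", lambda r: r["cs-method"] == "POST"
        and r["cs-uri-stem"].lower() == "/_vti_bin/shtml.dll/_vti_rpc"),
    ("author_open", lambda r: r["cs-method"] == "POST"
        and r["cs-uri-stem"].lower() == "/_vti_bin/_vti_aut/author.dll"),
]

def parse(log_text):
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def find_frontpage_handoffs(log_text):
    """Per client: how far the three-stage sequence got, and author.dll 401s."""
    state = defaultdict(lambda: {"stage": 0, "author_401": 0})
    for rec in parse(log_text):
        s = state[rec["c-ip"]]
        if s["stage"] < len(STAGES) and STAGES[s["stage"]][1](rec):
            s["stage"] += 1
        if STAGES[2][1](rec) and rec["sc-status"] == "401":
            s["author_401"] += 1
    return {ip: dict(s, complete=s["stage"] == len(STAGES))
            for ip, s in state.items() if s["stage"] > 0}

if __name__ == "__main__":
    print(find_frontpage_handoffs(SAMPLE_LOG))
```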
XCP 002.002 GET /xx/xxxxx/xxxxxx.dll/%E5%91%98%E5%B7%A5%E7%8E%8B%E6%98%95.doc?ClassName=xx_xxxxxxxxxx.xxxxxx&UserID=0DB515A4-9FA8-41E9-9DE9-B449BFC95603&Validate=YES&URL=http://XYZUSERVER/exchange/zhengyun/%E6%94%B6%E4%BB%B6%E7%AE%B1/qE6qB5q8BqE8qAFq95qE6q80qAAqE5qBCq82q82q33qE3.EML/迁移方案.doc HTTP/1.1
Accept: */*
Referer: http://xyserver/xx/xxxxx/Folder/xxxxxxxx/default.asp?xxxstring=%12%12%21%21%3a%2f%2f%45%4d%41%49%4c%53%45%52%56%45%52%2f%33%33%33%68%61%6e%33%33%2f%7a%68%65%6e%67%79%75%6e%2f%25%45%36%25%39%34%25%42%36%25%33%33%33%42%42%25%42%36%25%45%37%25%41%45%25%42%31%2f%71%45%36%71%42%35%71%38%42%71%45%38%71%41%46%71%39%35%71%45%36%71%38%30%71%41%41%71%45%35%71%42%43%71%38%32%71%38%32%71%33%33%71%45%33%2e%45%4d%4c&UserID=0DB515A4-9FA8-41E9-9DE9-B449BFC95603&sssss=收件箱
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; T312461)
Host: xyserver
Connection: Keep-Alive
Cookie: ASPSESSIONIDQGGGGYDG=KCDDMOJCKEBJCFGMNOOCCANH
Then the server cleanly returns the entire attachment:
….HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 10 Sep 2002 10:35:32 GMT
Content-Type: application/msword
Content-Length: 468992
MS-WebStorage: 6.0.4712
Expires: Mon, 09 Sep 2002 10:35:32 GMT
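Everything that follows is attachment data, omitted here.
Why is there this difference?!
The investigation continues.
The difference seems to lie in the length of the requested URL:
The shortest URL that gets through is: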
http://xyserver/xx/xxxxx/xxxxxx.dll/迁移方案.doc?ClassName=xx_xxxxxxxxxx.xxxxxx&ssssss=CE0DB799-9590-4D41-97B2-41146F1F4B0F&Validate=YES&URL=http://XYZUSERVER/exchange/zhengyun/%E6%94%B6%E4%BB%B6%E7%AE%B1/%E8%BF%81%E7%A7%BB%E6%96%B9%33%33%32123123123.EML/迁移方案.doc
Its total length is 260 bytes.
The following URL, however, does not get through, because its length is 259 bytes:
http://xyserver/xx/xxxxx/xxxxxx.dll/迁移方案.doc?ClassName=ss_ssssssssss.ssssss&ssssss=ss0DB799-9590-4D41-97B2-41146F1F4B0F&Validate=YES&URL=http://XYZUSERVER/exchange/zhengyun/%E6%94%B6%E4%BB%B6%E7%AE%B1/%E8%BF%81%E7%A7%BB%E6%96%B9%E6%A1%8812312312.EML/迁移方案.doc
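Possibly, requests for a file on a remote Web site that are shorter than 260 bytes are diverted to FrontPage's author.dll for authentication.
To be verified.
Written by zhengyun@tomosoft.com
The information in this document represents ZhengYun's current view of the issues discussed as of the date of publication; Zhengyun does not guarantee the accuracy of the information after that date.
This document is for reference only. Zhengyun makes no warranties, express or implied, about the information in this document.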