ScriptResource.axd vulnerable script when I test it with Shadow Security Scanner
I performed tests against my web server using Shadow Security Scanner with the following results:
Web Servers : Vulnerable script
Port : 80
Description: Found vulnerable script on this web site
Risk level :High
Script: http://servername/ScriptResource.axd?d=P4tzN-eCJlchxi30M7K6eGzyH7tdeY4timDGCw0yDS45Ur477KM8CSqJQdqun4VDGbs5xXGPE7VeqXqRIDyOHxwoopCbgbWmKFLiyKB1Qs5UDJTyZQYe4zURSEshSBwPOm1hORh40237AJZ_EWO2n2-3IwAzTY__px0r6WbIYgWamkVz0&t=/etc/passwd
CVE : GENERIC-MAP-NOMATCH
Why is ScriptResource.axd a vulnerable script?
Thanks in advance.
Don Pablone
Automated tools will produce false positives. Have you tried to manually verify this vulnerability? Judging by this PoC, it's supposed to print out the /etc/passwd file (or possibly overwritten, it's not clear). However, this file is *nix only, so it shouldn't exist on your system. You could try setting the t variable to a file that does exist: ../../../../../../../../../Windows/system.ini
If it's not being printed out then it's a false positive.
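A small triage helper for the manual check described in the answer above, added here as an example and not part of the original thread: it inspects a saved response body for the content of the two files named on this page. The function names, the signatures it matches on and the sample responses are constructed for illustration.

```python
import re
from typing import Optional

# Signatures for the two files named in the thread (typical on-disk formats).
PASSWD_LINE = re.compile(
    r"^[A-Za-z_][\w.-]*:[^:\n]*:\d+:\d+:[^:\n]*:[^:\n]*:[^:\n]*$", re.M)
INI_SECTION = re.compile(r"^\[(386enh|drivers|mci)\]\s*$", re.I | re.M)

def file_disclosed(body: str) -> Optional[str]:
    """Return which file's content appears in the response body, else None."""
    if len(PASSWD_LINE.findall(body)) >= 2:  # 2+ records, to avoid chance matches
        return "/etc/passwd"
    if INI_SECTION.search(body):
        return "system.ini"
    return None

def triage(status: int, body: str) -> str:
    """Classify one saved response from the manual check."""
    hit = file_disclosed(body)
    if hit:
        return f"confirmed: response contains {hit} content"
    if status >= 400:
        return "false positive: handler rejected the request"
    return "false positive: response does not contain the requested file"

# Constructed sample responses (not captured from any real server).
SAMPLE_ERROR = "<html><title>The resource cannot be found.</title></html>"
SAMPLE_SCRIPT = "Type.registerNamespace('Sys');\nfunction Sys$Component() {}\n"
SAMPLE_INI = "; for 16-bit app support\r\n[386Enh]\r\nwoafont=dosapp.fon\r\n[drivers]\r\nwave=mmdrv.dll\r\n"
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"

if __name__ == "__main__":
    for name, status, body in [("error page", 404, SAMPLE_ERROR),
                               ("script body", 200, SAMPLE_SCRIPT),
                               ("ini content", 200, SAMPLE_INI)]:
        print(f"{name}: {triage(status, body)}")
```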