Se intenta en diferentes subcarpetas:
1 2 3 |
/scripts/..??../winnt/system32/cmd.exe /msadc/..??../..??../..??../winnt/system32/cmd.exe /_vti_bin/..??../..??../..??../winnt/system32/cmd.exe |
Detectado en la consulta:
1 2 3 4 5 |
SELECT [cs-uri-stem], COUNT(*) AS EXPR1 FROM tabla where [cs-uri-stem] like '%?%' GROUP BY [cs-uri-stem] ORDER BY 2 desc |
Bloquear el ataque utilizando la IP de origen o la cadena de entrada ‘..??..’.