2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article walks through the IIS file PUT upload vulnerability, starting from building a test platform. The content is concise and easy to follow, and I hope you get something out of it.
Learn the IIS file PUT upload vulnerability, starting from building the platform.
New vulnerability testing skill acquired! I have to say that IIS is still very common; many of the projects I tested before ran on IIS, so it is necessary to know what vulnerabilities it has.
Building the target machine:
The target machine is Windows Server 2003. Enabling IIS is simple: go to Control Panel > Add or Remove Programs and click "Add/Remove Windows Components" on the left; a dialog box pops up.
In the dialog box, locate and select Application Server, then click Details in the lower right corner.
Check the components as shown in the figure, then confirm and click Next.
If you have not installed IIS before, you may be prompted to insert the CD. Because I am using a virtual machine, I can load the installation CD1 directly into the virtual CD-ROM drive. Note that although the pop-up window asks for CD2, the files it actually needs are only on CD1. If you are prompted to reinstall Windows Server 2003 after inserting CD1, just ignore the prompt and close it.
When prompted that the changes are complete, close the dialog box. At this point the service has been set up, and verification is simple: enter localhost or 127.0.0.1 in the browser address bar. If you see the following page, the setup is complete.
Of course, local access is not enough; the host must also be able to connect. To be on the safe side, check whether the host can ping the virtual machine. The virtual machine's IP is 192.168.101.9 (note that the virtual machine's network adapter must use bridged mode); then ping that address from the host.
Good, the ping goes through. Then check whether the host can access the virtual machine's web service: enter the address 192.168.101.9 (default port) in the browser address bar.
OK, the target machine has been built successfully. Next come the related settings and management. On the target machine, select Control Panel > Administrative Tools, find Internet Information Services (IIS) Manager, and open it, as shown below.
With the target machine built, let's discuss the vulnerability. The IIS file PUT upload vulnerability, as the name implies, has two conditions: first, it exists only under IIS (specifically IIS 6.0), and second, it requires PUT, the HTTP method often described as unsafe. When you come across a site that is confirmed to run a lower version of IIS and has the PUT method open, this vulnerability is likely to exist. The following figure shows the OPTIONS response returned by a system without the vulnerability (I didn't want to install Burp Suite on the virtual machine, so I imitated it on Win10; ignore the IIS 10.0. After testing, the vulnerability has been fixed.)
The following is the OPTIONS response returned by the vulnerable system:
Whether the vulnerability exists depends on whether WebDAV is turned on and how it is configured. To reproduce the vulnerability, we first need to turn on the WebDAV function and enable write permission. For how to do it, see the figure: right-click Default Web Site > Properties > Home Directory, and tick Write (off by default).
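
For auditing your own server, the sketch below reads a saved OPTIONS response and reports whether WebDAV and write-type methods are advertised for the requested URL. It is an added example, not code from the original article; the two sample responses are constructed, and the function names are assumptions.

```python
# Added example: audit a captured OPTIONS response for WebDAV write exposure.
# Both responses below are constructed samples, not captures from the article.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}

WEBDAV_WRITABLE = """\
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
DAV: 1, 2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, MKCOL
"""

NO_WEBDAV = """\
HTTP/1.1 200 OK
Server: Microsoft-IIS/10.0
Allow: OPTIONS, TRACE, GET, HEAD, POST
Public: OPTIONS, TRACE, GET, HEAD, POST
"""

def parse_headers(raw):
    """Map lower-cased header names to values; the status line is skipped."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def method_set(value):
    """Split a comma-separated method list into an upper-cased set."""
    return {m.strip().upper() for m in value.split(",") if m.strip()}

def audit_options(raw):
    """Summarise what the response advertises about WebDAV and write methods."""
    h = parse_headers(raw)
    allowed = method_set(h.get("allow", ""))    # methods offered for this URL
    public = method_set(h.get("public", ""))    # methods the server lists overall
    return {
        "server": h.get("server", "unknown"),
        "webdav": "dav" in h,
        "write_methods_allowed": sorted(allowed & WRITE_METHODS),
        "write_methods_public_only": sorted((public - allowed) & WRITE_METHODS),
        "needs_review": "dav" in h and bool(allowed & WRITE_METHODS),
    }
```

An advertised PUT only means the method is offered; as the 401 and 403 responses later in the article show, directory and account permissions still decide whether a write succeeds.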
WebDAV is an extension of HTTP/1.1 that adds new methods beyond the standard ones such as GET, POST and HEAD, so that applications can read from and write to the web server directly. WebDAV is not commonly used; in practice, POST and GET cover ordinary business needs. Back to reproducing the vulnerability: we now use the tool IIS PUT Scanner to test whether the target is vulnerable. Open the tool on the host and enter the address 192.168.101.9 (in a real test, fill in the target system's address). The port defaults to 80,8080; fill in the port according to the actual system, leave the rest at the defaults, and click Scan.
You can see that PUT on port 80 is YES. We then use another tool to upload to the server: upload a one-line webshell as a txt file; for the webshell, see the picture.
Huh? Wait, why a 401, not authorized to view? I searched Baidu, and it turned out that access also has to be opened for the Internet account. Right-click the default website > Permissions, and tick read, write and modify for the Internet account.
Send it again: OK, it returns 201, and the file can be seen in the website directory.
Of course, txt is not an executable format, and we need to change the file's format before we can connect to it with the "kitchen knife" webshell client. Using the MOVE method, submit the packet and change the txt to asp.
Huh? Why 403 again? Why is what I do always different from what the experts get? Crying... Troubleshooting the problem, I found that the file format is banned. Because I just tried converting txt to jpg.
All right, go back to the properties and tick the "Script source access" permission.
Try again, and it finally succeeds!
The shell just lies there quietly, waiting for the "kitchen knife" to knock on the door.
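
The sequence above (a denied PUT, a PUT answered with 201, a denied MOVE, then a successful MOVE) leaves a recognisable trail in the IIS W3C extended log. The following detection sketch is an added example, not code from the original article; the log lines are constructed, and the client address, file name and function names are assumptions.

```python
# Added example: flag WebDAV writes in an IIS W3C extended log.
# LOG is constructed sample data; the client IP and file name are assumptions.
LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-01-01 02:10:01 192.168.101.1 OPTIONS / 200
2024-01-01 02:10:07 192.168.101.1 PUT /test.txt 401
2024-01-01 02:11:30 192.168.101.1 PUT /test.txt 201
2024-01-01 02:12:02 192.168.101.1 MOVE /test.txt 403
2024-01-01 02:13:15 192.168.101.1 MOVE /test.txt 201
2024-01-01 02:14:00 192.168.101.7 GET /index.htm 200
"""
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}

def parse_w3c(text):
    """Yield one dict per request, using the column order given by #Fields."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def find_webdav_writes(text):
    """Return (kind, timestamp, client, uri) tuples in log order."""
    uploaded = set()      # (client, uri) pairs created by a successful PUT
    findings = []
    for r in parse_w3c(text):
        method, status = r["cs-method"].upper(), int(r["sc-status"])
        if method not in WRITE_METHODS:
            continue
        key = (r["c-ip"], r["cs-uri-stem"].lower())
        when = r["date"] + " " + r["time"]
        if status in (401, 403):
            kind = "denied-write"            # write attempt refused by permissions
        elif method == "PUT" and 200 <= status < 300:
            uploaded.add(key)
            kind = "upload"
        elif method in ("MOVE", "COPY") and 200 <= status < 300 and key in uploaded:
            kind = "rename-after-upload"     # same client moved or copied its upload
        else:
            continue
        findings.append((kind, when) + key)
    return findings
```

The standard W3C fields do not record the MOVE Destination header, so the new file name has to be recovered from the web directory or from later requests by the same client.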