Prerequisites
nikto, nmap, the WebDAV service on IIS 6.0, davtest, and the webshells bundled with Kali
Information gathering
nmap 10.10.10.15
Only port 80 is open, so it is still a web target; open the target machine in a browser.
It goes straight to an error page, which is confusing, but it does tell us the server is IIS.
A directory scan turned up no leads, so run an nmap vulnerability scan.
nmap -script=vuln 10.10.10.15
Still nothing notable.
Run nikto; this time there is a lot more information.
nikto -h http://10.10.10.15
+ Server: Microsoft-IIS/6.0
+ Retrieved microsoftofficewebserver header: 5.0_Pub
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'microsoftofficewebserver' found, with contents: 5.0_Pub
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-aspnet-version header: 1.1.4322
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-397: HTTP method 'PUT' allows clients to save files on the web server.
+ OSVDB-5646: HTTP method 'DELETE' allows clients to delete files on the web server.
+ Retrieved dasl header: <DAV:sql>
+ Retrieved dav header: 1, 2
+ Retrieved ms-author-via header: MS-FP/4.0,DAV
The server is IIS 6.0, so Google "iis6.0 exploit".
This turns up Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow, CVE-2017-7269, and this machine happens to have DAV enabled.
DAV can be probed with davtest.
davtest -url http://10.10.10.15
The test output is as follows.
********************************************************
Testing DAV connection
OPEN SUCCEED: http://10.10.10.15
********************************************************
NOTE Random string for this session: a6GgkBw
********************************************************
Creating directory
MKCOL SUCCEED: Created http://10.10.10.15/DavTestDir_a6GgkBw
********************************************************
Sending test files
PUT pl SUCCEED: http://10.10.10.15/DavTestDir_a6GgkBw/davtest_a6GgkBw.pl
PUT jhtml SUCCEED: http://10.10.10.15/DavTestDir_a6GgkBw/davtest_a6GgkBw.jhtml
PUT jsp SUCCEED: http://10.10.10.15/DavTestDir_a6GgkBw/davtest_a6GgkBw.jsp
PUT asp FAIL
PUT cfm SUCCEED: http://10.10.10.15/DavTestDir_a6GgkBw/davtest_a6GgkBw.cfm
PUT php SUCCEED: http://10.10.10.15/DavTestDir_a6GgkBw/davtest_a6GgkBw.php
PUT txt SUCCEED: http://10.10.10.15/DavTestDir_a6GgkBw/davtest_a6GgkBw.txt
PUT cgi FAIL
PUT shtml FAIL
PUT aspx FAIL
PUT html SUCCEED: http://10.10.10.15/DavTestDir_a6GgkBw/davtest_a6GgkBw.html
********************************************************
Checking for test file execution
EXEC pl FAIL
EXEC jhtml FAIL
EXEC jsp FAIL
EXEC cfm FAIL
EXEC php FAIL
EXEC txt SUCCEED: http://10.10.10.15/DavTestDir_a6GgkBw/davtest_a6GgkBw.txt
EXEC html SUCCEED: http://10.10.10.15/DavTestDir_a6
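As the defender-side counterpart to the nikto and davtest findings above, here is an added example (not from the original writeup) that scans IIS 6.0 W3C log lines for successful WebDAV write methods and groups requests touching davtest's DavTestDir_<token> artifacts by client and session token; the log lines, client IPs and user-agent string are constructed for the demo.

```python
import re
from collections import defaultdict

# Methods that change content on the server; nikto flagged PUT and DELETE
# (OSVDB-397/5646) and davtest exercised MKCOL/PUT above.
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH"}
# davtest names its artifacts DavTestDir_<token>/davtest_<token>.<ext>.
DAVTEST_RE = re.compile(r"/DavTestDir_(?P<tok>\w+)(?:/davtest_(?P=tok)\.\w+)?")
# IIS 6.0 W3C extended log columns (order follows the #Fields header).
FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
          "cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status").split()

# Constructed sample log; client IPs and the user-agent value are made up.
SAMPLE_LOG = """\
2017-04-12 10:01:02 10.10.10.15 GET / - 80 - 10.10.14.2 Mozilla/5.0 200 0 0
2017-04-12 10:01:05 10.10.10.15 OPTIONS / - 80 - 10.10.14.2 DAV.pm/v0.49 200 0 0
2017-04-12 10:01:06 10.10.10.15 MKCOL /DavTestDir_a6GgkBw - 80 - 10.10.14.2 DAV.pm/v0.49 201 0 0
2017-04-12 10:01:07 10.10.10.15 PUT /DavTestDir_a6GgkBw/davtest_a6GgkBw.txt - 80 - 10.10.14.2 DAV.pm/v0.49 201 0 0
2017-04-12 10:01:07 10.10.10.15 PUT /DavTestDir_a6GgkBw/davtest_a6GgkBw.asp - 80 - 10.10.14.2 DAV.pm/v0.49 403 0 0
2017-04-12 10:01:08 10.10.10.15 GET /DavTestDir_a6GgkBw/davtest_a6GgkBw.txt - 80 - 10.10.14.2 DAV.pm/v0.49 200 0 0
2017-04-12 10:02:00 10.10.10.15 GET /index.asp - 80 - 10.10.14.3 Mozilla/5.0 200 0 0
"""

def parse_w3c(text):
    """Yield one dict per log line; skip comment lines and malformed rows."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or len(parts) != len(FIELDS):
            continue
        yield dict(zip(FIELDS, parts))

def webdav_write_events(text):
    """Successful (2xx) write-method requests as (c-ip, method, uri, status)."""
    return [(r["c-ip"], r["cs-method"], r["cs-uri-stem"], int(r["sc-status"]))
            for r in parse_w3c(text)
            if r["cs-method"] in WRITE_METHODS and r["sc-status"].startswith("2")]

def davtest_sessions(text):
    """Group requests touching davtest artifacts by (c-ip, session token)."""
    sessions = defaultdict(set)
    for r in parse_w3c(text):
        m = DAVTEST_RE.search(r["cs-uri-stem"])
        if m:
            sessions[(r["c-ip"], m.group("tok"))].add(r["cs-method"])
    return {k: sorted(v) for k, v in sessions.items()}
```

The same two checks apply to live logs: any 2xx response to a method in WRITE_METHODS from an untrusted client means anonymous WebDAV writes are enabled, which is the condition the writeup exploits.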