Silic Group Froum Archive - Silic Security

[Original] A write-up of getting a shell on IIS 8.5

冷尊 The user has been deleted
Posted 2016-9-13 16:37:48
This post was last edited by 冷尊 on 2016-9-13 16:39

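0x0: Preface
Big cousin (Rainy) sent me a site in a great hurry today,
and tossed me the admin back end and so on: www.xxxxx.com
I'll use this domain in place of the target site's domain here, since this site matters a lot to big cousin.
0x1
Open the site and first take a look at the admin back end: www.xxxxx.com/admin
[Image: 图片1.png]
No rush to log in to the back end; let's first check what type of web server the site runs
[Image: 图片2.png]
Microsoft-IIS/8.5

I was dumbfounded right then; it was my first time seeing IIS 8.5 (forgive this country bumpkin)

Then I searched Baidu and Google, both with no results

Nothing for it but to press on, praying the back end would turn up a database backup, a way to execute SQL statements or the like, or let me inject into the site configuration
0x2
Once I logged in to the back end and looked, all my fantasies were shattered
[Image: 图片3.png]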
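0x3: Starting to get a shell
After getting in I started rummaging around for anything exploitable and found a kind editor.

I had once taken a site through the kind editor before, so I wanted to see whether this one could be exploited too; after trying an upload I was thoroughly disappointed
[Image: 图片4.png]
404. All right, let's look for other upload points. After rummaging left and right, I found an upload point with an upload button
[Image: 图片5.png]
Let's try to break through with burp, trying truncation and so on.
Bring out the magic tool; I won't go into the settings and so on. Try truncation
[Image: 图片6.png]
…… upload failed
[Image: 图片7.png]
Truncation failed. I smoked a cigarette and thought it over.
I intercepted once more and suddenly remembered an article I had read before
Modify the intercepted packet,
[Image: 图片8.png]
Take a look at the Headers tab
It contains the information from when we uploaded the file; then change the file name x.asp;.jpg to x.asp
[Image: 图片9.png]
[Image: 图片10.png]
Then Forward to release this packet
Then go look at the site; one box has turned into a blank area
[Image: 图片11.png]
Right-click -- Properties, and you can see the address of the shell we uploaded
Seeing this I was very excited inside. I don't understand the principle behind this upload either; I only know this method
I'm a person who values substance: as long as the method works, that's fine; I can't remember principles and such anyway
Er, back to the point: visit this address
[Image: 图片12.png]
Successfully got the address of the shell. I'm not good at privilege escalation, so I won't embarrass myself.

Just hoping to learn and improve; experts, go easy on me!!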
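
For the defending side: the step above where the file name is edited in the intercepted request shows that the name reaching the server is whatever the client sends. The following is an added example, not part of the original post and not the target site's code, sketching a server-side check that refuses the names used in the post. The allowlist, the script-extension list and the function names are assumptions.

```python
import re
import uuid

# Assumed policy for an image-only upload form (not taken from the post).
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}
SCRIPT_EXT = {".asp", ".asa", ".cer", ".cdx", ".aspx", ".ashx", ".asmx"}
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
         ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8"}


def check_upload(client_name, data):
    """Validate an upload on the server; returns (ok, reason, stored_name)."""
    # The client-supplied name is untrusted: keep only the last path component.
    name = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    if not name or re.search(r"[\x00-\x1f;:%]", name):
        return False, "forbidden character in name", None
    parts = name.lower().split(".")
    # Check every dot-separated segment, so x.asp.jpg is refused as well.
    if any("." + p in SCRIPT_EXT for p in parts[1:]):
        return False, "script extension in name", None
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext not in ALLOWED_EXT:
        return False, "extension not allowlisted", None
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension", None
    # Store under a server-generated name; the client name is never reused.
    return True, "ok", uuid.uuid4().hex + ext


# Constructed sample uploads: (file name as received, first bytes of the body).
JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
TEXT = b"placeholder text body"
SAMPLES = [("photo.jpg", JPEG), ("x.asp;.jpg", JPEG), ("x.asp", TEXT),
           ("x.asp.jpg", JPEG), ("notes.jpg", TEXT)]


def run_samples():
    return [(n, *check_upload(n, d)[:2]) for n, d in SAMPLES]


if __name__ == "__main__":
    for name, ok, reason in run_samples():
        print(f"{name:12} accepted={ok} ({reason})")
```

Serving the upload directory with script execution disabled complements this check, since a file that slips through is then returned as static content.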
DreamerK The user has been deleted
Posted 2016-9-13 17:08:20
Taking a look to learn
nolove The user has been deleted
Posted 2016-9-13 17:20:46
Here to learn whether there's a new technique
南宫剑影 The user has been deleted
Posted 2016-9-13 17:47:58
I'm just here to learn
Mohan The user has been deleted
Posted 2016-9-13 18:05:03
Taking a look!!
yeyu The user has been deleted
Posted 2016-9-13 18:10:03

Taking a look to learn
shimx The user has been deleted
Posted 2016-9-13 18:34:27
Taking a look at the approach. Truncation? Or...
blsn3548 The user has been deleted
Posted 2016-9-13 21:32:00
Thanks for sharing your experience
Harry The user has been deleted
Posted 2016-9-13 21:46:41
Learned something new. Taking a look
koko410 The user has been deleted
Posted 2016-9-13 21:50:32
iis8.5, never worked on it = =
捡垃圾的小白 The user has been deleted
Posted 2016-9-13 23:32:24
What technique is it? Let me see
toolsmtbao The user has been deleted
Posted 2016-9-14 01:20:35
Learning from this; haven't run into it yet
canxue The user has been deleted
Posted 2016-9-14 10:53:24
666666666
CR7sun The user has been deleted
Posted 2016-9-14 12:18:20
Let's see how it was taken...
Tabris The user has been deleted
Posted 2016-9-14 15:03:15
Taking a look at the master's approach
zxcvbnm The user has been deleted
Posted 2016-9-14 17:27:37
So slick, I have to take a look
suy The user has been deleted
Posted 2016-9-14 20:22:16
Watching the veteran's moves
chuyu The user has been deleted
Posted 2016-9-15 15:34:02
Nice one, 冷尊; bowing down
cao The user has been deleted
Posted 2016-9-15 15:58:04
I'm here to take a look
Amone The user has been deleted
Posted 2016-9-15 20:19:28

Taking a look to learn