0x00 信息收集
nmap -Pn -sV -p- -T 4 10.10.10.14
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
80端口服务如下
使用路径爆破,没有发现可利用的信息。
再次使用nmap进行扫描 nmap -Pn -sV -p 80 -A --script=vuln 10.10.10.14
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /postinfo.html: Frontpage file or folder
| /_vti_bin/_vti_aut/author.dll: Frontpage file or folder
| /_vti_bin/_vti_aut/author.exe: Frontpage file or folder
| /_vti_bin/_vti_adm/admin.dll: Frontpage file or folder
| /_vti_bin/_vti_adm/admin.exe: Frontpage file or folder
| /_vti_bin/fpcount.exe?Page=default.asp|Image=3: Frontpage file or folder
| /_vti_bin/shtml.dll: Frontpage file or folder
|_ /_vti_bin/shtml.exe: Frontpage file or folder
| http-frontpage-login:
| VULNERABLE:
| Frontpage extension anonymous login
| State: VULNERABLE
| Default installations of older versions of frontpage extensions allow anonymous logins which can lead to server compromise.
|
| References:
|_ http://insecure.org/sploits/Microsoft.frontpage.insecurities.html
|_http-server-header: Microsoft-IIS/6.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
大致判断漏洞出现在服务中,使用exploit-db搜索“Microsoft IIS 6.0”,尝试利用如下漏洞
0x01 漏洞利用
使用msf搜索“iis 6.0”,修改相关配置并利用漏洞
0x02 权限提升
利用msf的提权检测模块
使用 multi/recon/local_exploit_suggester 模块
使用前需要进行一下进程的迁移