Tuesday, July 1, 2014

12:58 AM

Good day. I am new to web scripting, and while studying basic web development on ASP.NET I decided to write about a simple InfoSec shell script that is useful to a systems administrator or web developer when performing security checks on an IIS server.

So, a little bit of info about PowerShell:

Microsoft Windows PowerShell is a command line shell and scripting language that helps IT professionals achieve greater control and productivity. Using a new admin-focused scripting language, more than 130 standard command line tools, and consistent syntax and utilities, Windows PowerShell allows IT professionals to more easily control system administration and accelerate automation. Windows PowerShell is easy to adopt, learn, and use, because it works with your existing IT infrastructure and existing script investments, and because it runs on Windows XP, Windows Vista, and Windows Server 2003. Windows PowerShell is now included as part of Windows Server 2008 and can be evaluated in Windows Server 2008 Beta 3. Exchange Server 2007, System Center Operations Manager 2007, System Center Data Protection Manager V2, and System Center Virtual Machine Manager also leverage Windows PowerShell to improve administrator control, efficiency, and productivity.
A web shell like this is also considered a vulnerability in web application security; a common cause is a file upload vulnerability. This becomes really practical when you are testing a web app QA environment and want to show the client that it may grant direct access to the system's information or processes, or even direct access to the database, including critical production databases such as MSSQL servers.

Take note that this web shell might be considered an ASP.NET backdoor shell by attackers, and it only works on IIS servers that allow .aspx execution. Penetration testers: this is useful information for mitigating the means of escalating an attack into the internal network, provided we also check for possible web shell pages.

The pshell.aspx shell supports command execution. Below is an overview of some basic functionality tested on my local machine:

[Screenshots: pshell execute 1, pshell execute 2]

The command execution can be used to locate the web directories or configuration files on the system.

For educational purposes, I also tried testing this on a live free ASP.NET shared host and got some information; an example is below:

[Screenshot: Powershell ASP.net]

It is very dangerous to have a PowerShell profile that executes undetected because it appears to be doing nothing more than writing simple text files. When properly configured, every instruction in your profile executes, including bad stuff.

So how can you avoid this problem? Partly by restricting script execution through the execution policy; see the Set-ExecutionPolicy command. Make sure that you use the AllSigned policy, which requires all scripts to be digitally signed and forces the shell to check their integrity when they are executed. To sign a script, you can use the Set-AuthenticodeSignature command.

This way you can harden the system against a web shell script executing without your knowledge, but this is not the only way to prevent this attack vector in PowerShell. Proper configuration and a malware detection tool may also be needed.
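As an added example (not code from the post or from pshell.aspx), here are the defender-side checks the post points at: a scan of the IIS web root for ASP.NET pages that host PowerShell or spawn processes, plus a report of the execution policy and whether each profile file carries a valid signature. The web root path, the indicator patterns and the PowerShell 4.0+ requirement are assumptions; adjust them for your server.

```powershell
# Added example, not part of the original post. Assumes PowerShell 4.0+ (Get-FileHash)
# and that $WebRoot points at the IIS content directory (C:\inetpub\wwwroot is a guess).
function Find-SuspectAspxPages {
    param(
        [string]$WebRoot = 'C:\inetpub\wwwroot',
        [string[]]$Extensions = @('*.aspx', '*.ashx', '*.asmx', '*.asax')
    )
    # Constructed indicator list: strings a page needs in order to host PowerShell
    # in-process, launch the interpreter, or route request input into either.
    $patterns = @(
        'System\.Management\.Automation',
        'RunspaceFactory|PowerShell\.Create',
        'powershell(\.exe)?',
        'Process\.Start|ProcessStartInfo',
        'Request\.(Form|QueryString|Params)'
    )
    Get-ChildItem -Path $WebRoot -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Record which indicators matched, the modification time and a hash for triage.
            $hits = Select-String -Path $_.FullName -Pattern $patterns |
                    Select-Object -ExpandProperty Pattern -Unique
            if ($hits) {
                [pscustomobject]@{
                    Path       = $_.FullName
                    LastWrite  = $_.LastWriteTimeUtc
                    Indicators = ($hits -join ', ')
                    Sha256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

function Get-ProfileSigningState {
    # Execution policy for every scope; the effective one is the first non-Undefined entry.
    $policy = Get-ExecutionPolicy -List
    # $PROFILE carries one note property per profile location; check each file that exists.
    $profiles = $PROFILE | Get-Member -MemberType NoteProperty | ForEach-Object {
        $path = $PROFILE.($_.Name)
        if (Test-Path -LiteralPath $path) {
            [pscustomobject]@{ Profile = $_.Name; Path = $path; Status = (Get-AuthenticodeSignature -FilePath $path).Status }
        }
    }
    [pscustomobject]@{ ExecutionPolicy = $policy; Profiles = $profiles }
}

# Hardening steps from the post (commented out so the audit above stays read-only):
#   Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine
#   $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
#   Set-AuthenticodeSignature -FilePath $PROFILE.CurrentUserAllHosts -Certificate $cert
```

Run `Find-SuspectAspxPages | Format-Table -AutoSize` and `Get-ProfileSigningState` from an elevated prompt on the web server. Note that the execution policy governs script and profile files only; commands a page hands to the PowerShell engine one at a time are not subject to it, so the file scan is the check that would actually surface a page like pshell.aspx.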

Here, I have uploaded a simple ASP.NET PowerShell shell. This is for educational purposes only, so use it at your own risk!

Finally, you can download the pentesting tool/script here: pshell.aspx

Have fun!
