search

IIS - Internet Information Services

Test executable file extensions:

  • asp

  • aspx

  • config

  • php

hashtag
Internal IP Address disclosure

On any IIS server where you get a 302 you can try stripping the Host header and using HTTP/1.0 and inside the response the Location header could point you to the internal IP address:

nc -v domain.com 80
openssl s_client -connect domain.com:443

Response disclosing the internal IP:

GET / HTTP/1.0       

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache
Pragma: no-cache
Location: https://192.168.5.237/owa/
Server: Microsoft-IIS/10.0
X-FEServer: NHEXCHANGE2016

hashtag
Execute .config files

You can upload .config files and use them to execute code. One way to do it is appending the code at the end of the file inside an HTML comment: Download example herearrow-up-right

More information and techniques to exploit this vulnerability herearrow-up-right

hashtag
IIS HTTP Bruteforce

Download the list that I have created:

file-download
19KB
iisfinal.txt
arrow-up-right-from-square打开

It was created merging the contents of the following lists:

https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/IIS.fuzz.txtarrow-up-right http://itdrafts.blogspot.com/2013/02/aspnetclient-folder-enumeration-and.htmlarrow-up-right https://github.com/digination/dirbuster-ng/blob/master/wordlists/vulns/iis.txtarrow-up-right https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/aspx.txtarrow-up-right https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/asp.txtarrow-up-right https://raw.githubusercontent.com/xmendez/wfuzz/master/wordlist/vulns/iis.txtarrow-up-right

Use it without adding any extension, the files that need it have it already.

hashtag
Local File Inclusion list

From herearrow-up-right

hashtag
Old IIS vulnerabilities worth looking for

hashtag
Microsoft IIS tilde character “~” Vulnerability/Feature – Short File/Folder Name Disclosure

You can try to enumerate folders and files inside every discovered folder (even if it's requiring Basic Authentication) using this technique. The main limitation of this technique if the server is vulnerable is that it can only find up to the first 6 letters of the name of each file/folder and the first 3 letters of the extension of the files.

You can use https://github.com/irsdl/IIS-ShortName-Scannerarrow-up-right to test for this vulnerability:java -jar iis_shortname_scanner.jar 2 20 http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db/

Original research: https://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdfarrow-up-right

You can also use metasploit: use scanner/http/iis_shortname_scanner

hashtag
Basic Authentication bypass

Bypass a Baisc authentication (IIS 7.5) trying to access: /admin:$i30:$INDEX_ALLOCATION/admin.php or /admin::$INDEX_ALLOCATION/admin.php

You can try to mix this vulnerability and the last one to find new folders and bypass the authentication.

上一页H2 - Java SQL database下一页JBOSS

最后更新于