Hacking IIS Applications

Last updated 10 months ago

Resources

https://youtu.be/XlmeSFm3RT4?si=hfhzGF9ymG6Igt5j

https://www.youtube.com/watch?v=cqM-MdPkaWo

https://www.youtube.com/watch?v=yyD8Z5Qar5I

HTTPAPI 2.0 Assets

  • Got an "HTTP API 2.0" 404 error page (the http.sys default response when no site binding matches the request)

  • The asset is exposed as a bare IP, but the intended hostname can be read from the TLS certificate's Common Name

  • Set the Host header to that hostname to reach the real site

VHost Hopping

  • Came across a subdomain running an IIS server: apply.company.com

  • VHost enumeration (Host header fuzzing) using ffuf or Burp Intruder

  • Found mssql.company.com

  • It was running MSSQL Explorer/Manager

Local File Disclosure to DLLs

  • DownloadCategoryExcel?fileName=../../web.config

  • DownloadCategoryExcel?fileName=../../global.asax

  • The disclosed config reveals the application namespace, and with it the DLL name: <add namespace="Company.Web.Api"/>

  • DownloadCategoryExcel?fileName=../../bin/Company.Web.Api.dll

LFD -> RCE

  • Obtain the machineKey from the web.config file (validationKey and decryptionKey)

  • __VIEWSTATE -> insecure deserialization -> RCE (ViewState signed with the leaked key is accepted and deserialized by the server)
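To see what a disclosed web.config hands over, here is an added audit script (not from the original page) that parses a constructed web.config and flags the settings behind the ViewState chain above: a static machineKey, a legacy MAC algorithm, MAC validation switched off, and verbose errors. The sample config and its key values are placeholders; a static key is legitimate in a web farm, which is exactly why its disclosure matters.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (placeholder keys, not a real deployment).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="Off" />
    <machineKey validationKey="PLACEHOLDER-VALIDATION-KEY"
                decryptionKey="PLACEHOLDER-DECRYPTION-KEY"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>"""

# Legacy MAC algorithms; HMACSHA256 or stronger is the expected setting.
WEAK_VALIDATION = {"MD5", "SHA1", "3DES", "AES"}


def audit_web_config(xml_text):
    """Return (severity, message) findings for a web.config string."""
    findings = []
    root = ET.fromstring(xml_text)
    for mk in root.iter("machineKey"):
        # Default is "AutoGenerate,IsolateApps"; a literal key is shared with
        # whoever can read this file, and that key signs __VIEWSTATE.
        if "AutoGenerate" not in mk.get("validationKey", "AutoGenerate"):
            findings.append(("HIGH", "static validationKey: a reader of this file can sign __VIEWSTATE"))
        if "AutoGenerate" not in mk.get("decryptionKey", "AutoGenerate"):
            findings.append(("HIGH", "static decryptionKey: a reader of this file can decrypt ViewState and auth tickets"))
        algo = mk.get("validation", "HMACSHA256").upper()
        if algo in WEAK_VALIDATION:
            findings.append(("MEDIUM", f"legacy ViewState MAC algorithm {algo}; use HMACSHA256"))
    for pages in root.iter("pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append(("CRITICAL", "enableViewStateMac=false: unsigned ViewState is deserialized"))
    for ce in root.iter("customErrors"):
        if ce.get("mode", "RemoteOnly").lower() == "off":
            findings.append(("LOW", "customErrors mode=Off: stack traces reach remote clients"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_web_config(SAMPLE_WEB_CONFIG):
        print(f"[{severity}] {message}")
```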

RCE with Local

ASP.NET XSS

  • Try it on login pages, redirects, forms and dynamic URL construction (~/images/). Payload: /(A(%22onerror='alert%60123%60'test))/

dnSpy

  • Found leaked zip files containing DLL files?

  • Use dnSpy to decompile them back to source code

IIS Discovery Bruteforce

Partial Fuzzing

  • shortscan https://apply.company.com/

  • IIS Short Name Scanner

  • Got only a fragment of a file name (the 8.3 short name) rather than the full name? Fuzz the rest: keep the confirmed prefix and replace the tail with the FUZZ keyword

  • LIDSDI -> LIDFUZZ | EASYFI -> EASYFUZZ

  • ffuf -w wordlist.txt -D -e asp,aspx,ashx,asmx -t 100 -c -u https://apply.company.com/lidsFUZZ

  • ./crunch 0 3 abcdefghijklmnopqrstuvwxyz0123456789 -o 3char.txt

Nuclei

Fingerprinting with Shodan

Utilize Shodan to identify IIS instances with specific characteristics:

  • http.title:"IIS"

  • ssl:"Company Inc." http.title:"IIS"

  • ssl.cert.subject.cn:"company.in" http.title:"IIS"

Fingerprinting Techniques

Cookies

  • ASP.NET_SessionId (ASP.NET)

  • ASPSESSIONID… (classic ASP; the cookie name carries a random suffix)

Headers Regex

  • X-AspNet-Version: (.*)\;version:\1 (Wappalyzer notation: the captured header value is the framework version)

  • X-Powered-By: ^ASP\.NET

HTML Regex

  • <input[^>]+name="__VIEWSTATE

URL Regex

  • \.aspx?(?:$|\?)
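An added example, not from the original page, that applies the cookie, header, HTML and URL patterns above to one constructed response (the hostname, header values and ViewState value are made up). It is useful for inventorying which of your own hosts still disclose ASP.NET version headers.

```python
import re

# Patterns from the fingerprinting section, rewritten from Wappalyzer
# notation into plain Python regexes.
HEADER_VERSION = re.compile(r"^(.*)$")        # X-AspNet-Version: group 1 is the version
HEADER_POWERED = re.compile(r"^ASP\.NET")     # X-Powered-By
HTML_VIEWSTATE = re.compile(r'<input[^>]+name="__VIEWSTATE', re.I)
URL_ASPX = re.compile(r"\.aspx?(?:$|\?)", re.I)
COOKIE_PREFIXES = ("asp.net_sessionid", "aspsessionid")

# Constructed sample response from a hypothetical IIS host.
SAMPLE_URL = "https://apply.company.com/Account/Login.aspx?ReturnUrl=%2f"
SAMPLE_HEADERS = {
    "X-AspNet-Version": "4.0.30319",
    "X-Powered-By": "ASP.NET",
    "Set-Cookie": ["ASP.NET_SessionId=placeholder; path=/; HttpOnly"],
}
SAMPLE_BODY = ('<form method="post" action="./Login.aspx"><input type="hidden" '
               'name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDw" /></form>')


def fingerprint(url, headers, body):
    """Return the ASP.NET/IIS indicators found in one HTTP response."""
    result = {"aspnet": False, "version": None, "viewstate": False,
              "session_cookie": None, "aspx_url": False}
    h = {k.lower(): v for k, v in headers.items()}
    if "x-aspnet-version" in h:
        result["aspnet"] = True
        result["version"] = HEADER_VERSION.match(h["x-aspnet-version"].strip()).group(1)
    if HEADER_POWERED.match(h.get("x-powered-by", "")):
        result["aspnet"] = True
    cookies = h.get("set-cookie", [])
    for raw in ([cookies] if isinstance(cookies, str) else cookies):
        name = raw.split("=", 1)[0].strip()      # cookie name precedes the first '='
        if name.lower().startswith(COOKIE_PREFIXES):
            result["session_cookie"] = name
    result["viewstate"] = bool(HTML_VIEWSTATE.search(body))
    result["aspx_url"] = bool(URL_ASPX.search(url))
    return result


if __name__ == "__main__":
    print(fingerprint(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY))
```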

Ignoring Directories from Scanning

Exclude these directories from your scans:

  • ASPNET~1

  • DEFAULT~1.ASP

  • DEFAULT~1.CSS

  • GLOBAL.ASA

  • GLOBAL.ASP

  • GLOBAL.CS

  • MASTER.CS

  • WEB.CON

Extensions to Bruteforce

Bruteforce file extensions to uncover vulnerabilities:

  • .asp (Legacy Active Server Pages)

  • .aspx (Modern Active Server Pages)

  • .ashx (APIs/AJAX)

  • .wsdl (Web Services Description Language)

  • .wadl (Web Application Description Language)

  • .asmx (XML Web Services)

  • .xml

  • .zip

  • .txt

Port Scanning

  • naabu -host iis.target.com

or

ffuf -w iis.txt -u https://example.com/FUZZ

ffuf -w iis.txt -u https://example.com/shortnameFUZZ

Explore the latest version on .

You can make your own wordlist using a wordlist generator.

Fuzzing doesn't work? Try searching GitHub, or use

Check out the for fuzzing techniques.

Links

https://bit.ly/2MzJ1qI
https://github.com/0xacb/viewgen
https://github.com/dnSpy/dnSpy
https://www.jetbrains.com/decompiler/
https://github.com/orwagodfather/WordList/blob/main/iis.txt
https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/IIS.fuzz.txt
http://itdrafts.blogspot.com/2013/02/aspnetclient-folder-enumeration-and.html
https://github.com/digination/dirbuster-ng/blob/master/wordlists/vulns/iis.txt
https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/aspx.txt
https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/asp.txt
https://raw.githubusercontent.com/xmendez/wfuzz/master/wordlist/vulns/iis.txt
https://sourceforge.net/projects/crunch-wordlist/
https://github.com/jim3ma/crunch
https://github.com/retkoussa/gsnw
https://www.youtube.com/watch?v=_4W0WXUatiw
Soroush Dalili (@irsdl) Blog: Exploiting Deserialisation in ASP.NET via ViewState
Medium: Microsoft IIS Server Shortnames & Tilde Magic
Medium: ASP.NET Microsoft IIS Pentesting
HackTricks: https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/iis-internet-information-
Exploiting XXE with local DTD files
isec_pl: All is XSS that comes to the .NET