Page cover

Hacking IIS Applications

PreviousCSP NextDependency Confusion

Last updated 1 year ago

Was this helpful?

Resources

https://youtu.be/XlmeSFm3RT4?si=hfhzGF9ymG6Igt5j

https://www.youtube.com/watch?v=cqM-MdPkaWo

https://www.youtube.com/watch?v=yyD8Z5Qar5I

https://www.youtube.com/watch?v=_4W0WXUatiw

HTTPAPI 2.0 Assets

Got HTTPAPI ERROR 404
It is IP but you can get the subdomain from the certificate common name
Edit the Host Header

VHost Hopping

Came across subdomain that running IIS Server apply.company.com
VHost Enumeration using ffuf or burp intruder
Found mssql.company.com
Running MSSQL Explorer/Manager

Local FIle Disclosure to DLLs

DownloadCategoryExcel?fileName=../../web.config
DownloadCategoryExcel?fileName=../../glopal.asax
<add namespace="Company.Web.Api.dell/>
DownloadCategoryExcel?fileName=../../bin/Company.Web.Api.dll

LFD -> RCE

https://bit.ly/2MzJ1qI
Optain machinekey from web.config file (validation key and decryption keyy)
VIEWSTATE -> Insecure Deserialization -> RCE
https://github.com/0xacb/viewgen

RCE with Local

ASP.NET XSS

Try in login pages, redirects, forms & dynamic URL construction (~/images/). Payload: /(A(%22onerror='alert%60123%60'test))/

DNSpy

Found Leaked zip files contains DLL Files?
https://github.com/dnSpy/dnSpy
Use DNSpy to reverse them to source code
or https://www.jetbrains.com/decompiler/

IIS Discovery Bruteforce

iisfinal.txt
https://github.com/orwagodfather/WordList/blob/main/iis.txt
https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/IIS.fuzz.txt
http://itdrafts.blogspot.com/2013/02/aspnetclient-folder-enumeration-and.html
ffuf -w iis.txt -u
ffuf -w iis.txt -u

Partial Fuzzing

shortscan https://apply.company.com/
IIS Short Name Scanner
- Explore the latest version on GitHub.
Got a part of file names not the full name ? let's fuzz the rest
LIDSDI -> LIDFUZZ | EASYFI -> EASYFUZZ
ffuf -w wordlist.txt -D -e asp,aspx,ashx,asmx -t 100 -c -u https://apply.company.com/lidsFUZZ
You can make your own wro=dlist using wordlist generator
./crunch 0 3 abcdefghijklmnopqrstuvwxyz0123456789 -o 3char.txt
Fuzzing doesn't work? try search in Github or use

Nuclei

Check out the Nuclei templates for fuzzing techniques.

Fingerprinting with Shodan

Utilize Shodan to identify IIS instances with specific characteristics:

http.title:"IIS"
Ssl:"Company Inc." http.title:"IIS"
Ssl.cert.subject.CN:"company.in" http.title:"IIS"

Fingerprinting Techniques

Cookies

ASP.NET_Sessionid
ASPSESSION

Headers Regex

X-AspNet-Version: (.*)\\;version:\\1
X-Powered-By:^ASP\\.NET

HTML Regex

<input[^>]+name\"_VIEWSTATE

URL Regex

\\.aspx?(?.$|\\?)

Ignoring Directories from Scanning

Exclude these directories from your scans:

ASPNET~1
DEFAULT~1.ASP
DEFAULT~1.CSS
GLOBAL.ASA
GLOBAL.ASP
GLOBAL.CS
MASTER.CS
WEB.CON

Extensions to Bruteforce

Bruteforce file extensions to uncover vulnerabilities:

.aspx (Legacy active server pages)
.aspx (Modern Active server pages)
.ashx (APIs/AJAX)
.wsdl (Web Services Description Language)
.wadl (Web Application Description Languages)
.asmx (XML Web Services)
.xml
.zip
.txt

Port Scanning

naabu -host iis.target.com