Pentest Book
IIS
# Reminder:
Paths are case insensitive
IIS Shortname
VIEWSTATE deserialization RCE gadget
Web.config upload tricks
Debug mode w/ detailed stack traces and full path
Debugging scripts often deployed (ELMAH, Trace)
Telerik RCE

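Defender-side check for the reminder items above (debug mode, remotely reachable Trace/ELMAH, unprotected ViewState). Added example, not from the Pentest Book page: it parses a web.config and flags the weak settings, with a constructed weak config beside a hardened one. Element paths and attribute names are the standard ASP.NET/ELMAH ones; the severity labels are my own.

```python
"""Audit an ASP.NET web.config for the misconfigurations listed above."""
import xml.etree.ElementTree as ET

# Constructed sample: every weak setting below is present on purpose.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.8" />
    <customErrors mode="Off" />
    <trace enabled="true" localOnly="false" />
    <pages enableViewStateMac="false" viewStateEncryptionMode="Never" />
  </system.web>
  <elmah>
    <security allowRemoteAccess="1" />
  </elmah>
</configuration>
"""

# Constructed hardened counterpart of the same file.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.8" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.html" />
    <trace enabled="false" />
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
  </system.web>
  <elmah>
    <security allowRemoteAccess="0" />
  </elmah>
</configuration>
"""


def _attr(root, path, name, default):
    """Lower-cased attribute `name` of the first element at `path`, or default."""
    el = root.find(path)
    if el is None:
        return default.lower()
    return el.get(name, default).lower()


def audit_web_config(xml_text):
    """Return a list of (severity, finding) tuples for weak settings."""
    root = ET.fromstring(xml_text)
    findings = []

    # Detailed stack traces and full physical paths in error pages.
    if _attr(root, "system.web/compilation", "debug", "false") == "true":
        findings.append(("high", "compilation debug=true: verbose errors with full paths"))
    if _attr(root, "system.web/customErrors", "mode", "RemoteOnly") == "off":
        findings.append(("high", "customErrors mode=Off: stack traces shown to remote clients"))

    # Debugging scripts reachable remotely (Trace.axd, ELMAH).
    trace_enabled = _attr(root, "system.web/trace", "enabled", "false") == "true"
    trace_local = _attr(root, "system.web/trace", "localOnly", "true") == "true"
    if trace_enabled and not trace_local:
        findings.append(("high", "trace enabled with localOnly=false: Trace.axd exposed remotely"))
    elif trace_enabled:
        findings.append(("low", "trace enabled (localOnly): disable in production"))
    if _attr(root, "elmah/security", "allowRemoteAccess", "0") in ("1", "true", "yes"):
        findings.append(("high", "ELMAH allowRemoteAccess: error log readable remotely"))

    # ViewState integrity and confidentiality.
    if _attr(root, "system.web/pages", "enableViewStateMac", "true") == "false":
        findings.append(("critical", "enableViewStateMac=false: ViewState can be forged"))
    if _attr(root, "system.web/pages", "viewStateEncryptionMode", "Auto") == "never":
        findings.append(("medium", "viewStateEncryptionMode=Never: ViewState readable by clients"))

    return findings


if __name__ == "__main__":
    for sev, msg in audit_web_config(WEAK_WEB_CONFIG):
        print(f"[{sev}] {msg}")
    print("hardened:", audit_web_config(HARDENED_WEB_CONFIG))
```

Run it against a real web.config with `audit_web_config(open("web.config").read())`; an empty list means none of the settings on this page's reminder list are weak, not that the app is safe.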
# ViewState:
11
https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/#PoC
12
13
# WebResource.axd:
14
https://github.com/inquisb/miscellaneous/blob/master/ms10-070_check.py
15
16
# ShortNames
17
https://github.com/irsdl/IIS-ShortName-Scanner
18
java -jar iis_shortname_scanner.jar 2 20 http://domain.es
19
20
# Padding Oracle Attack:
21
# https://github.com/KishanBagaria/padding-oracle-attacker
22
npm install --global padding-oracle-attacker
23
padding-oracle-attacker decrypt hex: [options]
24
padding-oracle-attacker decrypt b64: [options]
25
padding-oracle-attacker encrypt [options]
26
padding-oracle-attacker encrypt hex: [options]
27
padding-oracle-attacker analyze [] [options]
28
# https://github.com/liquidsec/pyOracle2
29
30
# Look for web.config or web.xml
31
https://x.x.x.x/.//WEB-INF/web.xml
32
33
# ASP - force error paths
34
/con/
35
/aux/
36
con.aspx
37
aux.aspx
38
39
# HTTPAPI 2.0 404 Error
40
Change Host header to correct subdomain
41
Add to /etc/hosts
42
Scan again including IIS Shortnames
43
44
# IIS 7
45
IIS Short Name scanner
46
HTTP.sys DOS RCE
47
48
# ViewState
49
# https://github.com/0xacb/viewgen
Copied!