Re: finding webroot on IIS

From: Jay D. Dyson (jdysonat_private)
Date: Thu Jun 14 2001 - 10:31:19 PDT

    -----BEGIN PGP SIGNED MESSAGE-----
    
    On Wed, 13 Jun 2001, * wrote:
    
    > Recently I came across an IIS webserver that I found to be vulnerable to
    > the Unicode attacks. However, I cannot determine the webroot of this
    > drive, and therefore I am having trouble reaching a full compromise. 
    > The directory "C:\Inetpub" exists, but the only contents of this
    > directory is the folder "mailroot". 
    > 
    > Additionally, when I connect and request the root document (ie GET / ),
    > it returns the string: "<% Response.ContentType = "text/plain" %> HELLO" 
    > 
    > Has anyone come across anything like this before, and what would be the
    > simplest method of determining the webroot? 
    
    	If you're exploiting via the Unicode attack, then it's just a
    matter of finding a known quantity.  The hamfisted way will do in a pinch; 
    namely this: 
    
    	1.	Find a page by browsing for a sufficiently unique page
    		name (foobar.htm). 
    
    	2.	Via the Unicode exploit, run this command:
    		dir DRIVE:\foobar.htm /s
    		(where DRIVE is the drive letter; usually C and/or D)
    
    	The IIS system will gleefully return its location.
    
    - -Jay
    
      (    (                                                         _______
      ))   ))   .-"There's always time for a good cup of coffee."-.   >====<--.
    C|~~|C|~~| (>------ Jay D. Dyson - jdysonat_private ------<) |    = |-'
     `--' `--'  `--- Every day's a Friday when you have a gun. ---'  `------'
    
    -----BEGIN PGP SIGNATURE-----
    Version: 2.6.2
    Comment: See http://www.treachery.net/~jdyson/ for current keys.
    
    iQCVAwUBOyjm2tCClfiU/BIVAQGRLgP/VxyGAGwuIApdktgiaQ/vTxyIyeJIpOuq
    xjXexp30UCn1b8b141ZiW3QzRZPcYv7jqOy1h/5uh8GTsx4u4b8H1SE5KSuUcsqF
    MJg/YgxRr1YT1WAx+VVUjeh5a2cgwkeVbeacfbub4RLTqQ1Rv2oZGNa46Zwg+YBD
    hHZqn0Ebl38=
    =MUu1
    -----END PGP SIGNATURE-----
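
Seen from the defending side, the lookup described in the reply above leaves a recognisable request in web logs. The following Python is an added example, not part of the original message: it flags log lines in which an overlong-encoded path separator, a directory traversal, a command shell and a recursive `dir` occur. The "METHOD target status" log layout, the function names and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# 0xC0 and 0xC1 never start a valid UTF-8 sequence; they only show up in
# overlong two-byte encodings of ASCII characters such as '/' and '\'.
OVERLONG = re.compile(rb"([\xc0\xc1])(.)", re.S)
RECURSIVE_DIR = re.compile(r"\bdir\b.*\s/s\b", re.I)

# Constructed sample lines in an assumed "METHOD target status" layout.
SAMPLE = [
    r"GET /foobar.htm 200",
    r"GET /search.asp?q=dir+listing 200",
    r"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\foobar.htm+/s 200",
]

def normalise(target):
    """Percent-decode a raw target and fold overlong sequences back to ASCII."""
    raw = unquote_to_bytes(target)
    folded, hits = OVERLONG.subn(
        lambda m: bytes([((m[1][0] & 0x1F) << 6) | (m[2][0] & 0x3F)]), raw)
    # Treat '\' like '/' so both separator styles compare the same way.
    return folded.decode("latin-1").replace("\\", "/"), hits > 0

def classify(line):
    """Return the reasons a log line looks like the lookup described above."""
    parts = line.split()
    if len(parts) != 3:
        return ["unparsed"]
    path, _, query = parts[1].partition("?")
    npath, overlong = normalise(path)
    nquery, _ = normalise(query.replace("+", " "))
    reasons = []
    if overlong:
        reasons.append("overlong-utf8")
    if "/../" in npath:
        reasons.append("traversal")
    if npath.lower().endswith("cmd.exe"):
        reasons.append("shell")
    if RECURSIVE_DIR.search(nquery):
        reasons.append("recursive-dir")
    return reasons

def scan(lines):
    """Map each suspicious line to its reasons; clean lines are omitted."""
    return {l: r for l in lines if (r := classify(l))}

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE).items():
        print(", ".join(reasons), "<-", line)
```

Comparing paths only after folding is what lets the traversal check see `/../` in a request whose raw bytes never contain a literal slash at that position.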
    


