Re: finding webroot on IIS

From: todd + 1 (toddat_private)
Date: Thu Jun 14 2001 - 12:19:35 PDT


    hello again
    thank you all for the help.  requesting /test.idq and /test.ida disclosed the 
    path, while /test.cfm and /test.idc did not. trying "attrib -s [index, 
    default].[html, shtml, asp]" did not work.  this was a win2k with iis 5.0, 
    and presumably no service patches.
    
    thanks again
    todd willey
    ubermother
    
    On Thursday 14 June 2001 12:16, H D Moore wrote:
    > On Wednesday 13 June 2001 11:30 pm, * (todd + 1) wrote:
    > > hello all,
    > >
    > > Recently i came across an IIS webserver that i found to be vulnerable to
    > > the Unicode attacks. However, i cannot determine the webroot of this
    > > drive, and therefore i am having troubles reaching a full compromise. 
    > > The directory "C:\Inetpub" exists, but the only contents of this
    > > directory is the folder "mailroot".
    >
    > Then the web directory has been moved.  Try making a request for /test.idc
    > or /test.idq and see if it returns the real web root.  If that doesn't work,
    > you need to dig around the hard drive and try to find it manually.  If you
    > don't see it on the C drive, try looking through the D drive.  Common names
    > are those that start with Web or WWW or the name of the web site that is
    > being hosted.
    >
    > > Additionally, when i connect and request the root document (ie GET / ),
    > > it returns the string: "<% Response.ContentType = "text/plain" %> HELLO"
    >
    > That is strange.  They either wrote an ASP script and gave it the wrong
    > extension (.htm instead of .asp), or they removed the .asp ISAPI handler.
    > If the default page is an ASP script and they haven't removed the handler,
    > can you tell us what version and service pack they are running and the
    > exact web request you sent?
    >
    > > Has anyone come across anything like this before, and what would be the
    > > simplest method of determining the webroot?
    >
    > /test.idc
    > /test.ida
    > /test.idq
    > /test.cfm
    >
    > If they have cold fusion installed and they are using SQL queries to
    > provide dynamic content,  try changing the ID passed in the URL to a single
    > quote (') and look at the error message returned. It will give you the hard
    > drive path, the ODBC driver, the Data Source, and most of the time the actual
    > SQL query ;)
    >
    > -HD
    
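The thread above describes two reconnaissance signals a web server administrator can watch for in IIS logs: requests for non-existent .ida/.idq/.idc/.cfm files (whose handler error pages may echo the physical web root) and a single quote injected into a ColdFusion query-string parameter to trigger a verbose ODBC error. The following script is an added example written for this archive page, not code from any poster; it parses a constructed IIS W3C extended log excerpt and counts those two indicators per client. The log lines, the client addresses and the `KNOWN_SCRIPTS` allowlist are all assumptions made up for the example.

```python
from urllib.parse import unquote

# Handler extensions named in the thread whose error pages could reveal the web root.
PROBE_EXTENSIONS = (".ida", ".idq", ".idc", ".cfm")

# Hypothetical allowlist of script files the site legitimately serves; a request
# for any other file with one of the handler extensions is treated as a probe.
KNOWN_SCRIPTS = {"/products.cfm"}

# Constructed IIS 5.0 W3C extended log excerpt (not taken from any real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-06-14 19:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-06-14 19:00:01 192.0.2.10 GET /default.htm - 200
2001-06-14 19:00:05 192.0.2.10 GET /test.idq - 200
2001-06-14 19:00:06 192.0.2.10 GET /test.ida - 200
2001-06-14 19:00:09 192.0.2.10 GET /test.cfm - 404
2001-06-14 19:00:12 192.0.2.10 GET /test.idc - 404
2001-06-14 19:01:30 192.0.2.10 GET /products.cfm id=%27 500
2001-06-14 19:02:00 198.51.100.7 GET /images/logo.gif - 200
2001-06-14 19:02:11 198.51.100.7 GET /products.cfm id=42 200
"""


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines carry no request
        else:
            values = line.split()
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))


def classify(entry, known_scripts=KNOWN_SCRIPTS):
    """Return the names of the detection rules that match one log entry."""
    # IIS logs the URL as sent; decode so /test.%69da and /Test.IDA both match.
    stem = unquote(entry.get("cs-uri-stem", "")).lower()
    query = unquote(entry.get("cs-uri-query", ""))
    hits = []
    if stem.endswith(PROBE_EXTENSIONS) and stem not in known_scripts:
        hits.append("handler-probe")
    if query != "-" and "'" in query:
        hits.append("sql-quote")
    return hits


def summarize(text, known_scripts=KNOWN_SCRIPTS):
    """Count rule hits per client address over a whole log."""
    report = {}
    for entry in parse_w3c(text):
        for rule in classify(entry, known_scripts):
            per_ip = report.setdefault(entry["c-ip"], {})
            per_ip[rule] = per_ip.get(rule, 0) + 1
    return report


if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE_LOG).items():
        print(ip, counts)
```

Running it on the sample prints one line for 192.0.2.10 with four handler probes and one quoted query, and nothing for the second client. The allowlist matters: a site that really serves ColdFusion pages will log many legitimate .cfm requests, so only files outside the allowlist are treated as probes. The same two indicators can be removed at the source by unmapping unused ISAPI extensions and by not returning verbose database errors to the client.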



    This archive was generated by hypermail 2b30 : Thu Jun 14 2001 - 17:32:48 PDT