----- Original Message -----
From: "Jay D. Dyson" <jdysonat_private>
To: "Penetration Testers" <pen-testat_private>
Sent: Friday, June 15, 2001 12:31 AM
Subject: Re: finding webroot on IIS

On Wed, 13 Jun 2001, * wrote:

> Recently I came across an IIS webserver that I found to be vulnerable to
> the Unicode attacks. However, I cannot determine the webroot of this
> drive, and therefore I am having trouble reaching a full compromise.
> The directory "C:\Inetpub" exists, but the only contents of this
> directory is the folder "mailroot".
>
> Additionally, when I connect and request the root document (ie GET / ),
> it returns the string: "<% Response.ContentType = "text/plain" %> HELLO"
>
> Does anyone come across anything like this before, and what would be the
> simplest method of determining the webroot?

If you're exploiting via the Unicode attack, then it's just a matter of
finding a known quantity. The hamfisted way will do in a pinch; namely
this:

1. Find a page by browsing for a sufficiently unique page name
   (foobar.htm).
2. Via the Unicode exploit, run this command:

       dir DRIVE:\foobar.htm /s

   (where DRIVE is the drive letter; usually C and/or D)

The IIS system will gleefully return its location.

-Jay

   (    (                                                         _______
   ))   ))   .-"There's always time for a good cup of coffee."-.  >====<--.
 C|~~|C|~~| (>------ Jay D. Dyson - jdysonat_private ------<) |    = |-'
  `--' `--'  `--- Every day's a Friday when you have a gun. ---'  `------'
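Added example (not part of the original message): a server-side log check for the two-step procedure described above. It scans an IIS W3C extended log for requests whose query string carries a recursive dir for one file on a drive, and notes whether the same client fetched that page name normally beforehand. The log lines, the field layout and the "[...]" path placeholder are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C extended log excerpt (sample data, not from the post).
# "[...]" stands in for whatever path the request used to reach cmd.exe.
SAMPLE_LOG = r"""#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-06-15 07:31:02 192.0.2.10 GET /default.htm - 200
2001-06-15 07:31:40 192.0.2.77 GET /foobar.htm - 200
2001-06-15 07:32:05 192.0.2.77 GET /[...]/cmd.exe /c+dir+c:\foobar.htm+/s 200
2001-06-15 07:32:09 192.0.2.77 GET /[...]/cmd.exe /c+dir+/s+D:%5Cfoobar.htm 200
2001-06-15 07:40:00 192.0.2.10 GET /search.asp q=dir+listing+/s 200
2001-06-15 07:41:00 192.0.2.30 GET /[...]/cmd.exe /c+dir+c:%5Cnews.htm+%2Fs 200
"""

DIR_CMD = re.compile(r"\bdir\b(.*)", re.I)           # a dir command and its arguments
DRIVE_PATH = re.compile(r"\b([a-z]):\\(\S+)", re.I)  # DRIVE:\name
RECURSE = re.compile(r"(?:^|\s)/s\b", re.I)          # the /s (recurse) switch

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def find_webroot_probes(text):
    """Return one dict per request that runs a recursive dir for a file on a drive."""
    hits, fetched = [], {}  # fetched: client -> page names it requested normally
    for rec in parse_w3c(text):
        client, stem = rec["c-ip"], rec["cs-uri-stem"]
        cmd = DIR_CMD.search(unquote_plus(rec["cs-uri-query"]))
        target = DRIVE_PATH.search(cmd.group(1)) if cmd else None
        if target and RECURSE.search(cmd.group(1)):
            name = target.group(2).lower()
            hits.append({"client": client, "drive": target.group(1).upper(),
                         "name": name, "via": stem,
                         # step 1 of the procedure: same client browsed for the name
                         "browsed_first": name in fetched.get(client, set())})
        else:
            fetched.setdefault(client, set()).add(stem.rsplit("/", 1)[-1].lower())
    return hits

if __name__ == "__main__":
    for hit in find_webroot_probes(SAMPLE_LOG):
        print(hit)
```

A hit with browsed_first set shows both steps from one client; a hit without it still shows a command being run through a web request and warrants the same response.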
This archive was generated by hypermail 2b30 : Fri Jun 15 2001 - 16:14:55 PDT