IIS

F£&# Microsoft

id: iis-shortname

info:
  name: iis-shortname
  author: r3dcl1ff
  severity: low
  description: When IIS uses an old .Net Framework it's possible to enumeration folder with the symbol ~.
  reference:
    - https://github.com/irsdl/IIS-ShortName-Scanner
    - https://github.com/lijiejie/IIS_shortname_Scanner
    - https://www.exploit-db.com/exploits/19525
  tags: iis

variables:
  randstring: "{{to_lower(rand_base(8))}}"

requests:
  - raw:

    - |
        GET /{{randstring}}*~1*/a.aspx HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    - |
        GET /*~1*/a.aspx' HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    - |
        OPTIONS /{{randstring}}*~1*/a.aspx HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    - |
        OPTIONS /*~1*/a.aspx' HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8

    - |
       DEBUG /{{randstring}}*~1*/a.aspx HTTP/1.1
       Host: {{Hostname}}
       Origin: {{BaseURL}}
       Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8

    - |
       DEBUG /*~1*/a.aspx HTTP/1.1
       Host: {{Hostname}}
       Origin: {{BaseURL}}
       Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - "status_code_1 != 404 && status_code_2 == 404 || status_code_3 != 404 && status_code_4 == 404 || status_code_5 != 404 && status_code_6 == 404"