4.15.1. IIS

4.15.1.1. IIS 6.0

  • Suffix parsing: /xx.asp;.jpg
    • IIS 6.0 stops parsing the file name at the first ; and ignores everything after it, so the request is effectively truncated to xx.asp and handed to asp.dll even though the name ends in .jpg.

  • Directory parsing: /xx.asp/xx.jpg (any file inside a directory named xx.asp is parsed as ASP, whatever its own extension)

  • Default mappings: xx.asa, xx.cer and xx.cdx are mapped to asp.dll as well and execute as ASP

  • PROPFIND buffer overflow (CVE-2017-7269): a stack buffer overflow in the WebDAV service (ScStoragePathFromUrl), triggered by an overlong If: header in a PROPFIND request; gives remote code execution when WebDAV is enabled

4.15.1.2. IIS 7.0-7.5 / Nginx <= 0.8.37

With FastCGI enabled and PHP's cgi.fix_pathinfo=1 (the default), appending /xx.php to the path of an existing file, e.g. /upload/xx.jpg/xx.php, routes the request to PHP; because xx.jpg/xx.php does not exist, PHP's PATH_INFO fix-up drops the last component and executes xx.jpg as a PHP script. Mitigations: set cgi.fix_pathinfo=0, restrict the executable extensions in PHP-FPM (security.limit_extensions = .php), and in Nginx check that the script file exists before passing the request on (try_files $uri =404).

4.15.1.3. PUT Vulnerability

Preconditions:

  • WebDAV is enabled

  • The site's anonymous (guest) account exists and has write permission on the web directory

With both in place, any file can be written to the server with a PUT request. If PUT is refused for script extensions, a file uploaded under a harmless name (e.g. xx.txt) can usually be renamed to a script extension with a WebDAV MOVE request.

4.15.1.4. Windows Features

Windows does not allow a file name to end with a space or a dot: when such a file is created, the trailing characters are silently stripped. Likewise, ::$DATA names the default NTFS data stream, so xx.php::$DATA is written to disk as xx.php. An upload filter that only checks the extension of the submitted name can therefore be bypassed by uploading xx.php[space], xx.php. or xx.php::$DATA; the script lands on disk as xx.php.
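The following Python is an added example, not code from the original page: it models the parsing rules of 4.15.1.1 and the Windows naming behaviour of 4.15.1.4 as plain string logic, and puts a typical blacklist upload check beside an allowlist check that normalizes the name first. The function names, extension sets and sample file names are assumptions made for this illustration; the IIS 6.0 model only covers the ; truncation and directory rules stated above.

```python
import re

# Extensions IIS 6.0 maps to asp.dll (the page lists .asa, .cer and .cdx beside .asp).
IIS6_ASP_EXTENSIONS = {"asp", "asa", "cer", "cdx"}

# Extensions a naive blacklist validator refuses outright (constructed for the example).
BLACKLISTED_EXTENSIONS = IIS6_ASP_EXTENSIONS | {"aspx", "php", "ashx", "jsp"}

# Extensions the hardened validator accepts; everything else is refused.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# A plain file name: one base name, exactly one dot, no separators, spaces or stream syntax.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$")


def iis6_runs_as_asp(url_path):
    """Model of the IIS 6.0 rules above: the path is cut at the first ';', and the request
    goes to asp.dll if any path component (a directory or the file itself) has an ASP
    extension."""
    truncated = url_path.split(";", 1)[0]
    for component in truncated.split("/"):
        if "." in component and component.rsplit(".", 1)[1].lower() in IIS6_ASP_EXTENSIONS:
            return True
    return False


def stored_name(upload_name):
    """What NTFS actually creates for an uploaded name: the ::$DATA stream suffix is not part
    of the name, and trailing spaces and dots are silently stripped."""
    name = upload_name.split("::", 1)[0]
    return name.rstrip(" .")


def weak_is_allowed(upload_name):
    """Blacklist on the text after the last '.', as commonly written. Every trick in this
    section gets past it: the 'extension' it sees is 'jpg', 'php ', '' or 'php::$data'."""
    ext = upload_name.rsplit(".", 1)[1] if "." in upload_name else ""
    return ext.lower() not in BLACKLISTED_EXTENSIONS


def hardened_is_allowed(upload_name):
    """Allowlist applied to the name as it will exist on disk. Anything that normalization
    would change (trailing space/dot, ::$DATA) is refused rather than silently repaired, and
    anything that is not a single plain file name (';', '/', extra dots) is refused too."""
    if stored_name(upload_name) != upload_name:
        return False
    match = SAFE_NAME.match(upload_name)
    return bool(match) and match.group(1).lower() in ALLOWED_EXTENSIONS


# Constructed sample inputs covering the names discussed in this section.
SAMPLES = [
    "shell.asp;.jpg",
    "shell.php ",
    "shell.php.",
    "shell.php::$DATA",
    "shell.asp/cat.jpg",
    "cat.jpg",
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:22} weak={weak_is_allowed(name)!s:5} "
              f"hardened={hardened_is_allowed(name)!s:5} "
              f"iis6_asp={iis6_runs_as_asp('/upload/' + name)}")
```

The point of hardened_is_allowed is the order of operations: decide on the name the file system will keep, not on the bytes the client sent, and refuse the request outright when the two differ.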

4.15.1.5. File name guessing

When the file system keeps NTFS 8.3 (short) names, file and directory names on the server can be guessed from their short forms. Short names are built as follows:

  • The first 6 characters of the base name (after spaces and extra dots are removed) are followed by ~1; if several names share the same 6-character prefix, the number is incremented (~2, ~3, ...). After the fourth collision Windows switches to a form with a hash in place of characters 3 to 6.

  • The extension is cut to its first 3 characters.

  • All lowercase letters are converted to uppercase.

  • A short name is only generated when the long name is not already a valid 8.3 name: the base name is longer than 8 characters, the extension is longer than 3 characters, or the name contains characters that 8.3 names cannot hold (spaces, additional dots and similar), in which case the length condition does not matter. A name such as index.htm therefore gets no short name and cannot be found this way.

On IIS versions before 8.0 the guessing works with six HTTP methods (DEBUG, OPTIONS, GET, POST, HEAD and TRACE) but requires ASP.NET to be installed; from IIS 8.0 on only the OPTIONS and TRACE methods work, without any dependency on ASP.NET. Each probe sends a wildcard path containing a tilde, such as /a*~1*/.aspx, and reads the status code: 404 means some entry matches the pattern, 400 means none does, so the name can be recovered one character at a time.
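The following Python is an added example, not code from the page or from any short-name scanner project. It implements the 8.3 rules listed above (simplified: only letters, digits, _ and - are treated as legal 8.3 characters, and the hashed form after the fourth collision is not modelled), and then runs the character-by-character search against a simulated server that answers 404/400 the way IIS does; the HTTP request itself is abstracted to a probe function, and the directory listing is constructed for the demonstration.

```python
import re
import string

# Characters the scanner tries at each position of an 8.3 name.
ALPHABET = string.ascii_uppercase + string.digits + "_-"

# A long name that already is a valid 8.3 name gets no short name at all.
VALID_8DOT3 = re.compile(r"^[A-Z0-9_-]{1,8}(\.[A-Z0-9_-]{1,3})?$")
ILLEGAL_8DOT3_CHARS = re.compile(r"[^A-Z0-9_-]")


def short_name(long_name, n=1):
    """8.3 name for long_name per the rules above: uppercase, illegal characters (spaces,
    extra dots) dropped, first 6 characters of the base name + '~n', extension cut to 3.
    Returns None when long_name is already a valid 8.3 name. The caller chooses n to
    resolve collisions."""
    name = long_name.upper()
    if VALID_8DOT3.match(name):
        return None
    base, dot, ext = name.rpartition(".")
    if not dot or not base:              # no extension, or a dotfile such as .htaccess
        base, ext = name, ""
    base = ILLEGAL_8DOT3_CHARS.sub("", base)
    ext = ILLEGAL_8DOT3_CHARS.sub("", ext)
    return base[:6] + f"~{n}" + (f".{ext[:3]}" if ext else "")


def directory_short_names(long_names):
    """Short names NTFS would hold for one directory, numbering collisions ~1, ~2, ..."""
    assigned = []
    for long_name in long_names:
        n = 1
        candidate = short_name(long_name, n)
        while candidate in assigned:
            n += 1
            candidate = short_name(long_name, n)
        if candidate is not None:
            assigned.append(candidate)
    return assigned


class SimulatedIIS:
    """Stand-in for the target (constructed for this example). A real probe is a request
    such as 'OPTIONS /W*~1*/.aspx'; IIS answers 404 when an entry matches the pattern and
    400 when none does, and that status code is all the scanner gets to see."""

    def __init__(self, long_names):
        self.entries = directory_short_names(long_names)
        self.requests = 0

    def probe(self, pattern):
        self.requests += 1
        regex = re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$")
        return 404 if any(regex.match(e) for e in self.entries) else 400


def enumerate_short_names(probe, alphabet=ALPHABET, max_tilde=4):
    """Recover every 8.3 name in the directory using only the 404/400 answers."""
    found = []
    for n in range(1, max_tilde + 1):
        if probe(f"*~{n}*") == 400:      # nothing carries ~n, so nothing carries ~n+1 either
            break
        _walk_base(probe, "", n, alphabet, found)
    return sorted(found)


def _walk_base(probe, base, n, alphabet, found):
    if base and probe(f"{base}~{n}*") == 404:   # some entry is exactly BASE~n(.EXT)
        _walk_ext(probe, f"{base}~{n}", "", alphabet, found)
    if len(base) == 6:                           # the base part never exceeds 6 characters
        return
    for c in alphabet:
        if probe(f"{base}{c}*~{n}*") == 404:
            _walk_base(probe, base + c, n, alphabet, found)


def _walk_ext(probe, stem, ext, alphabet, found):
    full = f"{stem}.{ext}" if ext else stem
    if probe(full) == 404:                       # exact hit: a complete short name
        found.append(full)
    if len(ext) == 3:                            # the extension never exceeds 3 characters
        return
    for c in alphabet:
        if probe(f"{stem}.{ext}{c}*") == 404:
            _walk_ext(probe, stem, ext + c, alphabet, found)


# Constructed directory listing for the demonstration.
SAMPLE_LISTING = [
    "web.config", "index.htm", "Default.aspx", "DefaultError.aspx",
    "longfilename.aspx", "backup_2023.zip", "bin", "App_Data",
    "upload files", "a.b.c.txt",
]

if __name__ == "__main__":
    target = SimulatedIIS(SAMPLE_LISTING)
    for name in enumerate_short_names(target.probe):
        print(name)
    print(f"{target.requests} probes")
```

Two things the run makes visible: names that are already valid 8.3 names (index.htm, bin, App_Data) never appear, and collisions show up as DEFAUL~1.ASP next to DEFAUL~2.ASP, which is why a scanner keeps going past ~1.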

Limitations of the technique:

  • If a directory name contains a dot within its first 6 characters, the scanner takes it for a file rather than a directory, which produces a false positive.

  • Names containing Chinese characters cannot be guessed.

The fix is to turn off 8.3 name generation with fsutil behavior set disable8dot3 1. Note that this only affects files created afterwards: short names already on disk remain until they are removed (fsutil 8dot3name strip) or the files are recreated, so the web root should be checked after the change.