Penetration Testing mailing list archives

Re: finding webroot on IIS


From: * (todd + 1) <todd () ubermother net>
Date: Thu, 14 Jun 2001 14:19:35 -0500

hello again
thank you all for the help.  requesting /test.idq and /test.ida disclosed the 
path, while /test.cfm and /test.idc did not. trying "attrib -s [index, 
default].[html, shtml, asp]" did not work.  this was a win2k with iis 5.0, 
and presumably no service patches.

thanks again
todd willey
ubermother

On Thursday 14 June 2001 12:16, H D Moore wrote:
> On Wednesday 13 June 2001 11:30 pm, * (todd + 1) wrote:
> > hello all,
> >
> > Recently i came across an IIS webserver that i found to be vulnerable to
> > the Unicode attacks. However, i cannot determine the webroot of this
> > drive, and therefore i am having troubles reaching a full compromise.
> > The directory "C:\Inetpub" exists, but the only contents of this
> > directory is the folder "mailroot".
>
> Then the web directory has been moved.  Try making a request for /test.idc
> or /test.idq and see if it returns the real web root.  If that doesn't work,
> you need to dig around the hard drive and try to find it manually.  If you
> don't see it on the C drive, try looking through the D drive.  Common names
> are those that start with Web or WWW or the name of the web site that is
> being hosted.
>
> > Additionally, when i connect and request the root document (i.e. GET / ),
> > it returns the string: "<% Response.ContentType = "text/plain" %> HELLO"
>
> That is strange.  They either wrote an ASP script and gave it the wrong
> extension (.htm instead of .asp), or they removed the .asp ISAPI handler.
> If the default page is an ASP script and they haven't removed the handler,
> can you tell us what version and service pack they are running and the
> exact web request you sent?
>
> > Has anyone come across anything like this before, and what would be the
> > simplest method of determining the webroot?
>
> /test.idc
> /test.ida
> /test.idq
> /test.cfm
>
> If they have Cold Fusion installed and they are using SQL queries to
> provide dynamic content, try changing the ID passed in the URL to a single
> quote (') and look at the error message returned. It will give you the hard
> drive path, the ODBC driver, the Data Source, and most of the time the actual
> SQL query ;)
>
> -HD
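The two information leaks discussed in this thread (error pages for non-existent .ida/.idq/.idc/.cfm files that echo the physical path, and database error messages provoked by a single quote in a URL parameter) both leave a clear trace in the web server log. The following is an added example, not code from the thread or its participants, showing how a defender would spot those requests in IIS W3C extended log lines. The log lines, the field layout and the `DEPLOYED_SCRIPTS` inventory are constructed for the example; a real deployment would build the inventory from the files actually published under the web root.

```python
"""
Flag requests that match the probes discussed in the thread in IIS W3C
extended log data: requests for script-mapped extensions that do not
correspond to any deployed file (the error page may disclose the physical
path) and query strings carrying a single quote (database error probing).
"""
from dataclasses import dataclass
from urllib.parse import unquote

# Extensions whose ISAPI handlers on IIS 4/5 may report the physical path
# in their error output when the requested file does not exist.
PATH_DISCLOSING_EXTS = (".ida", ".idq", ".idc", ".cfm")

# Constructed sample in IIS 5.0 W3C extended log format (assumption: the
# server logs the fields named in the #Fields header, in this order).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-06-14 19:10:01 192.0.2.10 GET /default.htm - 200
2001-06-14 19:10:05 192.0.2.10 GET /test.idq - 200
2001-06-14 19:10:06 192.0.2.10 GET /test.ida - 200
2001-06-14 19:10:07 192.0.2.10 GET /test.cfm - 404
2001-06-14 19:10:09 192.0.2.10 GET /scripts/report.cfm ID=%27 500
2001-06-14 19:11:30 198.51.100.7 GET /products.cfm ID=42 200
"""

# Constructed inventory of script files that are really published.
DEPLOYED_SCRIPTS = {"/products.cfm", "/scripts/report.cfm"}


@dataclass
class Finding:
    client_ip: str
    uri: str
    query: str
    reason: str


def parse_w3c(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("log data appears before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than guess at columns
        rows.append(dict(zip(fields, values)))
    return rows


def find_probes(rows, deployed):
    """Return a Finding for every row matching one of the two probe patterns."""
    deployed_lower = {d.lower() for d in deployed}
    findings = []
    for row in rows:
        stem = row["cs-uri-stem"].lower()
        query = "" if row["cs-uri-query"] == "-" else row["cs-uri-query"]
        # Decode percent-encoding so %27 is seen as the quote it is.
        decoded = unquote(query)
        if stem.endswith(PATH_DISCLOSING_EXTS) and stem not in deployed_lower:
            findings.append(Finding(row["c-ip"], stem, query,
                                    "request for non-deployed script-mapped file "
                                    "(possible path disclosure probe)"))
        if "'" in decoded:
            findings.append(Finding(row["c-ip"], stem, query,
                                    "single quote in query string "
                                    "(possible database error probing)"))
    return findings


def analyze(text, deployed=DEPLOYED_SCRIPTS):
    """Parse a log and return the probe findings in log order."""
    return find_probes(parse_w3c(text), deployed)


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.client_ip} {f.uri}?{f.query}: {f.reason}")
```

The detection keys on the inventory rather than on the status code, because the IIS error output for a missing .idq or .ida file does not reliably come back as a 404. On the server side the same leaks are closed by removing script mappings for extensions the site does not use and by configuring custom error pages so that handler and database error text never reaches the client.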

