Penetration Testing mailing list archives
Re: finding webroot on IIS
From: H D Moore <hdm () secureaustin com>
Date: Thu, 14 Jun 2001 12:16:38 -0500
On Wednesday 13 June 2001 11:30 pm, * (todd + 1) wrote:
hello all, Recently i came across an IIS webserver that i found to be vulnerable to the Unicode attacks. However, i cannot determine the webroot of this drive, and therefore i am having troubles reaching a full comprimise. The directory "C:\Inetpub" exists, but the only contents of this directory is the folder "mailroot".
Then the web directory has been moved. Try making a request for /test.idc or /test.idq and see if it returns the real web root. If that doesnt work, you need to dig around the hard drive and try to find it manually. If you dont see it on the C drive, try looking through the D drive. Common names are those that start with Web or WWW or the name of the web site that is being hosted.
Additionally, when i connect and request the root document (ie GET / ), it returns the string: "<% Response.ContentType = "text/plain" %> HELLO"
That is strange. They either wrote an ASP script and gave it the wrong extension (.htm instead of .asp), or they removed the .asp ISAPI handler. If the default page is an ASP script and they havent removed the handler, can you tell us what version and service pack they are running and the exact web request you sent?
Does anyone come across anything like this before, and what would be the simplest method of determining the webroot?
/test.idc /test.ida /test.idq /test.cfm If they have cold fusion installed and there are using SQL queries to provide dymamic content, try changing the ID passed in the URL to a single quote (') and look at the error message returned. It will give you the hard drive path, the ODBC driver, the Data Source, and most the time the actual SQL query ;) -HD
Current thread:
- finding webroot on IIS todd + 1 (Jun 14)
- RE: finding webroot on IIS George Milliken (Jun 14)
- Re: finding webroot on IIS David Page (Jun 14)
- Re: finding webroot on IIS David Jacoby (Jun 15)
- Re: finding webroot on IIS H D Moore (Jun 14)
- Re: finding webroot on IIS todd + 1 (Jun 14)
- Re: finding webroot on IIS Frederic Guerin (Jun 15)
- Re: finding webroot on IIS Gary Warner (Jun 18)
- 3 pigs building web servers? hacker wolf? Robert Shea (Jun 18)
- Re: 3 pigs building web servers? hacker wolf? ghandi (Jun 19)
- Re: 3 pigs building web servers? hacker wolf? Riley Hassell (Jun 19)
- 3 pigs building web servers? hacker wolf? Robert Shea (Jun 18)
- <Possible follow-ups>
- RE: finding webroot on IIS Yonatan Bokovza (Jun 14)