Re: finding webroot on IIS

[H D Moore <hdm () secureaustin com>]

On Wednesday 13 June 2001 11:30 pm, * (todd + 1) wrote:
> hello all,
>
> Recently i came across an IIS webserver that i found to be vulnerable to
> the Unicode attacks. However, i cannot determine the webroot of this drive,
> and therefore i am having troubles reaching a full comprimise.  The
> directory "C:\Inetpub" exists, but the only contents of this directory is
> the folder "mailroot".

Then the web directory has been moved.  Try making a request for /test.idc or 
/test.idq and see if it returns the real web root.  If that doesnt work, you 
need to dig around the hard drive and try to find it manually.  If you dont 
see it on the C drive, try looking through the D drive.  Common names are 
those that start with Web or WWW or the name of the web site that is being 
hosted.

> Additionally, when i connect and request the root document (ie GET / ), it
> returns the string: "<% Response.ContentType = "text/plain" %> HELLO"

That is strange.  They either wrote an ASP script and gave it the wrong 
extension (.htm instead of .asp), or they removed the .asp ISAPI handler. If 
the default page is an ASP script and they havent removed the handler, can 
you tell us what version and service pack they are running and the exact web 
request you sent?

> Does anyone come across anything like this before, and what would be the
> simplest method of determining the webroot?

/test.idc
/test.ida
/test.idq
/test.cfm

If they have cold fusion installed and there are using SQL queries to provide 
dymamic content,  try changing the ID passed in the URL to a single quote (') 
and look at the error message returned. It will give you the hard drive path, 
the ODBC driver, the Data Source, and most the time the actual SQL query ;)

-HD