Proposed revisions to IIS Shortname (iis-shortname.yaml) template #4911
Description
Template Information:
I am proposing revisions to the current iis shortname template (https://github.com/projectdiscovery/nuclei-templates/blob/d6636f9169920d3ccefc692bc1a6136e2deb9205/fuzzing/iis-shortname.yaml)
- Addition of the DEBUG HTTP method. In my experience, a certain percentage of vulnerable IIS servers (maybe 15 percent or so) will ONLY be vulnerable to the DEBUG method and no others. This means the current template is causing false negatives.
- Changing the string `N0t4xist` to be a randomly generated value. This improves the operational security for a tester using this template as defenders may have signatures to detect the hardcoded `N0t4xist` string.
- Perhaps most importantly, removing the `fuzz` tag (and also moving the template out of the fuzz directory). This tag is causing the template to not be run in a default scan. The template is not particularly aggressive, requiring only 6 requests for detection (previously 4). This issue is stubbornly still ubiquitous in the wild, despite the fact that tooling has been present for years to detect it. Microsoft refuses to do anything about it. I actually wrote a blog post describing the situation a while back. Hopefully, ensuring it runs in a default scan will bring increased awareness to this issue.
- Adding an "IIS" tag since the issue is IIS specific.
- Adding a reference to the original tool (https://github.com/irsdl/IIS-ShortName-Scanner) as it has more GitHub stars and is more full-featured than the Python tool currently cited.
- Changing severity from info to low. This one is solely based on my opinion, but we've been reporting this as a low for years on pentest reports and low seems like a better fit.
The changes I have listed are reflected in the template below
Nuclei Template:
```yaml
id: iis-shortname

info:
  name: iis-shortname
  author: nodauf
  severity: low
  description: When IIS uses an old .NET Framework it is possible to enumerate folders with the symbol ~.
  reference:
    - https://github.com/irsdl/IIS-ShortName-Scanner
    - https://github.com/lijiejie/IIS_shortname_Scanner
    - https://www.exploit-db.com/exploits/19525
  tags: iis

variables:
  # Random lowercase prefix that can never match a real 8.3 short name;
  # replaces the hardcoded N0t4xist string that signatures may key on.
  randstring: "{{to_lower(rand_base(8))}}"

requests:
  - raw:
      # Requests come in pairs per method: an unmatchable wildcard (random
      # prefix) followed by a bare wildcard. A vulnerable server answers the
      # bare wildcard with 404 but the unmatchable one with something else.
      - |
        GET /{{randstring}}*~1*/a.aspx HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
      - |
        GET /*~1*/a.aspx' HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
      - |
        OPTIONS /{{randstring}}*~1*/a.aspx HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
      - |
        OPTIONS /*~1*/a.aspx' HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
      - |
        DEBUG /{{randstring}}*~1*/a.aspx HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
      - |
        DEBUG /*~1*/a.aspx HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8

    # Evaluate the matcher only after all six responses are available.
    req-condition: true
    matchers:
      - type: dsl
        dsl:
          # Any one method (GET, OPTIONS or DEBUG) showing the 404 / non-404
          # pair is enough; parentheses make the intended grouping explicit.
          - "(status_code_1 != 404 && status_code_2 == 404) || (status_code_3 != 404 && status_code_4 == 404) || (status_code_5 != 404 && status_code_6 == 404)"
```
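The paired-status-code logic of the template above, written out in Python as an added example (not part of the issue or the nuclei-templates project) so the DEBUG-only false-negative case can be reproduced offline. The `send(method, path) -> status` callable and the `fake_server` responder are hypothetical, constructed stand-ins for a real HTTP client and an IIS host.

```python
import secrets
import string
from typing import Callable, Dict, Iterable, Set

# Hypothetical transport: send(method, path) returns the HTTP status code.
SendFn = Callable[[str, str], int]


def random_prefix(length: int = 8) -> str:
    """Random lowercase prefix, the Python counterpart of {{randstring}}.
    It can never match a real 8.3 short name, and it is not a fixed
    string that a signature can key on."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def shortname_probe(send: SendFn,
                    methods: Iterable[str] = ("GET", "OPTIONS", "DEBUG")
                    ) -> Dict[str, bool]:
    """Mirror the template's matcher per method: the unmatchable wildcard
    must NOT be 404 while the bare wildcard IS 404. Returns, per method,
    whether that telltale pair was observed."""
    prefix = random_prefix()
    hits: Dict[str, bool] = {}
    for method in methods:
        unmatchable = send(method, f"/{prefix}*~1*/a.aspx")
        bare = send(method, "/*~1*/a.aspx")
        hits[method] = (unmatchable != 404 and bare == 404)
    return hits


def is_vulnerable(hits: Dict[str, bool]) -> bool:
    """Same OR-combination as the template's DSL: any method suffices."""
    return any(hits.values())


def fake_server(vulnerable_methods: Set[str]) -> SendFn:
    """Constructed responder for offline runs. On the listed methods it
    behaves like a vulnerable IIS (404 once the wildcard resolves to a
    short name, 400 when nothing matches); on every other method it
    answers 400 regardless of path, so the pair never appears."""
    def send(method: str, path: str) -> int:
        if method in vulnerable_methods and path == "/*~1*/a.aspx":
            return 404
        return 400
    return send
```

Running `shortname_probe(fake_server({"DEBUG"}), methods=("GET", "OPTIONS"))` reproduces the false negative the issue describes, while the default three-method probe flags the same host.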