Successful IIS Shortname Fuzzing Scan

 1title: Successful IIS Shortname Fuzzing Scan
 2id: 7cb02516-6d95-4ffc-8eee-162075e111ac
 3status: test
 4description: When IIS uses an old .Net Framework it's possible to enumerate folders with the symbol "~"
 5references:
 6    - https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml
 7    - https://www.exploit-db.com/exploits/19525
 8    - https://github.com/lijiejie/IIS_shortname_Scanner
 9author: frack113
10date: 2021/10/06
11modified: 2023/01/02
12tags:
13    - attack.initial_access
14    - attack.t1190
15logsource:
16    category: webserver
17detection:
18    selection:
19        cs-uri-query|contains: '~1'
20        cs-uri-query|endswith: 'a.aspx'
21        cs-method:
22            - GET
23            - OPTIONS
24        # Success only
25        sc-status:
26            - 200
27            - 301
28    condition: selection
29falsepositives:
30    - Unknown
31level: medium

References

• nuclei-templates/fuzzing/iis-shortname.yaml at 9d2889356eebba661c8407038e430759dfd4ec31 · projectdiscovery/nuclei-templates

  

  Community curated list of templates for the nuclei engine to find security vulnerabilities. - projectdiscovery/nuclei-templates

  
  Read More

• OffSec’s Exploit Database Archive

  

  Microsoft IIS - Short File/Folder Name Disclosure. CVE-83771 . webapps exploit for Windows platform

  
  Read More

• GitHub - lijiejie/IIS_shortname_Scanner: an IIS shortname Scanner

  

  an IIS shortname Scanner. Contribute to lijiejie/IIS_shortname_Scanner development by creating an account on GitHub.

  
  Read More

Related rules

• OMIGOD HTTP No Authentication RCE
• Apache Spark Shell Command Injection - ProcessCreation
• Atlassian Confluence CVE-2022-26134
• DNS Query to External Service Interaction Domains
• OMIGOD SCX RunAsProvider ExecuteScript