nuclei-templates/http/fuzzing/iis-shortname.yaml

id: iis-shortname

info:
  name: IIS - Short Name Detect
  author: nodauf
  severity: info
  description: A website running via IIS on an old .net framework contains a get request vulnerability. Using the the tilde character "~" in the request, an attacker can locate short names of files and folders not normally visible.
  reference:
    - https://github.com/lijiejie/IIS_shortname_Scanner
    - https://www.exploit-db.com/exploits/19525
    - http://soroush.secproject.com/blog/2012/06/microsoft-iis-tilde-character-vulnerabilityfeature-short-filefolder-name-disclosure/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0
    cwe-id: CWE-200
  metadata:
    max-request: 4
  tags: fuzzing,fuzz,edb

http:
  - raw:
      - |
        GET /N0t4xist*~1*/a.aspx HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
      - |
        GET /*~1*/a.aspx' HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
      - |
        OPTIONS /N0t4xist*~1*/a.aspx HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
      - |
        OPTIONS /*~1*/a.aspx' HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8

    matchers:
      - type: dsl
        dsl:
          - "status_code_1!=404 && status_code_2 == 404 || status_code_3 != 404 && status_code_4 == 404"

# digest: 4a0a00473045022100c1481eeae29da2a1037678e50a1fbcdf0d9abedcdc00a900c389cf024d1cbb0102203a1121c56b0555e037faa9d7775e35116fe544afcc4dd8323717fdd17b00cce3:922c64590222798bb761d5b6d8e72950
Add iis-shortname template 2020-10-24 21:21:17 +00:00			`id: iis-shortname`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00
Add iis-shortname template 2020-10-24 21:21:17 +00:00			`info:`
Enhancement: fuzzing/iis-shortname.yaml by md 2023-03-08 16:02:58 +00:00			`name: IIS - Short Name Detect`
Add iis-shortname template 2020-10-24 21:21:17 +00:00			`author: nodauf`
			`severity: info`
Enhancement: fuzzing/iis-shortname.yaml by md 2023-03-08 16:02:58 +00:00			`description: A website running via IIS on an old .net framework contains a get request vulnerability. Using the the tilde character "~" in the request, an attacker can locate short names of files and folders not normally visible.`
Removed pipe (\|) character from references, because the structure requires it to be a string slice, not a string Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 11:37:49 +00:00			`reference:`
Satisfying the linter (all errors and warnings) * whitespace modifications only 2021-08-19 14:44:46 +00:00			`- https://github.com/lijiejie/IIS_shortname_Scanner`
			`- https://www.exploit-db.com/exploits/19525`
Enhancement: fuzzing/iis-shortname.yaml by md 2023-03-08 16:02:58 +00:00			`- http://soroush.secproject.com/blog/2012/06/microsoft-iis-tilde-character-vulnerabilityfeature-short-filefolder-name-disclosure/`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N`
templateman update 2023-10-14 11:27:55 +00:00			`cvss-score: 0`
Enhancement: fuzzing/iis-shortname.yaml by md 2023-03-08 16:02:58 +00:00			`cwe-id: CWE-200`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 4`
auto tagging via templateman 2024-01-14 09:21:50 +00:00			`tags: fuzzing,fuzz,edb`
Add iis-shortname template 2020-10-24 21:21:17 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
fixing syntax 2021-03-09 08:12:02 +00:00			`- raw:`
			`- \|`
			`GET /N0t4xist~1/a.aspx HTTP/1.1`
			`Host: {{Hostname}}`
			`Origin: {{BaseURL}}`
			`Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8`
			`- \|`
			`GET /~1/a.aspx' HTTP/1.1`
			`Host: {{Hostname}}`
			`Origin: {{BaseURL}}`
			`Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8`
			`- \|`
			`OPTIONS /N0t4xist~1/a.aspx HTTP/1.1`
			`Host: {{Hostname}}`
			`Origin: {{BaseURL}}`
			`Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8`
			`- \|`
			`OPTIONS /~1/a.aspx' HTTP/1.1`
			`Host: {{Hostname}}`
			`Origin: {{BaseURL}}`
			`Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8`
Add iis-shortname template 2020-10-24 21:21:17 +00:00
			`matchers:`
			`- type: dsl`
			`dsl:`
			`- "status_code_1!=404 && status_code_2 == 404 \|\| status_code_3 != 404 && status_code_4 == 404"`
TemplateMan Update [Mon Nov 27 09:19:41 UTC 2023] :robot: 2023-11-27 09:19:41 +00:00
			`# digest: 4a0a00473045022100c1481eeae29da2a1037678e50a1fbcdf0d9abedcdc00a900c389cf024d1cbb0102203a1121c56b0555e037faa9d7775e35116fe544afcc4dd8323717fdd17b00cce3:922c64590222798bb761d5b6d8e72950`