nuclei-templates/fuzzing/iis-shortname.yaml


---
# Nuclei template that sends wildcard/tilde ("~1") paths with GET and OPTIONS
# and compares the status codes. Per the description below, this is aimed at
# IIS short-name (8.3) enumeration.
# Severity is "info": treat a match as a lead to verify on the host, not as
# proof; custom error handling or a proxy in front of the server can change
# the status codes this check relies on.
id: iis-shortname

info:
  name: iis-shortname
  author: nodauf
  severity: info
  description: If IIS use old .Net Framwork it's possible to enumeration folder with the symbol ~.

  # References:
  # - https://github.com/lijiejie/IIS_shortname_Scanner
  # - https://www.exploit-db.com/exploits/19525

requests:
  # Probe pair 1 (GET). The first path carries a name prefix ("N0t4xist")
  # that is presumably absent on the target; the second is a bare wildcard
  # before "~1".
  - method: GET
    path:
      - "{{BaseURL}}/N0t4xist*~1*/a.aspx"
      # NOTE(review): the trailing ' is inside the quotes, so it is sent as
      # part of the URL - confirm it is intentional and not a typo.
      - "{{BaseURL}}/*~1*/a.aspx'"

  # Probe pair 2 (OPTIONS): the same two paths with a different method.
  - method: OPTIONS
    path:
      - "{{BaseURL}}/N0t4xist*~1*/a.aspx"
      - "{{BaseURL}}/*~1*/a.aspx'"

    # NOTE(review): nesting reconstructed - matchers is placed under the last
    # request block; confirm against the original file.
    matchers:
      - type: dsl
        name: iis-scan
        dsl:
          # Matches when, for either method, the "N0t4xist" probe is NOT 404
          # while the bare-wildcard probe IS 404. With the usual && over ||
          # precedence this reads (1 && 2) || (3 && 4).
          # NOTE(review): the expression uses status_code_1..4, but each
          # request block above lists only two paths. Confirm that the engine
          # version in use numbers responses across both blocks (and whether
          # req-condition must be enabled); otherwise this matcher may never
          # evaluate as intended and the check would silently report nothing.
          - "status_code_1!=404 && status_code_2 == 404 || status_code_3 != 404 && status_code_4 == 404"