Finding Hidden Files and Folders on IIS using BigQuery

Sep 18, 2020

 

Motivations

I recently made a video on how to find hidden files and folders on IIS through the use of IIS Shortname Scanner.

Using IIS shortname scanner, gets you 50% of the way there, by giving you the short names of files and folders on the server. However, the problem of identifying the rest of the file or folder name is still sometimes a challenge. Here is what the output from IIS Shortname Scanner could look like:

Testing request method: "DEBUG" with magic part: "\a.aspx" ...
File: WEB~1.CON
File: GLOBAL~1.ASA
File: PACKAG~1.CON
File: LOG4NE~1.CON
File: WEB-CO~1.CON
File: SITEBA~1.ZIP
Dir: PROPER~1COS
[-] PROPER~1.S
# IIS Short Name (8.3) Scanner version 2.3.9 (05 February 2017)
Target: http://REDACTED/bidsservice/
|_ Result: Vulnerable!
|_ Used HTTP method: DEBUG
|_ Suffix (magic part): \a.aspx
|_ Extra information:
  |_ Number of sent requests: 701
  |_ Identified directories: 1
    |_ PROPER~1
  |_ Indentified files: 6
    |_ GLOBAL~1.ASA
    |_ LOG4NE~1.CON
    |_ PACKAG~1.CON
    |_ SITEBA~1.ZIP
    |_ WEB-CO~1.CON
    |_ WEB~1.CON
      |_ Actual file name = WEB

Finished in: 13 second(s)

There are two main approaches you can take:

  • Bruteforce the rest of the file or folder name, purely using existing wordlists or generating wordlists of characters (0-5 chars, a-z, 0-9 etc).
  • Bruteforce the rest of the file or folder name, by using regexes on the GitHub dataset from BigQuery.

At the end of the first video I made on hacking IIS, I mentioned that I found a zip file in the docroot on an IIS server, that contained all of the application source code and secrets. This led to roughly a $3000 finding:

 

This was done by first running IIS shortname scanner, and then by using Google BigQuery to generate a list of zip files that start with the shortnames. I have found this to be an effective method in many cases, and it certainly does help.

Safety advice

Now, before we go into the “how” section, I want to share an anecdote:

Before we start scouring through GitHub’s dataset, I want to make sure you avoid what happened to me. Some people on twitter suggested setting a quota for BigQuery so you cannot overspend, and that is solid advice here.

The pricing for BiqQuery is not so bad. The first terabyte of processing is free every month, and every terabyte after costs $5. See here for more details.

Typically, a single query against the GitHub dataset can be 300-500 GB of processing. With further optimization, you can bring these costs down.

To do this, go to https://console.cloud.google.com/iam-admin/quotas and set a quota for “BigQuery API - Query usage per day”:

 

Also, grab this Chrome Extension so that you can see the estimated costs per query.

How?

Using BigQuery is incredibly simple to use. Instead of going into depth around how to use BigQuery for offensive purposes, I would like to direct you to the following resources we have already written or presented about:

This guide will help you get setup for BigQuery.

If you go through the resources above, you will truly understand the power of BigQuery when it comes to application security.

So, let’s go back to the example output I provided for IIS shortname scanner at the top of this blog post.

Did you notice SITEBA~1.ZIP in the output?

Here is how you would pull down all files starting with siteba and end with .zip using BigQuery:

SELECT * FROM `bigquery-public-data.github_repos.files` WHERE (REGEXP_CONTAINS(path, r'(\/(?i)siteba[a-z0-9A-Z]+\.zip|^siteba[a-z0-9A-Z]+\.zip)')) LIMIT 1000

This returns the following:

 

Nice. I hadn’t considered that the file name could be called sitebase.zip. In my head, I thought it could be something like sitebackup.zip.

This is how BigQuery helps you in your process for guessing the correct file or folder name. It may not directly lead to the results but it will get you closer.

Why not just try all of the zip files available on BigQuery as a standard process in my testing? Sure, that’s an option too.

Download wordlist with all .zip files from BigQuery (JSON)

After reading this blog post, if you’ve tried BigQuery, and are still looking for the rest of the file or folder name, I then suggest using crunch to generate an appropriate wordlist to bruteforce the rest of the path with.

Video

I cover some more concepts about IIS hacking in the video embedded below: