IIS – Page 7 – WindowsTechs.com

How to lock IIS server files through a shell?

Posted on September 23, 2019 by Unedited Reality

After uploading a shell to a .net site (.aspx extensions) and get it to work, is there any way to execute a command through that shell to prevent the upload of any other shell?

Continue reading How to lock IIS server files through a shell?→

Install SSL for a site in IIS 8 when you have a certificate.txt file and private key file

Posted on August 27, 2019 by Harobed

I have two files.

File whose contents start with —–BEGIN CERTIFICATE REQUEST—–
File whose contents start with —–BEGIN PRIVATE KEY—–

How do I use these two files to create a SSL for a given website in IIS 8/W… Continue reading Install SSL for a site in IIS 8 when you have a certificate.txt file and private key file→

Securing DB connection string and other configuration files in RCE scenario

Posted on August 26, 2019 by Raimonds Liepiņš

Environment:

Microsoft Windows
IIS Web server
MSSQL DB

Let’s say an application gets compromised with an RCE, what’s the best scenario of protecting the database connection string file or any other sensitive configurati… Continue reading Securing DB connection string and other configuration files in RCE scenario→

Determining clients connecting to IIS using CBC ciphers. (preparing for Lucky13 remediation)

Posted on August 20, 2019 by MaCuban

I am trying to determine the impact of re-mediating a lucky 13 vulnerability; which i understand requires disabling CBC cipher modes.
So far i have added custom logging to my IIS instance to capture and translate the algorith… Continue reading Determining clients connecting to IIS using CBC ciphers. (preparing for Lucky13 remediation)→

Secure AWS instance metadata against potential SSRF

Posted on August 10, 2019 by Raimonds Liepiņš

I am running a Windows instance on AWS.

The instance has an IIS service running on it.

The IIS service has a user associated to it and it has no need to access the AWS instance metadata.

I was reading up on
https://aws…. Continue reading Secure AWS instance metadata against potential SSRF→

Upload failed on /metasploitblablabla.txt [303 See other] [on hold]

Posted on August 8, 2019 by Pamela Garcia

I am dealing with a website on Microsoft-IIS/8.5 (OS: Windows Server 2012). I found a module that can be used to execute a payload on IIS servers that have world-writeable directories. The payload is uploaded as an ASP script… Continue reading Upload failed on /metasploitblablabla.txt [303 See other] [on hold]→

Upload failed on /metasploitblablabla.txt [303 See other] [on hold]

Posted on August 8, 2019 by Pamela Garcia

Risk of allowing the string "xss" in query string

Posted on August 1, 2019 by mikemurf22

A former employee, put the following in our “global.axas”

if (url.Contains(“xss”)){
response.StatusCode = 404;
resposne.end();
}

I get he was trying to prevent cross site scripting, but other than example where people put… Continue reading Risk of allowing the string "xss" in query string→

wss websocket not working in windows server [on hold]

Posted on July 28, 2019 by IGCGamers

I am installing a poker game. It connects to a websocket and it works perfect with http. If i access using https, it connects to wss. But it says connection refused.

ws is working properly. But wss is not working properly…. Continue reading wss websocket not working in windows server [on hold]→

How filter a GET parameter for a specific URL in IIS 10?

Posted on July 26, 2019 by sushi

I have an openredirect vulnerability on my web application. You can learn about this with the following link: https://stackoverflow.com/questions/48340714/azure-ad-b2c-vulnerable-to-open-redirect

Because it is a problem with… Continue reading How filter a GET parameter for a specific URL in IIS 10?→