Microsoft IIS UrlScan Module Bypass

Posted Oct 3, 2017
Authored by Steve Kaun

The Microsoft IIS UrlScan module suffers from a bypass vulnerability.

tags | exploit, bypass
MD5 | 9508fb9d121697442b8bd2d57e43604e

#Paper Title: Microsoft IIS UrlScan Module Bypass
#Date: 16 AUG 2017
#Software Link: https://www.iis.net/downloads/microsoft/urlscan
#Author: Steven Kaun (Gh0st)
#Contact: https://twitter.com/AngryMilks
#Website: https://gh0sthacks.blogspot.com/
#Category: WAF Bypass

Gh0st
`oooooooooooooooooooo
.mmmmmmmmmmmmmmmmmmmm
.........-mmmmmmmmmmmmmmmmmmmm..........
hdddddddddmmmmmmmmmmmmmmmmmmmmdddddddddd`
hmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm`
sssssdmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmsssso
`mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmd
----:mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmd----.
dddddmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmddddy
dmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmh
dmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmh
dmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmh
dmmmmmmmmmmmmmmssssssssssmmmmmmmmmmyssssssssymmmmmmmmmmmmmmh
dmmmmmmmmmmmmmm dmmmmmmmmm. .mmmmmmmmmmmmmmh
````dmmmmmmmmmmmmmm dmmmmmmmmm. .mmmmmmmmmmmmmmh`````
shhhhmmmmmmmmmmmmmmm dmmmmmmmmm. .mmmmmmmmmmmmmmdhhhhh
hmmmmmmmmmmmmmmmmmmm dmmmmmmmmm. .mmmmmmmmmmmmmmmmmmmm
hmmmmmmmmmmmmmmmmmmmoooooooooommmmmmmmmmsoooooooosmmmmmmmmmmmmmmmmmmmm
hmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm
hmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm
hmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm
hmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm
hmmmmmmmmd::::::::::mmmmmmmmmm::::::::::dmmmmmmmmd::::::::::mmmmmmmmmm
hmmmmmmmmd mmmmmmmmmm` hmmmmmmmmh `mmmmmmmmmm
hmmmmyyyyy----------yyyyyyyyyy----------syyyyyyyys----------yyyyhmmmmm
hmmmm` `mmmmmmmmmm dmmmmmmmmm. .mmmmmmmmmd .mmmmm
hmmmm`````mmmmmmmmmm``````````dmmmmmmmmm.````````.mmmmmmmmmd````-mmmmm
hmmmmyyyyymmmmmmmmmmyyyyyyyyyymmmmmmmmmmyyyyyyyyyymmmmmmmmmmyyyyymmmmm
hmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm
hmmmmmmmmmmmmmmmmmmmsssssmmmmmmmmmmmmmmmmmmmmsssssmmmmmmmmmmmmmmmmmmmm
hmmmmmmmmmmmmmmmmmmm .mmmmmmmmmmmmmmmmmmmm .mmmmmmmmmmmmmmmmmmmm
yddddmmmmmmmmmmddddd `dddddmmmmmmmmmmddddd `dddddmmmmmmmmmmddddd
`....dmmmmmmmmm-.... .....dmmmmmmmmm-.... .....dmmmmmmmmh.....
dmmmmmmmmm. dmmmmmmmmm. dmmmmmmmmh
+ooooooooo` +ooooooooo` +oooooooo/

########
Preface
########

This was identified after coming up with nothing in the way of help for bypassing a WAF identified as UrlScan. After finding that a web application was filtering and essentially dropping most attacks and their associated payloads, I dug into how to bypass it. This is about as simple as a bypass can possibly get, but at the same time it is unique enough to warrant writing about.

########
Situation
########

We all understand that WAFs are in place to identify and block malicious requests before they reach the application, so in effect I need to figure out exactly what makes it tick, or how to make it tick for us. To that end, this came after exhaustive research into UrlScan and trying to see if anyone had run across this in the professional or unethical realm. Well, I guess you can figure out how well that went.

Anyways... I've identified the IIS module "UrlScan 3.1" running on an IIS 6 machine (note this could equally be IIS 7.5, 6, 5, etc.), and I've identified that the application is filtering certain characters, but I'm stuck because whatever malicious requests I send get dropped or filtered by UrlScan anyway.

########
Eureka!
########

So after perusing developer forums, Microsoft technical documentation, and various SQLmap documentation and tamper methods, I had learned that appending %00 (a null byte) can be performed by the tamper script "appendnullbyte". This, however, refused to work, and the UrlScan module picked it up right away. So what was I supposed to do? Well, apparently UrlScan doesn't know how to handle, or what to do, when the null byte is the prefix, and as far as I'm aware there are no SQLmap tamper scripts that would perform this bypass.

So after formatting the sqlmap command with the real value of a parameter, I know that this page exists and has dynamic content depending on the "users" integer value.
Original Unmodified
http://somesite.com/blog?users=3389

I quickly learned that the appendnullbyte tamper script only modifies the payload like this (note this is just a generic payload):

http://somesite.com/blog?users=3389' WAITFOR DELAY '0:0:10'--%00

So after analyzing the responses from the application, it seemed like it wouldn't take it at all... However, not all is lost. After performing more research into the matter, the solution became apparent when some random dev was complaining about UrlScan's filter rule for %00 basically crashing their application. What I can extrapolate from that is that %00 is a null value (obvious), but more than that, I can deduce that %00 is not only not interpreted by UrlScan, it is completely overlooked, because it carries a null value where UrlScan expects something.

Imagine, if you will, that you are an application looking for a value of anything greater than 0, but then you encounter 0. Would you simply stop interpreting it because, to you, there is nothing there? Well, if you said yes, you're in the same boat as UrlScan's logic, apparently.

########
The Attack
########

So I've come to the conclusion that UrlScan expects some value to interpret or inspect whether it be in the Url, Url parameter, or POST body. I've also come to understand that if the value is null UrlScan simply ignores it on the basis that there is nothing to inspect, thus giving us the path towards carnage.

So here I am, at the end of the road... Will it work or not?

http://somesite.com/blog?users=3389%00' WAITFOR DELAY '0:0:10'--

IT WORKS! This little null value gave me the ability to perform SQL injection where SQL injection had failed time and time again before.

This also allowed XSS in any arbitrary parameter I wanted...

http://somesite.com/blog?%foobar=%00foo'><script>alert("XSS")</script>

########
Conclusion
########

In the end I've learned the following...

1. UrlScan's logic is flawed in the manner in which it interprets null values - it expects 1, but gets 0, and does not continue inspection
2. %00 allows us to bypass UrlScan's logic to perform XSS and SQL injection where it would normally fail
3. %00 filtering within UrlScan breaks applications for whatever reason
4. SQLmap does not have a tamper script with which to bypass UrlScan; it only has the ability to append %00 to the end of a payload, whereas this bypass requires it be prepended to the payload
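To make points 1 and 2 concrete from the defender's side, here is an added example (not part of the original write-up, and not UrlScan's actual code) that models a filter which stops inspecting at the first NUL byte next to a hardened version that decodes first, rejects NUL outright and matches over the whole buffer. The deny-list and the request set are constructed for illustration; the URLs are the write-up's own examples.

```python
from urllib.parse import unquote_to_bytes, urlsplit

# Constructed deny-list standing in for a WAF's rules (assumption: not UrlScan's real rule set).
DENY_TOKENS = (b"waitfor delay", b"<script", b"'--")


def decoded_query(url: str) -> bytes:
    """Percent-decode the query string to raw bytes, so %00 becomes b'\\x00'."""
    return unquote_to_bytes(urlsplit(url).query)


def naive_filter(url: str) -> bool:
    """Return True if the request is allowed.

    Models the flaw described above: the decoded query is handled like a
    C string, so inspection stops at the first NUL byte and everything after
    it is never matched against the rules.
    """
    visible = decoded_query(url).split(b"\x00", 1)[0].lower()
    return not any(tok in visible for tok in DENY_TOKENS)


def hardened_filter(url: str) -> bool:
    """Return True if the request is allowed.

    Decode first, then (1) reject any NUL byte outright, since no legitimate
    query parameter needs one, and (2) match the rules over the whole buffer.
    """
    query = decoded_query(url)
    if b"\x00" in query:
        return False
    return not any(tok in query.lower() for tok in DENY_TOKENS)


# Constructed test requests, using the write-up's own example URLs.
REQUESTS = {
    "benign": "http://somesite.com/blog?users=3389",
    "sqli_nul_appended": "http://somesite.com/blog?users=3389' WAITFOR DELAY '0:0:10'--%00",
    "sqli_nul_prepended": "http://somesite.com/blog?users=3389%00' WAITFOR DELAY '0:0:10'--",
    "xss_nul_prepended": "http://somesite.com/blog?%foobar=%00foo'><script>alert(\"XSS\")</script>",
}


def verdicts(filter_fn) -> dict:
    """Run one filter over every constructed request; True means allowed through."""
    return {name: filter_fn(url) for name, url in REQUESTS.items()}


if __name__ == "__main__":
    for name, url in REQUESTS.items():
        print(f"{name:20s} naive={naive_filter(url)!s:5} hardened={hardened_filter(url)}")
```

Only the naive filter lets the two NUL-prefixed requests through, which is exactly the behaviour the write-up observed; the appended-NUL request is caught by both, matching why the appendnullbyte tamper failed.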
