projectdiscovery / nuclei-templates

Community curated list of templates for the nuclei engine to find security vulnerabilities.

Home Page:https://github.com/projectdiscovery/nuclei

IIS Root Directory Listing not caught in dir-listing.yaml

V0idC0de opened this issue

Nuclei Version:

Nuclei 2.7.0
Templates 9.0.1

Template file:

miscellaneous/dir-listing.yaml

Command to reproduce:

nuclei -u https://raw.githubusercontent.com/V0idC0de/dir-listing-iis-test/main/index.html -id dir-listing

Unfortunately, the site I tested with is not available publicly. I couldn't find a suitable example page, so I uploaded the returned HTML into a GitHub repo for testing purposes (see command to reproduce). That should allow for a "manual validation" of the issue.

There are screenshots and videos of such an IIS directory listing default page.
For example this video: https://youtu.be/WO1AwWW03po?t=201

The issue can be seen quickly by taking a look at the YAML file. It checks for certain phrases which should be present in a directory listing; however, none of them is present in the root directory (see video linked above). This is different in any deeper directory level (see: https://youtu.be/WO1AwWW03po?t=187), where the phrase [To Parent Directory] is visible.

I suggest going for either of the following, or a combination of them, as an additional or-condition on top of the existing ones:

  • the phrase " - /" in the title line (with a regex like \s-\s\/<\/(title|h1)>), which can be checked explicitly as the false negative only occurs in the root directory
  • the weird property of this IIS directory listing to write HTML tags in all-caps in the lines representing files (I'd have to check whether this behavior is consistent with later versions of IIS)
  • the specific pattern present in the file lines, which might be
    • the timestamp only, which can be captured with a regex like \d{1,2}\/\d{1,2}\/\d{4}\s+\d+:\d+\s+
    • or the timestamp followed by the pattern of optionally AM/PM or whitespace until a number (file size) or &lt;dir&gt; (instead of file size, in case of directories) is encountered, after which the anchor-tag in all-caps starts (caps may be explicitly checked - my regex doesn't, as I don't know if that's consistent in later versions). All of that may be checked with \d{1,2}\/\d{1,2}\/\d{4}\s+\d+:\d+\s+[\sAPM]+(&lt;dir&gt;|\d+)\s+<[Aa]\s+[hH][rR][eE][fF]="\/ (RegEx101 Link)

I suggest the following template (all files and a brief explanation also in my test repository for this):

id: dir-listing

info:
  name: Directory listing enabled
  author: _harleo,pentest_swissky
  severity: info
  reference:
    - https://portswigger.net/kb/issues/00600100_directory-listing
  tags: misc,generic

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          - "Directory listing for"
          - "Index of /"
          - "[To Parent Directory]"
          - "Directory: /"
        condition: or
      - type: regex
        regex:
          - '\d{1,2}\/\d{1,2}\/\d{4}\s+\d+:\d+\s+[\sAPM]+(&lt;dir&gt;|\d+)\s+<[Aa]\s+[hH][rR][eE][fF]="\/'
          - '\s+-\s+\/<\/(title|h1)>'
        condition: and

Run my updated version from the test repository with nuclei -u https://raw.githubusercontent.com/V0idC0de/dir-listing-iis-test/main/index.html -t https://raw.githubusercontent.com/V0idC0de/dir-listing-iis-test/main/dir-listing.yaml
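To make the false negative visible without a live IIS host, the following is an added example (not the issue author's or the project's code) that evaluates the existing word matcher and the proposed regex matcher from the template above against constructed HTML bodies. The sample bodies are modelled on the IIS listing format described in the issue and are not captured from a real server; the host name is a placeholder. The example assumes nuclei's default of combining top-level matchers with "or" when no matchers-condition is given.

```python
import re

# Word matchers copied from the existing miscellaneous/dir-listing.yaml
# (matched with condition: or).
WORDS = [
    "Directory listing for",
    "Index of /",
    "[To Parent Directory]",
    "Directory: /",
]

# Regex matchers proposed in the issue (matched with condition: and).
# Patterns are used verbatim; Python's re and nuclei's RE2 engine agree on
# every construct they contain (character classes, quantifiers, groups).
REGEXES = [
    re.compile(r'\d{1,2}\/\d{1,2}\/\d{4}\s+\d+:\d+\s+[\sAPM]+(&lt;dir&gt;|\d+)\s+<[Aa]\s+[hH][rR][eE][fF]="\/'),
    re.compile(r'\s+-\s+\/<\/(title|h1)>'),
]

# Constructed sample bodies (not captured from a real server), modelled on the
# IIS listing format described in the issue. "iis.example" is a placeholder.
IIS_ROOT_LISTING = (
    '<html><head><title>iis.example - /</title></head>'
    '<body><H1>iis.example - /</H1><hr>\n\n'
    '<pre> 3/15/2021  2:33 PM        &lt;dir&gt; <A HREF="/aspnet_client/">aspnet_client</A><br>'
    ' 3/15/2021  2:34 PM          703 <A HREF="/iisstart.htm">iisstart.htm</A><br>'
    '</pre><hr></body></html>'
)

IIS_SUBDIR_LISTING = (
    '<html><head><title>iis.example - /aspnet_client/</title></head>'
    '<body><H1>iis.example - /aspnet_client/</H1><hr>\n\n'
    '<pre><A HREF="/">[To Parent Directory]</A><br><br>'
    ' 3/15/2021  2:33 PM        &lt;dir&gt; <A HREF="/aspnet_client/system_web/">system_web</A><br>'
    '</pre><hr></body></html>'
)

# An ordinary page that happens to contain a date, to check for false positives.
PLAIN_PAGE = (
    '<html><head><title>Welcome</title></head>'
    '<body><h1>Welcome</h1><p>Last updated 3/15/2021 2:33 PM</p></body></html>'
)


def word_matcher(body: str) -> bool:
    """Existing word matcher: any phrase present (condition: or)."""
    return any(w in body for w in WORDS)


def regex_matcher(body: str) -> bool:
    """Proposed regex matcher: both patterns must match (condition: and)."""
    return all(r.search(body) is not None for r in REGEXES)


def template_matches(body: str) -> bool:
    """Whole template: top-level matchers combine with 'or' by default in
    nuclei, so either matcher firing counts as a finding."""
    return word_matcher(body) or regex_matcher(body)


def evaluate(body: str) -> dict:
    """Report each matcher separately so the per-matcher gap is visible."""
    return {
        "word": word_matcher(body),
        "regex": regex_matcher(body),
        "match": template_matches(body),
    }


if __name__ == "__main__":
    for name, body in [
        ("IIS root listing", IIS_ROOT_LISTING),
        ("IIS subdirectory listing", IIS_SUBDIR_LISTING),
        ("plain page", PLAIN_PAGE),
    ]:
        print(f"{name:26} -> {evaluate(body)}")
```

Running it shows the split the issue describes: the root listing is caught only by the regex matcher (the word matcher finds none of its phrases), the subdirectory listing is caught only by the word matcher (its title no longer ends in " - /", so the second regex fails), and a plain page containing a timestamp matches neither, because the first regex also demands a size or &lt;dir&gt; token followed by an anchor tag.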

Hi @V0idC0de, the response time to this issue was much longer than usual. Thank you for taking the time to create this issue and for contributing to the project 🍻