> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/lfi/credentials-extraction/trick-0113.md).

# Extract IIS Credentials via File Read

***

The `web.config` file is a fundamental configuration file used by IIS and ASP.NET applications. It stores critical settings for the web application, including database connection strings, which frequently contain sensitive credentials such as usernames and passwords required to access backend databases.

An arbitrary file read or Local File Inclusion (LFI) vulnerability on an IIS server can be exploited to gain unauthorized access to the contents of sensitive files like `web.config`. This type of vulnerability allows an attacker to supply a file path as input to a web application parameter, which is then used by the application to include or read a file from the server's file system.

Exploiting such a vulnerability to read `web.config` on an IIS server typically involves using directory traversal techniques. By inserting sequences like `../` (or `..\` on Windows) into the vulnerable parameter, an attacker can navigate up the directory structure from the location of the vulnerable script to reach the web application's root directory or other locations on the file system where `web.config` might reside.

A common approach involves constructing a URL payload that traverses upwards from the current directory to the root of the web application or the `inetpub/wwwroot` directory, and then specifies the `web.config` file. The number of `../` sequences needed depends on the directory depth of the vulnerable script relative to the target file.

For instance, a payload might look like this:

```
http://[target]/[vulnerable_path]?file=../../../../web.config
```

or potentially a path relative to the IIS installation directory, such as:

```
http://[target]/[vulnerable_path]?file=../../../../inetpub/wwwroot/web.config
```

Successful exploitation results in the server processing the request and returning the raw content of the `web.config` file to the attacker.

Once the `web.config` content is obtained, attackers can analyze the XML structure to locate sensitive configuration data. The `<connectionStrings>` section is particularly valuable, as it often contains database connection strings that include usernames, passwords, server addresses, and database names.

An example of sensitive information found within a `web.config` file's connection string:

```xml
<connectionStrings>
  <add name="ApplicationDb" connectionString="Data Source=SQLSERVER;Initial Catalog=MyDatabase;User ID=appuser;Password=ComplexPassword123;" providerName="System.Data.SqlClient" />
</connectionStrings>
```

Extracting such connection strings provides attackers with direct access to backend data stores, which can be a critical step in further compromising the system. The ability to read arbitrary files like `web.config` via LFI on IIS servers poses a significant risk due to the potential exposure of hardcoded credentials and other sensitive configuration details.
