Ahoy! My name is Andrew and I've been playing with the recent IIS WebDAV authentication bypass vulnerability (CVE-2009-1676) and helping Ron with writing the nmap detection script (http-iis-webdav-vuln.nse) and testing it in the lab. Ron is in a meeting today, so I thought I'd jump in where he left off and post a bit about how to detect if WebDAV is enabled and how to actually exploit a folder once you've determined it is vulnerable.

The first thing one should know when playing with this vulnerability is that the IIS server is not exploitable if the root folder is protected. Also, if the root folder is protected, there is no way to determine if WebDAV is even enabled. That being said, if the root folder is _not_ protected then it's time to break out the funky cold medina and have some fun.

On IIS 5.0 and 5.1, WebDAV is enabled by default and you must edit the registry to disable it. On IIS 6.0, WebDAV is disabled by default.

My method of detection simply involves running a PROPFIND request on the server. This is the same basic PROPFIND request we used in the http-iis-webdav-vuln.nse script (the request itself was shown as an image that has not survived). When WebDAV is enabled, it should return "HTTP/1.1 207 Multi-Status". When WebDAV has been disabled, it should return "HTTP/1.1 501 Not Supported". This is the method I've implemented in the http-iis-webdav-vuln.nse script. It works great in the lab on IIS servers. If we get back anything other than a 207 or 501 then we jump ship, saying the web server is not supported. An Ubuntu server running Apache returns a 405 Method Not Allowed, for instance.

The original script only used one type of check: it would first find a protected folder (/secret/) and then try inserting the %c0%af character after the first /. It would turn /secret/ into /%c0%afsecret/.
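As an added example (my code, not the post's and not the http-iis-webdav-vuln.nse script), here is the PROPFIND-based detection described above written in Python. The 207/501/other rule is the post's; the request body, the `Depth: 0` header, the `probe_webdav` helper and the separate verdict for a 401 on the root folder (the "can't tell" case the post mentions) are my assumptions. The sample status lines are constructed so the classifier can be exercised without a network.

```python
"""Classify a web server's WebDAV state from its reply to a PROPFIND.

Added example; not the original post's code and not the nmap script.
Verdict rule from the post: 207 -> enabled, 501 -> disabled, anything
else -> server not supported by this check. A 401 on the root folder is
reported separately because the post notes that a protected root makes
WebDAV state undeterminable (my extension).
"""
import http.client
import re

STATUS_LINE = re.compile(r"^HTTP/\d\.\d\s+(\d{3})\b")

# Minimal allprop PROPFIND body (assumed; the post's request was an image).
PROPFIND_BODY = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>'
)


def classify_status(code: int) -> str:
    """Map an HTTP status code to a WebDAV verdict."""
    if code == 207:
        return "webdav-enabled"
    if code == 501:
        return "webdav-disabled"
    if code == 401:
        return "root-protected-undetermined"  # my extension, see docstring
    return "unsupported-server"


def classify_status_line(line: str) -> str:
    """Parse a raw status line such as 'HTTP/1.1 207 Multi-Status'."""
    m = STATUS_LINE.match(line.strip())
    if not m:
        return "unsupported-server"  # not an HTTP reply at all
    return classify_status(int(m.group(1)))


# Constructed sample replies standing in for live servers (not captured traffic).
SAMPLE_STATUS_LINES = {
    "iis-webdav-on": "HTTP/1.1 207 Multi-Status",
    "iis-webdav-off": "HTTP/1.1 501 Not Supported",
    "apache-ubuntu": "HTTP/1.1 405 Method Not Allowed",
    "iis-root-protected": "HTTP/1.1 401 Unauthorized",
    "not-http": "SSH-2.0-OpenSSH_5.1",
}


def classify_samples() -> dict:
    """Run the classifier over the constructed samples."""
    return {name: classify_status_line(line)
            for name, line in SAMPLE_STATUS_LINES.items()}


def probe_webdav(host: str, port: int = 80, path: str = "/",
                 timeout: float = 5.0) -> str:
    """Live check: send one PROPFIND with Depth: 0 and classify the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("PROPFIND", path, body=PROPFIND_BODY,
                     headers={"Content-Type": "text/xml", "Depth": "0"})
        return classify_status(conn.getresponse().status)
    finally:
        conn.close()


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name}: {verdict}")
```

`probe_webdav` is only called when you point it at a host you are authorised to assess; everything else runs offline on the constructed samples.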
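From the defender's side, the /%c0%afsecret/ transformation above leaves a recognisable fingerprint in web-server logs. The following added example (my code, not the post's or the nmap script's) scans raw request lines for that sequence and reports whether the server answered with a 2xx, which would mean the protected folder was actually served. It generalises beyond the post by also matching the other overlong UTF-8 encodings of `/` (0x2F); the log lines are constructed in Apache combined format and are assumed to record the request line un-decoded.

```python
"""Flag request paths carrying overlong UTF-8 encodings of '/'.

Added example (not the original post's code). The post describes the
bypass as inserting %c0%af after the first '/' of a protected path; this
scans raw request lines for that sequence and, as my extension, for the
3- and 4-byte overlong forms of 0x2F as well.
"""
import re

# Percent-encoded overlong UTF-8 forms of '/'. %c0%af is the one the post uses.
OVERLONG_SLASH = re.compile(r"%c0%af|%e0%80%af|%f0%80%80%af", re.IGNORECASE)

# Apache combined-format request field: "METHOD path HTTP/x.y" status
REQUEST_RE = re.compile(r'"([A-Z]+) (\S+) HTTP/\d\.\d" (\d{3})')

# Constructed sample log lines (not real traffic); the 2nd and 4th carry the pattern.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2009:12:00:01 -0500] "GET /secret/ HTTP/1.1" 401 0
10.0.0.5 - - [10/Jun/2009:12:00:02 -0500] "PROPFIND /%c0%afsecret/ HTTP/1.1" 207 512
10.0.0.7 - - [10/Jun/2009:12:00:03 -0500] "GET /index.html HTTP/1.1" 200 1024
10.0.0.5 - - [10/Jun/2009:12:00:04 -0500] "GET /%C0%AFsecret/file.txt HTTP/1.1" 200 88
"""


def is_overlong_bypass(path: str) -> bool:
    """True if the raw path contains an overlong encoding of '/'."""
    return OVERLONG_SLASH.search(path) is not None


def find_bypass_attempts(log_text: str) -> list:
    """Return one record per matching request line.

    'succeeded' is True when the server replied 2xx (207 included), i.e. the
    protected resource was served rather than challenged.
    """
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # malformed or non-request line
        method, path, status = m.group(1), m.group(2), int(m.group(3))
        if is_overlong_bypass(path):
            hits.append({
                "method": method,
                "path": path,
                "status": status,
                "succeeded": 200 <= status < 300,
            })
    return hits


if __name__ == "__main__":
    for hit in find_bypass_attempts(SAMPLE_LOG):
        flag = "SERVED" if hit["succeeded"] else "blocked"
        print(f"{flag:7} {hit['method']} {hit['path']} -> {hit['status']}")
```

Patching the server (or disabling WebDAV where it is not needed) is the fix; this scan is for finding out whether anyone tried the bypass before that happened, and whether it worked.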