Script http-iis-webdav-vuln
Script types:
portrule
Categories:
vuln, intrusive
Download: https://svn.nmap.org/nmap/scripts/http-iis-webdav-vuln.nse
Script Summary
Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. This vulnerability was patched in Microsoft Security Bulletin MS09-020, https://nmap.org/r/ms09-020.
A list of well known folders (almost 900) is used by default. Each one is checked, and if returns an authentication request (401), another attempt is tried with the malicious encoding. If that attempt returns a successful result (207), then the folder is marked as vulnerable.
This script is based on the Metasploit auxiliary module auxiliary/scanner/http/wmap_dir_webdav_unicode_bypass
For more information on this vulnerability and script, see:
- http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html
- http://seclists.org/fulldisclosure/2009/May/att-134/IIS_Advisory_pdf.bin
- http://www.skullsecurity.org/blog/?p=271
- http://www.kb.cert.org/vuls/id/787932
- http://www.microsoft.com/technet/security/advisory/971492.mspx
Script Arguments
- basefolder
The folder to start in; eg,
"/web"will try"/web/xxx".- folderdb
The filename of an alternate list of folders.
- webdavfolder
Selects a single folder to use, instead of using a built-in list.
- slaxml.debug
See the documentation for the slaxml library.
- http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
Example Usage
nmap --script http-iis-webdav-vuln -p80,8080 <host>
Script Output
80/tcp open http syn-ack |_ http-iis-webdav-vuln: WebDAV is ENABLED. Vulnerable folders discovered: /secret, /webdav
Requires
Authors:
License: Same as Nmap--See https://nmap.org/book/man-legal.html