2 :80

===============================================================
2021/05/06 11:31:33 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 149] [--> http://10.10.10.14/images/]

$ nikto -h http://10.10.10.14
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.14
+ Target Hostname:    10.10.10.14
+ Target Port:        80
+ Start Time:         2021-05-06 11:17:46 (GMT-7)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/6.0
+ Retrieved microsoftofficewebserver header: 5.0_Pub
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'microsoftofficewebserver' found, with contents: 5.0_Pub
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Retrieved dasl header: <DAV:sql>
+ Retrieved dav header: 1, 2
+ Retrieved ms-author-via header: MS-FP/4.0,DAV
+ Uncommon header 'ms-author-via' found, with contents: MS-FP/4.0,DAV
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
+ OSVDB-5646: HTTP method ('Public' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Public' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Public' Header): 'MOVE' may allow clients to change file locations on the web server.
+ WebDAV enabled (COPY UNLOCK PROPFIND PROPPATCH LOCK SEARCH MKCOL listed as allowed)
+ OSVDB-13431: PROPFIND HTTP verb may show the server's internal IP address: http://10.10.10.14/
+ OSVDB-396: /_vti_bin/shtml.exe: Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe/aux.htm -- a DoS was not attempted.
+ OSVDB-3500: /_vti_bin/fpcount.exe: Frontpage counter CGI has been found. FP Server version 97 allows remote users to execute arbitrary system commands, though a vulnerability in this version could not be confirmed. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1376. http://www.securityfocus.com/bid/2252.
+ OSVDB-67: /_vti_bin/shtml.dll/_vti_rpc: The anonymous FrontPage user is revealed through a crafted POST.
+ /_vti_bin/_vti_adm/admin.dll: FrontPage/SharePoint file found.
+ Retrieved x-aspnet-version header: 1.1.4322

$ davtest -url http://10.10.10.14
********************************************************
 Testing DAV connection
OPEN            SUCCEED:                http://10.10.10.14
********************************************************
NOTE    Random string for this session: VaPJediW983Iw
********************************************************
 Creating directory
MKCOL           FAIL
********************************************************
 Sending test files
PUT     cgi     FAIL
PUT     php     FAIL
PUT     jsp     FAIL
PUT     pl      FAIL
PUT     aspx    FAIL
PUT     html    FAIL
PUT     txt     FAIL
PUT     cfm     FAIL
PUT     jhtml   FAIL
PUT     shtml   FAIL
PUT     asp     FAIL

********************************************************
/usr/bin/davtest Summary:

Previous3 webdav exploit Next1 recon

Last updated 3 years ago

=============================================================== 2021/05/06 11:31:33 Starting gobuster in directory enumeration mode =============================================================== /images (Status: 301) [Size: 149] [--> http://10.10.10.14/images/] $ nikto -h http://10.10.10.14 - Nikto v2.1.6 --------------------------------------------------------------------------- + Target IP: 10.10.10.14 + Target Hostname: 10.10.10.14 + Target Port: 80 + Start Time: 2021-05-06 11:17:46 (GMT-7) --------------------------------------------------------------------------- + Server: Microsoft-IIS/6.0 + Retrieved microsoftofficewebserver header: 5.0_Pub + Retrieved x-powered-by header: ASP.NET + The anti-clickjacking X-Frame-Options header is not present. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS + Uncommon header 'microsoftofficewebserver' found, with contents: 5.0_Pub + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type + No CGI Directories found (use '-C all' to force check all possible dirs) + Retrieved dasl header: <DAV:sql> + Retrieved dav header: 1, 2 + Retrieved ms-author-via header: MS-FP/4.0,DAV + Uncommon header 'ms-author-via' found, with contents: MS-FP/4.0,DAV + Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK + Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH + OSVDB-5646: HTTP method ('Public' Header): 'DELETE' may allow clients to remove files on the web server. + OSVDB-397: HTTP method ('Public' Header): 'PUT' method could allow clients to save files on the web server. + OSVDB-5647: HTTP method ('Public' Header): 'MOVE' may allow clients to change file locations on the web server. + WebDAV enabled (COPY UNLOCK PROPFIND PROPPATCH LOCK SEARCH MKCOL listed as allowed) + OSVDB-13431: PROPFIND HTTP verb may show the server's internal IP address: http://10.10.10.14/ + OSVDB-396: /_vti_bin/shtml.exe: Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe/aux.htm -- a DoS was not attempted. + OSVDB-3500: /_vti_bin/fpcount.exe: Frontpage counter CGI has been found. FP Server version 97 allows remote users to execute arbitrary system commands, though a vulnerability in this version could not be confirmed. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1376. http://www.securityfocus.com/bid/2252. + OSVDB-67: /_vti_bin/shtml.dll/_vti_rpc: The anonymous FrontPage user is revealed through a crafted POST. + /_vti_bin/_vti_adm/admin.dll: FrontPage/SharePoint file found. + Retrieved x-aspnet-version header: 1.1.4322 $ davtest -url http://10.10.10.14 ******************************************************** Testing DAV connection OPEN SUCCEED: http://10.10.10.14 ******************************************************** NOTE Random string for this session: VaPJediW983Iw ******************************************************** Creating directory MKCOL FAIL ******************************************************** Sending test files PUT cgi FAIL PUT php FAIL PUT jsp FAIL PUT pl FAIL PUT aspx FAIL PUT html FAIL PUT txt FAIL PUT cfm FAIL PUT jhtml FAIL PUT shtml FAIL PUT asp FAIL ******************************************************** /usr/bin/davtest Summary: