Hackthebox：Granny Walkthrough（not use metasploit）_put' method could allow clients to save files on t-优快云博客

本文链接：https://blog.youkuaiyun.com/Alexhcf/article/details/110764857

本文档详细记录了利用CVE-2017-7269攻击IIS 6.0 WebDAV漏洞的过程，包括信息收集、漏洞利用和提权。通过nikto、nmap和davtest等工具，最终成功上传并执行jsp马，然后利用Windows Exploit Suggester找到提权漏洞，完成攻击。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

预备知识

nikto、nmap、iis6.0的webdav、davtest、kali自带webshell、

信息收集

nmap 10.10.10.15

只开了个80端口，那么还是web，浏览器访问目标机器

直接就是报错页面，迷惑，不过可知服务器是iis

扫了下目录，毫无思路，nmap扫下漏洞

nmap -script=vuln 10.10.10.15

还是没什么发现

nikto 扫一下，这次的信息就多了

nikto -h http://10.10.10.15

+ Server: Microsoft-IIS/6.0
+ Retrieved microsoftofficewebserver header: 5.0_Pub
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'microsoftofficewebserver' found, with contents: 5.0_Pub
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-aspnet-version header: 1.1.4322
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-397: HTTP method 'PUT' allows clients to save files on the web server.
+ OSVDB-5646: HTTP method 'DELETE' allows clients to delete files on the web server.
+ Retrieved dasl header: <DAV:sql>
+ Retrieved dav header: 1, 2
+ Retrieved ms-author-via header: MS-FP/4.0,DAV

服务器是iis6.0，google iis6.0 exploit

找到了Microsoft IIS 6.0 - WebDAV ‘ScStoragePathFromUrl’ Remote Buffer Overflow ，CVE:
2017-7269 而且本机器正好有DAV

dav可以用davtest测试

davtest -url http://10.10.10.15

测试结果如下

********************************************************
 Testing DAV connection
OPEN            SUCCEED:                http://10.10.10.15
********************************************************
NOTE    Random string for this session: a6GgkBw
********************************************************
 Creating directory
MKCOL           SUCCEED:                Created http://10.10.10.15/DavTestDir_a6GgkBw
********************************************************
 Sending test files
PUT     pl      SUCCEED:        http://10.10.10.15/DavTestDir_a6GgkBw/davtest_a6GgkBw.pl
PUT     jhtml   SUCCEED:        http://10.10.10.15/DavTestDir_a6GgkBw/davtest_a6GgkBw.jhtml
PUT     jsp     SUCCEED:        http://10.10.10.15/DavTestDir_a6GgkBw/davtest_a6GgkBw.jsp
PUT     asp     FAIL
PUT     cfm     SUCCEED:        http://10.10.10.15/DavTestDir_a6GgkBw/davtest_a6GgkBw.cfm
PUT     php     SUCCEED:        http://10.10.10.15/DavTestDir_a6GgkBw/davtest_a6GgkBw.php
PUT     txt     SUCCEED:        http://10.10.10.15/DavTestDir_a6GgkBw/davtest_a6GgkBw.txt
PUT     cgi     FAIL
PUT     shtml   FAIL
PUT     aspx    FAIL
PUT     html    SUCCEED:        http://10.10.10.15/DavTestDir_a6GgkBw/davtest_a6GgkBw.html
********************************************************
 Checking for test file execution
EXEC    pl      FAIL
EXEC    jhtml   FAIL
EXEC    jsp     FAIL
EXEC    cfm     FAIL
EXEC    php     FAIL
EXEC    txt     SUCCEED:        http://10.10.10.15/DavTestDir_a6GgkBw/davtest_a6GgkBw.txt
EXEC    html    SUCCEED:        http://10.10.10.15/DavTestDir_a6