I've been practicing with nikto against a NetTalk web server, trying to expand on recent training. The tool reports a number of informational items, one of which is this:
```
OSVDB-28260: POST /_vti_bin/shtml.exe/_vti_rpc?method=server+version%3a4%2e0%2e2%2e2611: Gives info about server settings.
```
If I replay the request through a proxy (I used Burp Suite Pro), the request looks like this:
```
GET /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1
Connection: close
User-Agent: Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:002763)
Host: [redacted: IP]
```
The response looks like this:
```
HTTP/1.1 200 OK
Date: Fri, 23 Jun 2017 04:28:33 GMT
Server: NetTalk-WebServer/8.31
Expires: Thu, 23 Jun 2016 04:28:33 GMT
Content-Length: 41
Content-Type: application/json
Cache-Control: no-store, no-cache, must-revalidate, private,post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Set-Cookie: SESSIONID=[redacted]; path=/; HttpOnly
Connection: close
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff

[redacted: return data]
```
A similar request does the same thing:
```
POST /_vti_bin/shtml.dll/_vti_rpc HTTP/1.1
Connection: close
Content-Length: 57
User-Agent: Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:003486)
Content-Type: application/x-www-form-urlencoded
Host: [redacted: IP]

method=open+service%3a3%2e0%2e2%2e1105&service%5fname=%2f
```
Response:
```
HTTP/1.1 200 OK
Date: Fri, 23 Jun 2017 03:24:47 GMT
Server: NetTalk-WebServer/8.31
Expires: Thu, 23 Jun 2016 03:24:47 GMT
Content-Length: 41
Content-Type: application/json
Cache-Control: no-store, no-cache, must-revalidate, private,post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Set-Cookie: SESSIONID=[redacted]; path=/; HttpOnly
Connection: close
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff

[redacted: return data]
```
The resources /_vti_bin/shtml.dll/_vti_rpc and /_vti_bin/shtml.exe/_vti_rpc certainly do not exist, and I would have expected a 404 response.
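
One way to check whether findings like these are only the server's generic reply to unknown paths is to compare each captured response with the response to a path that cannot exist, ignoring headers that change per request. This is an added example, not part of the original post; the 41-byte bodies, session IDs, baseline response and 404 response are constructed placeholders, and `fingerprint`, `is_catch_all` and `sample` are hypothetical helper names.

```python
# Added example: decide whether a scanner finding is just the server's
# generic reply to any unknown path. All sample data below is constructed.
import hashlib

VOLATILE = {"date", "expires", "set-cookie"}  # change on every request
BODY = b"P" * 41  # constructed stand-in for the redacted 41-byte body

def fingerprint(raw: bytes):
    """Reduce a raw HTTP response to (status, stable headers, body hash)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    stable = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() not in VOLATILE:
            stable.append((name.strip().lower(), value.strip()))
    return status, tuple(sorted(stable)), hashlib.sha256(body).hexdigest()

def is_catch_all(finding: bytes, baseline: bytes) -> bool:
    """True when a 200 finding is indistinguishable from the baseline."""
    f, b = fingerprint(finding), fingerprint(baseline)
    return f[0] == 200 and f == b

def sample(date, sid, status="200 OK", body=BODY) -> bytes:
    """Build a constructed response shaped like the ones in the post."""
    head = [f"HTTP/1.1 {status}", f"Date: {date}",
            "Server: NetTalk-WebServer/8.31",
            f"Content-Length: {len(body)}", "Content-Type: application/json",
            f"Set-Cookie: SESSIONID={sid}; path=/; HttpOnly",
            "Connection: close"]
    return "\r\n".join(head).encode() + b"\r\n\r\n" + body

SHTML_EXE = sample("Fri, 23 Jun 2017 04:28:33 GMT", "constructed-a")
SHTML_DLL = sample("Fri, 23 Jun 2017 03:24:47 GMT", "constructed-b")
# Hypothetical reply to a request for a random path that cannot exist.
BASELINE = sample("Fri, 23 Jun 2017 04:30:00 GMT", "constructed-c")
# What a server that distinguishes missing resources would send instead.
REAL_404 = sample("Fri, 23 Jun 2017 04:31:00 GMT", "constructed-d",
                  "404 Not Found", b"not found")

if __name__ == "__main__":
    for name, raw in [("shtml.exe", SHTML_EXE), ("shtml.dll", SHTML_DLL),
                      ("real 404", REAL_404)]:
        print(name, "catch-all" if is_catch_all(raw, BASELINE) else "distinct")
```

A finding that matches the baseline on status, stable headers and body hash carries no information about the requested resource, so the scanner's signature match on the 200 status alone is not evidence that the resource exists.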