IIS5 is awesome (not) because WebDAV is enabled by default but web root is not writable. Wait who still runs Windows 2000?! i know i know app cant be rewritten...accepted risk...blah blah...no one will ever use this to pwn my network...its ok if that DA admin script logs into it daily....
The "game" is finding the writable directory (if one exists) on the WebDAV enabled server.
*Dirbusting and ruby FTW*
I find that its usually NOT the web root, so honestly it can be a challenge to find the writable directory. VA scanners can help, Nessus will actually tell you methods allowed per directory...still a challenge though.
Once you have a directory you want to test you can use cadaver to manually test, davtest, or Ryan Linn's metasploit module for testing for WebDAV.
I've also done some posts on webDAV in the past
hdm had done a post on it in the past in relation to the asp payload, i cant find it on the R7 site but its mirrored here: http://meta-sploit.blogspot.com/2010/01/exploiting-microsoft-iis-with.html
Decent writeup here:
HTTP PUT/SEARCH usually gets rolled into
Web scanners are better about alerting on PUT as an available method and most will attempt the PUT for you. I don't think any vuln scanners do, i'm sure someone will correct me if i'm wrong.
Writable HTTP PUT is rare (least for me) although some friends say they see it all the time.
metasploit has a module to test for PUT functionality as well.
HTTP SEARCH can be fun. When enabled, will give you a listing of every file in the webroot.