# WebDav
\ Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ Get Access Today: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
When dealing with a **HTTP Server with WebDav** enabled, it's possible to **manipulate files** if you have the right **credentials**, usually verified through **HTTP Basic Authentication**. Gaining control over such a server often involves the **upload and execution of a webshell**. Access to the WebDav server typically requires **valid credentials**, with [**WebDav bruteforce**](../../generic-methodologies-and-resources/brute-force.md#http-basic-auth) being a common method to acquire them. To overcome restrictions on file uploads, especially those preventing the execution of server-side scripts, you might: * **Upload** files with **executable extensions** directly if not restricted. * **Rename** uploaded non-executable files (like .txt) to an executable extension. * **Copy** uploaded non-executable files, changing their extension to one that is executable. ## DavTest **Davtest** try to **upload several files with different extensions** and **check** if the extension is **executed**: ```bash davtest [-auth user:password] -move -sendbd auto -url http:// #Uplaod .txt files and try to move it to other extensions davtest [-auth user:password] -sendbd auto -url http:// #Try to upload every extension ``` Output sample: ![](<../../.gitbook/assets/image (848).png>) This doesn't mean that **.txt** and **.html extensions are being executed**. This mean that you can **access this files** through the web. ## Cadaver You can use this tool to **connect to the WebDav** server and perform actions (like **upload**, **move** or **delete**) **manually**. ``` cadaver ``` ## PUT request ``` curl -T 'shell.txt' 'http://$ip' ``` ## MOVE request ``` curl -X MOVE --header 'Destination:http://$ip/shell.php' 'http://$ip/shell.txt' ```
\ Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ Get Access Today: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} ## IIS5/6 WebDav Vulnerability This vulnerability is very interesting. The **WebDav** does **not allow** to **upload** or **rename** files with the extension **.asp**. But you can **bypass** this **adding** at the end of the name **";.txt"** and the file will be **executed** as if it were a .asp file (you could also **use ".html" instead of ".txt"** but **DON'T forget the ";"**). Then you can **upload** your shell as a ".**txt" file** and **copy/move it to a ".asp;.txt"** file. An accessing that file through the web server, it will be **executed** (cadaver will said that the move action didn't work, but it did). ![](<../../.gitbook/assets/image (1089).png>) ## Post credentials If the Webdav was using an Apache server you should look at configured sites in Apache. Commonly:\ _**/etc/apache2/sites-enabled/000-default**_ Inside it you could find something like: ``` ServerAdmin webmaster@localhost Alias /webdav /var/www/webdav DAV On AuthType Digest AuthName "webdav" AuthUserFile /etc/apache2/users.password Require valid-user ``` As you can see there is the files with the valid **credentials** for the **webdav** server: ``` /etc/apache2/users.password ``` Inside this type of files you will find the **username** and a **hash** of the password. These are the credentials the webdav server is using to authenticate users. You can try to **crack** them, or to **add more** if for some reason you wan to **access** the **webdav** server: ```bash htpasswd /etc/apache2/users.password #You will be prompted for the password ``` To check if the new credentials are working you can do: ```bash wget --user --ask-password http://domain/path/to/webdav/ -O - -q ``` ## References * [https://vk9-sec.com/exploiting-webdav/](https://vk9-sec.com/exploiting-webdav/)
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
\ Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ Get Access Today: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}