InfoSec Notes
  • InfoSec Notes
  • General
    • External recon
    • Ports scan
    • Bind / reverse shells
    • File transfer / exfiltration
    • Pivoting
    • Passwords cracking
  • Active Directory
    • Recon - Domain Recon
    • Recon - AD scanners
    • Exploitation - NTLM capture and relay
    • Exploitation - Password spraying
    • Exploitation - Domain Controllers CVE
    • Exploitation - Kerberos AS_REP roasting
    • Exploitation - Credentials theft shuffling
    • Exploitation - GPP and shares searching
    • Exploitation - Kerberos Kerberoasting
    • Exploitation - ACL exploiting
    • Exploitation - GPO users rights
    • Exploitation - Active Directory Certificate Services
    • Exploitation - Kerberos tickets usage
    • Exploitation - Kerberos silver tickets
    • Exploitation - Kerberos delegations
    • Exploitation - gMS accounts (gMSAs)
    • Exploitation - Azure AD Connect
    • Exploitation - Operators to Domain Admins
    • Post Exploitation - ntds.dit dumping
    • Post Exploitation - Kerberos golden tickets
    • Post Exploitation - Trusts hopping
    • Post Exploitation - Persistence
  • L7
    • Methodology
    • 21 - FTP
    • 22 - SSH
    • 25 - SMTP
    • 53 - DNS
    • 111 / 2049 - NFS
    • 113 - Ident
    • 135 - MSRPC
    • 137-139 - NetBIOS
    • 161 - SNMP
    • 389 / 3268 - LDAP
    • 445 - SMB
    • 512 / 513 - REXEC / RLOGIN
    • 554 - RTSP
    • 1099 - JavaRMI
    • 1433 - MSSQL
    • 1521 - ORACLE_DB
    • 3128 - Proxy
    • 3306 - MySQL
    • 3389 - RDP
    • 5985 / 5986 - WSMan
    • 8000 - JDWP
    • 9100 - Printers
    • 11211 - memcached
    • 27017 / 27018 - MongoDB
  • Windows
    • Shellcode and PE loader
    • Bypass PowerShell ConstrainedLanguageMode
    • Bypass AppLocker
    • Local privilege escalation
    • Post exploitation
      • Credentials dumping
      • Defense evasion
      • Local persistence
    • Lateral movements
      • Local credentials re-use
      • Over SMB
      • Over WinRM
      • Over WMI
      • Over DCOM
      • CrackMapExec
  • Linux
    • Local privilege escalation
    • Post exploitation
  • DFIR
    • Common
      • Image acquisition and mounting
      • Memory forensics
      • Web logs analysis
      • Browsers forensics
      • Email forensics
      • Docker forensics
    • Windows
      • Artefacts overview
        • Amcache
        • EVTX
        • Jumplist
        • LNKFile
        • MFT
        • Outlook_files
        • Prefetch
        • RecentFilecache
        • RecycleBin
        • Shellbags
        • Shimcache
        • SRUM
        • Timestamps
        • User Access Logging (UAL)
        • UsnJrnl
        • Miscellaneous
      • TTPs analysis
        • Accounts usage
        • Local persistence
        • Lateral movement
        • PowerShell activity
        • Program execution
        • Timestomping
        • EVTX integrity
        • System uptime
        • ActiveDirectory replication metadata
        • ActiveDirectory persistence
    • Linux
      • Artefacts overview
      • TTPs analysis
        • Timestomping
    • Cloud
      • Azure
      • AWS
    • Tools
      • Velociraptor
      • KAPE
      • Dissect
      • plaso
      • Splunk usage
  • Red Team specifics
    • Phishing - Office Documents
    • OpSec Operating Systems environment
    • EDR bypass with EDRSandBlast
    • Cobalt Strike
  • Web applications
    • Recon - Server exposure
    • Recon - Hostnames discovery
    • Recon - Application mapping
    • Recon - Attack surface overview
    • CMS & softwares
      • ColdFusion
      • DotNetNuke
      • Jenkins
      • Jira
      • Ovidentia
      • WordPress
      • WebDAV
    • Exploitation - Overview
    • Exploitation - Authentication
    • Exploitation - LDAP injections
    • Exploitation - Local and remote file inclusions
    • Exploitation - File upload
    • Exploitation - SQL injections
      • SQLMAP.md
      • MSSQL.md
      • MySQL.md
      • SQLite.md
    • Exploitation - NoSQL injections
      • NoSQLMap.md
      • mongoDB.md
    • Exploitation - GraphQL
  • Binary exploitation
    • Linux - ELF64 ROP leaks
    • (Very) Basic reverse
  • Android
    • Basic static analysis
  • Miscellaneous
    • Regex 101
    • WinDbg Kernel
    • Basic coverage guided fuzzing
Powered by GitBook
On this page
  • Overview
  • Network scan and basic recon
  • WebDAV content browsing
  • WebDAV client
  • Remote Code Execution through files upload
  • Known vulnerabilities
  1. Web applications
  2. CMS & softwares

WebDAV

Overview

Web Distributed Authoring and Versioning (WebDAV) is an extension of the Hypertext Transfer Protocol (HTTP) that allows clients to perform remote Web content authoring operations. WebDAV is defined in RFC 4918 by a working group of the Internet Engineering Task Force.

The WebDAV protocol provides a framework for users to create, change and move documents on a server.

WebDAV verbs

WebDAV extends the set of standard HTTP verbs and headers allowed for request methods.

The added verbs include:

  • COPY: copy a resource from one URI to another

  • LOCK: put a lock on a resource. WebDAV supports both shared and exclusive locks.

  • MKCOL: create collections (a.k.a. a directory)

  • MOVE: move a resource from one URI to another

  • PROPFIND: retrieve properties, stored as XML, from a web resource. It is also overloaded to allow one to retrieve the collection structure (also known as directory hierarchy) of a remote system.

  • PROPPATCH: change and delete multiple properties on a resource in a single atomic act

  • UNLOCK: remove a lock from a resource

Network scan and basic recon

nmap can be used to scan the network for exposed HTTP WebDAV services.

nmap includes the following default NSE script, triggered by usning -sC:

  • http-webdav-scan, which will detect and attempt to retrieve information about a WebDAV installation, notably the allowed verbs.

nmap -v -sV -sC -oA nmap_WebDAV -p 80,443  <HOST | RANGE | CIDR>

The Metasploit module auxiliary/scanner/http/webdav_scanner can be used to detect webservers with WebDAV enabled on a single IP or a CIDR identifier.

msf> use auxiliary/scanner/http/webdav_scanner

WebDAV content browsing

While a browser may be used to manually browse the content of a WebDAV webserver, the Metasploit module auxiliary/scanner/http/webdav_website_content can be used to automatically enumerate the accessible files.

msf> use auxiliary/scanner/http/webdav_website_content

WebDAV client

The DAV Explorer utility (dave on Linux systems) can be used to interact with a WebDAV service through Linux like commands interfaced with the WebDAV HTTP verbs.

The supported commands are:

  • cat shows the contents of a remote file

  • cd changes directories

  • copy copies one remote resource to another

  • delete deletes a remote resource

  • edit edits the contents of a remote file

  • get downloads the file or directory at URL

  • help prints list of commands or help for CMD

  • lcd changes local directory

  • lls lists local directory contents

  • lock locks a resource

  • ls lists remote directory contents or file props

  • mkcol make a remote collection (directory)

  • move moves a remote resource to another

  • open connects to the WebDAV-enabled server at URL

  • option show the HTTP methods allowed for a URL

  • propfind show the properties of a resource

  • put uploads a local file or directory to URL

  • pwd prints the currently opened URL (working directory)

  • quit exits dave

  • set sets a custom property on a resource

  • sh executes a local command (alias !)

  • showlocks show my locks on a resource

  • steal remove ANY locks on a resource

  • unlock unlocks a resource

  • unset unsets a property from a resource

Usage:

dave <URL>
dave -u <USERNAME> -p <PASSWORD> <URL>

Remote Code Execution through files upload

Automated files upload tests with davtest

The davtest Perl script can be used to automatically detect if files of various types can be upload on a WebDAV server.

The script attempts to:

  • PUT test files of various programming languages

  • PUT files with .txt extension then MOVE them to executable file types

Usage:

davtest -url <URL>

Files upload

davtest can also be used to upload a specific file on a WebDAV server:

davtest -url <URL> -directory <UPLOAD_DIR> -uploadfile <LOCAL_FILE_PATH> --uploadloc <REMOTE_FILE_NAME>

Metasploit payload deploying

If asp files can be uploaded, the Metasploit module exploit/windows/iis/iis_webdav_upload_asp can be used to automatically deploy a Metasploit payload.

The module will firstly try to directly upload an asp executable and, if the upload is not permitted, try to upload a txt file and move / copy it to an asp executable.

msf> use exploit/windows/iis/iis_webdav_upload_asp

Windows 2003 R2 WebDAV filter bypass

On IIS 6 (Windows 2003 and 2003 R2), the policy filter restricting the uploaded files types can be bypassed. This bypass can be used to execute files on the webserver even if the upload of such files is restricted. The only pre requisite is being able to upload file of any type.

To exploit the filter bypass:

  • Generate an executable that will be executed by the webserver, such as a reverse shell (Refer to the [General] Shells note)

  • Rename the executable to a file type that can be uploaded, for example .txt

  • Upload the file using the dave or davetest tools

  • Rename the file on the server using dave

mv <FILE> <FILENAME>.<EXECUTABLE_EXTENSION>;.<UPLOADABLE_EXTENSION>

# For example, txt uploadable file for asp executable
mv file.txt file.asp;.txt
  • Browse to the renamed file for execution

Known vulnerabilities

Microsoft IIS WebDav ScStoragePathFromUrl Overflow - CVE-2017-7269

A buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 can be leveraged to execute arbitrary code.

A Metasploit module is available for the exploit:

msf> use exploit/windows/iis/iis_webdav_scstoragepathfromurl
PreviousWordPressNextExploitation - Overview

Last updated 2 years ago