Tuesday, April 27, 2010

DAVTest: Quickly Test & Exploit WebDAV Servers

When facing off against a WebDAV enabled server during a penetration test, there are two main things to find out: can you upload files, and if so, can you upload executable files?

Testing this can be a little tricky depending on the server configuration--what extensions are you allowed to upload, can you use MOVE, and what about MKCOL?

DAVTest attempts help answer those questions, as well as enable the pentester to quickly gain access to the host. DAVTest tries to upload test files of various extension types (e.g., ".php" or ".txt"), checks if those files were uploaded successfully, and then if they can execute on the server. It also allows for uploading of the files as plain text files and then trying to use the MOVE command to rename them to an executable.

Assuming you can upload an executable, a test file does you no good--so DAVTest can automatically upload a fully functional shell or back-door. It ships with shells for PHP, ASP, ASPX, CFM, JSP, CGI, and PL, and dropping a file in the right directory will let you upload any back-door you like.


DAVTest is written in PERL and licensed under the GNU GPLv3.

7 comments:

  1. I m getting this Error When trying to run this file:
    D:\My Data\Tools & Software Setup\davtest-1.0(2)\davtest-1.0>davtest.pl
    Can't locate HTTP/DAV.pm in @INC (@INC contains: C:/Perl/site/lib C:/Perl/lib .)
    at D:\My Data\Tools & Software Setup\davtest-1.0(2)\davtest-1.0\davtest.pl line
    30.
    BEGIN failed--compilation aborted at D:\My Data\Tools & Software Setup\davtest-1
    .0(2)\davtest-1.0\davtest.pl line 30.

    ReplyDelete
  2. You need to install the HTTP::DAV module. This should help:
    http://www.cpan.org/modules/INSTALL.html

    ReplyDelete
  3. @ rainbowAttack :
    just type this command in your console :
    perl -MCPAN -e shell [enter]
    cpan> install HTTP::DAV

    but you need internet connections

    ReplyDelete
  4. How can we use this in case of a virtual IP? I mean if multiple sites (siteA and siteB) resolve to the same IP and are accessible based on the Host: header.. In such case, when I use ./davtest, it is not able to identify the vulnerable (writeable) webdav directory on siteA and fails. On a side note, I am able to PUT a file manually & confirm as well, using cadaver.

    Any suggestions..?

    ReplyDelete
  5. Victor, you should be able to just specify the hostname as the URL, and it will be used for the testing--unless HTTP::DAV is doing something behind the scenes that it shouldn't...

    ReplyDelete
  6. If you have only html or txt that "SUCCEED", for test file execution, what would be a way to exploit the server? Is it possible to have the html file execute something else to create a backdoor?

    ReplyDelete
  7. @Z: You wouldn't be able to attack the server with a text/html push through DAV (unless you want to try to fill the disk using a lot of very large files). Using those, you'd need to target client systems that access them (e.g., using XSS or spoofing type attack against them, since the content will be served directly from the server).

    ReplyDelete