WebDAV

WebDAV (Web Distributed Authoring and Versioning) is a web server feature that lets users collaborate on managing the content of a website. Sometimes, for the convenience of DAV users, the configuration given by the sysadmin is too permissive: besides read, the directory also allows write and even execute. This time I will show an example of WebDAV exploitation made possible by this kind of 'free' permission configuration on the 'webdav' directory of a web server. In the worst case, the entire web server can be taken over.

This is an old technique, because DAV is an old feature. But for a penetration tester an old door or an old window is fine; the important thing is how to get into the system, hahah. Moreover, it turns out there are still many web servers on the internet that use WebDAV.

I tried the experiment with settings like the following:

Attacker IP: 10.97.97.185 (Ubuntu Linux)
Target IP: 192.168.66.43 (MS Windows Server 2003 with IIS 6.0 webserver and DAV module enabled)
The tool that I use for this experiment is the Metasploit Framework.

First, I scan the target to make sure that WebDAV is enabled. This can be done with the Metasploit Framework ... other WebDAV scanning tools work too.

  
Target Scan Results
 
Okay, the image clearly shows that WebDAV is enabled. Now let's go to the target side to see the configuration, which is as follows:

'Webdav' Directory Property on the Webserver


The folder C:\Inetpub\wwwroot\webdav is really an easy target =P Then run the Metasploit Framework again.

Metasploit Framework

After knowing that WebDAV is enabled, the trial-and-error approach is simply to use the ASP reverse shell file uploader. With a reverse shell, if the upload succeeds, you can get a shell on the web server through the .ASP file. If it's not clear about the reverse shell.

The exploit that will be used is named iis_webdav_upload_asp. From the name it is clear that its purpose is to exploit WebDAV by uploading ASP files to a writable directory.

From the image above, make sure the exploit's properties are filled in; the 'show options' command lists them. PATH is set to the path where the ASP file will be uploaded, in this case /webdav/open_sasame.asp, and the target is RHOST (Remote HOST). So it becomes like this image:


If all properties are set correctly, the next step is execution: type the command 'exploit -j' so that the exploit runs as a background process.


The messages printed while the exploit was running show its steps. First it uploads a text file named open_sasame.txt to the webdav folder on the target server. Then it tries to convert the txt file into an ASP file and execute it. It also appears that deleting the backdoor failed, so if the sysadmin searches, the ASP reverse shell file can be seen in the 'webdav' directory.
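
A defender can spot the sequence described above (text file upload, rename to .asp, request for the .asp) in the IIS W3C log. The following is an added example, not part of the original post or of Metasploit; the log lines are constructed, and it assumes the rename is done with the WebDAV MOVE or COPY method, for which the log records only the source URI, so events are correlated by client IP and directory.

```python
import posixpath

# Constructed IIS W3C log sample (not from the original page); real logs carry more fields.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-01-01 10:00:01 10.97.97.185 OPTIONS /webdav/ 200
2024-01-01 10:00:02 10.97.97.185 PUT /webdav/open_sasame.txt 201
2024-01-01 10:00:03 10.97.97.185 MOVE /webdav/open_sasame.txt 201
2024-01-01 10:00:04 10.97.97.185 GET /webdav/open_sasame.asp 200
2024-01-01 10:00:05 10.97.97.185 DELETE /webdav/open_sasame.asp 403
2024-01-01 10:05:00 192.168.66.10 PUT /webdav/report.doc 201
2024-01-01 10:06:00 192.168.66.10 GET /webdav/report.doc 200
"""

SCRIPT_EXTS = {".asp", ".asa", ".cer", ".aspx"}  # extensions IIS may hand to a script engine
WRITE_OK = {"200", "201", "204"}                 # status codes of a successful write

def parse_w3c(text):
    """Yield one dict per log entry, using the column order from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def find_upload_rename_exec(text):
    """Flag script uploads and the PUT -> MOVE/COPY -> script request chain per client."""
    uploaded, renamed, alerts = {}, set(), []
    for e in parse_w3c(text):
        client, method = e["c-ip"], e["cs-method"].upper()
        uri, ok = e["cs-uri-stem"].lower(), e["sc-status"] in WRITE_OK
        key = (client, posixpath.dirname(uri))   # same client, same directory
        ext = posixpath.splitext(uri)[1]
        if method == "PUT" and ok:
            if ext in SCRIPT_EXTS:
                alerts.append(("script-put", client, uri))
            else:
                uploaded.setdefault(key, set()).add(uri)
        elif method in ("MOVE", "COPY") and ok and uri in uploaded.get(key, ()):
            renamed.add(key)                     # an uploaded file was renamed or copied
        elif method in ("GET", "POST") and ext in SCRIPT_EXTS and key in renamed:
            alerts.append(("upload-rename-exec", client, uri))
    return alerts

if __name__ == "__main__":
    for alert in find_upload_rename_exec(SAMPLE_LOG):
        print(alert)
```

On the constructed sample only the 10.97.97.185 client is flagged; the second client's ordinary document upload and download produce no alert.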





Next, return to the Metasploit console and use another exploit that will handle the reverse shell sent from the target. Try sending an HTTP request for the open_sasame.ASP file (meaning you can browse directly to the target ... http://192.168.66.43/webdav/open_sasame.asp) and the response from the server is a shell.


We arrive at the meterpreter session. Now we are actually inside the web server environment. Hooray! I'm at the webserver!

Target server desktop screenshots

Screenshot Server



In the example above, the 'notepad.exe' program on the web server is killed as a test.

WebDAV The Session Webserver
