IIS WebDav
Last updated
Last updated
(Internet Information Services) - a Microsoft proprietary extensible web server developed for use with Windows.
Ports: 80 (no certificate), 443 (with SSL Certificate)
Host websites and web applications
Administrative GUI for IIS management
Static and dynamic web pages, developed in ASP.NET and PHP
Supported file extensions: .asp, .aspx, .config, .php
🗒️ (Web Distributed Authoring & Versioning) - a set of HTTP protocol extentions used by users to manage file on remote web servers.
Web server as File server
Runs on top of Apache or IIS - ports 80/443
Credentials, username & password, are necessary for connection the WebDAV server
WebDAV Exploitation
Check if WebDAV is configured to run on the IIS web server.
Brute-force attack on the WebDAV server - identify legitimate credentials.
Use the obtained credentials to authenticate with the WebDAV and upload malicious code, like an .asp payload, used to execute arbitrary commands or obtain reverse shell on the target.
- scanner tool used to scan, authenticate and exploit a WebDAV server, by uploading test executable files which allow for command execution on the target. Pre-installed on Kali Linux and Parrot OS.
- supports file upload, download, on-screen display, in-place editing, namespace operations (move/copy), collection creation and deletion, property manipulation, and resource locking. Pre-installed on Kali Linux and Parrot OS.
EXPLOITATION:-
Try hydra to brute force WebDAV in this case
In this case there were no credentials that matched
Now we will try Davtest tool to see which extention and format of files the server support
Use cadaver to upload an .asp payload to the /webdav directory
use cadaver to login by using the follwoing command
Upload your payload in using the following command
Access the backdoor using the browser
http://10.3.26.115/webdav/webshell.asp
Windows commands can be provided in the box
