< Back to JetLib.com

jetlib.sec » Carnal0wnage » From LOW to PWNED [7] HTTP PUT/WebDAV/SEARCH

« Expand/Collapse

Carnal0wnage

May 11, 2012
From LOW to PWNED [7] HTTP PUT/WebDAV/SEARCH

Posted: May 11th, 2012, 5:00am PDT by CG

Tags: script-logs blah-blah metasploit Pentesting

Post [7] HTTP PUT/WebDAV/SEARCH

Man I love mis-configured WebDAV, I have put a foot in many a network's ass with a writable WebDAV server. Like the browsable directories thing, its *usually* not writable, but it occurs often enough that you really have to make sure you check it each time you see it.

LOW?

IIS5 is awesome (not) because WebDAV is enabled by default but web root is not writable. Wait who still runs Windows 2000?! i know i know app cant be rewritten...accepted risk...blah blah...no one will ever use this to pwn my network...its ok if that DA admin script logs into it daily....

The "game" is finding the writable directory (if one exists) on the WebDAV enabled server.
*Dirbusting and ruby FTW*

I find that its usually NOT the web root, so honestly it can be a challenge to find the writable directory. VA scanners can help, Nessus will actually tell you methods allowed per directory...still a challenge though.

Once you have a directory you want to test you can use cadaver to manually test, davtest, or Ryan Linn's metasploit module for testing for WebDAV.

I've also done some posts on webDAV in the past

http://carnal0wnage.attackresearch.com/2010/05/more-with-metasploit-and-webdav.html
http://carnal0wnage.attackresearch.com/2007/08/creating-http-options-auxiliary-module.html

hdm had done a post on it in the past in relation to the asp payload, i cant find it on the R7 site but its mirrored here: http://meta-sploit.blogspot.com/2010/01/exploiting-microsoft-iis-with.html

Decent writeup here:
http://www.ubersec.com/downloads/WEBDAV_Exploit_example.pdf

HTTP PUT

HTTP PUT/SEARCH usually gets rolled into

Web scanners are better about alerting on PUT as an available method and most will attempt the PUT for you. I don't think any vuln scanners do, i'm sure someone will correct me if i'm wrong.

Writable HTTP PUT is rare (least for me) although some friends say they see it all the time.

metasploit has a module to test for PUT functionality as well. http://www.metasploit.com/modules/auxiliary/scanner/http/http_put
HTTP SEARCH
HTTP SEARCH can be fun. When enabled, will give you a listing of every file in the webroot.
Mubix did a post on it http://www.room362.com/blog/2011/8/26/iis-search-verb-directory-listing.html

← From LOW to PWNED [6] SharePoint Android Emulator, Trusted CA, and Per... →