# WebDav
\ Use [**Trickest**](https://trickest.com/?utm_source=hacktricks\&utm_medium=text\&utm_campaign=ppc\&utm_content=put-method-webdav) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ Get Access Today: {% embed url="" %} {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %} When dealing with a **HTTP Server with WebDav** enabled, it's possible to **manipulate files** if you have the right **credentials**, usually verified through **HTTP Basic Authentication**. Gaining control over such a server often involves the **upload and execution of a webshell**. Access to the WebDav server typically requires **valid credentials**, with [**WebDav bruteforce**](https://angelica.gitbook.io/hacktricks/generic-methodologies-and-resources/brute-force#http-basic-auth) being a common method to acquire them. To overcome restrictions on file uploads, especially those preventing the execution of server-side scripts, you might: * **Upload** files with **executable extensions** directly if not restricted. * **Rename** uploaded non-executable files (like .txt) to an executable extension. * **Copy** uploaded non-executable files, changing their extension to one that is executable. ## DavTest **Davtest** try to **upload several files with different extensions** and **check** if the extension is **executed**: ```bash davtest [-auth user:password] -move -sendbd auto -url http:// #Uplaod .txt files and try to move it to other extensions davtest [-auth user:password] -sendbd auto -url http:// #Try to upload every extension ``` Output sample: ![](https://4053168017-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbkAZDoSuRHGdNlWHdyKs%2Fuploads%2Fgit-blob-ab835abd2d1935e6921e894d047ae1a520a5cd28%2Fimage%20\(851\).png?alt=media) This doesn't mean that **.txt** and **.html extensions are being executed**. This mean that you can **access this files** through the web. ## Cadaver You can use this tool to **connect to the WebDav** server and perform actions (like **upload**, **move** or **delete**) **manually**. ``` cadaver ``` ## PUT request ``` curl -T 'shell.txt' 'http://$ip' ``` ## MOVE request ``` curl -X MOVE --header 'Destination:http://$ip/shell.php' 'http://$ip/shell.txt' ```
\ Use [**Trickest**](https://trickest.com/?utm_source=hacktricks\&utm_medium=text\&utm_campaign=ppc\&utm_content=put-method-webdav) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ Get Access Today: {% embed url="" %} ## IIS5/6 WebDav Vulnerability This vulnerability is very interesting. The **WebDav** does **not allow** to **upload** or **rename** files with the extension **.asp**. But you can **bypass** this **adding** at the end of the name **";.txt"** and the file will be **executed** as if it were a .asp file (you could also **use ".html" instead of ".txt"** but **DON'T forget the ";"**). Then you can **upload** your shell as a ".**txt" file** and **copy/move it to a ".asp;.txt"** file. An accessing that file through the web server, it will be **executed** (cadaver will said that the move action didn't work, but it did). ![](https://4053168017-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbkAZDoSuRHGdNlWHdyKs%2Fuploads%2Fgit-blob-c475e52f9de9ec93c7c48b071499aac66ed9cc22%2Fimage%20\(1092\).png?alt=media) ## Post credentials If the Webdav was using an Apache server you should look at configured sites in Apache. Commonly:\ \&#xNAN;***/etc/apache2/sites-enabled/000-default*** Inside it you could find something like: ``` ServerAdmin webmaster@localhost Alias /webdav /var/www/webdav DAV On AuthType Digest AuthName "webdav" AuthUserFile /etc/apache2/users.password Require valid-user ``` As you can see there is the files with the valid **credentials** for the **webdav** server: ``` /etc/apache2/users.password ``` Inside this type of files you will find the **username** and a **hash** of the password. These are the credentials the webdav server is using to authenticate users. You can try to **crack** them, or to **add more** if for some reason you wan to **access** the **webdav** server: ```bash htpasswd /etc/apache2/users.password #You will be prompted for the password ``` To check if the new credentials are working you can do: ```bash wget --user --ask-password http://domain/path/to/webdav/ -O - -q ``` ## References * {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
\ Use [**Trickest**](https://trickest.com/?utm_source=hacktricks\&utm_medium=text\&utm_campaign=ppc\&utm_content=put-method-webdav) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ Get Access Today: {% embed url="" %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://angelica.gitbook.io/hacktricks/network-services-pentesting/pentesting-web/put-method-webdav.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.