 |
| Image Source |
WebDAV is a term given to a collection of HTTP methods.HTTP requests can use a range of methods other than the standard GET and POST methods.
WebDAV can be used to manipulate files on the web server. Given the nature of the functionality, if these are accessible by low-privileged users, they may provide an effective avenue for attacking an application.
Here are some methods to look for:
- PUT uploads the attached file to the specified location.
- DELETE deletes the specified resource.
- COPY copies the specified resource to the location given in the Destination header.
- MOVE moves the specified resource to the location given in the Destination header.
- SEARCH searches a directory path for resources.
- PROPFIND retrieves information about the specified resource, such as author, size and content type.
Let's check how we can actually perform the attack.
We can use the OPTIONS method to list the HTTP methods that are permitted in a particular directory.
This response indicates that several of the powerful methods listed previously are in fact allowed.However we will be looking at exploiting put method.
The PUT method is particularly dangerous. If you upload arbitrary files within the web root, the first target is to create a backdoor script on the server that will be executed by a server-side module, thereby giving the attacker full control of the application, and often the web server itself.
If the PUT method appears to be present and enabled, application will respond with 201 created response as shown in below Exhibit.
you may receive 405 status code if you attempt to use the PUT method where it is not supported. 405 Method Not Allowed indicates that the method used in the request is not supported for the specified URL.
We can even upload reverse shell directly instead of backdoor as shown in below Exhibit.
Note that permissions are likely to be implemented per directory, so recursive checking is required in an attack. Tools such as DAVTest can be used to iteratively check all directories on the server for the PUT method.
Observe the difference between below tests.
| Image courtesy - https://tools.kali.org/web-applications/davtest |
As http://192.168.1.209/ has put method enabled, it shows different response than http://mdsec.net/public which has disabled put method access.
Also note that For WebDAV instances where end users are permitted to upload files, it is relatively common for uploading server-side scripting language extensions specific to that server’s environment to be forbidden. The ability to upload HTML or JAR files is much more likely, and both of these allow attacks against other users to be conducted.
Let's summarise the testing steps to be followed:
a. Attempt to use the PUT method to upload a benign file
b. If this is successful, try uploading a backdoor script using PUT.
c. If the necessary extension for the backdoor to operate is being blocked, try uploading the file with a .txt extension and using the MOVE method to move it to a file with a new extension.
d. If any of the preceding methods fails, try uploading a JAR file, or a file with contents that a browser will render as HTML.
e. Recursively step through all the directories using a tool such as Davtest.
Remediation
Only GET and POST HTTP methods should be allowed and other unused methods should be blocked. If required these extra methods should only be enabled with credentials and public access denied.
References
Article Link: https://lucideustech.blogspot.com/2019/03/how-to-exploit-put-method.html