# WebDav A **HTTP Server with WebDav** active is a server where you probably can **update, delete, move, copy** files. **Sometimes** you **need** to have **valid credentials** (usually check with HTTP Basic Authentication). You should try to **upload** some **webshell** and **execute** it from the web server to take control over the server.\ Usually, to **connect** a WebDav server you will need valid **credentials**: [**WebDav bruteforce**](/githubimport/brute-force.md#http-basic-auth) *\*\*(Basic Auth)*. Other common configuration is to **forbid uploading** files with **extensions** that will be **executed** by the web server, you should check how to **bypass this:** * **Upload** files with **executable extensions** (maybe it's not forbidden). * **Upload** files **without executable extensions** (like .txt) and try to **rename** the file (move) with an **executable extension**. * **Upload** files **without executable extensions** (like .txt) and try to **copy** the file (move) with **executable extension.** ## DavTest **Davtest** try to **upload several files with different extensions** and **check** if the extension is **executed**: ```bash davtest [-auth user:password] -move -sendbd auto -url http:// #Uplaod .txt files and try to move it to other extensions davtest [-auth user:password] -sendbd auto -url http:// #Try to upload every extension ``` Output sample: ![](/files/-MaoH_yqbOWwvtDqckCl) This doesn't mean that **.txt** and **.html extensions are being executed**. This mean that you can **access this files** through the web. ## Cadaver You can use this tool to **connect to the WebDav** server and perform actions (like **upload**, **move** or **delete**) **manually**. ``` cadaver ``` ## PUT request ``` curl -T 'shell.txt' 'http://$ip' ``` ## MOVE request ``` curl -X MOVE --header 'Destination:http://$ip/shell.php' 'http://$ip/shell.txt' ``` ## IIS5/6 WebDav Vulnerability This vulnerability is very interesting. The **WebDav** does **not allow** to **upload** or **rename** files with the extension **.asp**. But you can **bypass** this **adding** at the end of the name **";.txt"** and the file will be **executed** as if it were a .asp file (you could also **use ".html" instead of ".txt"** but **DON'T forget the ";"**). Then you can **upload** your shell as a ".**txt" file** and **copy/move it to a ".asp;.txt"** file. An accessing that file through the web server, it will be **executed** (cadaver will said that the move action didn't work, but it did). ![](/files/-MaoH_ysN2ZCGC4zpOXq) ## Post credentials If the Webdav was using an Apache server you should look at configured sites in Apache. Commonly:\ \&#xNAN;***/etc/apache2/sites-enabled/000-default*** Inside it you could find something like: ``` ServerAdmin webmaster@localhost Alias /webdav /var/www/webdav DAV On AuthType Digest AuthName "webdav" AuthUserFile /etc/apache2/users.password Require valid-user ``` As you can see there is the files with the valid **credentials** for the **webdav** server: ``` /etc/apache2/users.password ``` Inside this type of files you will find the **username** and a **hash** of the password. These are the credentials the webdav server is using to authenticate users. You can try to **crack** them, or to **add more** if for some reason you wan to **access** the **webdav** server: ```bash htpasswd /etc/apache2/users.password #You will be prompted for the password ``` To check if the new credentials are working you can do: ```bash wget --user --ask-password http://domain/path/to/webdav/ -O - -q ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://chinnidiwakar.gitbook.io/githubimport/pentesting/pentesting-web/put-method-webdav.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.