Friday, May 11, 2012

From LOW to PWNED [7] HTTP PUT/WebDAV/SEARCH


Post [7] HTTP PUT/WebDAV/SEARCH

Man, I love misconfigured WebDAV; I have put a foot in many a network's ass with a writable WebDAV server.  Like the browsable-directories thing, it's *usually* not writable, but it occurs often enough that you really have to make sure you check it every time you see it.

LOW?


IIS 5 is awesome (not) because WebDAV is enabled by default, but the web root is not writable by default. Wait, who still runs Windows 2000?! I know, I know: the app can't be rewritten...accepted risk...blah blah...no one will ever use this to pwn my network...it's OK if that DA admin script logs into it daily....

The "game" is finding the writable directory (if one exists) on the WebDAV-enabled server. Write permissions are set per directory, so one writable subdirectory is all it takes.
     *Dirbusting and ruby FTW*

I find that it's usually NOT the web root, so honestly it can be a challenge to find the writable directory.  VA scanners can help; Nessus will actually tell you the methods allowed per directory...still a challenge though.

Once you have a directory you want to test, you can test it manually with cadaver, or use davtest or Ryan Linn's Metasploit module for testing WebDAV. Keep in mind that davtest drops a test file for every extension it tries, so clean up after yourself (or at least note what you left behind in the report).


I've also done some posts on WebDAV in the past:

http://carnal0wnage.attackresearch.com/2010/05/more-with-metasploit-and-webdav.html
http://carnal0wnage.attackresearch.com/2007/08/creating-http-options-auxiliary-module.html

hdm had done a post on it in the past in relation to the ASP payload; I can't find it on the R7 site, but it's mirrored here: http://meta-sploit.blogspot.com/2010/01/exploiting-microsoft-iis-with.html

Decent writeup here:
http://www.ubersec.com/downloads/WEBDAV_Exploit_example.pdf

HTTP PUT

HTTP PUT/SEARCH usually gets rolled into



Web application scanners are better about alerting on PUT as an available method, and most will attempt the PUT for you.  I don't think any vulnerability scanners do; I'm sure someone will correct me if I'm wrong.

Writable HTTP PUT is rare (at least for me), although some friends say they see it all the time.

Metasploit has a module to test for PUT functionality as well.
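Both the WebDAV hunt above and the plain HTTP PUT check come down to the same loop: ask each candidate directory which methods it allows, then prove writability with a throwaway file. The Ruby script below is an added example of that loop; it is not code from the original post, davtest or Metasploit. It runs OPTIONS per directory, ranks directories that advertise PUT first (MOVE/COPY are kept too, because they are what the .txt-to-.asp rename trick needs), and confirms each one with a small .txt PUT that is read back and deleted. The host and the starting directory list are assumptions; feed it your dirbusting output instead.

```ruby
#!/usr/bin/env ruby
# Added example, not code from the original post, davtest or Metasploit:
# hunt for the writable directory on a WebDAV / HTTP PUT host by reading
# the Allow header from OPTIONS per directory, then confirming with a
# harmless PUT that is read back and deleted. Host and the starting
# directory list are assumptions; feed it your dirbusting output.
require 'net/http'
require 'securerandom'

# Methods that hint at a writable directory. PUT alone is enough for plain
# HTTP PUT; MOVE/COPY matter for the classic rename-a-.txt-to-.asp trick.
WRITE_METHODS = %w[PUT DELETE MOVE COPY PROPPATCH MKCOL].freeze

# Turn an Allow header ("GET, HEAD, PUT, ...") into an upper-cased list.
def allowed_methods(allow_header)
  return [] if allow_header.nil?
  allow_header.split(',').map { |m| m.strip.upcase }.reject(&:empty?).uniq
end

# The subset of the Allow list that suggests we can write there.
def write_methods(allow_header)
  allowed_methods(allow_header) & WRITE_METHODS
end

# Rank {dir => allow_header}: PUT-capable dirs first, then anything else
# advertising a write method; dirs with nothing interesting are dropped.
def rank_candidates(allow_by_dir)
  allow_by_dir
    .map { |dir, allow| [dir, write_methods(allow)] }
    .reject { |_, methods| methods.empty? }
    .sort_by { |dir, methods| [methods.include?('PUT') ? 0 : 1, dir] }
end

# OPTIONS each directory and keep the Allow header it reports. This is the
# per-directory check: the web root is usually the one that is NOT writable.
def options_scan(http, dirs)
  dirs.each_with_object({}) do |dir, acc|
    res = http.request(Net::HTTP::Options.new(dir))
    acc[dir] = res['Allow'] if res['Allow']
  end
end

# PUT a small text file (never an executable extension for a probe), GET it
# back to prove it really landed, then DELETE it. True only on a full round trip.
def put_probe(http, dir)
  name   = "#{dir.chomp('/')}/davtest-#{SecureRandom.hex(4)}.txt"
  marker = "probe #{SecureRandom.hex(8)}"
  put = Net::HTTP::Put.new(name)
  put['Content-Type'] = 'text/plain'
  put.body = marker
  res = http.request(put)
  return false unless %w[200 201 204].include?(res.code)
  written = http.request(Net::HTTP::Get.new(name)).body.to_s.include?(marker)
  http.request(Net::HTTP::Delete.new(name)) # cleanup; if DELETE fails, report the leftover file
  written
end

if __FILE__ == $0
  if ARGV.empty?
    warn "usage: #{$0} host [dir ...]"
  else
    host = ARGV[0]
    dirs = ARGV.drop(1)
    dirs = %w[/ /uploads/ /images/ /_private/] if dirs.empty? # assumed starting list
    Net::HTTP.start(host, 80, open_timeout: 5, read_timeout: 10) do |http|
      rank_candidates(options_scan(http, dirs)).each do |dir, methods|
        puts "#{dir} allows #{methods.join(' ')} -> writable: #{put_probe(http, dir)}"
      end
    end
  end
end
```

The probe deliberately writes a .txt and reads it back rather than trusting the PUT status code: some servers answer 201 and silently drop the file, and others return 403 on OPTIONS for a directory that still accepts PUT, so an Allow header that omits PUT is a hint, not a verdict.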

HTTP SEARCH

HTTP SEARCH can be fun. When enabled, it will give you a listing of every file in the web root, linked or not, which beats dirbusting since there is no guessing involved.
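As an added example (not the post's own, and not how Nessus or Metasploit implement it), this Ruby snippet sends the classic DASL "from scope()" SEARCH body at an IIS 5 WebDAV vroot and pulls the file hrefs out of the 207 Multi-Status reply. The host and path are assumptions, and SAMPLE_REPLY is a constructed response in the shape IIS returns, so the script runs offline when no host is given.

```ruby
#!/usr/bin/env ruby
# Added example, not the post's, Nessus's or Metasploit's code: send the
# classic DASL/SQL SEARCH request to an IIS 5 WebDAV vroot and pull the
# file hrefs out of the 207 Multi-Status reply. Host/path are assumptions;
# SAMPLE_REPLY is a constructed response for offline testing.
require 'net/http'

# Net::HTTP ships no SEARCH verb, so declare one the way its own verbs
# (e.g. Net::HTTP::Propfind) are declared.
class Net::HTTP::Search < Net::HTTPRequest
  METHOD = 'SEARCH'
  REQUEST_HAS_BODY = true
  RESPONSE_HAS_BODY = true
end

# "from scope()" with no constraint asks IIS for everything under the
# request path, recursively, whether or not anything links to it.
SEARCH_BODY = <<~XML
  <?xml version="1.0"?>
  <g:searchrequest xmlns:g="DAV:">
    <g:sql>Select "DAV:displayname" from scope()</g:sql>
  </g:searchrequest>
XML

def build_search(path)
  req = Net::HTTP::Search.new(path)
  req['Content-Type'] = 'text/xml'
  req.body = SEARCH_BODY
  req
end

# Extract every <prefix:href>...</prefix:href>. A prefix-agnostic regex
# instead of an XML parser: replies are small and IIS varies the prefix.
def parse_hrefs(multistatus_xml)
  multistatus_xml
    .scan(%r{<(?:[\w.-]+:)?href>\s*([^<\s]+)\s*</(?:[\w.-]+:)?href>}i)
    .flatten.uniq
end

# The entries worth a second look: scripts, includes, DBs, configs, backups.
INTERESTING = /\.(asp|asa|inc|config|mdb|bak|old|zip)\z/i
def interesting(hrefs)
  hrefs.select { |h| h.match?(INTERESTING) }
end

# Live version: a 207 means SEARCH is enabled and the listing is in the body.
def search_listing(http, path = '/')
  res = http.request(build_search(path))
  return [] unless res.code == '207'
  parse_hrefs(res.body.to_s)
end

# Constructed reply in the shape IIS 5 returns (not captured from a real host).
SAMPLE_REPLY = <<~XML
  <?xml version="1.0"?>
  <a:multistatus xmlns:a="DAV:">
    <a:response><a:href>http://192.0.2.10/</a:href></a:response>
    <a:response><a:href>http://192.0.2.10/default.asp</a:href></a:response>
    <a:response><a:href>http://192.0.2.10/_private/db.mdb</a:href></a:response>
    <a:response><a:href>http://192.0.2.10/images/logo.gif</a:href></a:response>
  </a:multistatus>
XML

if __FILE__ == $0
  hrefs = if ARGV.empty?
            parse_hrefs(SAMPLE_REPLY) # offline demo on the constructed reply
          else
            Net::HTTP.start(ARGV[0], 80, open_timeout: 5) { |h| search_listing(h, ARGV.fetch(1, '/')) }
          end
  puts hrefs
  puts "interesting: #{interesting(hrefs).join(' ')}"
end
```

Anything other than a 207 (a 501, a 405, or a 200 with an error page) means SEARCH is not wired up on that vroot; try the same request against each virtual directory you found, since WebDAV settings are per-vroot just like write permissions.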




CG

2 comments:

Anonymous said...

Very interesting; I love LOW vulns in Nessus that are, indeed, very serious if you go deep. Always clear and good work; I really read you with pleasure.

Anonymous said...

There is also a (medium impact) 0day hidden in the Athcon presentation.

/_vti_bin/wacproxy.ashx?redirect=http://192.168.50.103&spsite=http://www.google.com/_layouts/images/&docType=PP&callbackFunctionName=b

You can do internal network scanning, remote DoS and potentially poisoning the DNS (if vulnerable to the Kaminsky bug).