DAVTest: Test fast and exploits for WebDAV Servers

[firebits]

In a WebDAV enabled, there are two things to quickly discover:

1) if you can upload files,
2) and if so, if you can run code

DAVTest help answer these questions, as well as a pentest allow quick access to the host. DAVTest tries to load the test file extension of different types (eg. "Php" or. "Txt"), checks if these files were sent successfully and then it can be run on the server.

It also lets you upload plain text files and then try to use the MOVE command to rename them in an executable format.

Assuming you can upload an executable file, a test file is not good for the server, then DAVTest can automatically download a fully functional shell. It comes with scripts for PHP, ASP, ASPX, CFM, JSP, CGI, PL, and a file that you can test in a certain directory or let upload any backdoor you want.





DAVTest was coded in PERL and is under the GPLv3 license.

• Google Code
• Download davtest-1.0.tar.bz2
• Download davtest-1.0.zip

Source: Sunera Information Security Blog


Adapted and translated by firebits

[sl33p]

Just tried out and the following error appeared:

#./davtest.pl -url https://XXX.XXX.XXX.XXX/ -sendbd auto

Can't locate HTTP/DAV.pm in @INC (@INC contains: /etc/perl /usr/local/lib/perl/5.10.0 /usr/local/share/perl/5.10.0 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl .) at ./davtest.pl line 30.
BEGIN failed--compilation aborted at ./davtest.pl line 30.

How do I install "HTTP/DAV.pm"?
I guess that's a missing perl module.
I'm running BT4, the first one, not the R1 edition.

Thanks in advance!

[iremove]

i Too get that same error, i tried to install the HTTP:AV module from inside the CPAN but no luck still. anyone can point me in the right direction please?

kind regards

[skinnypuppy]

cpan -i HTTP::DAV

This pulls in other dependencies, once complete type: perl davtest.pl
Works fine here with no errors so far.