Codebase list davtest / 2660babf-21a2-489e-a194-838c2617c8c8/main README.txt
2660babf-21a2-489e-a194-838c2617c8c8/main

Tree @2660babf-21a2-489e-a194-838c2617c8c8/main (Download .tar.gz)

README.txt @2660babf-21a2-489e-a194-838c2617c8c8/mainraw · history · blame 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
#############################################################
Copyright 2010 Sunera, LLC.

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.

Author: Chris Sullo / csullo [at] sunera . com

#############################################################
About

This program attempts to exploit WebDAV enabled servers by:
- attempting to create a new directory (MKCOL)
- attempting to put test files of various programming langauges (PUT)
- optionally attempt to put files with .txt extension, then move to executable (MOVE)
- check if files executed or were uploaded properly
- optionally upload a backdoor/shell file for languages which execute

Additionally, this can be used to put an arbitrary file to remote systems.

#############################################################
Requirements

The following PERL modules are required from cpan.org:
	HTTP::DAV
	Getopt::Long

#############################################################
Options

davtest.pl -url url [options]
 -auth+         Authorization like user:password. Supports Basic and Digest only, no NTLM (yet).
 -cleanup       Delete everything uploaded except backdoor/shell files
 -directory+    Postfix of directory to create. This is always prefixed by 'DavTestDir_' and if not specified
                is set to a random string.
 -debug+        HTTP::DAV debug level 1-3. Levels 2 and 3 log request/responses to /tmp/perldav_debug.txt.
 -move          PUT files as .txt and then try to MOVE them to the executable file extension
 -nocreate      Don't create a directory, work at the -url level.
 -quiet         Only print out summary and serious (usually fatal) errors.
 -random name+  Use this string instead of a random string for filenames.
 -sendbd+       Send backdoor files (from backdoors/ directory). See each script's source for how to use it, if
                it's not immediately obvious.
                        auto - for any succeeded test
                        ext - extension matching file name(s) in backdoors/ dir
 -uploadfile+   Upload this file to to the server. This option requires -uploadloc to specify the remote location.
 -uploadloc+    Upload -uploadfile to this location/name. This option requires -uploadfile.
 -url+          Url of the DAV location.

#############################################################
Test Files

Tests are used to determine if the server can execute a certain type of code. Each test may have a 
corresponding backdoor file, but backdoor files *must* have a corresponding test to determine if 
that file type can execute on the server. It is recommended a simple/basic operation for each language
is used--by default, the supplied tests use mathematical calculations, if possible.

Test files are located in the 'test/' directory. Files must be named according to
the type of program file they will become on the server. For example, a file named 'php.txt'
will be put to the server with a .php extension. 

Each file must have two lines, 'content' and 'execmatch'--the body put to the server and regex to 
match to see if it executed. For example, the php.txt contents are:
	content=<?php print 7.8 * 6.4;?>
	execmatch=49.92

Additionally, the token $$FILENAME$$ will be replaced (with the PUT file's name) in the content before
it sent to the server. Embedded newlines (\n) will be converted to actual newlines (to accommodate PERL).

#############################################################
Backdoor files

Backdoor files are located in the 'backdoors/' directory. They must have the match extension for the type 
they will be uploaded for. For example, a php backdoor must have a '.php' extension.

A backdoor file can contain any code you desire, and multiple backdoor files may be used for a file type. 
If multiple files exist for a type, each will be uploaded when appropriate.

A backdoor type (e.g., php) *must* have a corresponding type in the 'tests/' directory, otherwise it will 
never be tested/uploaded.

#############################################################
Examples

Example: Test file uploads at this location url:
		davtest.pl -url http://localhost/davdir

Example: Test file uploads at this location url and send backdoors for any that succeed:
		davtest.pl -url http://localhost/davdir -sendbd auto

Example: Upload a file using authentication, send the perl_cmd.pl backdoor and call it perl.pl on the server:
		davtest.pl -url http://localhost/davdir -auth user:pass -uploadfile backdoors/perl_cmd.pl -uploadloc perl.pl

#############################################################
TODO:
	- NTLM authentication
	- Backdoors for more languages 
	- Validate jhtml test syntax