Cheat Sheet - Add UNC Injection Help for WEBDAV #54
Comments
@nullbind Bump... I'll buy you lunch or a beer if you can figure out how to reliably force webdav auth from MSSQL server.
There are a few ways to do this, but unfortunately it requires a few things to be in place. 1st, "Desktop Experience" must be installed, so that the WebClient service is present. Then it has to be enabled/running. You can trigger the WebClient service to start programmatically as a non-privileged user, but there isn't a way to install the "Desktop Experience" feature that way. Another option is that MSSQL is installed on a client operating system like Win7 or Win10, in which case you still have to deal with starting the WebClient service, which as far as I can tell, you can't do from functions inside of MSSQL. Maybe @nullbind can figure that piece out. Once you are over that hurdle, you still have to deal with having an attack tool that supports WebDAV's process for authentication, which isn't straight HTTP. It does an OPTION request, then a PROPFIND (which expects an XML response), then it starts down the NTLM authentication route, but if Auth is required or a correctly formatted response isn't given, then the auth won't be performed. I don't believe that Inveigh (which is what PowerUpSQL uses if I remember correctly), doesn't support WebDAV based authentication. I could be wrong here, but if it isn't, then that's up to @Kevin-Robertson to fix, not @nullbind. Finally, once you have that perfect storm in place, you can get PowerUpSQL to perform an xp_dirtree on a WebDAV path, but it's a long road to get here. Just wanted to make sure you knew what you were asking for :)
I can confirm that I don't have the standard WebDAV auth in Inveigh. To further complicate things though, the Microsoft-WebDAV-MiniRedir does seem to trigger auth through straight HTTP :) So for example, Inveigh should capture auth for an incoming webdav connection that is redirected from a port 445 UNC on a redirect capable system. I could add the standard webdav auth if there is a need.
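For the defensive side of what the two comments above describe, here is an added example (not part of the thread, and not code from PowerUpSQL or Inveigh): it scans an egress proxy log for Microsoft-WebDAV-MiniRedir OPTIONS/PROPFIND requests leaving SQL Server hosts and notes whether the remote server answered with an authentication challenge. The log format, IP addresses, host names and function names are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy/egress log lines: time, source IP, method, URL, status, user agent.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.5.20 OPTIONS http://files.example.test/share 200 "Microsoft-WebDAV-MiniRedir/10.0.17763"
2024-05-01T10:00:01Z 10.0.5.20 PROPFIND http://files.example.test/share 401 "Microsoft-WebDAV-MiniRedir/10.0.17763"
2024-05-01T10:00:02Z 10.0.5.20 PROPFIND http://files.example.test/share 207 "Microsoft-WebDAV-MiniRedir/10.0.17763"
2024-05-01T10:03:40Z 10.0.5.20 GET http://updates.example.test/pkg.cab 200 "Microsoft-Delivery-Optimization/10.0"
2024-05-01T10:05:12Z 10.0.9.77 PROPFIND http://intranet.example.test/docs 207 "Microsoft-WebDAV-MiniRedir/10.0.19045"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
DAV_METHODS = {"OPTIONS", "PROPFIND"}        # the two requests named in the thread
DAV_AGENT = "microsoft-webdav-miniredir"     # WebClient service user agent prefix


def webdav_from_sql_hosts(log_text, sql_hosts):
    """Summarise WebDAV redirector traffic leaving hosts listed in sql_hosts."""
    hits = defaultdict(lambda: {"methods": set(), "auth_challenge": False, "first_seen": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["src"] not in sql_hosts:
            continue
        if m["method"] not in DAV_METHODS or DAV_AGENT not in m["ua"].lower():
            continue
        entry = hits[(m["src"], urlsplit(m["url"]).hostname)]
        entry["methods"].add(m["method"])
        entry["first_seen"] = entry["first_seen"] or m["ts"]
        # A 401 means the server asked the client for credentials.
        entry["auth_challenge"] |= m["status"] == "401"
    return dict(hits)


def full_handshake(entry):
    """True when OPTIONS and PROPFIND were both seen and the server challenged."""
    return DAV_METHODS <= entry["methods"] and entry["auth_challenge"]


if __name__ == "__main__":
    for (src, dest), e in webdav_from_sql_hosts(SAMPLE_LOG, {"10.0.5.20"}).items():
        print(src, dest, sorted(e["methods"]), "handshake+401" if full_handshake(e) else "partial")
```

A database server that never needs WebDAV should produce no hits at all, so any entry here is worth reviewing alongside the state of the WebClient service on that host.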
Requester:
kevin @GuhnooPlusLinux
Question:
@nullbind Is there anything special you have to do for webdav auth in MSSQL? Tested all formats listed in the PowerUpSQL UNC path cheatsheet but no dice.