Fix webdav upload php false positive #21543

Open: sjanusz-r7 wants to merge 1 commit into rapid7:master from sjanusz-r7:fix-webdav-upload-php-false-positive

@sjanusz-r7 (Contributor) commented Jun 5, 2026

This PR addresses a recent issue stemming from the recently-made changes to the webdav upload php module, where a false positive was being reported based on only the response code.

This PR adds a header and a message check, to try and get rid of the false positive.

res.body is an empty string, so there isn't anything we can search for there that is specific to webdav. I resorted to the headers that are being returned instead:

[2] pry(#<Msf::Modules::Exploit__Multi__Http__Webdav_upload_php::MetasploitModule>)> res.body
=> ""
[6] pry(#<Msf::Modules::Exploit__Multi__Http__Webdav_upload_php::MetasploitModule>)> res.headers
=> {"Date"=>"xxx",
 "Server"=>"Apache/2.4.37 (Unix)",
 "Authentication-Info"=>"rspauth=\"xxx\", cnonce=\"xxx\", nc=xxx, qop=auth",
 "DAV"=>"1,2, <http://apache.org/dav/propset/fs/1>",
 "MS-Author-Via"=>"DAV",
 "Allow"=>"OPTIONS,MKCOL,PUT,LOCK",
 "Content-Length"=>"0"}

Before & After

Run a Docker container that will give us a 200 response code, without actually having WebDAV running:
docker run --rm -d -p 9090:80 --name false-positive-test httpd:2.4

Before

msf exploit(multi/http/webdav_upload_php) > run rhost=127.0.0.1 rport=9090
[*] Started reverse TCP handler on 192.168.1.230:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Error with upload request (HTTP 405, should be 2xx)
[-] Exploit aborted due to failure: unknown: Cannot reliably check exploitability. Upload request failed with HTTP status 405 "set ForceExploit true" to override check result.
[*] Exploit completed, but no session was created.
msf exploit(multi/http/webdav_upload_php) > services
Services
========

host       port  proto  name    state  info                  resource  parents
----       ----  -----  ----    -----  ----                  --------  -------
127.0.0.1  9090  tcp    tcp     open                         {}
127.0.0.1  9090  tcp    webdav  open   Apache/2.4.67 (Unix)  {}        http (9090/tcp)
127.0.0.1  9090  tcp    http    open                         {}        tcp (9090/tcp)

After

msf exploit(multi/http/webdav_upload_php) > run rhost=127.0.0.1 rport=9090
[*] Started reverse TCP handler on 192.168.1.230:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Target responded with an unknown DAV header: '', should be '(?-mix:^\d,\d, <http:\/\/apache.org\/dav\/propset\/fs\/\d>$)'
[-] Exploit aborted due to failure: unknown: Cannot reliably check exploitability. Target responded with unexpected message and/or header "set ForceExploit true" to override check result.
[*] Exploit completed, but no session was created.
msf exploit(multi/http/webdav_upload_php) > services
Services
========

host  port  proto  name  state  info  resource  parents
----  ----  -----  ----  -----  ----  --------  -------

No false positive.

Verification

  • Start docker container: docker run --restart always -e AUTH_TYPE=Digest -e USERNAME=wampp -e PASSWORD=xampp --publish 8000:80 bytemark/webdav
  • Start msfconsole
  • use multi/http/webdav_upload_php
  • run rhost=127.0.0.1 rport=8000 username=wampp password=xampp uri=/

@sjanusz-r7 force-pushed the fix-webdav-upload-php-false-positive branch from 4985328 to a3befde, June 5, 2026 14:18
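
The check described in the PR description, sketched as an added example (not the module's code or the PR's diff): a response counts as WebDAV only when the status is 2xx and the DAV header identifies it. APACHE_DAV is the pattern shown in the "After" output; the helper names, return symbols, the RFC 4918 class "1" fallback and the sample responses are assumptions that go beyond what the PR shows.

```ruby
# Added example: classify a response as WebDAV from status code plus DAV header.
# APACHE_DAV is the pattern printed in the PR's "After" output; everything else
# (method names, return symbols, sample responses) is hypothetical.
APACHE_DAV = /^\d,\d, <http:\/\/apache.org\/dav\/propset\/fs\/\d>$/

# HTTP header names are case-insensitive, so do not rely on exact key casing.
def header(headers, name)
  pair = headers.find { |k, _| k.to_s.casecmp?(name) }
  pair ? pair[1].to_s : ''
end

# RFC 4918: the DAV header is a comma-separated list of compliance classes,
# and every WebDAV-compliant resource advertises class "1".
def dav_classes(value)
  value.split(',').map(&:strip).reject(&:empty?)
end

# Returns :apache_mod_dav, :generic_dav or :not_dav.
def classify_webdav(code, headers)
  # A status code alone proves nothing, and a non-2xx is never a positive.
  return :not_dav unless (200..299).cover?(code.to_i)

  dav = header(headers, 'DAV')
  return :apache_mod_dav if dav.match?(APACHE_DAV)
  return :generic_dav if dav_classes(dav).include?('1')

  :not_dav # missing or empty DAV header, as in the "After" run above
end

# Constructed sample responses (header values modelled on the PR's pry dump).
SAMPLES = {
  plain_httpd: [200, { 'Server' => 'Apache/2.4.67 (Unix)' }],
  mod_dav: [200, { 'dav' => '1,2, <http://apache.org/dav/propset/fs/1>' }],
  other_dav: [207, { 'DAV' => '1, 3' }],
  rejected: [405, { 'DAV' => '1,2, <http://apache.org/dav/propset/fs/1>' }]
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |name, (code, hdrs)| puts "#{name}: #{classify_webdav(code, hdrs)}" }
end
```

Only a positive classification should lead to a `webdav` service being recorded; the plain httpd sample, which answers 200 without any DAV header, stays unclassified.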
@adfoster-r7 (Contributor)

Any thoughts on this one @g0tmi1k ? 👀
