- Joined
- Jun 13, 2020
- Messages
- 7,903
- Reaction score
- 942
- Points
- 212
- Awards
- 2
Determining allowed HTTP methods
First we will learn how we can determine which HTTP methods are allowed and find out if HTTP PUT is one of them. From the Nmap port scan we found out that Metasploitable is running Microsoft IIS on port 80 and Apache httpd 2.2.21 on port 8585. In this tutorial we will target the Apache server on port 8585.
Nmap service scan on Metasploitable 3
Discovering webserver directories with Dirb
The next step is to find out what directories are present on this webserver. A nice tool that brute forces directories on a webserver is dirb. When we run dirb on the Apache webserver with the following command we find a directory named ‘uploads’:
Dirb found the uploads directory on Metasploitable 3 port 8585.
Nmap: Determining allowed HTTP methods
We can use several methods to determine if we’re allowed to upload files to this directory with the HTTP PUT method. Testing for allowed HTTP methods can be done with the OPTIONS HTTP method which provides a list of allowed methods. But as this may not always work an easier way is to run the Nmap http-methods script on the uploads directory. When we run the following command see that HTTP PUT is enabled for the uploads directory:
Nmap HTTP-Methods script returns the allowed methods for the uploads directory.
As we can see the webserver allows us to upload files to the uploads directory and even delete files.
Nikto
We can also use the web vulnerability scanner Nikto to determine vulnerabilities in the webserver. If the HTTP PUT method is enabled than Nikto will indicate this as following:
The last line of Nikto output indicates that the uploads directories allows uploading files using HTTP PUT.
Exploiting HTTP PUT for shell
Now that we know we can upload files to this directory let’s have a look at a few different ways to do this. In the next steps of this tutorial we will upload a Meterpreter PHP reverse shell script to the webserver and execute it. We will demonstrate how to upload files with Nmap, Metasploit and Curl.
Nmap HTTP PUT Meterpreter shell
Let’s with creating a PHP Meterpreter reverse shell payload with msfvenom first by running the following command:
Create the PHP Meterpreter reverse shell payload with Msfvenom.
Modify the file to make sure that the scripts contains the proper PHP open and closing tags:
Add the PHP opening tag at the beginning of the file:
Next we’ll setup the listener in Metasploit to intercept the reverse shell with the following commands:
Setup the multi handler exploit in Metasploit.
Nmap HTTP-PUT script
Now that we’ve created the Meterpreter payload and setup our listener in Metasploit we will use Nmap to upload the Meterpreter payload to the webserver. Execute the following command to run the Nmap http-put script:
Nmap http-put script on port 8585.
As we can see on the screenshot the meterpreter.php has been successfully created. Because port 8585 is not defined as an http service port in the nmap services file it is important that we run a service scan with -sV flag. Otherwise script will fail in uploading the file and only display an open port and unknown service.
Metasploit HTTP PUT Auxiliary module
We can also use the Metasploit auxiliary module HTTP PUT to upload a file to the uploads web directory. In the following steps we will be uploading the PHP Meterpreter reverse shell script that we’ve created earlier in this tutorial and intercept the Meterpreter reverse shell with the multi handler module. Run the following commands:
Metasploit HTTP-PUT options.
The next step is to setup the multi handler module again to intercept the reverse shell connection and execute the auxiliary module with the run command:
Metasploit indicates that the upload has failed.
Metasploit is showing us that the upload has failed, but when we check the uploads directory on the webserver we can see that the file upload did go through:
But the upload did got through.
All that remains is to execute the PHP script and receive a reverse shell from the Metasploitable 3 machine on our multi handler:
Execute the meterpreter.php script on the webserver and get a reverse shell on your multi handler.
HTTP PUT with Curl
Finally we can also upload the Meterpreter payload with a single command using Curl:
Alternatively you can also use Curl to upload the meterpreter.php file using HTTP-PUT.
As we can see the meterpreter.php file has been successfully uploaded to the webserver.
Lessons Learned
In this tutorial we have learned how to assess a webserver for uploading files using the HTTP PUT method. We have discovered that the uploads directory on port 8585 on the Metasploitable 3 machines allows us to upload malicious files and execute them in the context of the webserver. We have used 3 different tools to upload the files; Nmap, Metasploit and Curl.
First we will learn how we can determine which HTTP methods are allowed and find out if HTTP PUT is one of them. From the Nmap port scan we found out that Metasploitable is running Microsoft IIS on port 80 and Apache httpd 2.2.21 on port 8585. In this tutorial we will target the Apache server on port 8585.
Nmap service scan on Metasploitable 3
Discovering webserver directories with Dirb
The next step is to find out what directories are present on this webserver. A nice tool that brute forces directories on a webserver is dirb. When we run dirb on the Apache webserver with the following command we find a directory named ‘uploads’:
Dirb found the uploads directory on Metasploitable 3 port 8585.
Nmap: Determining allowed HTTP methods
We can use several methods to determine if we’re allowed to upload files to this directory with the HTTP PUT method. Testing for allowed HTTP methods can be done with the OPTIONS HTTP method which provides a list of allowed methods. But as this may not always work an easier way is to run the Nmap http-methods script on the uploads directory. When we run the following command see that HTTP PUT is enabled for the uploads directory:
Nmap HTTP-Methods script returns the allowed methods for the uploads directory.
As we can see the webserver allows us to upload files to the uploads directory and even delete files.
Nikto
We can also use the web vulnerability scanner Nikto to determine vulnerabilities in the webserver. If the HTTP PUT method is enabled than Nikto will indicate this as following:
The last line of Nikto output indicates that the uploads directories allows uploading files using HTTP PUT.
Exploiting HTTP PUT for shell
Now that we know we can upload files to this directory let’s have a look at a few different ways to do this. In the next steps of this tutorial we will upload a Meterpreter PHP reverse shell script to the webserver and execute it. We will demonstrate how to upload files with Nmap, Metasploit and Curl.
Nmap HTTP PUT Meterpreter shell
Let’s with creating a PHP Meterpreter reverse shell payload with msfvenom first by running the following command:
Create the PHP Meterpreter reverse shell payload with Msfvenom.
Modify the file to make sure that the scripts contains the proper PHP open and closing tags:
Add the PHP opening tag at the beginning of the file:
Next we’ll setup the listener in Metasploit to intercept the reverse shell with the following commands:
Setup the multi handler exploit in Metasploit.
Nmap HTTP-PUT script
Now that we’ve created the Meterpreter payload and setup our listener in Metasploit we will use Nmap to upload the Meterpreter payload to the webserver. Execute the following command to run the Nmap http-put script:
Nmap http-put script on port 8585.
As we can see on the screenshot the meterpreter.php has been successfully created. Because port 8585 is not defined as an http service port in the nmap services file it is important that we run a service scan with -sV flag. Otherwise script will fail in uploading the file and only display an open port and unknown service.
Metasploit HTTP PUT Auxiliary module
We can also use the Metasploit auxiliary module HTTP PUT to upload a file to the uploads web directory. In the following steps we will be uploading the PHP Meterpreter reverse shell script that we’ve created earlier in this tutorial and intercept the Meterpreter reverse shell with the multi handler module. Run the following commands:
Metasploit HTTP-PUT options.
The next step is to setup the multi handler module again to intercept the reverse shell connection and execute the auxiliary module with the run command:
Metasploit indicates that the upload has failed.
Metasploit is showing us that the upload has failed, but when we check the uploads directory on the webserver we can see that the file upload did go through:
But the upload did got through.
All that remains is to execute the PHP script and receive a reverse shell from the Metasploitable 3 machine on our multi handler:
Execute the meterpreter.php script on the webserver and get a reverse shell on your multi handler.
HTTP PUT with Curl
Finally we can also upload the Meterpreter payload with a single command using Curl:
Alternatively you can also use Curl to upload the meterpreter.php file using HTTP-PUT.
As we can see the meterpreter.php file has been successfully uploaded to the webserver.
Lessons Learned
In this tutorial we have learned how to assess a webserver for uploading files using the HTTP PUT method. We have discovered that the uploads directory on port 8585 on the Metasploitable 3 machines allows us to upload malicious files and execute them in the context of the webserver. We have used 3 different tools to upload the files; Nmap, Metasploit and Curl.