Acabo de escanear un objetivo y he observado que se permite HTTP PUT
.
Entonces, solo para verificar que usé nmap
:
# nmap --script http-methods <IP>
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-11-11 15:05 CET
Nmap scan report for <IP>
Host is up (0.16s latency).
Not shown: 989 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
80/tcp open http
| http-methods:
| Supported Methods: GET HEAD POST PUT DELETE CONNECT OPTIONS PATCH PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK TRACE
|_ Potentially risky methods: PUT DELETE CONNECT PATCH PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK TRACE
111/tcp open rpcbind
139/tcp open netbios-ssn
199/tcp open smux
443/tcp open https
| http-methods:
| Supported Methods: GET HEAD POST PUT DELETE CONNECT OPTIONS PATCH PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK TRACE
|_ Potentially risky methods: PUT DELETE CONNECT PATCH PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK TRACE
995/tcp open pop3s
32768/tcp open filenet-tms
MAC Address: <MAC> (VMware)
Nmap done: 1 IP address (1 host up) scanned in 10.47 seconds
Genial. Eso significa que puedo subir archivos utilizando el método HTTP PUT
.
Intenté usar curl
:
# curl http://<IP>/ --upload-file ./test.html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>403 Forbidden</TITLE>
</HEAD><BODY>
<H1>Forbidden</H1>
You don't have permission to access /test.html
on this server.<P>
<HR>
<ADDRESS>Apache/1.3.23 Server at 127.0.0.1 Port 80</ADDRESS>
</BODY></HTML>
y nmap
otra vez:
# nmap -p 80 <IP> --script http-put --script-args http-put.url'/',http-put.file='./test.html'
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-11-11 15:09 CET
Nmap scan report for <IP>
Host is up (0.15s latency).
PORT STATE SERVICE
80/tcp open http
MAC Address: <MAC> (VMware)
Nmap done: 1 IP address (1 host up) scanned in 7.10 seconds
Aparentemente, se permite PUT
, pero no puedo usarlo. ¿Estoy haciendo algo mal o hay otras medidas de seguridad vigentes, de las que no tengo conocimiento?