0

I was scanning an OSCP lab machine, and saw this enter image description here

I tried to send a typical put request to test if I can put files on the server through netcat. enter image description here However, I'm still getting a 404 error when accessing the uploaded file. enter image description here

Benoit Esnard
  • 13,942
  • 7
  • 65
  • 65
HSN
  • 968
  • 5
  • 14
  • 2
    It is called *potentially* for a reason - i.e. it does not need to be a problem but might. And, given your test it is probably not a problem in your case. For more see [How is HTTP PUT and DELETE methods insecure, if they really are?](https://security.stackexchange.com/questions/21413/how-to-exploit-http-methods.) – Steffen Ullrich Jun 26 '17 at 20:40
  • 3
    I guess you need to "try harder" :) – Nalaurien Jun 26 '17 at 20:47
  • 1
    The correct c-len for that body is 58 with CRLF or 53 with LF. I don't have enough voodoo to resurrect Apache1.3 and check it rejected damaged/truncated request but I would expect it did. – dave_thompson_085 Jun 27 '17 at 06:56
  • 1
    Do not get rail-roaded by the output of Nikto, just because these are potentially allowed does not mean you can exploit them. I advise you enumerate more and do some threat modelling matching information you find to vulnerabilities and then to exploits…particularly those found on Exploit DB. As much as I hate to say it…Try harder. Another point I do not advise posting this on here as OffSec may not take to kindly to it, they have student forums for a reason. ;) – TheJulyPlot Jun 27 '17 at 07:02

0 Answers0