o [NSE] Added a new script http-put.nse that allows uploading of local files

to remote web servers using the HTTP PUT method. Added HTTP PUT support to the http library. [Patrik]
2025-12-11 02:09:03 +00:00 · 2011-10-20 02:32:51 +00:00
parent 4fb375b96d
commit 005322c8d4
4 changed files with 83 additions and 0 deletions
--- a/4
+++ b/4
@@ -1,5 +1,9 @@
 # Nmap Changelog ($Id$); -*-text-*-
 o [NSE] Added a new script http-put.nse that allows uploading of local files
  to remote web servers using the HTTP PUT method. Added HTTP PUT support to
  the http library. [Patrik]
 o Made nbase compile with the clang compiler that is a part of Xcode
  4.2. [Daniel J. Luke]
--- a/nselib/http.lua
+++ b/nselib/http.lua
@@ -1171,6 +1171,31 @@ function generic_request(host, port, method, path, options)
  return request(host, port, build_request(host, port, method, path, options), options)
 end
 ---Uploads a file using the PUT method and returns a result table. This is a simple wrapper
 -- around <code>generic_request</code>
 --
 -- @param host The host to connect to.
 -- @param port The port to connect to.
 -- @param path The path to retrieve.
 -- @param options [optional] A table that lets the caller control socket timeouts, HTTP headers, and other parameters. For full documentation, see the module documentation (above). 
 -- @param putdata The contents of the file to upload
 -- @return <code>nil</code> if an error occurs; otherwise, a table as described in the module documentation. 
 -- @see http.generic_request
 function put(host, port, path, options, putdata)
  if(not(validate_options(options))) then
    return nil
  end
  if ( not(putdata) ) then
 	return nil
  end
  local mod_options = {
    content = putdata,
  }
  table_augment(mod_options, options or {})
  return generic_request(host, port, "PUT", path, mod_options)
 end
 ---Fetches a resource with a GET request and returns the result as a table. This is a simple
 -- wraper around <code>generic_request</code>, with the added benefit of having local caching. 
 -- This caching can be controlled in the <code>options</code> array, see module documentation 
--- a/scripts/http-put.nse
+++ b/scripts/http-put.nse
@@ -0,0 +1,52 @@
 description = [[
 Uploads a local file to a remote web server using the HTTP PUT method.
 ]]
 ---
 -- @usage
 -- nmap -p 80 <ip> --script http-put --script-args http-put.url='/uploads/rootme.php',http-put.file='/tmp/rootme.php'
 --
 -- @output
 -- PORT     STATE SERVICE
 -- PORT   STATE SERVICE
 -- 80/tcp open  http
 -- |_http-put: /uploads/rootme.php was successfully created
 --
 -- @args http-put.file - The full path to the local file that should be uploaded to the server
 -- @args http-put.url  - The remote directory and filename to store the file to e.g. (/uploads/file.txt)
 --
 --
 --
 -- Version 0.1
 -- Created 10/15/2011 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
 --
 author = "Patrik Karlsson"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 categories = {"auth", "discovery", "safe"}
 require 'shortport'
 require 'stdnse'
 require 'http'
 portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open")
 action = function( host, port )
 	local fname, url = stdnse.get_script_args('http-url.file', 'http-put.url')
 	if ( not(fname) or not(url) ) then return end 
 	local f = io.open(fname, "r")
 	if ( not(f) ) then return ("ERROR: Failed to open file: %s"):format(fname) end
 	local content = f:read("*all")
 	f:close()
 	local response = http.put(host, port, url,  nil, content)
 	if ( response.status == 200 or response.status == 204 ) then
 		return ("%s was successfully created"):format(url)
 	end
 	return ("ERROR: %s could not be created"):format(url)
 end
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -96,6 +96,7 @@ Entry { filename = "http-methods.nse", categories = { "default", "safe", } }
 Entry { filename = "http-open-proxy.nse", categories = { "default", "discovery", "external", "safe", } }
 Entry { filename = "http-passwd.nse", categories = { "intrusive", "vuln", } }
 Entry { filename = "http-php-version.nse", categories = { "discovery", "safe", } }
 Entry { filename = "http-put.nse", categories = { "auth", "discovery", "safe", } }
 Entry { filename = "http-robots.txt.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "http-trace.nse", categories = { "discovery", "safe", "vuln", } }
@@ -214,6 +215,7 @@ Entry { filename = "smtp-vuln-cve2011-1720.nse", categories = { "intrusive", "vu
 Entry { filename = "smtp-vuln-cve2011-1764.nse", categories = { "intrusive", "vuln", } }
 Entry { filename = "sniffer-detect.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "snmp-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "snmp-brute2.nse", categories = { "auth", "intrusive", } }
 Entry { filename = "snmp-interfaces.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "snmp-ios-config.nse", categories = { "intrusive", } }
 Entry { filename = "snmp-netstat.nse", categories = { "default", "discovery", "safe", } }