Donate to us via Paypal!
Imagination is more valuable than knowledge - Albert Einstein
Monday, March 01, 2021
Navigation
Home
 Find:
 Information:
Learn
Communicate
Submit
Shop
Challenges
 Exploit:
 Programming:
 Think:
 Track:
 Patch:
 Other:
 Need Help?
Other
Members Online
Total Online: 121
Guests Online: 120
Members Online: 1

Registered Members: 133766
Newest Member: denim6321d
Latest Articles

View Thread

HellBound Hackers | Computer General | Programming

Author

Bash HTTP Methods

gobzi
Member



Posts: 118
Location: Hobbiton
Joined: 26.05.16
Rank:
HBH Guru
Posted on 22-08-16 15:05
Aloha people,

A quick question for a script that I wrote a while ago.
PHP
  1. <?php
  2.  
  3. * Note: The PHP tags are only here as they display the code better.
  4. #!/bin/bash
  5. while IFS='' read -r line || [[ -n "$line" ]]; do
  6.         for method in GET OPTIONS TRACK;
  7.         do
  8.         echo "$method " >> $line.txt ;
  9.         curl  --max-time 5 -k -I -X $method http://$line >> $line.txt
  10.         curl  --max-time 5 -k -I -X $method https://$line >> $line.txt
  11.         done
  12. echo "TRACE" >> $line.txt;
  13. curl  --max-time 5 -k -D - -X TRACE http://$line >> $line.txt
  14. curl  --max-time 5 -k -D - -X TRACE https://$line >> $line.txt
  15. done < "$1"
  16. ?>


Code here as well: https://pastebin.com/TNQx9pnD

So, what the script does is to read IPs from a file and use curl to give me the HTTP methods responses. I want to use that in an infrastructure test since I don't want to do that manually for 100+ ips. The script works fine, but I would like to have a check for HTTP/HTTPS since atm it does 8 loops (4 http and 4 https) and I really want to avoid unnecessary traffic. Any thoughts on how I can work that around?

Thanks


<pre> <?=`$_GET[1]`?>

Ima_noob# cat * | egrep "Subject|Date|filename=" > agrrr

Edited by rex_mundi on 22-08-16 19:19
goo.gl/8st1AR
Author

RE: Bash HTTP Methods

gobzi
Member



Posts: 118
Location: Hobbiton
Joined: 26.05.16
Rank:
HBH Guru
Posted on 22-08-16 17:02
For those who are interested: http://pastebin.com/X27WRLEB

Later or tomorrow I'm gonna add PUT and POST methods (can't really bother now Pfft )

Bear in mind there are different ways you can implement that, rex suggested me to try using PHP tags and I want(ed) to try python.


<pre> <?=`$_GET[1]`?>

Ima_noob# cat * | egrep "Subject|Date|filename=" > agrrr
goo.gl/8st1AR
Author

RE: Bash HTTP Methods

rex_mundi
☆ Lucifer ☆



Posts: 2018
Location: Scotland
Joined: 20.02.08
Rank:
God
Posted on 22-08-16 20:52
I disabled most of the http methods on my server, as like 60% or more of the shit I see in my logs are 1 time scans checking to see if it has OPTIONS HEAD DELETE or PUT enabled.
U N ⓡⓔⓧ_ⓜⓤⓝⓓⓘ
Author

RE: Bash HTTP Methods

gobzi
Member



Posts: 118
Location: Hobbiton
Joined: 26.05.16
Rank:
HBH Guru
Posted on 23-08-16 09:53
rex_mundi wrote:
I disabled most of the http methods on my server, as like 60% or more of the shit I see in my logs are 1 time scans checking to see if it has OPTIONS HEAD DELETE or PUT enabled.


Yea you're right. Most of the methods must be disabled. Even nowadays I've seen servers with PUT enabled. Even if OPTIONS is disabled, you should scan for PUT/TRACE/TRACK.

I'm not going to implement delete since the client wont be happy if I accidentally delete something :|


Another way to do that:
PHP
  1. <?php
  2.  
  3. for method in GET OPTIONS TRACK; do
  4.     for protocol in http:// https://; do
  5.         echo "$method" >> "$line.txt"
  6.         curl --max-time -k -l -X "$method" "$protocol$line" >> "$line.txt"
  7.     done
  8. done
  9.  
  10. ?>


Btw sorry for the confusion, rex suggested to use PHP tags in the forum! I was so confused that I read his message more than 5 times, but still I thought he suggested to write the script on PHP :D


<pre> <?=`$_GET[1]`?>

Ima_noob# cat * | egrep "Subject|Date|filename=" > agrrr
goo.gl/8st1AR