Welcome to HBH V2 ! If you had an account on hellboundhacker.org you will need to reset your password using the Lost Password system before you will be able to login.

Bash HTTP Methods


gobzi's Avatar
Member
0 0

Aloha people,

A quick question for a script that I wrote a while ago. [php]

  • Note: The PHP tags are only here as they display the code better. #!/bin/bash while IFS='' read -r line || [[ -n "$line" ]]; do for method in GET OPTIONS TRACK; do echo "$method " >> $line.txt ; curl –max-time 5 -k -I -X $method http://$line >> $line.txt curl –max-time 5 -k -I -X $method https://$line >> $line.txt done echo "TRACE" >> $line.txt; curl –max-time 5 -k -D - -X TRACE http://$line >> $line.txt curl –max-time 5 -k -D - -X TRACE https://$line >> $line.txt done < "$1"[/php]

Code here as well: https://pastebin.com/TNQx9pnD

So, what the script does is to read IPs from a file and use curl to give me the HTTP methods responses. I want to use that in an infrastructure test since I don't want to do that manually for 100+ ips. The script works fine, but I would like to have a check for HTTP/HTTPS since atm it does 8 loops (4 http and 4 https) and I really want to avoid unnecessary traffic. Any thoughts on how I can work that around?

Thanks


gobzi's Avatar
Member
0 0

For those who are interested: http://pastebin.com/X27WRLEB

Later or tomorrow I'm gonna add PUT and POST methods (can't really bother now :P )

Bear in mind there are different ways you can implement that, rex suggested me to try using PHP tags and I want(ed) to try python.


rex_mundi's Avatar
☆ Lucifer ☆
2,550 3

I disabled most of the http methods on my server, as like 60% or more of the shit I see in my logs are 1 time scans checking to see if it has OPTIONS HEAD DELETE or PUT enabled.


gobzi's Avatar
Member
0 0

rex_mundi wrote: I disabled most of the http methods on my server, as like 60% or more of the shit I see in my logs are 1 time scans checking to see if it has OPTIONS HEAD DELETE or PUT enabled.

Yea you're right. Most of the methods must be disabled. Even nowadays I've seen servers with PUT enabled. Even if OPTIONS is disabled, you should scan for PUT/TRACE/TRACK.

I'm not going to implement delete since the client wont be happy if I accidentally delete something :|

Another way to do that: [php] for method in GET OPTIONS TRACK; do for protocol in http:// https://; do echo "$method" >> "$line.txt" curl –max-time -k -l -X "$method" "$protocol$line" >> "$line.txt" done done [/php]

Btw sorry for the confusion, rex suggested to use PHP tags in the forum! I was so confused that I read his message more than 5 times, but still I thought he suggested to write the script on PHP :D