Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/wireghoul/htshells

Self contained htaccess shells and attacks
https://github.com/wireghoul/htshells

apache exploit htaccess penetration-testing polyglot security webshell

Last synced: 5 days ago
JSON representation

Self contained htaccess shells and attacks

Awesome Lists containing this project

README 

        
HTSHELLS - Self contained web shells and other attacks via .htaccess files.



Attacks are named in the following fashion, module.attack.htaccess and grouped

by attack type in directories. Pick the one you need and copy it to a new file

named .htaccess, check the file to see if it needs editing before you upload it.

Web shells executes commands from the query parameter c, unless the file states

otherwise.



To prepare run `./prepare.sh file` which will generate the .htaccess file

to be uploaded. Example:

```

$ ./prepare.sh shell/mod_php.shell.htaccess

┬ ┬┌┬┐┌─┐┬ ┬┌─┐┬  ┬  ┌─┐

├─┤ │ └─┐├─┤├┤ │  │  └─┐

┴ ┴ ┴ └─┘┴ ┴└─┘┴─┘┴─┘└─┘

 justanotherhacker.com



.htaccess file is ready

$ curl -F '[email protected]' -k https://target/upload.php

$ curl -k https://target/uploads/.htaccess?c=id

...

# uid=33(www-data) gid=33(www-data) groups=33(www-data)

```



== DOS/       # Denial of service attacks

- apache.dos.htaccess

  Makes all requests return a 500 internal server error



- mod_rewrite.dos.htaccess

  Regular expression dos condition in mod_rewrite consumes a child process



== INFO/      # Information disclosure attacks

- modcheck/

  Include additional response headers to indicate which Apache modules are active

  

- mod_caucho.info.htaccess *untested*

  Server status binding for the mod_caucho Resin java server module



- mod_clamav.info.htaccess

  Clamav status page binding



- mod_info.info.htaccess

  Server info binding for Apache



- mod_ldap.info.htaccess *untested*

  Server status binding for the mod_ldap server module



- mod_perl.info.htaccess

  Display the mod_perl status page



- mod_php.info.htaccess

  Make all php pages show source instead of executing



- mod_status.info.htacces

  Server status binding for Apache



== SHELL/       # Interactive command execution

- mod_caucho.shell.htaccess *untested*

  JSP based web shell



- mod_cgi.shell.bash.htaccess

  Shell using bash under the cgi handler, Requires exec flag to be set on the htaccess file.



- mod_cgi.shell.windows.htaccess *untested*

  Gives shell through php.exe via apache cgi configuration directives



- mod_include.shell.htaccess

  Server Side Include based web shell



- mod_multi.shell.htaccess

  Multiple shells in one .htaccess file, one attack fits all approach



- mod_perl.shell.htaccess *incomplete*

  TODO



- mod_php.shell.htaccess

  PHP based web shell access via http://domain/path/.htaccess?c=command



- mod_php.shell2.htaccess

  Alternate method of invoking a php shell from .htaccess file



- mod_php.stealth.shell.htaccess

  PHP based stealth backdoor - see http://www.justanotherhacker.com/2011/12/writing-a-stealth-web-shell.html for tutorial



- mod_python.shell.htaccess



- mod_ruby.shell.htaccess



- mod_suphp.shell.htaccess



== TRAVERSAL/   # Directory traversal attacks

- mod_hitlog.traversal.htaccess

  Directory traversal attack via hitlog module tries to read /etc/passwd



- mod_layout.traversal.htaccess

  Directory traversal attack reads /etc/passwd



== ./           # Various attacks

- mod_auth_remote.phish.htaccess *untested*

  Forward basic auth credentials to server of your choice



- mod_badge.admin.htaccess

  mod_badge admin page binding



- mod_sendmail.rce.htaccess *untested*

  Executes commands configured in the .htaccess file by specifying path and arguments to "sendmail" binary



Wireghoul - http://www.justanotherhacker.com