[Tut] Bypass HTACCESS?

Prince

I wrote this tutorial myself under another nickname, "Shirobi", on another French forum (and others).
It is even my old username here, thank you for your understanding :p

Bypassing a HTACCESS


This tutorial aims to teach you a technique to bypass an htaccess. If you know other ways to bypass an htaccess, I invite you to write a tutorial :) (and sorry for the spelling)


Summary:

0x01 ~ What is a HTACCESS?
0x02 ~ A little more ...
0x03 ~ Operation
0x04 ~ With an LFI ...
0x05 ~ Securing





0x01 ~ What is htaccess?


Nothing complicated. An htaccess is a mechanism that protects files / folders on a website with an identification step (user, password); both are stored in a ".htpasswd" file.


0x02 ~ A little more ...

In fact, this flaw is very common, but why? With Google, we can copy / paste HTACCESS scripts that are supposed to protect our files ... Well, it depends, because most of these scripts are vulnerable!

0x03 ~ Operation

Until now, as you may have noticed, this is super hard! (irony)
We will exploit this vulnerability via telnet. To do this, open the command prompt and run telnet like this:

code:
telnet site.com 80

(instead of site.com, use the desired domain name)

A blank page is displayed in the command prompt. It is at this point that the operation will start.
The vulnerability is in the htaccess code:
AuthUserFile "c:\wamp\www\tutorial\zentrixplus\htaccessvuln\secure\.htpasswd"
AuthGroupFile /dev/null
AuthName "Protected page"
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
Explanation of lines:

1. Indicates where the users and passwords are stored, in the form:
user: password

3. The message that will be displayed, here "Protected page"

5. This is where the vulnerability lies: <Limit></Limit>

We can see that both GET and POST are listed: when one of these two requests is sent, a valid user and password* are required to access the protected file / folder.
*require valid-user
Back to telnet. Once in the telnet session, we write the GET request followed by the URL of the htaccess error you get when you cancel the authentication:


Once GET is typed, add a SPACE (otherwise it will not work) and paste the URL of the error, then press Enter:
GET [URL OF ERROR]
An error? That is normal.
In our htaccess file, the HTTP GET and POST requests are "blocked" because of the <Limit> tag (<Limit GET POST>: GET and POST requests are refused if an invalid user / password is given).
So by repeating the same operation, this time with a POST request, we will get the same error, which is quite logical.

To bypass this error, we step outside the conditions of our <Limit> tag by using an HTTP request other than GET or POST.
For example: PUT. Repeat the same steps:

PUT [URL OF ERROR]
and ... we win: we have access to the file!

However, if the admin of the site is a bit smarter, he will list all possible types of HTTP requests in the <Limit> tag.
Quote:
GET: This is the most common method to request a resource. A GET request has no effect on the resource; it must be possible to repeat the request without effect.
HEAD: This method requires only information about the resource, without requiring the resource itself.
POST: This method should be used when an application modifies the resource.
OPTIONS: This method provides the communication options of a resource or of the server in general.
CONNECT: This method allows the use of a proxy as a communication tunnel.
TRACE: This method asks the server to return what it has received, in order to test and run diagnostics on the connection.
PUT: This method adds a resource on the server.
DELETE: This method removes a resource from the server.
But it is always possible to invent your own request "type"! For example, invent a "zentrixplus" request:
ZENTRIXPLUS [URL OF ERROR]

0x04 ~ With an LFI ...

There is also a way, this time not to bypass the htaccess, but to read its contents and those of the .htpasswd.

Consider this URL, which is vulnerable to LFI:

Quote: http://site.com/index.php?page=test.php
Suppose that the htaccess is located in a "secu/" folder:


Quote: http://site.com/index...=secu/.htaccess



We get the content of our htaccess, including the line indicating the path of the htpasswd!
We therefore include it in our URL:


Quote: http://site.com/inde...asswd/.htpasswd



Here it is: we have the users and passwords in the form
user: pwd

All that remains is to log in! (after recovering the clear-text password if it was encrypted).

Online, use HTTP Live HEADER, an add-on for Firefox; this tool can change the headers and the HTTP requests.
Download on:
https://addons.mozil...e-http-headers/

0x05 ~ Securing

We are at the last stage of this tutorial: we will learn how to fix this widespread flaw in the <Limit> tag.
Simply remove the <Limit> tag. The Apache documentation gives the details:
http://httpd.apache....core.html#limit
Quote: « In the general case, access control directives should not be placed within a <Limit> section. »

For other ways to protect your htaccess (and htpasswd),
check out http://zentrixplus.n...ected-htaccess/
Regards, Ek0h.
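
The fix from section 0x05 can be checked automatically. The following is an added example, not part of the original post: a Python audit that flags access-control directives placed inside a <Limit> section and reports the only methods they are enforced for. The function name audit_htaccess, the sample rules and the /path/to/.htpasswd placeholder are assumptions made for the illustration.

```python
import re

# Directives that decide who may access a resource (Apache 2.2 and 2.4 syntax).
ACCESS_DIRECTIVES = {"require", "allow", "deny", "order", "satisfy"}
LIMIT_OPEN = re.compile(r"<\s*(Limit|LimitExcept)\s+([^>]*)>", re.I)
LIMIT_CLOSE = re.compile(r"</\s*(Limit|LimitExcept)\s*>", re.I)


def audit_htaccess(text):
    """Return (line_number, directive, methods) for each access-control
    directive that is only enforced for the methods of an enclosing <Limit>."""
    findings = []
    covered = None  # methods of the enclosing <Limit>, or None outside one
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = LIMIT_OPEN.match(line)
        if opened:
            # <LimitExcept> applies to every method not listed, so it is not flagged.
            is_limit = opened.group(1).lower() == "limit"
            covered = [m.upper() for m in opened.group(2).split()] if is_limit else None
            continue
        if LIMIT_CLOSE.match(line):
            covered = None
            continue
        if covered is not None and line.split()[0].lower() in ACCESS_DIRECTIVES:
            findings.append((number, line.split()[0].lower(), covered))
    return findings


# Constructed samples: the tutorial's rules, then the same rules without <Limit>.
VULNERABLE = """AuthUserFile "/path/to/.htpasswd"
AuthName "Protected page"
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
"""
FIXED = """AuthUserFile "/path/to/.htpasswd"
AuthName "Protected page"
AuthType Basic
Require valid-user
"""

if __name__ == "__main__":
    for name, sample in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        for number, directive, methods in audit_htaccess(sample):
            print(f"{name}: line {number}: {directive} enforced only for {methods}")
```

Any finding means the directive protects only the listed methods; an empty result means authentication applies to every request method.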
 