Wednesday, June 1, 2011

Htaccess Web Shell

Via Mubix I have found this post that describes a new way to upload a web shell to a server.

This method uploads .htaccess files to change how the server behaves. The nice trick here is that the file itself:

  • Allows .htaccess files to be requested and displayed
  • Tells Apache that the contents of .htaccess files must be interpreted by PHP (the file itself will be executed by the PHP interpreter)
  • Contains, in its last part, PHP code that passes commands to the operating system

As a side note, the author comments that this trick can also be applied to JSP and mod_perl installations.

Some information on securing file uploads, from OWASP.
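
From the defensive side, the three behaviours listed above are each visible in the file's text, so uploaded or modified .htaccess files can be audited for them. The following is an added example, not code from the original post or its author; the indicator names, the regular expressions and the two sample files are constructed for illustration, and only the PHP case is covered.

```python
import os
import re

# One pattern per behaviour listed in the post (PHP case only).
CHECKS = {
    # A <Files>/<FilesMatch> block aimed at .ht* files that grants access.
    "htaccess_served": re.compile(
        r"<Files(?:Match)?\s[^>]*\\?\.ht[^>]*>(?:(?!</Files).)*?"
        r"(?:Allow\s+from\s+all|Require\s+all\s+granted)", re.I | re.S),
    # AddType/AddHandler mapping the .htaccess name to a script handler.
    "htaccess_as_script": re.compile(
        r"^\s*(?:AddType|AddHandler)\s+\S+.*\.htaccess\b", re.I | re.M),
    # A PHP open tag, which has no place in a configuration file.
    "embedded_code": re.compile(r"<\?(?:php|=)", re.I),
}

def scan_htaccess(text):
    """Return the sorted names of the indicators found in one file body."""
    return sorted(name for name, rx in CHECKS.items() if rx.search(text))

def scan_tree(root):
    """Walk root and return {path: indicators} for every flagged .htaccess."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_htaccess(fh.read())
            if hits:
                flagged[path] = hits
    return flagged

# Constructed samples. The PHP body is a placeholder comment, not a payload.
SUSPICIOUS = r'''<Files ~ "^\.ht">
    Order allow,deny
    Allow from all
</Files>
AddType application/x-httpd-php .htaccess
# <?php /* constructed placeholder */ ?>
'''
BENIGN = r'''<Files ~ "^\.ht">
    Require all denied
</Files>
RewriteEngine On
'''

if __name__ == "__main__":
    print(scan_htaccess(SUSPICIOUS))
    print(scan_htaccess(BENIGN))
```

Setting AllowOverride None on directories that accept uploads makes Apache ignore any .htaccess placed there, which removes the precondition for this technique; the scan is a check for trees where overrides must stay enabled.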
