Guest Kronzy Posted September 28, 2014 Report Posted September 28, 2014 Hey RST, today i will show you, how to bypass a .htaccess authentication. First of all if you don't know what it is a .htaccess file, here the description from Wikipedia, the free encyclopedia : A .htaccess (hypertext access) file is a directory-level configuration file supported by several web servers, that allows for decentralized management of web server configuration.The original purpose of .htaccess - reflected in its name - was to allow per-directory access control, by for example requiring a password to access the content. Nowadays however, the .htaccess files can override many other configuration settings including content type and character set, CGI handlers, etc.What does like a .htaccess file content ? AuthName "h4xx0r top security"AuthType BasicAuthUserFile "/home/site/www/r00t/.htpasswd"Require valid-userHow to bypass it ? That is the question ! First of all where is the vulnerability ? The vuln is when a .htaccess file use <Limit></limit> in the code.The <Limit> tag is used to restrict enclosed access controls to only certain HTTP methodsSo a vulnerable file would look like this : AuthName "h4xx0r top security"AuthType BasicAuthUserFile "/home/site/www/r00t/.htpasswd"<Limit GET POST> Require valid-user</Limit>So now how to bypass it ?When you want to access to a web page you have a request like this : GET http://127.0.0.1/index.phpHost: 127.0.0.1So, simply use another http method that GET or POST : Code:RW http://127.0.0.1/index.phpHost: 127.0.0.1To do this, you can use for example the addon on firefox : Live HTTP Headers1. Open Live HTTP Headers, make sure that Capture checkbox is checked.2. Go to a website with a .htaccess authentication page.3. When the pop up of login is prompted click cancel.4. Now find the website in the history of Live HTTP Headers's window5. Click on replay6. Where is written GET change it by another http method7. Click Replay of this window (6) Quote
aelius Posted September 28, 2014 Report Posted September 28, 2014 (edited) Ok. Fai aici un test. Daca treci de el, spune-ne ce scrie in site: http://geodns.ro/\ip address - - [28/Sep/2014:19:13:22 +0100] "GET //WEB-INF%20(copy)/jboss-web.xml HTTP/1.0" 401 342 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"ip address - - [28/Sep/2014:19:13:22 +0100] "GET //WEB-INF%20-%20Copy/jboss-web.xml HTTP/1.0" 401 342 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"ip address - - [28/Sep/2014:19:13:22 +0100] "GET //Copy%20of%20WEB-INF/jboss-web.xml HTTP/1.0" 401 342 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"ip address - - [28/Sep/2014:19:13:23 +0100] "GET /index.html HTTP/1.0" 401 342 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"ip address - - [28/Sep/2014:19:13:24 +0100] "GET / HTTP/1.0" 401 342 "http://some-inexistent-website.acu/some_inexistent_file_with_long_name%3F.jpg" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"ip address - - [28/Sep/2014:19:13:24 +0100] "GET / HTTP/1.0" 401 342 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"ip address - - [28/Sep/2014:19:13:25 +0100] "GET / HTTP/1.0" 401 342 "http://geodns.ro/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"ip address - - [28/Sep/2014:19:13:25 +0100] "GET / HTTP/1.0" 401 342 "................windowswin.ini" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"ip address - - [28/Sep/2014:19:13:26 +0100] "GET / HTTP/1.0" 401 342 "http://geodns.ro/" "T6g6q6Dd'; waitfor delay '0:0:9' --"ip address - - [28/Sep/2014:19:13:26 +0100] "GET / HTTP/1.0" 401 342 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36"Dude, mergi la doctor. Crezi ca saracia de acunetix trece de htpasswd ? Ahahaha "http://some-inexistent-website.acu/some_inexistent_file_with_long_name%3F.jpg" " Edited September 28, 2014 by aelius Quote
Ganav Posted September 28, 2014 Report Posted September 28, 2014 Mai degraba folosesti un directory bruteforcer dirbuster:https://www.owasp.org/index.php/Category:OWASP_DirBuster_Projectai sanse mai ridicate de a gasi ceva. Quote
