
Bypassing .htaccess/.htpasswd Based Authentication Systems [Tutorial]

Prince

Introduction:

Though the title is not entirely correct, the actual authentication method is called BA (short for Basic Access). The form itself requests that an HTTP user agent supply the credentials. Also, there are no active sessions established during your activity within the system. If you still don't know what I'm talking about, take a look at the image I included at the beginning (deliberately).

Exploitation:

Basically, I could just skip all the redundant information and briefly describe how to exploit it, but the idea is different. I want the members who read this to grasp the actual logic of how things are processed and how the whole scheme is organised. First off, imagine we have the following .htaccess rules:

Code:
Please, Log in or Register to view codes content!


The above rules enable the most basic, yet successful, logging. The URL that is passed to the server is handled by mod_php. What PHP does is render the request method, either as HEAD or POST. In the case of sending the method as "GETS", the invalid method used to send the payload is not checked further (since PHP does not validate that), resulting in the standard output of the shell. Therefore, the status code that we receive is 200, which pretty much means the request has been successful.



Now, in order to escape such cases, we need to define the set of methods that are permitted to be used for the request, denying everything except the two methods: POST & GET.
Code:
Please, Log in or Register to view codes content!
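As an added example (not code from the original post), the following Python audit script shows the two .htaccess shapes side by side: the weak one wraps the Basic Auth directives in a `<Limit GET POST>` block, so Apache only enforces them for those verbs and any other method reaches the handler unchallenged; the hardened one applies the auth directives to every method and uses `<LimitExcept GET POST>` to reject everything else. Both snippets, the `.htpasswd` path and the realm name are constructed for illustration.

```python
"""Audit .htaccess snippets for Basic Auth directives that are only
enforced for some HTTP methods (the verb-tampering weakness above)."""
import re

# Directives that make up the Basic Auth challenge / access decision.
AUTH_DIRECTIVES = ("AuthType", "AuthName", "AuthUserFile", "Require")

# Constructed example of the weak pattern: everything sits inside
# <Limit GET POST>, so any other verb is never challenged.
WEAK_HTACCESS = """\
<Limit GET POST>
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /var/www/.htpasswd
    Require valid-user
</Limit>
"""

# Constructed example of the hardened form: auth directives apply to
# every method, and anything other than GET/POST is denied outright.
HARDENED_HTACCESS = """\
AuthType Basic
AuthName "Restricted"
AuthUserFile /var/www/.htpasswd
Require valid-user
<LimitExcept GET POST>
    Require all denied
</LimitExcept>
"""

# <Limit ...> only; the \b keeps this from matching <LimitExcept ...>.
_OPEN = re.compile(r"^\s*<Limit\b([^>]*)>", re.IGNORECASE)
_CLOSE = re.compile(r"^\s*</Limit>", re.IGNORECASE)


def find_method_scoped_auth(htaccess_text):
    """Return findings for auth directives that live inside a <Limit ...>
    block, together with the methods that block covers. Directives
    outside any <Limit> apply to all methods and are not reported."""
    findings = []
    methods = None  # None while not inside a <Limit> block
    for lineno, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _OPEN.match(line)
        if m:
            methods = m.group(1).split()
            continue
        if _CLOSE.match(line):
            methods = None
            continue
        directive = line.split(None, 1)[0]
        if methods is not None and directive in AUTH_DIRECTIVES:
            findings.append({"line": lineno, "directive": directive,
                             "only_for": methods})
    return findings


def is_verb_scoped(htaccess_text):
    """True when the Basic Auth protection can be skipped by sending a
    method that is not in the <Limit> list."""
    return bool(find_method_scoped_auth(htaccess_text))


if __name__ == "__main__":
    for label, text in (("weak", WEAK_HTACCESS), ("hardened", HARDENED_HTACCESS)):
        hits = find_method_scoped_auth(text)
        print(f"{label}: {'VULNERABLE' if hits else 'ok'}")
        for h in hits:
            print(f"  line {h['line']}: {h['directive']} only enforced for {h['only_for']}")
```

The audit treats any auth directive inside a plain `<Limit>` as a finding; the hardened snippet passes because its `Require all denied` sits in a `<LimitExcept>`, which the `\b` in the opening-tag pattern deliberately ignores.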


The actual exploitation part pretty much consists of replaying the request to the directory that is using the authentication system. You could do that in numerous ways, but for the sake of this tutorial, I'm going to go through two of them. The easier one is using the add-on Live HTTP Headers, which allows you to view and/or modify the headers in the request, and the other one is using a PHP-based script for opening/establishing a raw socket connection to the specified server.

Using Live HTTP Headers, just specify the method (which ought to be different from POST or GET) and replay the request beforehand so that you are able to modify it.



Once this is achieved, you will automatically get authorized without supplying any credentials to the form. The other way around this, which I'm going to explain, is the already mentioned socket connection.
Code:
Please, Log in or Register to view codes content!

The socket establishes a connection to the target and returns the status of the request for confirmation. Firstly, we define the headers under the variable $request. Then we specify that the target URL should be a POST value of a form-supplied input (you can put in the three lines of HTML to visualize that, or skip the usage of $_POST and just use the URL directly). Then we establish the actual connection with the functions fsockopen() and fwrite(). We store the result under the variable $received, which reads the request with a size of 1 MB (just to make sure we receive the whole of it).

And let's actually see through telnet how our method is processed.



Using "GETS" as the method, we receive the 501 status code, which means that the server either does not recognize the request method or lacks the ability to fulfill it, thus getting us authorized.
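From the defender's side, both outcomes described above (a 200 handed out by PHP for an unrecognised verb, or a 501 from the server) leave a distinctive trace in the access log. The following Python script, an added example rather than anything from the original post, scans Apache combined-format log lines and raises an alert for any request whose method is not a registered HTTP verb, and for any 2xx response on a Basic Auth-protected path where no authenticated user was logged (with Basic Auth in force, a successful response should always carry a user in the `%u` field). The `/admin/` prefix, the IP addresses and the log lines are constructed for the example.

```python
"""Flag HTTP verb-tampering attempts against Basic Auth-protected paths
in Apache combined-format access logs."""
import re

# Methods registered for HTTP; anything else is worth a look.
STANDARD_METHODS = {"GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE",
                    "PATCH", "TRACE", "CONNECT"}

# Assumed path prefix protected by .htaccess Basic Auth (constructed).
PROTECTED_PREFIXES = ("/admin/",)

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample traffic (not real logs).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.5 - alice [10/Oct/2023:13:55:40 +0000] "GET /admin/ HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:57:01 +0000] "GETS /admin/index.php HTTP/1.1" 200 2326 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2023:13:57:05 +0000] "GETS /admin/index.php HTTP/1.1" 501 320 "-" "curl/8.0"
198.51.100.2 - - [10/Oct/2023:14:02:00 +0000] "GET /public/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_protected(path):
    return path.startswith(PROTECTED_PREFIXES)


def analyze(log_text):
    """Return one alert per suspicious request with the reasons it fired."""
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        # Rule 1: a verb outside the registered set is a tampering probe,
        # whether the server answered 200 (PHP ran) or 501 (rejected).
        if rec["method"] not in STANDARD_METHODS:
            reasons.append("nonstandard_method")
        # Rule 2: a success on a protected path without an authenticated
        # user means the Basic Auth check never ran for that request.
        status = int(rec["status"])
        if is_protected(rec["path"]) and 200 <= status < 300 and rec["user"] == "-":
            reasons.append("unauthenticated_success_on_protected_path")
        if reasons:
            alerts.append({"line": lineno, "ip": rec["ip"], "method": rec["method"],
                           "path": rec["path"], "status": status, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"line {a['line']}: {a['ip']} {a['method']} {a['path']} -> {a['status']} "
              f"[{', '.join(a['reasons'])}]")
```

Rule 2 is the more general of the two: it also catches a bypass that uses a registered verb the `<Limit>` block happens to omit, since the telltale sign is the success response with no user, not the spelling of the method.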

Conclusion:

That's what I wanted to share. Of course, we could've gone much deeper, but the point is to understand the basic scheme of the whole process, not just to throw in random queries, vectors, payloads or whatnot (as is the case with SQLi and XSS...).