.htaccess Backdoor

I was looking up information on .htaccess and .htpasswd when I came across a link that described how to leverage .htaccess for persistence with a backdoor. It piqued my curiosity, but after playing around with it for a few minutes, I couldn't get it to work. I did some Googling and I still couldn't figure out whether or not the post had old information, was incorrect, or what. But then, after thinking about it, I realized it was far too complicated for what we're really trying to accomplish.

Odds are pretty good that someone is going to dig through their .htaccess file sooner than, say, some random .txt file that ends up in the webroot after install. So let's go that route.

I fire up a brand new Joomla install:

When we look at the /html directory, we see the following:

Just in the root folder, we see five text files. Not all of these are ideal, for a number of reasons, but let's focus on README.txt -- but first, we need to do a little something with our .htaccess file:

When we peer inside, we see a lot of rules for a default Joomla install.  Let's say we scroll down a bit and we bury the following:

Basically, what we're saying is this -- if the file ends in .txt, let's treat it like it's PHP.  Back to our README.txt file:

Let's open this up and bury the following:

When we browse README.txt, we can now get code execution:

I think that's a lot cleaner and easier.
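Both changes described above leave something to check for on disk: an .htaccess rule that hands non-PHP extensions to PHP, and a PHP open tag inside a file that should be static. The following Python check is an added example, not code from the original post; the directives are standard Apache ones, while the extension lists and function names are assumptions to tune per site.

```python
import os
import re
import sys

# Apache directives that bind a handler or MIME type to files or extensions.
DIRECTIVE_RE = re.compile(r"^\s*(AddType|AddHandler|SetHandler|ForceType)\s+(.*)$", re.I)
# Extensions normally served by PHP (assumed list; adjust for the host).
PHP_EXT = {"php", "phtml", "php5", "php7", "php8"}
# Extensions that should only ever be served as static content (assumed list).
STATIC_EXT = {".txt", ".md", ".log", ".css", ".ico", ".gif", ".jpg", ".jpeg", ".png"}
PHP_TAG_RE = re.compile(rb"<\?(php|=)", re.I)

def suspicious_htaccess_lines(text):
    """Return (line_no, line) for directives that route non-PHP files to PHP."""
    hits = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = DIRECTIVE_RE.match(raw)  # commented-out lines start with '#': no match
        if not m:
            continue
        name, args = m.group(1).lower(), m.group(2).split()
        if not args or "php" not in args[0].lower():
            continue
        exts = {a.lstrip(".").lower() for a in args[1:]}
        # SetHandler/ForceType apply to the whole enclosing scope: always review.
        if name in ("sethandler", "forcetype") or exts - PHP_EXT:
            hits.append((n, raw.strip()))
    return hits

def scan(root):
    """Walk a webroot; return (path, line_no, detail) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1_000_000)  # first 1 MB is enough for this check
            except OSError:
                continue
            if fname == ".htaccess":
                text = data.decode("utf-8", "replace")
                findings += [(path, n, l) for n, l in suspicious_htaccess_lines(text)]
            elif os.path.splitext(fname)[1].lower() in STATIC_EXT and PHP_TAG_RE.search(data):
                findings.append((path, 0, "PHP open tag in static file"))
    return findings

if __name__ == "__main__":
    for path, n, detail in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}:{n}: {detail}")
```

Run it against the webroot path and diff the findings against a clean install of the same CMS version; a legitimate PHP-FPM `SetHandler` block will show up and needs a one-time review.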