Bypassing file upload filter using .htaccess file(CTF)

Hello, everyone myself Rahul Bogar, beginner in cybersecurity. This is my first writeup about how I bypass the file upload filters by using “.htaccess” file.

overview of file upload vulnerability

File upload Vulnerability:

File upload vulnerability is a security flaw that arises when an application improperly handles user-uploaded files. This type of vulnerability can allow attackers to upload malicious files, which can lead to various exploits, such as executing arbitrary code, data theft, or even full server compromise.

This is CTF challenge held by metactf.

challenge

This challenge contain the file upload functionality.

normally I uploaded the “.txt” file it gives the path, when I visit that path it display the content of the file.

.txt file

then I tried to upload “.php” file, but it not allowing PHP and it’s variations. so, I opened my burp, intercept the request and send to the repeater and tried double extension, null bytes, changing content but nothing works.

In the response we can see it reveals the backend server is running on Apache/2.4.62

black listed php file

I thought this can be bypass using “.htaccess” configuration file.

you can read more about .htaccess file using below link

Apache HTTP Server Tutorial: .htaccess files

lets come back to story, I created .htaccess file with content of

AddType application/x-httpd-php .evil

It means any arbitary file with extention “.evil” can run as PHP.

.htaccess file

so, I created backdoor.evil file which contain the simple PHP backdoor code and uploaded it. and also it was successfully uploaded.

backdoor.evil file uploaded successfully

now time to execute the commands on the web server by using the backdoor, go to file path with parameter uploads/backdoor.evil?cmd= and result is

listing files

displaying /etc/passwd file

final flag

finally I got the flag.

Thank you…