description |
---|
Note : A JOURNEY TO GAIN KNOWLEDGE |
Missing Authorization to .htaccess File lead to RCE
The minimum permission that a subscriber should have typically doesn't include the ability to upload or overwrite files like .htaccess. However, if there is a vulnerability or misconfiguration that allows a subscriber to perform such actions, it could potentially lead to a successful Remote Code Execution (RCE) attack on the server.
- In the
register
function, using any of the three different methods, we can completely upload the .htaccess file by utilizing one of the parameters: htaccess_root, htaccess_includes, and htaccess_content.
if (!empty($_POST['save_root'])) {
if (isset($_POST['wp_extra']['htaccess_root'])) {
$htaccess_root = trim(stripslashes($_POST['wp_extra']['htaccess_root']));
if ($htaccess_root) {
@file_put_contents($path_root, $htaccess_root);
}
if (!empty($_POST['save_content'])) {
if (isset($_POST['wp_extra']['htaccess_content'])) {
$htaccess_content = trim(stripslashes($_POST['wp_extra']['htaccess_content']));
if ($htaccess_content) {
if (!file_exists($path_content)) {
@file_put_contents($path_content, $htaccess_content);
}
} else {
unlink($path_content);
}
}
}
if (!empty($_POST['save_includes'])) {
if (isset($_POST['wp_extra']['htaccess_includes'])) {
$htaccess_includes = trim(stripslashes($_POST['wp_extra']['htaccess_includes']));
if ($htaccess_includes) {
if (!file_exists($path_includes)) {
@file_put_contents($path_includes, $htaccess_includes);
}
} else {
unlink($path_includes);
}
}
}
Despite being blacklisted, it is still possible to configure the .htaccess file to treat this file extension as executable, similar to a regular PHP file, enabling Remote Code Execution (RCE) to be performed.
Thanks for reading, have a nice day ❤️