Bypassing .htaccess/.htpasswd Based Authentication

Little off-topic:

It’s been some time since I posted some decent stuff related to hacking and as a whole in this section. Most of my recent activity was aimed at the PHP development section and mainly coding.

Introduction:

Though, the title is not entirely correct, the actual authentication method is called BA (abbreviated for Basic Access). The form itself requests an HTTP user-agent to supply the credentials. Also there are no active sessions established during your activity within the system. If you still don’t know what I’m talking about take a look at the image I included at the beginning (deliberately).

Exploitation:

Basically, I could just skip all the redundant information and briefly describe how to exploit it but the idea is different. I want the members who read this to gain the actual logic of how the things are being processed and how the whole scheme is being organised. First off, imagine we have the following .htaccess rules:

AuthUserFile /mnt/web/guide/somewhere/somepath/.htpasswd  
AuthGroupFile /dev/null  
AuthName [Directory we want to restrict access to]  
AuthType Basic  

The above rules enable the most basic, yet successful logging. The URL that is being parsed to the server is being handled by mod_php. What PHP does is render the request method, either as HEAD or POST. In the case of sending the method as “GETS”, that leads to the invalid method used to send the payload not being checked further (since PHP does not validate that) and resulting in the standard output of the shell. Therefore, the status code that we receive is equal to 200 which pretty much means the request has been successful.

Now in order to escape such cases, we need to define the limit of methods that are permitted to be used for the request, denying everything except the two methods - POST & GET.

<LimitExcept GET POST>  
  Order Allow,Deny  
  Deny from all  
</LimitExcept>  

The part of the actual exploitation pretty much consists of replaying the request to the directory that is using the authentication system. You could do that in numerous ways, but for the sake of this tutorial, I’m going to go through two of them. The easier one is using the add-on Live HTTP Headers, which allows you to view or/and modify the headers in the request and the other one is using a PHP-based script for opening/establishing a raw socket connection to the specified server.

Using HTTP Live Headers, just specify the method (which is ought to be different than POST or GET) and replay the request beforehand so that you get enabled to modify that.

Once this is achieved, you will automatically get authorized without any supplied credentials to the form. The other way round this, that I’m going to explain is the already mentioned socket connection.

<?php  
error_reporting(0);  

$request = "Keeper / HTTP/1.1\r\n  
User-Agent: Mozilla/4.0 (Compatible; whatever)\r\n  
Host: google.com\r\n  
Accept: */*\r\n";  

$urltarget = $_POST['url'];  

$socket = fsockopen($urltarget);  
fwrite($socket,$request);  
$received = fread($socket,1024*1024);  
echo $received;  

?>  

The socket establishes a connection to the target and returns the status of the request for confirmatory reason. Firstly, we define the headers under the variable $request. Then we specify that the target URL should be a POST value of a form supplied input (you can put the three lines of HTML in order to visualize that or neglect the usage of $_POST and just use the URL directly). Then we establish the actual connection with the function fsockopen() and fwrite(). We store the result under the variable $received which is receiving the request with 1MB of size (just to make sure we receive the whole of it).

And let’s actually see through telnet how our method is processed.

Using “GETS” as method we receive the 501 status code which means that the server either does not recognize the request method, or it lacks the ability to fulfill it thus getting us authorized.

Conclusion:

That’s what I wanted to share. Of course, we could’ve gone much deeper but the point is to understand the basic scheme of the whole process, not just to implement random queries, vectors, payloads or what not (as is the case of SQLi and XSS..).