.htaccess (Apache) / web.config (IIS)

Servers typically won't execute files unless they have been configured to do so.

Before an Apache server will execute PHP files requested by a client, developers might have to add the following directives to their /etc/apache2/apache2.conf file:

LoadModule php_module /usr/lib/apache2/modules/libphp.so
AddType application/x-httpd-php .php

Many servers also allow developers to create special configuration files within individual directories in order to override or add to one or more of the global settings. Apache servers, for example, will load a directory-specific configuration from a file called .htaccess if one is present.

Similarly, developers can make directory-specific configuration on IIS servers using a web.config file. This might include directives such as the following, which in this case allows JSON files to be served to users:

<staticContent>
    <mimeMap fileExtension=".json" mimeType="application/json" />
</staticContent>

Web servers use these kinds of configuration files when present, but you're not normally allowed to access them using HTTP requests. However, you may occasionally find servers that fail to stop you from uploading your own malicious configuration file. In this case, even if the file extension you need is blacklisted, you may be able to trick the server into mapping an arbitrary, custom file extension to an executable MIME type. For example, on Apache, the attack will be:

  1. Upload a .htaccess file that contains AddType application/x-httpd-php .l33t.

  2. Upload a webshell named webshell.l33t.

  3. Visit weshell.l33t and RCE.

Last updated