htaccess
Alexey Zorin, 2014-07-03 01:35:17

What to write in .htaccess so that the server does not issue an executable file for download?

Hello.
I am testing a financial project for vulnerabilities. The main programmer is a terrible bore, so getting access to the configs is a problem.
There is a script for uploading images. The MIME type check was successfully bypassed. The check that the file name does not contain .php and .shtm (case-insensitive) was also successfully bypassed.
Actions:
- Added the line AddType application/x-httpd-php .php .htm .html .phtml .hack to .htaccess
- Uploaded the test.hack file
- Uploaded .htaccess
When navigating to test.hack, the file is simply offered for download.
How can I get around this protection? I have access to the server scripts, I have all the source code. I can execute arbitrary PHP code on the server. No config files.


3 answer(s)
Alexander Borisovich, 2014-07-03
@Alexufo

Are you sure htaccess is up and running?

Andrey Burov, 2014-07-03
@BuriK666

AddHandler application/x-httpd-php .hack

Vlad Zhivotnev, 2014-07-03
@inkvizitor68sl

Add this line to your apache config.
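
The filter described in the question is a blocklist on file names, which is why `.htaccess` and `test.hack` passed it. As an added example (not code from the thread or from the project under test), the sketch below contrasts that blocklist with an extension allowlist and flags handler-remapping directives in an uploaded `.htaccess`; the function names, the allowed-extension set and the sample text are assumptions constructed for illustration.

```python
from __future__ import annotations
import re
from pathlib import PurePosixPath

# Assumption: the upload form should accept only these image types.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}

# Directives that change how Apache serves a file type when set in .htaccess.
HANDLER_DIRECTIVE = re.compile(
    r"^[ \t]*(AddType|AddHandler|SetHandler|ForceType)\b(.*)$",
    re.IGNORECASE | re.MULTILINE)

# Constructed sample built from the two directives quoted in the thread.
SAMPLE_HTACCESS = """\
# uploaded override file
AddType application/x-httpd-php .php .htm .html .phtml .hack
AddHandler application/x-httpd-php .hack
Options -Indexes
"""

def blocklist_accepts(filename: str) -> bool:
    """The check described in the question: reject names containing .php or .shtm."""
    lowered = filename.lower()
    return ".php" not in lowered and ".shtm" not in lowered

def allowlist_accepts(filename: str) -> bool:
    """Accept only a base name with exactly one allowlisted extension."""
    name = PurePosixPath(filename.replace("\\", "/")).name
    if not name or name.startswith("."):  # rejects dotfiles such as .htaccess
        return False
    suffixes = PurePosixPath(name).suffixes
    return len(suffixes) == 1 and suffixes[0].lower() in ALLOWED_EXTENSIONS

def handler_overrides(htaccess_text: str) -> list[tuple[str, str]]:
    """Return (directive, arguments) for each handler or MIME-type remapping."""
    return [(m.group(1), m.group(2).strip())
            for m in HANDLER_DIRECTIVE.finditer(htaccess_text)]

if __name__ == "__main__":
    for name in (".htaccess", "test.hack", "shell.php.jpg", "photo.JPG"):
        print(f"{name!r}: blocklist={blocklist_accepts(name)} "
              f"allowlist={allowlist_accepts(name)}")
    for directive, args in handler_overrides(SAMPLE_HTACCESS):
        print(f"override: {directive} {args}")
```

On the server side, the complementary control is `AllowOverride None` for the upload directory in the main Apache configuration, so that an uploaded `.htaccess` is ignored.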
