web php apache htaccess blind-oracle file-read exfiltration

Turn an .htaccess injection into a boolean exfiltration oracle using Apache expression syntax over a sensitive file.

Blind File Oracle via Header set ... "expr=..."

Apache expression syntax can inspect files and request data. Even when you cannot print the file, a regex match can be turned into a header/no-header boolean oracle: server-side blind exfiltration through configuration side effects.

Why It Works

  • Header set X yes "expr=file('/flag') =~ m#...#" emits the header only when the regex matches, so each request leaks one bit about the file.

Vulnerable Pattern

  • Any successful .htaccess injection or header-directive control in front of a readable sensitive file.

Exploit Flow

  1. Prove the header expression executes at all with a constant Header set X yes.
  2. Switch to file(...) and regex prefix checks on the target file.
  3. Brute-force the secret one character at a time by checking whether the header appears for a given prefix.

Variations

  • Exact prefix regex, character-class probing, or multiple headers to parallelize bits if the parser allows it.

Common Blockers

  • AllowOverride restrictions, file path permissions, or regex-dialect surprises inside Apache expressions.

PoC Sketch

Header set Flag yes "expr=file('/flag.txt') =~ m#^FCSC\{a#"
# brute-force the next char by checking if response header `Flag: yes` is present
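From the defender's side, the directive shape in the sketch above is easy to recognise in a config audit or in an upload filter for user-controlled .htaccess files: a Header or RequestHeader directive whose expr= condition calls a filesystem function such as file() or filesize(). The scanner below is an added example written for this page, not code from pwneglyph or from the referenced challenges. It flags such directives, records the path they read, and marks the finding as an oracle when the file read feeds a comparison operator. The sample .htaccess content is constructed for the demonstration; running the check on a server where AllowOverride is None is still worthwhile for the server-level config, since the same directive works there.

```python
import re
from typing import List, NamedTuple

# Constructed sample .htaccess content (not from the original page): two benign
# directives, one conditional directive that does not touch the filesystem, one
# blind-oracle directive of the shape shown in the PoC sketch, and a
# RequestHeader variant that uses filesize() as the condition.
SAMPLE_HTACCESS = """\
# security headers
Header set X-Content-Type-Options nosniff
Header always set Strict-Transport-Security "max-age=31536000" "expr=%{HTTPS} == 'on'"
Header set Flag yes "expr=file('/flag.txt') =~ m#^FCSC\\{a#"
RequestHeader set X-Probe 1 "expr=filesize('/etc/passwd') > 0"
"""


class Finding(NamedTuple):
    line_no: int    # 1-based line in the scanned content
    directive: str  # Header or RequestHeader
    function: str   # file or filesize
    path: str       # path argument passed to the function
    risk: str       # "oracle" when the read feeds a comparison, else "file-read"
    text: str       # the offending directive, stripped


# Directives from mod_headers that accept an expr= condition.
_DIRECTIVE_RE = re.compile(r"^\s*(Header|RequestHeader)\b", re.IGNORECASE)

# Expression functions that read the filesystem, with a quoted path argument.
_FILE_CALL_RE = re.compile(
    r"\b(file|filesize)\s*\(\s*(['\"])(.*?)\2\s*\)", re.IGNORECASE
)

# Comparison operators in Apache expression syntax; a file read next to one of
# these is what turns a read into a true/false side channel.
_COMPARE_RE = re.compile(r"(=~|!~|==|!=|<=|>=|<|>|-eq|-ne|-lt|-le|-gt|-ge)")


def scan_htaccess(content: str) -> List[Finding]:
    """Return one Finding per filesystem call inside a conditional header directive."""
    findings: List[Finding] = []
    for no, line in enumerate(content.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        directive = _DIRECTIVE_RE.match(line)
        if not directive or "expr=" not in line:
            continue
        risk = "oracle" if _COMPARE_RE.search(line) else "file-read"
        for call in _FILE_CALL_RE.finditer(line):
            findings.append(
                Finding(no, directive.group(1), call.group(1).lower(),
                        call.group(3), risk, stripped)
            )
    return findings


def is_clean(content: str) -> bool:
    """Convenience check for an upload filter: True when nothing was flagged."""
    return not scan_htaccess(content)


if __name__ == "__main__":
    for f in scan_htaccess(SAMPLE_HTACCESS):
        print(f"line {f.line_no}: {f.directive} reads {f.path} via {f.function}() "
              f"[{f.risk}] -> {f.text}")
```

The operator list is deliberately broad: a directive that merely reads a file without comparing it is still worth reviewing, so it is reported as file-read rather than dropped. Integrate `is_clean()` wherever .htaccess content is accepted from users, and run `scan_htaccess()` over existing configuration as a one-off audit.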

Good Situations To Use It

  • You already have .htaccess / header-directive injection.
  • A sensitive file is readable by the Apache process.
  • No direct read primitive exists, but a boolean oracle is acceptable.

Sources

  • fcsc2026/web/secure_mood_notes_1
  • fcsc2026/web/secure_mood_notes_2/part_1