Summary of common Web source leaks in CTF

Source: Internet
Author: User
Tags: subversion, client, version control system

Catalog

    • 0x01 hg source leaks
    • 0x02 git source leaks
    • 0x03 .DS_Store file leaks
    • 0x04 Website backup zip files
    • 0x05 SVN causes file leaks
    • 0x06 WEB-INF/web.xml leak
    • 0x07 CVS leak
    • Tools recommended
    • Reference

0x01 hg source code leak

Causes of vulnerability:

Running hg init generates a .hg directory.

http://www.am0s.com/.hg/

Exploit:

Tool: dvcs-ripper

http://www.am0s.com/.hg/

0x02 git source leaks

Causes of vulnerability:

When git init is run to initialize a code base, a hidden .git directory is generated in the current directory to record changes to the code and so on. If the .git directory is not deleted when the code is released and is published along with it, the source code can be restored from it.

http://www.am0s.com/.git/config

Exploit:

Tools:

GitHack

http://www.am0s.com/.git/

dvcs-ripper

http://www.am0s.com/.git/

0x03 .DS_Store file leaks

Causes of vulnerability:

The hidden .DS_Store file in a folder was not deleted when the code was published. Once it is found, it reveals sensitive file names and other information.

Exploit:

http://www.am0s.com/.ds_store

Note: check the path.

Tools:

ds_store_exp

0x04 Website backup zip files

While a site is in use, its files often need to be modified or upgraded, which calls for backing up the site or individual pages. When a backup file, or a cache file created during editing, is left in the web directory for whatever reason and the directory has no access restrictions, the backup or editor cache file can be downloaded. This discloses sensitive information and leaves a hidden danger for the security of the server.

Causes and harms of vulnerability:

The main causes of the vulnerability are the following two kinds:

    1. The server administrator mistakenly places a backup of the website or of a web page under the server's web directory.
    2. Backup or temporary files that an editor saves automatically during use are left in the web directory and, for various reasons, never deleted.

Vulnerability Detection:

This vulnerability often lets the complete source code of the site, or the source of some pages, be downloaded and used. The source code contains a variety of sensitive information, such as database connection information and server configuration, and its leak can cause huge losses. The leaked source code can also be audited to find further weaknesses, leaving hidden dangers for the security of the entire system.

.rar .zip .7z .tar .gz .bak .swp .txt .html

0x05 SVN causes file leaks

Subversion, or SVN, is an open source version control system. Compared with RCS and CVS it uses a branch management system, and it is designed to replace CVS. More and more version control services on the Internet are moving from CVS to Subversion.

Subversion uses a client-server structure, although the server and the client can of course run on the same machine. The server side holds the Subversion repository with all the controlled data; on the other side is the Subversion client program, which manages a local mapping (called a "working copy") of the controlled data. Between these two ends, access goes through the channels of the Repository Access (RA) layers. Through these channels the repository can be operated on over different network protocols, such as HTTP, SSH, or local files.

http://www.am0s.com/admin/scripts/fckeditor.266/editor/.svn/entries

Exploit:

Tools:

dvcs-ripper

http://www.am0s.com/.svn/

Seay-SVN

0x06 WEB-INF/web.xml leak

WEB-INF is the secure directory of a Java web application. To access its files directly from a page, the files must be mapped through the web.xml file.

WEB-INF mainly includes the following files and directories:

    • /WEB-INF/web.xml: The web application configuration file, which describes the configuration and naming conventions of servlets and other application components.
    • /WEB-INF/classes/: Contains all of the site's class files, including servlet classes and non-servlet classes; they cannot be included in a .jar file.
    • /WEB-INF/lib/: Stores the jar files required by the web application; only jar files needed by this application are placed here, such as database driver jar files.
    • /WEB-INF/src/: The source directory, with each Java file placed according to its package name structure.
    • /WEB-INF/database.properties: The database configuration file.

Causes of vulnerability:

Web applications are often deployed with several web servers working together, to compensate for the performance weaknesses of a single web server, to gain the benefits of load balancing, and to apply layered security policies. In such an architecture, improper mapping of static resource directories or files can introduce security problems that allow files such as web.xml to be read.

Vulnerability detection and how to use:

Find the web.xml file, infer the paths of the class files from it, fetch the class files directly, and decompile them to obtain the website source code.
In general, a JSP engine forbids access to the WEB-INF directory by default. The problem appears when Nginx is used with Tomcat for load balancing or clustering, and the cause is simple: Nginx is not a JSP engine and does not build the security rules of other kinds of engines into its own security rules (that would be high coupling). Modifying the Nginx configuration file to prohibit access to the WEB-INF directory fixes it:

    location ~ ^/WEB-INF/* { deny all; }

or return 404; or something similar.

0x07 CVS leak

Exploit:

Directories to test:

http://www.am0s.com/CVS/Root returns root information
http://www.am0s.com/CVS/Entries returns the structure of all files

Command to retrieve the source code:

bk clone http://www.am0s.com/name dir

This command clones the remote repo called name into a local directory called dir.

Command to view all changes (run it from the downloaded directory):

bk changes

Bazaar/bzr

Tools:

dvcs-ripper

http://www.am0s.com/.bzr/
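
A pre-publication check for the leftovers covered on this page, as an added example that is not part of the original article: it walks a local web root and reports version-control metadata directories, .DS_Store files, backup files and WEB-INF directories. The function names, category labels, SCRIPT_EXTS and the sample tree are assumptions made up for illustration.

```python
import os
import tempfile

VCS_DIRS = {".hg", ".git", ".svn", ".bzr", "CVS"}   # metadata dirs named on this page
ARCHIVE_EXTS = (".rar", ".zip", ".7z", ".tar", ".gz", ".bak", ".swp")
COPY_EXTS = (".txt", ".html")   # normal web content: flagged only as copies of scripts
SCRIPT_EXTS = (".php", ".jsp", ".asp", ".aspx")     # assumption: scripts of interest

def classify_file(name):
    """Return a finding category for a file name, or None if it looks fine."""
    lower = name.lower()
    if lower == ".ds_store":
        return "ds_store"
    stem, ext = os.path.splitext(lower)
    if lower.endswith(ARCHIVE_EXTS) or (ext in COPY_EXTS and stem.endswith(SCRIPT_EXTS)):
        return "backup"
    return None

def audit_webroot(root):
    """Walk a local web root; return sorted (category, relative path) findings."""
    def rel(dirpath, name):
        return os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            if d in VCS_DIRS:
                findings.append(("vcs-metadata", rel(dirpath, d)))
                dirnames.remove(d)      # one finding per repository, no descent
            elif d.upper() == "WEB-INF":
                findings.append(("web-inf", rel(dirpath, d)))  # front end must deny it
        for f in filenames:
            if (category := classify_file(f)):
                findings.append((category, rel(dirpath, f)))
    return sorted(findings)

def build_sample_tree():
    """Create a constructed sample web root in a temp directory; return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for d in (".git", "admin/.svn", "CVS", "app/WEB-INF", "static"):
        os.makedirs(os.path.join(root, d))
    for f in (".git/config", "admin/.svn/entries", "CVS/Entries", ".DS_Store",
              "index.php", "index.php.bak", "config.php.txt", "site.tar.gz",
              "static/about.html", "app/WEB-INF/web.xml"):
        open(os.path.join(root, f), "w").close()
    return root

if __name__ == "__main__":
    for category, path in audit_webroot(build_sample_tree()):
        print(f"{category:13} {path}")
```

Run it against the directory that is about to be published; an empty result means none of the leftovers listed on this page are present in that tree.
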
Tools recommended
    • BitKeeper
    • weakfilescan
Reference
    • https://zhuanlan.zhihu.com/p/21296806
    • http://www.s2.sshz.org/post/source-code-leak/

Reprint: http://www.am0s.com/ctf/175.html
