Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Interpret it!
Search
Bo0oM
August 15, 2020
Research
0
1.2k
Interpret it!
Let's look at the source code that wasn't interpriposed.
Bo0oM
August 15, 2020
Tweet
Share
More Decks by Bo0oM
See All by Bo0oM
Носок на сок
bo0om
0
1.9k
Выйди и зайди нормально
bo0om
0
88
Защита от вредоносной автоматизации сегодня
bo0om
0
610
Defending against automatization using nginx
bo0om
0
850
Antibot pitch deck
bo0om
0
170
31337
bo0om
0
200
Your back is white
bo0om
0
380
FTP2RCE
bo0om
1
7.6k
At Home Among Strangers
bo0om
1
3.9k
Other Decks in Research
See All in Research
製造業主導型経済からサービス経済化における中間層形成メカニズムのパラダイムシフト
yamotty
0
430
財務諸表監査のための逐次検定
masakat0
0
220
長期・短期メモリを活用したエージェントの個別最適化
isidaitc
0
370
"主観で終わらせない"定性データ活用 ― プロダクトディスカバリーを加速させるインサイトマネジメント / Utilizing qualitative data that "doesn't end with subjectivity" - Insight management that accelerates product discovery
kaminashi
15
18k
日本語新聞記事を用いた大規模言語モデルの暗記定量化 / LLMC2025
upura
0
400
Aurora Serverless からAurora Serverless v2への課題と知見を論文から読み解く/Understanding the challenges and insights of moving from Aurora Serverless to Aurora Serverless v2 from a paper
bootjp
6
1.3k
A History of Approximate Nearest Neighbor Search from an Applications Perspective
matsui_528
1
120
Satellites Reveal Mobility: A Commuting Origin-destination Flow Generator for Global Cities
satai
3
320
AIスーパーコンピュータにおけるLLM学習処理性能の計測と可観測性 / AI Supercomputer LLM Benchmarking and Observability
yuukit
1
420
Unsupervised Domain Adaptation Architecture Search with Self-Training for Land Cover Mapping
satai
3
500
20251023_くまもと21の会例会_「車1割削減、渋滞半減、公共交通2倍」をめざして.pdf
trafficbrain
0
150
AIスパコン「さくらONE」のLLM学習ベンチマークによる性能評価 / SAKURAONE LLM Training Benchmarking
yuukit
2
930
Featured
See All Featured
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
162
16k
Java REST API Framework Comparison - PWX 2021
mraible
34
9.1k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
27k
Into the Great Unknown - MozCon
thekraken
40
2.2k
Why Your Marketing Sucks and What You Can Do About It - Sophie Logan
marketingsoph
0
53
Stop Working from a Prison Cell
hatefulcrawdad
273
21k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
31
2.6k
Information Architects: The Missing Link in Design Systems
soysaucechin
0
730
YesSQL, Process and Tooling at Scale
rocio
174
15k
コードの90%をAIが書く世界で何が待っているのか / What awaits us in a world where 90% of the code is written by AI
rkaga
58
41k
How to Align SEO within the Product Triangle To Get Buy-In & Support - #RIMC
aleyda
1
1.4k
How to Ace a Technical Interview
jacobian
281
24k
Transcript
How do I see the source code? • Include files
(header.inc) • Backup files • Temp files (nano, vim, etc) • .git or another version-control system • Arbitrary file reading
Interpret it! Anton “Bo0oM” Lopanitsyn
Server configuration errors Multiple routing and microservices location / {
try_files $uri $uri/ /index.html; ... } location /blog { … }
Server configuration errors Multiple routing and microservices
How to find it? https://example.com/config.php - 200, 0B https://example.com/config.php -
200, 3KB Content-type: application/octet-stream text/plain
Find a vulnerability in the config! location ~ ^(.+\.php)(.*)$ {
fastcgi_split_path_info ^(.+\.php)(.*)$; fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name; fastcgi_param DOCUMENT_ROOT /var/www/html; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_index index.php; }
Nope https://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_split_path_info
Windows + Nginx = <3 https://example.com/config.php - 200, 0B https://example.com/config.pHP
location ~ ^(.+\.php)(.*)$ location ~ ^(.+\.php)(.*)$ Linux (case sensitive): https://example.com/config.pHP - 404 Windows: https://example.com/config.pHP - 200
Nginx /etc/nginx/site-enabled/default server { listen 80 default_server; listen
[::]:80 default_server; root /var/www/html; index index.html index.htm index.nginx-debian.html; server_name _; location / { try_files $uri $uri/ =404; } }
None
None
None
Apache /etc/apache2/sites-enabled/000-default.conf <VirtualHost *:80> ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined </VirtualHost>
Apache /etc/apache2/sites-enabled/example.conf <VirtualHost *:80> DocumentRoot /var/www/html/example.com <FilesMatch "\.ph(p[3-5]?|tml)$"> SetHandler application/x-httpd-php
</FilesMatch> …
How to find it? example.com, IP: 123.123.123.123 Check http://123.123.123.123/config.php http://123.123.123.123/example/config.php
http://123.123.123.123/example.com/config.php
CDN’s https://forum.example.com https://cdn.example.com/forum/static/123/123.jpg https://cdn.example.com/forum/config.php Unbelievable, but the fact is, some
move the whole project to cdn!
0day
Blog: https://bo0om.ru Twitter: @i_bo0om Telegram channel: @webpwn
bo0om
yamotty
masakat0
isidaitc
kaminashi
upura
bootjp
matsui_528
.png){kind=avatar}
satai
yuukit
trafficbrain
sstephenson
mraible
cassininazir
thekraken
marketingsoph
hatefulcrawdad
marktimemedia
soysaucechin
rocio
rkaga
aleyda
jacobian
![Apache /etc/apache2/sites-enabled/example.conf <VirtualHost *:80> DocumentRoot /var/www/html/example.com <FilesMatch "\.ph(p[3-5]?|tml)$"> SetHandler application/x-httpd-php](https://files.speakerdeck.com/presentations/0ecb1a2e4df24c39acaf78fbcdfe9557/slide_13.jpg){kind=link}
