Interpret it!
Bo0oM
August 15, 2020
Research
Let's look at the source code that wasn't interpreted.
Transcript
How do I see the source code?
• Include files (header.inc)
• Backup files
• Temp files (nano, vim, etc)
• .git or another version-control system
• Arbitrary file reading
Interpret it! Anton “Bo0oM” Lopanitsyn
Server configuration errors
Multiple routing and microservices
location / {
    try_files $uri $uri/ /index.html;
    ...
}
location /blog {
    …
}
Server configuration errors Multiple routing and microservices
How to find it?
https://example.com/config.php - 200, 0B
https://example.com/config.php - 200, 3KB
Content-type:
    application/octet-stream
    text/plain
Find a vulnerability in the config!
location ~ ^(.+\.php)(.*)$ {
    fastcgi_split_path_info ^(.+\.php)(.*)$;
    fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
    fastcgi_param DOCUMENT_ROOT /var/www/html;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_index index.php;
}
Nope https://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_split_path_info
Windows + Nginx = <3
https://example.com/config.php - 200, 0B
https://example.com/config.pHP
location ~ ^(.+\.php)(.*)$
location ~ ^(.+\.php)(.*)$
Linux (case sensitive): https://example.com/config.pHP - 404
Windows: https://example.com/config.pHP - 200
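An added example (not from the deck): a self-audit check that applies the signals from the "How to find it?" and "Windows + Nginx" slides to responses fetched from your own server. The function names and the sample responses are constructed for illustration.

```python
import re

# PHP location regex from the slides. nginx "~" matches case-sensitively.
PHP_LOCATION = re.compile(r"^(.+\.php)(.*)$")
PHP_NAME_ANY_CASE = re.compile(r"^(.+\.php)(.*)$", re.IGNORECASE)
# Content types the slides give as the sign of a script served raw.
RAW_TYPES = {"application/octet-stream", "text/plain"}
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def audit_response(path, status, content_type, body):
    """Return findings for one response fetched from your own server."""
    findings = []
    if status != 200 or not PHP_NAME_ANY_CASE.match(path):
        return findings
    if not PHP_LOCATION.match(path):
        # 200 for a case variant: the file system resolved the name but the
        # case-sensitive location did not hand the request to PHP.
        findings.append("case variant bypassed PHP location")
    ctype = content_type.split(";")[0].strip().lower()
    if ctype in RAW_TYPES:
        findings.append("raw content type: " + ctype)
    if PHP_OPEN_TAG.search(body):
        findings.append("PHP open tag in body")
    return findings


# Constructed sample responses (path, status, Content-Type, body).
SAMPLES = [
    ("/config.php", 200, "text/html; charset=UTF-8", b""),
    ("/config.php", 200, "application/octet-stream", b"<?php $pw = 'x';"),
    ("/config.pHP", 404, "text/html", b"<html>Not Found</html>"),
    ("/config.pHP", 200, "text/plain", b"<?php $pw = 'x';"),
]


def audit_all(samples):
    """Return (path, findings) for every sample that leaked source."""
    results = [(s[0], audit_response(*s)) for s in samples]
    return [(path, found) for path, found in results if found]


if __name__ == "__main__":
    for path, found in audit_all(SAMPLES):
        print(path, "->", "; ".join(found))
```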
Nginx
/etc/nginx/sites-enabled/default
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name _;
    location / {
        try_files $uri $uri/ =404;
    }
}
Apache
/etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Apache
/etc/apache2/sites-enabled/example.conf
<VirtualHost *:80>
    DocumentRoot /var/www/html/example.com
    <FilesMatch "\.ph(p[3-5]?|tml)$">
        SetHandler application/x-httpd-php
    </FilesMatch>
    …
How to find it?
example.com, IP: 123.123.123.123
Check
http://123.123.123.123/config.php
http://123.123.123.123/example/config.php
http://123.123.123.123/example.com/config.php
CDNs
https://forum.example.com
https://cdn.example.com/forum/static/123/123.jpg
https://cdn.example.com/forum/config.php
Unbelievable but true: some move the whole project to the CDN!
0day
Blog: https://bo0om.ru Twitter: @i_bo0om Telegram channel: @webpwn