$30 off During Our Annual Pro Sale. View Details »

Interpret it!

Bo0oM
August 15, 2020
Research
0
980

Interpret it!

Let's look at the source code that wasn't interpriposed.

Bo0oM

August 15, 2020
Tweet

More Decks by Bo0oM

See All by Bo0oM
Защита от вредоносной автоматизации сегодня
bo0om
0
370
Defending against automatization using nginx
bo0om
0
630
Antibot pitch deck
bo0om
0
89
31337
bo0om
0
75
Your back is white
bo0om
0
190
FTP2RCE
bo0om
0
6.4k
At Home Among Strangers
bo0om
1
3.3k
2000day in Safari
bo0om
2
2k
Partyhack 3.0 - Telegram bugbounty writeup
bo0om
0
3.8k

Other Decks in Research

See All in Research
【論文紹介】gSASRec_Reducing Overconfidence in Sequential Recommendation Trained with Negative Sampling / recsys2023-gsasrec
yuya4
0
330
Conservation Laws for Gradient Flows
gpeyre
1
710
Google Cloud Next’23「Title:出店ブースで10社以上におすすめ機能を質問してきた」
yasumuusan
0
390
LLM Fine-Tuning (東大松尾研LLM講座 Day5資料)
schulta
20
7.7k
熊本都市交通リノベーション_熊本青年会議所ローカルマニフェスト検証会
trafficbrain
0
360
阪神タイガース優勝のひみつ - Pythonでシュッと調べた件 / SABRmetrics for Python
shinyorke
1
280
Elix, CBI 2023, フォーカストセッション, 生成モデルを中心としたElixにおけるAI創薬
elix
0
140
行動変容 自分と世界を変える技術 / Behavior change techniques
dmattsun
28
16k
RecSys2023論文読み会 - Augmented Negative Sampling for Collaborative Filtering
yudai00
1
230
Volume Expression GGX(Microfacet)
kinakomoti321
1
880
Trust, Accountability, and Autonomy in Knowledge Graph-based AI for Self-determination
kirrane
0
230
最先端NLP勉強会2023
miyuoba
3
220

Featured

See All Featured
WebSockets: Embracing the real-time Web
robhawkes
58
6.6k
Navigating Team Friction
lara
177
13k
The Straight Up "How To Draw Better" Workshop
denniskardys
226
130k
Building Better People: How to give real-time feedback that sticks.
wjessup
349
18k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
656
120k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
219
21k
How STYLIGHT went responsive
nonsquared
89
4.5k
Become a Pro
speakerdeck
PRO
8
3.6k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
1
900
Done Done
chrislema
178
15k
What's new in Ruby 2.0
geeforr
335
30k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
33
8.6k

Transcript

  1. How do I see the source code?
    • Include files (header.inc)
    • Backup files
    • Temp files (nano, vim, etc)
    • .git or another version-control system
    • Arbitrary file reading

    View Slide

  2. Interpret it!
    Anton “Bo0oM” Lopanitsyn

    View Slide

  3. Server configuration errors
    Multiple routing and microservices
    location / {
    try_files $uri $uri/ /index.html;
    ...
    }
    location /blog {

    }

    View Slide

  4. Server configuration errors
    Multiple routing and microservices

    View Slide

  5. How to find it?
    https://example.com/config.php - 200, 0B
    https://example.com/config.php - 200, 3KB
    Content-type:
    application/octet-stream
    text/plain

    View Slide

  6. Find a vulnerability in the config!
    location ~ ^(.+\.php)(.*)$ {
    fastcgi_split_path_info ^(.+\.php)(.*)$;
    fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
    fastcgi_param DOCUMENT_ROOT /var/www/html;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_index index.php;
    }

    View Slide

  7. Nope
    https://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_split_path_info

    View Slide

  8. Windows + Nginx = <3
    https://example.com/config.php - 200, 0B
    https://example.com/config.pHP
    location ~ ^(.+\.php)(.*)$
    location ~ ^(.+\.php)(.*)$
    Linux (case sensitive):
    https://example.com/config.pHP - 404
    Windows:
    https://example.com/config.pHP - 200

    View Slide

  9. Nginx
    /etc/nginx/site-enabled/default



    server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name _;
    location / {
    try_files $uri $uri/ =404;
    }
    }

    View Slide

  10. View Slide

  11. View Slide

  12. View Slide

  13. Apache
    /etc/apache2/sites-enabled/000-default.conf

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    View Slide

  14. Apache
    /etc/apache2/sites-enabled/example.conf

    DocumentRoot /var/www/html/example.com

    SetHandler application/x-httpd-php


    View Slide

  15. How to find it?
    example.com, IP: 123.123.123.123
    Check
    http://123.123.123.123/config.php
    http://123.123.123.123/example/config.php
    http://123.123.123.123/example.com/config.php

    View Slide

  16. CDN’s
    https://forum.example.com
    https://cdn.example.com/forum/static/123/123.jpg
    https://cdn.example.com/forum/config.php
    Unbelievable, but the fact is, some move the whole project to cdn!

    View Slide

  17. 0day

    View Slide

  18. Blog: https://bo0om.ru
    Twitter: @i_bo0om
    Telegram channel: @webpwn

    View Slide