Speaker Deck
Sign in
Sign up
for free
Interpret it!
Bo0oM
August 15, 2020
Research
0
590
Interpret it!
Let's look at the source code that wasn't interpriposed.
Bo0oM
August 15, 2020
Tweet
Share
More Decks by Bo0oM
See All by Bo0oM
bo0om
1
2.1k
bo0om
2
1.6k
bo0om
0
3.5k
bo0om
0
1.4k
Other Decks in Research
See All in Research
kayceesrk
0
1k
eumesy
2
1.4k
holokeum
0
760
shinyorke
0
1.3k
tomoyanonymous
1
320
chokkan
1
4k
hiroki13
0
120
matsumoto_r
0
390
sobamchan
1
410
ritsu2891
0
200
masakat0
2
310
lcolladotor
0
380
Featured
See All Featured
denniskardys
219
110k
dougneiner
119
7.7k
phodgson
86
3.8k
samanthasiow
54
6k
chriscoyier
682
180k
shpigford
165
18k
maggiecrowley
5
310
mza
80
4k
kneath
218
14k
jcasabona
7
470
eileencodes
112
24k
reverentgeek
24
1.7k
Transcript
How do I see the source code? • Include files
(header.inc) • Backup files • Temp files (nano, vim, etc) • .git or another version-control system • Arbitrary file reading
Interpret it! Anton “Bo0oM” Lopanitsyn
Server configuration errors Multiple routing and microservices location / {
try_files $uri $uri/ /index.html; ... } location /blog { … }
Server configuration errors Multiple routing and microservices
How to find it? https://example.com/config.php - 200, 0B https://example.com/config.php -
200, 3KB Content-type: application/octet-stream text/plain
Find a vulnerability in the config! location ~ ^(.+\.php)(.*)$ {
fastcgi_split_path_info ^(.+\.php)(.*)$; fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name; fastcgi_param DOCUMENT_ROOT /var/www/html; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_index index.php; }
Nope https://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_split_path_info
Windows + Nginx = <3 https://example.com/config.php - 200, 0B https://example.com/config.pHP
location ~ ^(.+\.php)(.*)$ location ~ ^(.+\.php)(.*)$ Linux (case sensitive): https://example.com/config.pHP - 404 Windows: https://example.com/config.pHP - 200
Nginx /etc/nginx/site-enabled/default server { listen 80 default_server; listen
[::]:80 default_server; root /var/www/html; index index.html index.htm index.nginx-debian.html; server_name _; location / { try_files $uri $uri/ =404; } }
None
None
None
Apache /etc/apache2/sites-enabled/000-default.conf <VirtualHost *:80> ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined </VirtualHost>
Apache /etc/apache2/sites-enabled/example.conf <VirtualHost *:80> DocumentRoot /var/www/html/example.com <FilesMatch "\.ph(p[3-5]?|tml)$"> SetHandler application/x-httpd-php
</FilesMatch> …
How to find it? example.com, IP: 123.123.123.123 Check http://123.123.123.123/config.php http://123.123.123.123/example/config.php
http://123.123.123.123/example.com/config.php
CDN’s https://forum.example.com https://cdn.example.com/forum/static/123/123.jpg https://cdn.example.com/forum/config.php Unbelievable, but the fact is, some
move the whole project to cdn!
0day
Blog: https://bo0om.ru Twitter: @i_bo0om Telegram channel: @webpwn
bo0om
kayceesrk
eumesy
holokeum
shinyorke
tomoyanonymous
chokkan
hiroki13
matsumoto_r
sobamchan
ritsu2891
masakat0
lcolladotor
denniskardys
dougneiner
phodgson
samanthasiow
chriscoyier
shpigford
maggiecrowley
mza
kneath
jcasabona
eileencodes
reverentgeek
![Apache /etc/apache2/sites-enabled/example.conf <VirtualHost *:80> DocumentRoot /var/www/html/example.com <FilesMatch "\.ph(p[3-5]?|tml)$"> SetHandler application/x-httpd-php](https://files.speakerdeck.com/presentations/0ecb1a2e4df24c39acaf78fbcdfe9557/slide_13.jpg){kind=link}
