Interpret it!
Bo0oM
August 15, 2020
Research
Let's look at the source code that wasn't interpreted.
Transcript
How do I see the source code?
  • Include files (header.inc)
  • Backup files
  • Temp files (nano, vim, etc.)
  • .git or another version-control system
  • Arbitrary file reading
Interpret it! Anton “Bo0oM” Lopanitsyn
Server configuration errors: multiple routing and microservices

    location / {
        try_files $uri $uri/ /index.html;
        ...
    }
    location /blog {
        …
    }
How to find it?
    https://example.com/config.php - 200, 0B   (the script is interpreted; config.php produces no output)
    https://example.com/config.php - 200, 3KB  (the file is served raw; Content-type: application/octet-stream or text/plain)
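The signal on this slide (a 200 with a non-empty body and a "plain file" content type, or a body that opens with a PHP tag, where an interpreted script would have answered with an empty or HTML body) can be turned into a check you run over responses fetched from your own hosts. The following is an added example, not code from the deck; the responses are constructed in the block, the `SAMPLE_RESPONSES`, `looks_like_source_disclosure` and `audit` names are mine, and the extension pattern borrows the `\.ph(p[3-5]?|tml)$` FilesMatch that appears later in the talk plus `.inc`.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample responses (not captured from any real host). They mirror the
# two cases on the slide: an interpreted config.php answers 200 with an empty
# body, while a config.php served as a static file answers 200 with its source.
Response = Tuple[int, str, bytes]          # (status, Content-Type header, body)
SAMPLE_RESPONSES: Dict[str, Response] = {
    "https://example.com/config.php":      (200, "text/html; charset=UTF-8", b""),
    "https://example.com/old/config.php":  (200, "application/octet-stream",
                                             b"<?php\n$db_pass = 'PLACEHOLDER';\n"),
    "https://example.com/config.php.bak":  (200, "text/plain", b"<?php\n// old copy\n"),
    "https://example.com/static/logo.jpg": (200, "application/octet-stream", b"\xff\xd8\xff"),
    "https://example.com/missing.php":     (404, "text/html", b"Not Found"),
}

# A PHP open tag near the start of the body is the strongest signal.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)")
# Extensions the Apache FilesMatch on the slides hands to PHP, plus include files,
# optionally followed by a backup suffix such as .bak or .orig.
SCRIPT_PATH = re.compile(r"\.(ph(p[3-5]?|tml)|inc)(\.\w+)?$", re.IGNORECASE)
# Content-types that mean "the web server treated this as a plain file".
STATIC_TYPES = {"text/plain", "application/octet-stream", "application/x-httpd-php"}


@dataclass
class Finding:
    url: str
    reason: str


def looks_like_source_disclosure(url: str, status: int, content_type: str,
                                 body: bytes) -> Optional[str]:
    """Return why the response looks like un-interpreted source, or None if it does not."""
    if status != 200:
        return None
    ctype = content_type.split(";")[0].strip().lower()
    # Path component of the URL, without scheme, host or query string.
    path = url.split("://", 1)[-1].split("/", 1)[-1].split("?", 1)[0]
    if PHP_OPEN_TAG.search(body[:4096]):
        return f"body starts with a PHP open tag (Content-Type {ctype})"
    if ctype in STATIC_TYPES and body and SCRIPT_PATH.search(path):
        return f"script path served as {ctype} with a non-empty body"
    return None


def audit(responses: Dict[str, Response]) -> List[Finding]:
    """Run the check over a set of already-fetched responses for your own hosts."""
    findings = []
    for url, (status, ctype, body) in responses.items():
        reason = looks_like_source_disclosure(url, status, ctype, body)
        if reason:
            findings.append(Finding(url, reason))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RESPONSES):
        print(f"{f.url}: {f.reason}")
```

The body check is deliberately limited to the first 4 KB: a served-raw PHP file starts with its open tag, and scanning whole binaries for `<?` would only add false positives. The content-type rule is restricted to script-like paths so that images legitimately served as `application/octet-stream` are not flagged.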
Find a vulnerability in the config!

    location ~ ^(.+\.php)(.*)$ {
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT /var/www/html;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_index index.php;
    }

Nope, the directive is used exactly as documented: https://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_split_path_info
Windows + Nginx = <3
    https://example.com/config.php - 200, 0B
    https://example.com/config.pHP

    location ~ ^(.+\.php)(.*)$   ("~" is a case-sensitive regex match, so config.pHP never reaches the PHP handler and falls through to the static location)

    Linux (case-sensitive filesystem):     https://example.com/config.pHP - 404
    Windows (case-insensitive filesystem): https://example.com/config.pHP - 200 (the source is served as a static file)
Nginx, /etc/nginx/sites-enabled/default (the stock Debian config: no PHP location at all, so any .php file under the root is served as a static file)

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        root /var/www/html;
        index index.html index.htm index.nginx-debian.html;
        server_name _;
        location / {
            try_files $uri $uri/ =404;
        }
    }
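The two nginx slides above (the case-sensitive `location ~` on a case-insensitive Windows filesystem, and the stock Debian config with no PHP location at all) come down to one dispatch decision: does the request hit the PHP location, or does it fall through to `location / { try_files $uri $uri/ =404; }`? The following is an added example that models that decision, not code from the deck or from nginx. The document root, the `route` and `file_exists` names are mine; the `~*` (case-insensitive) location is my hardened variant, not something the slides show.

```python
import re
from typing import Dict, Optional, Pattern

# The handler location from the slides. In nginx "location ~" is a case-sensitive
# regex match; "location ~*" (the hardened variant, my assumption, not from the
# deck) matches case-insensitively.
PHP_LOCATION_SENSITIVE: Pattern[str] = re.compile(r"^(.+\.php)(.*)$")
PHP_LOCATION_INSENSITIVE: Pattern[str] = re.compile(r"^(.+\.php)(.*)$", re.IGNORECASE)

# Constructed document root (/var/www/html): on-disk names and their contents.
DOCROOT: Dict[str, bytes] = {
    "/index.html": b"<h1>hello</h1>",
    "/config.php": b"<?php $db_pass = 'PLACEHOLDER';",
}


def file_exists(path: str, case_insensitive_fs: bool) -> bool:
    """try_files $uri: exact lookup on Linux, case-folded lookup on Windows/NTFS."""
    if path in DOCROOT:
        return True
    return case_insensitive_fs and any(p.lower() == path.lower() for p in DOCROOT)


def route(path: str, php_location: Optional[Pattern[str]], case_insensitive_fs: bool) -> str:
    """Where one request ends up under the slides' configs.

    'php'  -> matched the PHP location and is passed to FastCGI
    'raw'  -> fell through to `location / { try_files $uri $uri/ =404; }` and the
              file exists, so its bytes are served as a static file
    '404'  -> fell through and nothing on disk matched
    php_location=None models the stock Debian default config, which has no PHP location.
    """
    # A matching regex location takes precedence over the prefix location "/".
    if php_location is not None and php_location.match(path):
        return "php"
    return "raw" if file_exists(path, case_insensitive_fs) else "404"


if __name__ == "__main__":
    for fs, label in ((False, "Linux"), (True, "Windows")):
        for loc, name in ((PHP_LOCATION_SENSITIVE, "~"), (PHP_LOCATION_INSENSITIVE, "~*")):
            print(f"{label:8} location {name:3} /config.pHP -> {route('/config.pHP', loc, fs)}")
    print("Debian default, /config.php ->", route("/config.php", None, False))
```

The matrix the block prints is the one the slides describe: the `~` location plus a case-insensitive filesystem is the only combination that yields `raw` for `/config.pHP`, and the default config yields `raw` for every `.php` file that exists. On nginx the fix is a `~*` location, plus a catch-all that answers 404 for any script-like extension that still falls through; keeping configuration files outside the document root removes the class entirely.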
Apache, /etc/apache2/sites-enabled/000-default.conf

    <VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
Apache, /etc/apache2/sites-enabled/example.conf

    <VirtualHost *:80>
        DocumentRoot /var/www/html/example.com
        <FilesMatch "\.ph(p[3-5]?|tml)$">
            SetHandler application/x-httpd-php
        </FilesMatch>
        …
How to find it?
    example.com, IP: 123.123.123.123
    Check:
        http://123.123.123.123/config.php
        http://123.123.123.123/example/config.php
        http://123.123.123.123/example.com/config.php
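The two Apache slides describe a name-based virtual-host problem: a request with `Host: example.com` lands in example.conf, where the PHP handler is in scope, while a request to the bare IP does not match any ServerName and lands in the first vhost (000-default.conf), whose DocumentRoot `/var/www/html` contains `example.com/` as a subdirectory and which has no PHP handler. The following added example (not code from the deck or from Apache) models that selection so the same on-disk file resolves two ways. The `VHost`, `select_vhost` and `resolve` names are mine; the assumption, taken from the fragments shown, is that `SetHandler` is set only inside example.conf and nowhere at server scope.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Extensions the slide's <FilesMatch "\.ph(p[3-5]?|tml)$"> hands to PHP.
PHP_FILES = re.compile(r"\.ph(p[3-5]?|tml)$")


@dataclass
class VHost:
    server_name: Optional[str]   # None for the slide's 000-default.conf, which sets no ServerName
    document_root: str
    php_handled: bool            # True only where SetHandler application/x-httpd-php is in scope


# Constructed mirror of the two files on the slides. Assumption: the PHP handler is
# set only inside example.conf, as its fragment shows, and nowhere at server scope.
VHOSTS: List[VHost] = [
    VHost(None,          "/var/www/html",             php_handled=False),  # 000-default.conf
    VHost("example.com", "/var/www/html/example.com", php_handled=True),   # example.conf
]


def select_vhost(host_header: Optional[str], vhosts: List[VHost]) -> VHost:
    """Name-based selection: the vhost whose ServerName matches Host, else the first one."""
    for v in vhosts:
        if v.server_name and host_header and v.server_name.lower() == host_header.lower():
            return v
    return vhosts[0]   # Apache's fallback for an unmatched Host (including a bare IP)


def resolve(host_header: Optional[str], path: str,
            vhosts: List[VHost] = VHOSTS) -> Tuple[str, str]:
    """Map (Host, path) to the on-disk file and whether it is 'php' (interpreted) or 'raw'."""
    v = select_vhost(host_header, vhosts)
    fs_path = v.document_root + path
    handled = v.php_handled and PHP_FILES.search(path) is not None
    return fs_path, ("php" if handled else "raw")


if __name__ == "__main__":
    for host, path in (("example.com", "/config.php"),
                       ("123.123.123.123", "/example.com/config.php")):
        fs_path, how = resolve(host, path)
        print(f"Host: {host:16} {path:26} -> {fs_path} ({how})")
```

Both requests in the usage block resolve to `/var/www/html/example.com/config.php`; only the one routed through example.conf is interpreted. The hardening that follows from the model is to place the FilesMatch/SetHandler at server scope (outside any VirtualHost) so every vhost, the default included, interprets PHP, and to give the default vhost an empty DocumentRoot or `Require all denied` so that IP-addressed requests do not reach another site's tree.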
CDNs
    https://forum.example.com
    https://cdn.example.com/forum/static/123/123.jpg
    https://cdn.example.com/forum/config.php
Unbelievable, but it is a fact: some move the whole project to the CDN!
0day
Blog: https://bo0om.ru Twitter: @i_bo0om Telegram channel: @webpwn