Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Interpret it!

Avatar for Bo0oM Bo0oM
August 15, 2020
Research
0
1.2k

Interpret it!

Let's look at the source code that wasn't interpriposed.

Avatar for Bo0oM

Bo0oM

August 15, 2020
Tweet

More Decks by Bo0oM

See All by Bo0oM
Носок на сок
Avatar for Bo0oM bo0om
0
1.9k
Выйди и зайди нормально
Avatar for Bo0oM bo0om
0
98
Защита от вредоносной автоматизации сегодня
Avatar for Bo0oM bo0om
0
630
Defending against automatization using nginx
Avatar for Bo0oM bo0om
0
870
Antibot pitch deck
Avatar for Bo0oM bo0om
0
180
31337
Avatar for Bo0oM bo0om
0
220
Your back is white
Avatar for Bo0oM bo0om
0
380
FTP2RCE
Avatar for Bo0oM bo0om
1
7.6k
At Home Among Strangers
Avatar for Bo0oM bo0om
1
4k

Other Decks in Research

See All in Research
通時的な類似度行列に基づく単語の意味変化の分析
Avatar for hajime kiyama rudorudo11
0
200
「行ける・行けない表」による地域公共交通の性能評価
Avatar for 萬創社 bansousha
0
130
【NICOGRAPH2025】Photographic Conviviality: ボディペイント・ワークショップによる 同時的かつ共生的な写真体験
Avatar for Chinatsu Ozawa toremolo72
0
200
LiDARセキュリティ最前線(2025年)
Avatar for Yoshioka Lab (Keio CSG) kentaroy47
0
290
When Learned Data Structures Meet Computer Vision
Avatar for Yusuke Matsui matsui_528
1
4.2k
生成AI による論文執筆サポート・ワークショップ 論文執筆・推敲編 / Generative AI-Assisted Paper Writing Support Workshop: Drafting and Revision Edition
Avatar for Kenji Saito ks91
PRO
0
170
"主観で終わらせない"定性データ活用 ― プロダクトディスカバリーを加速させるインサイトマネジメント / Utilizing qualitative data that "doesn't end with subjectivity" - Insight management that accelerates product discovery
Avatar for 株式会社カミナシ kaminashi
16
23k
都市交通マスタープランとその後への期待@熊本商工会議所・熊本経済同友会
Avatar for Traffic Brain trafficbrain
0
170
Φ-Sat-2のAutoEncoderによる情報圧縮系論文
Avatar for SatAI.challenge satai
3
150
2026年1月の生成AI領域の重要リリース&トピック解説
Avatar for KAJI | 梶谷健人 kajikent
0
850
Proposal of an Information Delivery Method for Electronic Paper Signage Using Human Mobility as the Communication Medium / ICCE-Asia 2025
Avatar for yumulab yumulab
0
250
R&Dチームを起ち上げる
Avatar for shibuiwilliam shibuiwilliam
1
200

Featured

See All Featured
Redefining SEO in the New Era of Traffic Generation
Avatar for Szymon Słowik szymonslowik
1
250
No one is an island. Learnings from fostering a developers community.
Avatar for Antonio thoeni
21
3.6k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
Avatar for Michelle Schulp Hunt marktimemedia
31
2.7k
Pawsitive SEO: Lessons from My Dog (and Many Mistakes) on Thriving as a Consultant in the Age of AI
Avatar for David Carrasco davidcarrasco
0
89
The Director’s Chair: Orchestrating AI for Truly Effective Learning
Avatar for Mike Taylor tmiket
1
130
What does AI have to do with Human Rights?
Avatar for Per Axbom axbom
PRO
1
2k
Measuring Dark Social's Impact On Conversion and Attribution
Avatar for Stephen Akadiri stephenakadiri
1
160
A Tale of Four Properties
Avatar for Chris Coyier chriscoyier
163
24k
Future Trends and Review - Lecture 12 - Web Technologies (1019888BNR)
Avatar for Beat Signer signer
PRO
0
3.3k
Winning Ecommerce Organic Search in an AI Era - #searchnstuff2025
Avatar for Aleyda Solis aleyda
1
1.9k
Imperfection Machines: The Place of Print at Facebook
Avatar for Scott Boms scottboms
269
14k
Data-driven link building: lessons from a $708K investment (BrightonSEO talk)
Avatar for Szymon Słowik szymonslowik
1
980

Transcript

  1. How do I see the source code? • Include files

    (header.inc) • Backup files • Temp files (nano, vim, etc) • .git or another version-control system • Arbitrary file reading

  2. Interpret it! Anton “Bo0oM” Lopanitsyn

  3. Server configuration errors Multiple routing and microservices location / {

    try_files $uri $uri/ /index.html; ... } location /blog { … }

  4. Server configuration errors Multiple routing and microservices

  5. How to find it? https://example.com/config.php - 200, 0B https://example.com/config.php -

    200, 3KB Content-type: application/octet-stream text/plain

  6. Find a vulnerability in the config! location ~ ^(.+\.php)(.*)$ {

    fastcgi_split_path_info ^(.+\.php)(.*)$; fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name; fastcgi_param DOCUMENT_ROOT /var/www/html; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_index index.php; }

  7. Nope https://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_split_path_info

  8. Windows + Nginx = <3 https://example.com/config.php - 200, 0B https://example.com/config.pHP

    location ~ ^(.+\.php)(.*)$ location ~ ^(.+\.php)(.*)$ Linux (case sensitive): https://example.com/config.pHP - 404 Windows: https://example.com/config.pHP - 200

  9. Nginx /etc/nginx/site-enabled/default
 
 
 server { listen 80 default_server; listen

    [::]:80 default_server; root /var/www/html; index index.html index.htm index.nginx-debian.html; server_name _; location / { try_files $uri $uri/ =404; } }
  10. None
  11. None
  12. None

  13. Apache /etc/apache2/sites-enabled/000-default.conf <VirtualHost *:80> ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log

    CustomLog ${APACHE_LOG_DIR}/access.log combined </VirtualHost>

  14. Apache /etc/apache2/sites-enabled/example.conf <VirtualHost *:80> DocumentRoot /var/www/html/example.com <FilesMatch "\.ph(p[3-5]?|tml)$"> SetHandler application/x-httpd-php

    </FilesMatch>
 …

  15. How to find it? example.com, IP: 123.123.123.123 Check http://123.123.123.123/config.php http://123.123.123.123/example/config.php

    http://123.123.123.123/example.com/config.php

  16. CDN’s https://forum.example.com https://cdn.example.com/forum/static/123/123.jpg https://cdn.example.com/forum/config.php Unbelievable, but the fact is, some

    move the whole project to cdn!

  17. 0day

  18. Blog: https://bo0om.ru Twitter: @i_bo0om Telegram channel: @webpwn