
Interpret it!

Bo0oM
August 15, 2020


Let's look at source code that was not interpreted (served raw instead of being executed).


Transcript

  1. How do I see the source code?
     • Include files (header.inc)
     • Backup files
     • Temp files (nano, vim, etc.)
     • .git or another version-control system
     • Arbitrary file reading
  2. Server configuration errors: multiple routing and microservices

     location / {
         try_files $uri $uri/ /index.html;
         ...
     }
     location /blog { … }
  3. How to find it?
     https://example.com/config.php - 200, 0B       (interpreted)
     https://example.com/config.php - 200, 3KB      (source served)
     Content-type: application/octet-stream or text/plain
  4. Find a vulnerability in the config!

     location ~ ^(.+\.php)(.*)$ {
         fastcgi_split_path_info ^(.+\.php)(.*)$;
         fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
         fastcgi_param DOCUMENT_ROOT /var/www/html;
         fastcgi_param PATH_INFO $fastcgi_path_info;
         fastcgi_index index.php;
     }
  5. Windows + Nginx = <3
     https://example.com/config.php - 200, 0B
     https://example.com/config.pHP
     location ~ ^(.+\.php)(.*)$    (the ~ regex match is case sensitive)
     Linux (case sensitive):  https://example.com/config.pHP - 404
     Windows:                 https://example.com/config.pHP - 200
  6. Nginx /etc/nginx/site-enabled/default

     server {
         listen 80 default_server;
         listen [::]:80 default_server;
         root /var/www/html;
         index index.html index.htm index.nginx-debian.html;
         server_name _;
         location / {
             try_files $uri $uri/ =404;
         }
     }
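As an added example that is not part of the deck, a hardened version of the configuration from slides 4 to 6. The `~*` modifier makes the PHP location case-insensitive, so `config.pHP` on a case-insensitive filesystem is still handed to FastCGI instead of falling through to the static `location /`; `try_files` refuses script names that do not exist on disk; and the include, backup, editor-temp and version-control paths from slide 1 are blocked before any static fallback can serve them. The FastCGI socket path and the blocked extension list are assumptions, not values from the deck.

```nginx
# Added example, not the deck's own config. Socket path and extension list are assumed.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    index index.php index.html;
    server_name _;

    # Regex locations are tried in order: deny source-like files first,
    # case-insensitively, so .INC / .BAK on Windows are covered too.
    location ~* \.(inc|bak|old|orig|sql|swp|swo)$ { return 404; }  # includes, backups, vim swap
    location ~* ~$                                 { return 404; }  # "file~" editor backups
    location ~* /\.(git|svn|hg)                    { return 404; }  # version-control metadata

    # Case-insensitive match: config.pHP lands here, never in the static fallback.
    location ~* ^(.+\.php)(/.*)?$ {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        # try_files can reset $fastcgi_path_info; keep a copy first.
        set $path_info $fastcgi_path_info;
        # Refuse /x.php/anything when x.php does not exist, instead of guessing.
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_index index.php;
        fastcgi_pass unix:/run/php/php-fpm.sock;  # assumed PHP-FPM socket
    }

    # Static fallback only reaches files none of the rules above claimed.
    location / { try_files $uri $uri/ =404; }
}
```

After `nginx -t` and a reload, repeat the slide-3 checks against your own host: `config.php` and `config.pHP` should both return the interpreted response, never `application/octet-stream` or `text/plain` with `<?php` in the body, and `.inc`, trailing-`~` and `.git/` paths should return 404.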