Interpret it!
Bo0oM
August 15, 2020
Research
Let's look at the source code that wasn't interpreted.
Transcript
Interpret it!
Anton “Bo0oM” Lopanitsyn

How do I see the source code?
• Include files (header.inc)
• Backup files
• Temp files (nano, vim, etc.)
• .git or another version-control system
• Arbitrary file reading

Server configuration errors: multiple routing and microservices

    location / {
        try_files $uri $uri/ /index.html;
        ...
    }
    location /blog {
        …
    }

How to find it?
https://example.com/config.php - 200, 0B
https://example.com/config.php - 200, 3KB, Content-type: application/octet-stream or text/plain
(An empty 200 means the script was executed; a 200 of several KB with a non-HTML content type means the file was served as-is, source included.)

Find a vulnerability in the config!

    location ~ ^(.+\.php)(.*)$ {
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT /var/www/html;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_index index.php;
    }

Nope (see https://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_split_path_info)

Windows + Nginx = <3
https://example.com/config.php - 200, 0B
https://example.com/config.pHP - ?

    location ~ ^(.+\.php)(.*)$

The regex location is case-sensitive, so config.pHP never reaches the PHP handler:
Linux (case-sensitive filesystem): https://example.com/config.pHP - 404
Windows: https://example.com/config.pHP - 200

Nginx: /etc/nginx/sites-enabled/default

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        root /var/www/html;
        index index.html index.htm index.nginx-debian.html;
        server_name _;
        location / {
            try_files $uri $uri/ =404;
        }
    }
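The two nginx failure modes above (a case-sensitive regex location on a case-insensitive filesystem, and a default server that serves a document root as static files) are fixed below in an added configuration example that is not part of the deck; it assumes PHP-FPM on unix:/run/php/php-fpm.sock and a site root of /var/www/html/example.com.

```nginx
# Added hardening example (not from the deck). Assumed: PHP-FPM listens on
# unix:/run/php/php-fpm.sock, the site lives in /var/www/html/example.com.

# 1. Requests that arrive by IP address or with an unknown Host header land
#    here instead of in the first vhost, so no project directory is ever
#    exposed as plain static files through the default server.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;                 # close the connection, no file lookup at all
}

server {
    listen 80;
    server_name example.com;
    root /var/www/html/example.com;
    index index.php index.html;

    # 2. Files that exist only for the interpreter or for editors are never
    #    served: include files, backup/temp files, version-control metadata.
    location ~* \.(inc|phps|bak|old|orig|save|swp|swo|sql|log)$ { return 404; }
    location ~ ~$                   { return 404; }   # nano/vim backup files
    location ~ /\.(git|svn|hg)      { return 404; }   # repository metadata

    # 3. Vulnerable form from the deck:  location ~ ^(.+\.php)(.*)$ { ... }
    #    "~" is case-sensitive, so config.pHP misses this block and falls
    #    through to the static handler; on Windows the file is found and its
    #    source is sent. Hardened form: "~*" matches any casing, and try_files
    #    refuses to hand a non-existent script (or a path-info suffix) to FPM.
    location ~* \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

The same casing issue applies to Apache's `<FilesMatch "\.ph(p[3-5]?|tml)$">`, whose regex is case-sensitive unless prefixed with `(?i)`.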
Apache: /etc/apache2/sites-enabled/000-default.conf

    <VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>

Apache: /etc/apache2/sites-enabled/example.conf

    <VirtualHost *:80>
        DocumentRoot /var/www/html/example.com
        <FilesMatch "\.ph(p[3-5]?|tml)$">
            SetHandler application/x-httpd-php
        </FilesMatch>
        …

How to find it?
example.com, IP: 123.123.123.123
Check:
http://123.123.123.123/config.php
http://123.123.123.123/example/config.php
http://123.123.123.123/example.com/config.php

CDNs
https://forum.example.com
https://cdn.example.com/forum/static/123/123.jpg
https://cdn.example.com/forum/config.php
Unbelievable, but it is a fact: some move the whole project to the CDN!

0day

Blog: https://bo0om.ru
Twitter: @i_bo0om
Telegram channel: @webpwn