Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up for free
Interpret it!
Bo0oM
August 15, 2020
Research
0
780
Interpret it!
Let's look at the source code that wasn't interpriposed.
Bo0oM
August 15, 2020
Tweet
Share
More Decks by Bo0oM
See All by Bo0oM
bo0om
0
32
bo0om
0
2.3k
bo0om
1
2.5k
bo0om
2
1.7k
bo0om
0
3.6k
bo0om
0
1.5k
Other Decks in Research
See All in Research
kyoun
1
270
mu_mu_mu
3
780
shuntaros
0
750
butsugiri
39
12k
tosho
0
120
kitachan_black
0
3.2k
cpsymap
4
2.9k
masakat0
0
120
eumesy
13
4.1k
resnant
2
2.2k
butsugiri
0
120
tkym1220
0
130
Featured
See All Featured
geoffreycrofte
42
1.9k
colly
190
14k
jonrohan
1021
400k
lemiorhan
633
49k
philhawksworth
196
17k
samanthasiow
61
6.8k
keithpitt
405
20k
holman
464
280k
kneath
298
39k
addyosmani
1352
200k
kneath
224
15k
tenderlove
58
3.8k
Transcript
How do I see the source code? • Include files
(header.inc) • Backup files • Temp files (nano, vim, etc) • .git or another version-control system • Arbitrary file reading
Interpret it! Anton “Bo0oM” Lopanitsyn
Server configuration errors Multiple routing and microservices location / {
try_files $uri $uri/ /index.html; ... } location /blog { … }
Server configuration errors Multiple routing and microservices
How to find it? https://example.com/config.php - 200, 0B https://example.com/config.php -
200, 3KB Content-type: application/octet-stream text/plain
Find a vulnerability in the config! location ~ ^(.+\.php)(.*)$ {
fastcgi_split_path_info ^(.+\.php)(.*)$; fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name; fastcgi_param DOCUMENT_ROOT /var/www/html; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_index index.php; }
Nope https://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_split_path_info
Windows + Nginx = <3 https://example.com/config.php - 200, 0B https://example.com/config.pHP
location ~ ^(.+\.php)(.*)$ location ~ ^(.+\.php)(.*)$ Linux (case sensitive): https://example.com/config.pHP - 404 Windows: https://example.com/config.pHP - 200
Nginx /etc/nginx/site-enabled/default server { listen 80 default_server; listen
[::]:80 default_server; root /var/www/html; index index.html index.htm index.nginx-debian.html; server_name _; location / { try_files $uri $uri/ =404; } }
None
None
None
Apache /etc/apache2/sites-enabled/000-default.conf <VirtualHost *:80> ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined </VirtualHost>
Apache /etc/apache2/sites-enabled/example.conf <VirtualHost *:80> DocumentRoot /var/www/html/example.com <FilesMatch "\.ph(p[3-5]?|tml)$"> SetHandler application/x-httpd-php
</FilesMatch> …
How to find it? example.com, IP: 123.123.123.123 Check http://123.123.123.123/config.php http://123.123.123.123/example/config.php
http://123.123.123.123/example.com/config.php
CDN’s https://forum.example.com https://cdn.example.com/forum/static/123/123.jpg https://cdn.example.com/forum/config.php Unbelievable, but the fact is, some
move the whole project to cdn!
0day
Blog: https://bo0om.ru Twitter: @i_bo0om Telegram channel: @webpwn
bo0om
kyoun
mu_mu_mu
shuntaros
butsugiri
tosho
kitachan_black
cpsymap
masakat0
eumesy
resnant
tkym1220
geoffreycrofte
colly
jonrohan
lemiorhan
philhawksworth
samanthasiow
keithpitt
holman
kneath
addyosmani
tenderlove
![Apache /etc/apache2/sites-enabled/example.conf <VirtualHost *:80> DocumentRoot /var/www/html/example.com <FilesMatch "\.ph(p[3-5]?|tml)$"> SetHandler application/x-httpd-php](https://files.speakerdeck.com/presentations/0ecb1a2e4df24c39acaf78fbcdfe9557/slide_13.jpg){kind=link}
