Interpret it!
Bo0oM, August 15, 2020. Research.
Let's look at the source code that wasn't interpreted.
Transcript
How do I see the source code?
• Include files (header.inc)
• Backup files
• Temp files (nano, vim, etc)
• .git or another version-control system
• Arbitrary file reading
Interpret it! Anton “Bo0oM” Lopanitsyn
Server configuration errors: multiple routing and microservices

location / {
    try_files $uri $uri/ /index.html;
    ...
}
location /blog {
    …
}
How to find it?
https://example.com/config.php - 200, 0B
https://example.com/config.php - 200, 3KB, Content-type: application/octet-stream or text/plain
Find a vulnerability in the config!

location ~ ^(.+\.php)(.*)$ {
    fastcgi_split_path_info ^(.+\.php)(.*)$;
    fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
    fastcgi_param DOCUMENT_ROOT /var/www/html;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_index index.php;
}
Nope https://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_split_path_info
Windows + Nginx = <3
https://example.com/config.php - 200, 0B
https://example.com/config.pHP

location ~ ^(.+\.php)(.*)$

Linux (case sensitive): https://example.com/config.pHP - 404
Windows: https://example.com/config.pHP - 200
Nginx /etc/nginx/site-enabled/default

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name _;
    location / {
        try_files $uri $uri/ =404;
    }
}
Apache /etc/apache2/sites-enabled/000-default.conf

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Apache /etc/apache2/sites-enabled/example.conf

<VirtualHost *:80>
    DocumentRoot /var/www/html/example.com
    <FilesMatch "\.ph(p[3-5]?|tml)$">
        SetHandler application/x-httpd-php
    </FilesMatch>
    …
How to find it?
example.com, IP: 123.123.123.123
Check:
http://123.123.123.123/config.php
http://123.123.123.123/example/config.php
http://123.123.123.123/example.com/config.php
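The slides above show three ways nginx ends up serving PHP source as a plain file: a case-sensitive `\.php` location on a case-insensitive filesystem, a default vhost with no PHP handler that answers requests made by bare IP, and backup, temp and include files that no handler claims. The following site configuration is an added example written for this page, not a config from the talk or from any project it mentions, that closes all three paths at once; the hostname, document root and the php-fpm socket path are assumptions for illustration.

```nginx
# Added example: hardened nginx site. Hostname, root and socket are assumed.

# Catch-all for requests by bare IP or an unknown Host header. Nothing from
# the project root is served here, so http://<ip>/config.php can never reach
# a vhost that has no PHP handler and would return the file as text.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;               # close the connection without a response
}

server {
    listen 80;
    server_name example.com;  # assumed
    root /var/www/html/example.com;
    index index.php index.html;

    # Regex locations are tried in order of appearance, so the deny rules
    # must come before the PHP block. Dotfiles cover .git, .svn and editor
    # swap files such as .config.php.swp; .well-known stays reachable.
    location ~ /\.(?!well-known) { return 404; }

    # Backup copies, editor temp files and include files must never be served.
    location ~ "(\.(bak|old|orig|swp|inc)|~)$" { return 404; }

    # Case-insensitive match (~*): on a case-insensitive filesystem a request
    # for config.pHP would otherwise miss this block, fall through to the
    # static handler and be returned as application/octet-stream.
    location ~* ^(.+\.php)(/.*)?$ {
        # If the script file does not exist, answer 404 instead of handing a
        # guessed path (and attacker-chosen PATH_INFO) to the interpreter.
        try_files $fastcgi_script_name =404;
        fastcgi_split_path_info ^(.+\.php)(/.*)?$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }

    # Static files and the front controller. No *.php request can reach this
    # block, so nothing here ever serves PHP source as text/plain.
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }
}
```

To check the result, repeat the requests from the slides against your own host: config.php and config.pHP must both be executed (same status, same body), config.php~ and .git/config must return 404, and a request by IP address must get no response at all. A diff of `nginx -T` output before and after the change is the easiest way to confirm which `location` now wins for each of those URIs.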
CDNs
https://forum.example.com
https://cdn.example.com/forum/static/123/123.jpg
https://cdn.example.com/forum/config.php
Unbelievable, but it is a fact: some move the whole project to the CDN!
0day
Blog: https://bo0om.ru Twitter: @i_bo0om Telegram channel: @webpwn