Network security web information leakage brief

This article covers three types of information leaks that have occurred in web security and CTFs. It describes the points to pay attention to when using python scripts to clone, and some advanced operations that do not appear in readme.md but are possible.




1. Svn source code leaked

When developers use SVN for version control and the site is deployed automatically, an improper configuration may deploy the .svn folder directly to the online environment. This causes the SVN leak vulnerability.

Version control tool: dvcs-ripper
https://github.com/kost/dvcs-ripper

Note that running .pl files under Linux requires perl to be installed:

apt-get install perl

Switch to the working directory; the script can then be executed with perl xxx.pl


  1. Scan the target URL first and confirm that .svn is leaked, then use the rip-svn.pl script from the dvcs-ripper tool to clone it.
    index.html and the .svn directory are cloned.

  2. .svn/pristine/ holds the original files stored in the .svn folder;
    pristine may contain backup files.
    PS: grep is generally used to find what you need in the backup file. For example:

cat wc.db | grep flag

However, it may happen that the binary file cannot be output to the terminal. In that case, add the -a option:

cat wc.db | grep -a flag

This works.

For now, these are the only operations available for an SVN source code leak.




2. Git source code leaked

Index

Download address for the Git tool. Some tools only have a plain download function, which is not applicable to the latter two situations, so just use this one:

https://github.com/BugScanTeam/GitHack

Just execute the command

https://github.com/BugScanTeam/GitHack

log

  1. As before, first scan and confirm that .git is leaked
  2. Use the GitHack tool to clone the target source code locally

A Git source code leak is not only about the current git version; you also need to check the history

  • View history
git log
  • Switch version
git reset
  • Compare two submissions
git diff

Information about previous versions appears in git log. Be careful to switch to the leaked source folder first, /dist/xxx.
Each version has a corresponding id; use git diff followed by the id to view the differences between versions.

Stash

Suppose a project is being developed on the dev branch and a bug needs to be fixed urgently, but the work in progress is only half finished and you do not want to commit it yet. You can use the git stash command to save the modified content to the stack, then switch smoothly to the hotfix branch to fix the bug. After the fix is complete, switch back to the dev branch and restore the saved content from the stack.

Simply put, stash is used to save the git working status to the git stack, and restore it when needed.

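git stash
    Backs up the current working directory contents and saves them to the git stack, then reads the relevant content from the most recent commit.
git stash pop
    Takes the most recently stashed content from the git stack and restores the working directory contents. After retrieval, the corresponding stash is deleted from the stack.

    Because you may stash several times, git manages stashes as a stack; we can use git stash list to view all stashes.
git stash clear
    Empties the git stack.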



3. Website information backup file

This kind seldom appears, and when it does it is of little value, because a website with this kind of error is worthless to begin with :)

  • Website source code
  • bak file
  • vim cache
  • .DS_Store

When a developer backs up the source code in the online environment and puts the backup file in the web directory, it will cause the source of the website to leak.

A few that I have sorted out:

/robots.txt /index.php~ /index.php.bak /www.zip /wwwroot.zip
/htdocs.zip /.rar /.zip /.7z /.tar.gz /.bak /.swp /.txt

bak file

When a developer backs up the source code in the online environment and puts the backup file in the web directory, it will cause the source of the website to leak.

http://url/index.php.bak, etc.

vim cache (.swp backup file)

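When developers use the vim editor in the online environment, vim leaves an editor cache file behind while it is in use. If vim exits abnormally, the cache file stays on the server, causing the website source code to leak.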

Try the URL xxx/index.php.swp to download the .swp file, then open it with vim.
The command to open it is: vim -r index.php.swp.
Once opened, the source code is recovered and can be audited.

.DS_Store

.DS_Store is a hidden file in which Mac OS saves the custom attributes of a folder. Through .DS_Store you can learn the list of all files in that directory.

Use the tool Python-dsstore (https://github.com/gehaxelt/Python-dsstore) to complete the analysis of the .DS_Store file:

wget http://xxx.com/.DS_Store -qO samples/.DS_Store.ctfxxx

If all went well, the file is now stored in the samples folder, which can be checked with ls -al

python main.py samples/.DS_Store.ctfxxx

PS: The original .DS_Store.ctf is already present there, so use another name

end

The probability of information leakage appearing on a website is getting lower and lower, which has a lot to do with developers' improved security awareness and development standards. As security personnel, however, we must stay alert to it, because once it does appear the harm is greater. It is also necessary to look for possible vulnerabilities in the more hidden leaked information, such as the stack.
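
A pre-deployment check for the artifacts covered in sections 1 to 3, as an added example that is not code from the original post or from the tools it mentions: it walks a local web root and reports .svn and .git folders (including a git stash ref), .DS_Store, and backup, swap and archive files. The function names and the sample tree are constructed for illustration, and the suffix list is a subset of the article's list.

```python
import os
import tempfile

# Names from the article: VCS metadata directories and the macOS folder index.
VCS_DIRS = {".svn", ".git"}
EXACT_FILES = {".DS_Store"}
# Backup, editor and archive suffixes from the article's list.
# .txt is omitted on purpose: it would flag ordinary files (assumption).
SUFFIXES = ("~", ".bak", ".swp", ".zip", ".rar", ".7z", ".tar.gz")

def audit_webroot(root):
    """Return sorted (relative_path, reason) findings under a local web root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            if d in VCS_DIRS:
                rel = os.path.relpath(os.path.join(dirpath, d), root)
                findings.append((rel, "version control metadata"))
                # History and stashed work are exposed too, not just HEAD.
                if d == ".git" and os.path.exists(
                        os.path.join(dirpath, d, "refs", "stash")):
                    findings.append((rel, "git stash entries present"))
                dirnames.remove(d)  # do not descend into the metadata itself
        for f in filenames:
            rel = os.path.relpath(os.path.join(dirpath, f), root)
            if f in EXACT_FILES:
                findings.append((rel, "directory listing leak"))
            elif f.endswith(SUFFIXES):
                findings.append((rel, "backup, swap or archive file"))
    return sorted(findings)

def build_sample_webroot():
    """Constructed sample tree: a deploy that shipped leftovers."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel in ("index.php", "index.php.bak", ".index.php.swp", "www.zip",
                ".DS_Store", ".svn/wc.db", ".git/HEAD", ".git/refs/stash",
                "static/app.js"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
    return root

if __name__ == "__main__":
    for rel, reason in audit_webroot(build_sample_webroot()):
        print(f"{rel}: {reason}")
```

Run against the build output directory before publishing; any finding means the file or folder should be excluded from the deployed tree.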


Origin blog.csdn.net/qq_42812036/article/details/104767545