1. CTF-Web: Information leakage (CTF learning notes)

Table of contents

1. Source code leaked

    1-1. Page source code leaked

    1-2. Leakage of sensitive files

        1-2-1. Backup (.swp/.bak/.beifen/~/phps, etc.)

        1-2-2. Database (mdb)

        1-2-3. Compressed package (zip/tar.gz/rar/7z, etc.)

        1-2-4. Path (.git/.svn/.hg/.DS_Store/WEB-INF/web.xml/cvs/Bazaar/bzr)

2. robots.txt leaked

3. 404 page leaked

4. Protocol header leakage

5. Other matters needing attention


1. Source code leaked 

1-1. Page source code leaked 

        Browse the pages found by directory scanning, open each page's source and use Ctrl+F to search for sensitive keywords such as flag.

1-2. Leakage of sensitive files

        1-2-1. Backup (.swp/.bak/.beifen/~/phps, etc.)

    When a scan turns up an entry page such as index.php, try requesting its backup or editor files (/.index.php.swp, /.index.php.bak, /index.php~, /index.phps, etc.), read the source and search it for the flag.

        Note 1: Backup files

        Some editors keep a copy of the previous version with a trailing ~ after a file is saved (index.php~). Emacs does this by default; Vim does it when the 'backup' option is set (its default 'writebackup' removes the copy again after a successful write).

        Note 2: Abnormal exit

        While Vim is editing index.php it keeps a swap file .index.php.swp in the same directory. On a normal exit the swap file is deleted; if Vim dies abnormally (killed, terminal closed) it stays behind and can be used to recover the file (vim -r index.php). A second crash does not overwrite the existing swap file: Vim picks the next free name, so the second swap file is .index.php.swo and the third .index.php.swn. Note the "." in front of index.

        Note 3: A .phps file is PHP source. Servers that map the .phps extension to the PHP source handler display the (syntax-highlighted) code in the browser instead of executing it, so a leaked index.phps shows the code of index.php directly.
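The probing described in 1-2-1 (together with the archive and version-control paths of 1-2-3 and 1-2-4) as a small script, added here as an example and not part of the original note. The suffix lists, the default page name index.php for a directory URL, the host target.test and the HEAD-request probe are my assumptions; the swap-file names follow the Vim naming described in Note 2.

```python
"""Generate backup / editor-artifact URLs for a discovered page and probe them.
Added example for these notes; suffix lists and probe are assumptions, not the author's."""
import posixpath
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Appended to the file name: index.php -> index.php.bak (assumed common suffixes)
APPEND_SUFFIXES = [".bak", ".beifen", ".old", ".orig", ".tmp", "~"]
# Vim swap files are hidden files in the same directory: index.php -> .index.php.swp
VIM_SWAP_SUFFIXES = [".swp", ".swo", ".swn"]
# Site-level archives usually sit in the web root (assumed names)
ARCHIVE_NAMES = ["www.zip", "www.tar.gz", "www.rar", "www.7z", "backup.zip", "web.zip"]
# Version-control / metadata paths; a non-404 here means a dumper tool is worth running
VCS_PATHS = [".git/config", ".git/HEAD", ".svn/entries", ".svn/wc.db",
             ".hg/store/00manifest.i", ".DS_Store", "WEB-INF/web.xml"]


def candidates(page_url):
    """Return the probe URLs for one page, e.g. http://target.test/admin/login.php."""
    parts = urlsplit(page_url)
    directory, name = posixpath.split(parts.path)
    if not name:  # directory URL: assume the entry page is index.php
        directory, name = (parts.path.rstrip("/") or "/"), "index.php"
    base, ext = posixpath.splitext(name)
    urls = []

    def add(path):
        urls.append(urlunsplit((parts.scheme, parts.netloc, path, "", "")))

    for s in APPEND_SUFFIXES:
        add(posixpath.join(directory, name + s))
    for s in VIM_SWAP_SUFFIXES:
        add(posixpath.join(directory, "." + name + s))  # leading dot, same directory
    if ext == ".php":
        add(posixpath.join(directory, base + ".phps"))  # source-view extension
    for a in ARCHIVE_NAMES + VCS_PATHS:
        add("/" + a)  # root-relative, independent of the page's directory
    return urls


def probe(urls, fetch=None):
    """Return [(url, status)] for every URL that does not answer 404.
    fetch(url) -> status code; defaults to a real HEAD request."""
    if fetch is None:
        fetch = _head_status
    hits = []
    for url in urls:
        status = fetch(url)
        if status != 404:
            hits.append((url, status))
    return hits


def _head_status(url, timeout=5):
    """HEAD request returning the HTTP status (assumes the server allows HEAD)."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code
```

A 403 on /.git/config is still a hit worth following up, which is why probe keeps everything except 404. On servers that answer 200 for every path, compare the response length or hash against a deliberately non-existent path before trusting a status code.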

       1-2-2. Database (mdb)

        Early ASP + Access sites stored their database as an .mdb file, commonly at /db/db.mdb; append that path to the site URL to download it, open it in Notepad (or an Access viewer) and search for the flag.

       1-2-3. Compressed package (zip/tar.gz/rar/7z, etc.)

        After scanning with dirsearch and downloading www.zip from the site, you may find that the archive contains flag.txt but the file is empty. In that case, request the same file name from the site itself (append flag.txt to the URL): the live copy on the server may hold the content the packaged copy lacks.

       1-2-4. Path (.git/.svn/.hg/.DS_Store/WEB-INF/web.xml/cvs/Bazaar/bzr)

        First use dirsearch to brute-force the URL directory and look at what kind of leak it reveals.

        Example 1: dirsearch -u http://ip:port/.xx/

        Then pick the tool that matches the repository type found (GitHack for .git; rip-git.pl, rip-svn.pl, rip-hg.pl, rip-bzr.pl or rip-cvs.pl from dvcs-ripper for the others; ds_store_exp.py for .DS_Store).

        Example 2: python3 GitHack.py http://ip:port/.xx/

        Example 3: perl rip-xxx.pl -v -u http://ip:port/.xx/

        Example 4: python3 ds_store_exp.py http://ip:port/.DS_Store

        Note 1: git leak vulnerability

        Reference: git leak vulnerability (TItaniumx's blog, CSDN)

        As a version control tool, git records the changes of every commit, so in a git leak the flag file may have been deleted or overwritten in a later commit. Use "git reset --hard commit-id" to roll the working tree back to an earlier version, or, less destructively, "git log --stat" to see which files each commit touched, "git diff HEAD commit-id" to compare the current version with the one of interest, and "git checkout commit-id -- path" (or "git show commit-id:path") to pull back a single file.

        Each commit is appended to a timeline, and a timeline is a branch. Git allows several branches so that work can be kept apart from the main line of development; with no extra branches there is a single timeline, the default master branch. The flag or sensitive file may therefore live on a branch other than the current one. "git log" only shows the history of the current branch, so list the others with "git branch -a" (or run "git log --all --stat") and check out the branch that holds the file.

        If requesting /.git/ returns 403, try /.git/config (or /.git/HEAD): if the file content comes back, the git leak is real; if not, there usually is none. In SVN leaks the source is normally reconstructed from the .svn/entries file, but entries is sometimes empty; then check whether .svn/wc.db exists, because the checksums stored in it name the copies kept in the .svn/pristine/ folder, from which the source code can be recovered.
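To show what GitHack-style tools actually do with a downloaded .git directory, and how the history walk from Note 1 recovers a deleted flag, here is an added example (mine, not the original author's and not GitHack's code). It writes a small hash-correct repository into a temporary directory (constructed sample: commit 1 adds flag.txt, commit 2 deletes it) and then reads it back using only git's loose-object format; the file names, commit messages and flag value are made up.

```python
"""Recover a deleted file from a leaked .git directory by walking loose objects.
Added example; the repository is constructed in a temp dir, not taken from any target."""
import hashlib
import os
import tempfile
import zlib


# ---- writer side: build a small, hash-correct repository (constructed sample) ----

def store(git_dir, kind, payload):
    """Write one loose object ('<kind> <size>\\0' + payload, zlib-deflated); return its id."""
    raw = f"{kind} {len(payload)}\0".encode() + payload
    oid = hashlib.sha1(raw).hexdigest()
    os.makedirs(os.path.join(git_dir, "objects", oid[:2]), exist_ok=True)
    with open(os.path.join(git_dir, "objects", oid[:2], oid[2:]), "wb") as f:
        f.write(zlib.compress(raw))
    return oid


def store_tree(git_dir, files):
    """files: {name: blob id}. Entries are '<mode> <name>\\0' + 20 raw id bytes, sorted by name."""
    payload = b"".join(f"100644 {n}\0".encode() + bytes.fromhex(o) for n, o in sorted(files.items()))
    return store(git_dir, "tree", payload)


def store_commit(git_dir, tree, parent, msg):
    lines = [f"tree {tree}"] + ([f"parent {parent}"] if parent else [])
    lines += ["author ctf <ctf@example.test> 0 +0000", "committer ctf <ctf@example.test> 0 +0000", "", msg, ""]
    return store(git_dir, "commit", "\n".join(lines).encode())


def build_leaked_repo():
    """Commit 1 adds flag.txt next to index.php; commit 2 deletes flag.txt (made-up content)."""
    git_dir = os.path.join(tempfile.mkdtemp(), ".git")
    index = store(git_dir, "blob", b"<?php echo 'hello'; ?>\n")
    flag = store(git_dir, "blob", b"flag{git_history_is_forever}\n")
    c1 = store_commit(git_dir, store_tree(git_dir, {"index.php": index, "flag.txt": flag}), None, "add flag")
    c2 = store_commit(git_dir, store_tree(git_dir, {"index.php": index}), c1, "remove flag")
    os.makedirs(os.path.join(git_dir, "refs", "heads"))
    with open(os.path.join(git_dir, "HEAD"), "w") as f:
        f.write("ref: refs/heads/master\n")
    with open(os.path.join(git_dir, "refs", "heads", "master"), "w") as f:
        f.write(c2 + "\n")
    return git_dir


# ---- reader side: what a GitHack-style tool does with the downloaded files ----

def read_object(git_dir, oid):
    """Inflate a loose object, verify its id against the content, return (kind, payload)."""
    with open(os.path.join(git_dir, "objects", oid[:2], oid[2:]), "rb") as f:
        raw = zlib.decompress(f.read())
    if hashlib.sha1(raw).hexdigest() != oid:
        raise ValueError(f"object {oid} is corrupt or truncated")
    header, payload = raw.split(b"\0", 1)
    return header.split(b" ")[0].decode(), payload


def parse_tree(payload):
    """Return {name: hex id} from the binary tree entries."""
    entries, i = {}, 0
    while i < len(payload):
        nul = payload.index(b"\0", i)
        entries[payload[i:nul].split(b" ", 1)[1].decode()] = payload[nul + 1:nul + 21].hex()
        i = nul + 21
    return entries


def parse_commit(payload):
    """Return (tree id, first parent id or None) from the commit header lines."""
    tree = parent = None
    for line in payload.decode().split("\n"):
        if line == "":
            break  # end of header, message follows
        if line.startswith("tree "):
            tree = line[5:]
        elif line.startswith("parent ") and parent is None:
            parent = line[7:]
    return tree, parent


def head_commit(git_dir):
    """Resolve HEAD (symbolic ref or detached id) to a commit id."""
    with open(os.path.join(git_dir, "HEAD")) as f:
        ref = f.read().strip()
    if not ref.startswith("ref: "):
        return ref
    with open(os.path.join(git_dir, *ref[5:].split("/"))) as f:
        return f.read().strip()


def find_in_history(git_dir, filename):
    """Walk first-parent history from HEAD; return the newest content of filename, even if since deleted."""
    oid = head_commit(git_dir)
    while oid:
        tree, parent = parse_commit(read_object(git_dir, oid)[1])
        entries = parse_tree(read_object(git_dir, tree)[1])
        if filename in entries:
            return read_object(git_dir, entries[filename])[1]
        oid = parent
    return None
```

Real leaks also contain packfiles under .git/objects/pack and the index file; those need the packfile format (or plain git, once the directory has been downloaded), which this reader does not handle. The hash check in read_object is what stops a truncated download from being silently misread.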

        Note 2: .svn / .hg leak vulnerability

        After downloading the .svn (or .hg) directory you can browse the reconstructed files directly, but if the flag file was deleted on the server, look for it in the repository history. For Mercurial the revision data of every file, deleted ones included, sits under the store, e.g. http://ip:port/.hg/store/data/flag__61.txt.i. Note the double underscore: Mercurial's store encoding writes each "_" in a file name as "__" (and an uppercase letter as "_" followed by its lowercase form), so the file flag_61.txt is stored as flag__61.txt.i.

        Note 3: Summary of common web source code leaks in CTF 

        Summary of common web source code leaks in CTF - Cherish your youth - Blog Garden

        Information leakage in CTF_meteox's blog-CSDN blog_ctf information leakage

        CTF-WEB-Information Leakage Question Summary-Take a look

        CTF information collection/leakage_Skn1fe’s blog-CSDN blog_Information leakage ctf

        Note 4: Common Git commands (1)

        Example 1: git stash pop

        Takes the most recent stash off the stash stack and restores it to the working tree; the entry is dropped afterwards. Since work can be stashed repeatedly, git keeps stashes as a stack, and "git stash list" shows all of them.

        Example 2: git stash list

        Lists every stashed working-tree snapshot in the stack; stash@{0} is the newest. "git stash apply stash@{1}" restores the entry stash@{1} without removing it from the stack.

        Example 3: Besides the usual exploitation path of reading source code, a leaked .git may hold other useful information. For example, the .git/config file may contain an access_token, or a remote URL with embedded credentials (https://user:token@host/...), which grants access to the user's other repositories.

     2. robots.txt leaked

       robots.txt tells crawlers which pages they should not index, which is exactly why it is worth reading: it often names admin paths and hidden files. While solving, besides checking robots.txt, also pay attention to oddly named files such as config turned up by the scan; open them, view the source and search for the flag.

     3. 404 page leaked

        The default error page of Apache and other servers may carry a server signature that leaks the server software and version; the Server response header often does the same.

     4. Protocol header leakage

        For information leaked in protocol headers (request or response), capture the traffic with Burp Suite and read the raw requests and responses, looking for unusual headers, cookies and flags.

     5. Other matters needing attention

        Use netdiscover -r 192.168.253.1/24 to find live hosts in the lab network.

        Use nmap -sV ip to enumerate open ports and service versions.

        Use nikto -host ip to scan the target web server for known issues.

        Use dirb http://ip:port/ to brute-force hidden pages and directories.

        Note 1: If information leakage yields nothing useful, move on to code audit and look for other web attack surfaces such as SQL injection, file upload, file inclusion and so on.

        Note 2: X-Forwarded-For is an HTTP extension header meant to let a web server behind a proxy learn the real IP address of the visitor, but since the client can set it, the value may not be real. If a page only admits local users, or the check behind a cookie relies on the client address, send "X-Forwarded-For: 127.0.0.1" to fool the server (not the browser) into treating the request as local. Related headers worth trying are X-Real-IP and Client-IP.
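The trick in Note 2 works because of how the server extracts the client address. An added example (mine, not from any framework or from the original note) shows the vulnerable extraction beside a hardened one; the trusted proxy 10.0.0.1 and the addresses 203.0.113.9 and 198.51.100.7 are constructed values.

```python
"""X-Forwarded-For: why 'X-Forwarded-For: 127.0.0.1' bypasses a local-only check,
and how the server should extract the client address instead.
Added example; proxy and client addresses are constructed."""

TRUSTED_PROXIES = {"10.0.0.1"}  # assumption: the site's own reverse proxy


def naive_client_ip(remote_addr, xff):
    """Vulnerable: believes the leftmost X-Forwarded-For entry, which the client controls."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr, xff, trusted_proxies=TRUSTED_PROXIES):
    """Hardened: walk the chain from the right (the hop the server really saw) and
    return the first address that is not one of our own proxies. If the TCP peer
    itself is not a trusted proxy, the header is ignored entirely."""
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    for addr in reversed(hops + [remote_addr]):
        if addr not in trusted_proxies:
            return addr
    return remote_addr  # every hop was one of our proxies: fall back to the socket peer


def is_local(ip):
    return ip == "127.0.0.1"


def admin_allowed(remote_addr, xff, extractor):
    """The 'local users only' gate from the note, parameterised by the extraction used."""
    return is_local(extractor(remote_addr, xff))
```

The hardened version never lets a client prepend its way to 127.0.0.1: whatever it puts in the header sits to the left of the address the proxy appended, and only the rightmost non-proxy hop counts.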

        Note 3: Suitable practice platform (CTFHub)

        CTFHub

        CTFHub - Web - Information leakage (√)

        Attached: several lab penetration walkthroughs to study later.

        CTF-SMB information leakage [simple and easy to understand] (Unknown white hat's blog, CSDN)

        Course Introduction: CTF Capture the Flag Training Video Course (experience the excitement of getting root once) (51CTO School)

        Vulnhub lab covfefe practice (bonga, Blog Park)

        Lab Penetration (1) (Honey Pot Xiao Mingge's blog, CSDN)

Origin: blog.csdn.net/qq_27920699/article/details/128347782