1. Web architecture assets-platform fingerprint identification-source code
Code auditing, digging out loopholes in the code, can only be done with code, without code (black box), with code (white box)
Without source code, you can only make black boxes. With source code, you can make black and white boxes.
Having source code has a high success rate and can help you with many ideas. One is to find loopholes in the source code. The other is that the architecture system of the source code is also very helpful for black box testing. Obtaining source code can increase the success of security testing holes. possibility.
Get back-end source code: PHP, JAVA
Obtain front-end source code: VUE, JS, mobile program APP
Front-end language is to get more JS and get more points from JS
Open source: can be found and downloaded directly online
Closed source: cannot be found online/not easy to download/cannot be found at all, only for internal use
1. Open source-fingerprint recognition-plug-in
Follow CMS information: Zblog Middleware: Apache Language: PHP
Baidu search: If Zblog has open source, you can download the source code
Visit the website according to the directory structure of the source code to see if it is the source code corresponding to the website.
The source code directory is as follows:
Visit www.xiaodi8.com/zb_system, the returned status code is 403, indicating that the folder exists
It can correspond to the source code. It can basically be determined that this set of source code is the source code of the program.
After collecting the information, conduct vulnerability mining on the source code, or access and operate based on the security issues in the source code.
The above is the most direct way to obtain the source code, which is to identify the CMS information through the fingerprint platform, then go to the official website to download the source code, download it and compare it to see if it is the source code of the website.
2. Closed source-CMS information is No Found
Several common ways for website source code files to leak: Administrators’ development habits or lack of management lead to source code leaks
When developers use development tools or some features in the development system, this feature will contain information such as some descriptions or structural architecture of the project source code. Through this information, the project source code can be restored.
Information collection source code leakage - Zhihu (zhihu.com)
2.1 Website backup files leaked
Website backup files are placed in the website directory and are easily scanned by website directory scanning tools such as Yujian
2.2 git source code leaked
Git is an open source distributed version control system. When executing git init to initialize the directory, it will automatically create a .git directory in the current directory. , used to record code change records, etc. When publishing the code, if the directory .git is not deleted and is published directly to the server, the attacker can use it to restore the source code.
How to determine whether the website has a .git directory?
Add .git after the website address to access it. If it exists, it will be available. If not, it means it does not exist.
Related case demonstrations:
Accessing the ./git directory returns a 403 error, indicating that the folder exists
If you access a directory that does not exist, a 404 error will be returned.
Therefore, you can use GitHack, the tool corresponding to git leaks, for analysis.
python GitHack.py http://121.36.49.234/.git
Comparison of the tool display results and the corresponding directory of the website:
You can check to see if there is any sensitive configuration information or interface information, etc.
2.3 SVN source code leaked
SVN is an open source version control system. In the process of using SVN to manage local code, a hidden folder named .svn is automatically generated, which contains important source code information. When the website administrator published the code, he did not use the 'export' function, but directly copied the code folder to the WEB server. This exposed the .svn hidden folder to the external network environment, and the .svn/entries file could be used. Obtain the server source code.
How to determine whether there is SVN source code leakage?
Add /.svn/ after the website address. If it exists, it means it exists. If it does not, it means it does not exist.
Related case demonstrations:
This file is its exploit file
Tool SvnHack-master (python2 environment)
python.exe SvnHack.py -u https://traffichonus.com/.svn/entries
After using the tool, some files will be displayed:
Add the parameter --doewnload to download these files
python.exe SvnHack.py -u https://traffichonus.com/.svn/entries --downloadAfter downloading, we pay attention to the following tool directory, and we can see the directory of the target URL. We can open the downloaded content and match it with the website to see if the website directory is this result directory.
Check to see if the corresponding file or directory exists
It does not mean that if you access this file, it will definitely be triggered. It is related to routing. If you have learned Java routing, you will know that the local file is not here. If you access this directory, you will definitely be able to access this file.
Source code encryption: The more common PHP program encryption is zend encryption. You can try zend encryption to decrypt it.
2.4 DS_Store file leak
.DS_Store is a data file used by Finder under Mac to save how to display files/folders, one for each folder. If .DS_Store is uploaded and deployed to the server, the file directory structure may be leaked, especially backup files and source code files.
Visiting this address has some information about DS_Store
Copy this DS_Store information to the URL and it will be downloaded.
I recorded the path and used the DS_Store exploit tool to go directly to
python ds_store_exp.py https://43.225.92.100:4700/6vip/.DS_Store
There is an error connection here, because this website is https, this code may need to be modified, so change the site to test
Change the site to test:
This is also https, it’s https for the domain name.
The results will be generated in the tool directory. What you get is the directory structure, and there are no source code files in it.
2.5 Developed self-contained files, composer.json for easy development
Accessing this json file returns some information, including the address and some interface information.
This is actually an introduction to a copyright document. It will mark some versions called by some programs and some information about program EDA.
3. Code cloud resource search
[1] It is recognized that the general information cannot be downloaded, the resource is charged, or there is no download interface available online.
[2] Unrecognized, using the bad habits of administrators to obtain the source code
[3] Not recognized, but can be found through code cloud resources: github, OSCHINA, gitee
[4] Solve the development of other industries, such as illegal production, dedicated personnel to develop source code, and inter-site network
Programmers have some of their own personal web pages, personal blogs, and personal spaces on the code cloud resource platform. Sometimes it may be to ensure communication or backup, or for various purposes, causing him to transfer his source code to code cloud resources. On the platform, at this time we can find the outlet for these people. They like these websites and are programmers we like. I will search some keywords on the Internet to see if I can find the developer. If I find it under the developer Congratulations if you got the target source code
Find a website that is liked by programmers at home and abroad. See if you can find information about your target developer or the source code information he developed. I don’t know what program the other person uses, but I can use it. Search for some information
Geogle and bing websites search for chess and card gambling source codes and city dating source codes
Source code takes the lead: exchanges and currency withdrawals are marginal industries
Many of these source code addresses have to be collected by themselves, because they also know the illegality, so many of them are shut down for a period of time, because they are all source codes of some gray industries.
Case demonstration:
3.1 The general information is recognized but the resource cannot be downloaded. Take www.xiaodi8.com as an example.
If I don’t know the source code of the website, we can open the developer tools, search through some loaded files, and select some more representative files. This selection is very important. Generally, the files selected are some script files or JS files. You If you look at this image file, I won’t select it because the image file is not fixed and can be uploaded later.
We choose zblogphp.js instead of jquery-2.24.min.js. Anyone who understands JS development knows that this is included in the program. It is found in many programs because it is written by the JS framework, so it is The source code of the system program comes with it. For example, I searched for jquery-2.24.min.js on github. Some of the codes are 17K. You have to check for the year of the monkey and the month of the horse.
We want to search for this kind of unpopular one. I can search for this name or this complete path, but I don’t go to the official website to search. I look for code cloud resources to see if there is any program source code left behind by anyone.
Then we find this Zblog.php
Search for an unpopular unique file on github or gitee or OSchina. If there is something related to it in this unique file, I will click on it. Click on it and you will find its source code download address. You can download it from here. In order to verify my guess, I visited the official website. The official download address is also this, which means I found the right one.
3.2 Real case: Panwei’s OA platform
Even if I don’t know now that it is Pan Micro, we should also pay attention to its icon information, clear program introduction and name when looking at the website. These should be paid attention to.
It’s still the same. Open the developer tools and search for some unique and unpopular files. If you don’t find them, click on other elements on the website and search in other directories. Search slowly and bit by bit. There are always some key points. Documentary
It is important to select files. Don’t select which image files are not important, because the image files may be added later. They are not fixed and are dispensable. The main ones to choose are script files, JS files and some unique features. The characteristics are those that are very obvious, not just some files with common names. These are your keys.
Can this file be found?
It’s best not to look for it. You can see from the Request URL that there is no suffix after it, indicating that this place may not be a file, it is just a parameter.
Some website directories will not correspond to the URL you visit. This is because some programs, such as Java programs, have routes in them. You must follow a specific route to trigger the file. Instead of following this directory relationship, it may be accessed in another way.
Look, I searched and found nothing.
When searching, you should pay attention to the corresponding. For example, the website will also load some other addresses. This is the third-party interface called by the website.
There is a Jsp here. The name of this Jsp file is quite special. First, it fixes the file name, indicating that the file does indeed exist. Second, it is also a bit special. It is not named like login.
I searched in github and found two items under the code. Both items are from the same project, but they appear in different folders.
Click in and take a look, right? Click to see its structure. We need to determine whether it is the source code of this website. First of all, it is JSP and conforms to its JSP structure directory. Then what?
The corresponding website finds the path of the trigger file in the source code structure.
Access the wrong one first and display 404
Then access the correct one and there will be data echoed. Try a few more.
This does not mean that this source code was developed by this person. It may also be that this person also used this source code program and spread it. This needs to be clarified.
3.3 What information does Code Cloud Resources search for?
Email, comment information, all kinds of things are available
I use the development tool to open a source code directory and search for qq.com in it.
These are the files that programmers sometimes refer to when writing programs. Some authors will leave their own contact information, their author's information, etc. Then when you scan through the website, for example, I crawl through the website , such as burpsuit and AWVS, when they crawl this website, they will crawl all the mailboxes with personal information. You can also use this information as a search in the code cloud resources github or gitee or OSChina Go to search
All I found were zblogs. The website I visited was also zblog, which means that the website corresponded.
In fact, it is based on some keywords and key files of the source code characteristics. I captured the key files using packet capture. When scanning the website through some security tools mentioned later, it will reveal some email and other information leaked by some websites, and then you can find it on github
3.4 Other industries
Find the source code of the website: If you are searching for friends on the Internet, click in to see if the interface setting frame structure is similar to the target.
If you can't find it, use other methods: scan its directory, check its specific files, and look at its industry. If it's a sideline industry, search on relevant websites to see what source code has been released and corresponds to your industry. See if you can find something related to the target, but you can only find small and medium-sized black industries. Small and medium-sized companies have no money but want to engage in this kind of business, and do not have this kind of technology, so they buy online products that are better than written by people and independently developed by large dedicated teams.