Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Interpret it!

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Bo0oM Bo0oM
August 15, 2020
Research
1.2k
0

Interpret it!

Let's look at the source code that wasn't interpriposed.

Avatar for Bo0oM

Bo0oM

August 15, 2020

More Decks by Bo0oM

See All by Bo0oM
Носок на сок
Avatar for Bo0oM bo0om
0
1.9k
Выйди и зайди нормально
Avatar for Bo0oM bo0om
0
99
Защита от вредоносной автоматизации сегодня
Avatar for Bo0oM bo0om
0
640
Defending against automatization using nginx
Avatar for Bo0oM bo0om
0
890
Antibot pitch deck
Avatar for Bo0oM bo0om
0
180
31337
Avatar for Bo0oM bo0om
0
230
Your back is white
Avatar for Bo0oM bo0om
0
390
FTP2RCE
Avatar for Bo0oM bo0om
1
7.7k
At Home Among Strangers
Avatar for Bo0oM bo0om
1
4k

Other Decks in Research

See All in Research
姫路市 -都市OSの「再実装」-
Avatar for Hopin hopin
0
1.7k
データサイエンティストをめぐる環境の違い2025年版〈一般ビジネスパーソン調査の国際比較〉
Avatar for The Japan DataScientist Society datascientistsociety
PRO
0
1.2k
"主観で終わらせない"定性データ活用 ― プロダクトディスカバリーを加速させるインサイトマネジメント / Utilizing qualitative data that "doesn't end with subjectivity" - Insight management that accelerates product discovery
Avatar for 株式会社カミナシ kaminashi
16
24k
衛星×エッジAI勉強会 衛星上におけるAI処理制約とそ取組について
Avatar for SatAI.challenge satai
4
410
LiDARセキュリティ最前線(2025年)
Avatar for Yoshioka Lab (Keio CSG) kentaroy47
0
460
言語モデルから言語について語る際に押さえておきたいこと
Avatar for Sho Yokoi eumesy
PRO
5
2k
ウェブ・ソーシャルメディア論文読み会 第36回: The Stepwise Deception: Simulating the Evolution from True News to Fake News with LLM Agents (EMNLP, 2025)
Avatar for taichi_murayama hkefka385
0
220
Φ-Sat-2のAutoEncoderによる情報圧縮系論文
Avatar for SatAI.challenge satai
4
350
NII S. Koyama's Lab Research Overview AY2026
Avatar for NII S. Koyama's Lab skoyamalab
0
130
LOSの検討(λ Kansai 2026 in Winter)
Avatar for Motohiro Yakura motopu
0
120
Can We Teach Logical Reasoning to LLMs? – An Approach Using Synthetic Corpora (AAAI 2026 bridge keynote)
Avatar for もりし morishtr
1
200
LINEヤフー データサイエンス Meetup「三井物産コモディティ予測チャレンジ」の舞台裏-AlpacaTechパート
Avatar for tomo gamella
0
290

Featured

See All Featured
Abbi's Birthday
Avatar for Violet Bock coloredviolet
2
6.7k
Beyond borders and beyond the search box: How to win the global "messy middle" with AI-driven SEO
Avatar for David Carrasco davidcarrasco
3
110
Building Better People: How to give real-time feedback that sticks.
Avatar for Will Jessup wjessup
370
20k
Reality Check: Gamification 10 Years Later
Avatar for Sebastian Deterding codingconduct
0
2.1k
Unlocking the hidden potential of vector embeddings in international SEO
Avatar for Frank van Dijk frankvandijk
0
760
Dealing with People You Can't Stand - Big Design 2015
Avatar for Cassini Nazir cassininazir
367
27k
A better future with KSS
Avatar for Kyle Neath kneath
240
18k
What’s in a name? Adding method to the madness
Avatar for The Alliance productmarketing
PRO
24
4k
The Art of Delivering Value - GDevCon NA Keynote
Avatar for David Neal reverentgeek
16
1.9k
How to Build an AI Search Optimization Roadmap - Criteria and Steps to Take #SEOIRL
Avatar for Aleyda Solis aleyda
1
2k
The Anti-SEO Checklist Checklist. Pubcon Cyber Week
Avatar for Ryan Jones ryanjones
0
120
Technical Leadership for Architectural Decision Making
Avatar for Kenny Baas-Schwegler baasie
3
320

Transcript

  1. How do I see the source code? • Include files

    (header.inc) • Backup files • Temp files (nano, vim, etc) • .git or another version-control system • Arbitrary file reading

  2. Interpret it! Anton “Bo0oM” Lopanitsyn

  3. Server configuration errors Multiple routing and microservices location / {

    try_files $uri $uri/ /index.html; ... } location /blog { … }

  4. Server configuration errors Multiple routing and microservices

  5. How to find it? https://example.com/config.php - 200, 0B https://example.com/config.php -

    200, 3KB Content-type: application/octet-stream text/plain

  6. Find a vulnerability in the config! location ~ ^(.+\.php)(.*)$ {

    fastcgi_split_path_info ^(.+\.php)(.*)$; fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name; fastcgi_param DOCUMENT_ROOT /var/www/html; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_index index.php; }

  7. Nope https://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_split_path_info

  8. Windows + Nginx = <3 https://example.com/config.php - 200, 0B https://example.com/config.pHP

    location ~ ^(.+\.php)(.*)$ location ~ ^(.+\.php)(.*)$ Linux (case sensitive): https://example.com/config.pHP - 404 Windows: https://example.com/config.pHP - 200

  9. Nginx /etc/nginx/site-enabled/default
 
 
 server { listen 80 default_server; listen

    [::]:80 default_server; root /var/www/html; index index.html index.htm index.nginx-debian.html; server_name _; location / { try_files $uri $uri/ =404; } }
  10. None
  11. None
  12. None

  13. Apache /etc/apache2/sites-enabled/000-default.conf <VirtualHost *:80> ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log

    CustomLog ${APACHE_LOG_DIR}/access.log combined </VirtualHost>

  14. Apache /etc/apache2/sites-enabled/example.conf <VirtualHost *:80> DocumentRoot /var/www/html/example.com <FilesMatch "\.ph(p[3-5]?|tml)$"> SetHandler application/x-httpd-php

    </FilesMatch>
 …

  15. How to find it? example.com, IP: 123.123.123.123 Check http://123.123.123.123/config.php http://123.123.123.123/example/config.php

    http://123.123.123.123/example.com/config.php

  16. CDN’s https://forum.example.com https://cdn.example.com/forum/static/123/123.jpg https://cdn.example.com/forum/config.php Unbelievable, but the fact is, some

    move the whole project to cdn!

  17. 0day

  18. Blog: https://bo0om.ru Twitter: @i_bo0om Telegram channel: @webpwn