Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Interpret it!
Search
Bo0oM
August 15, 2020
Research
0
1.1k
Interpret it!
Let's look at the source code that wasn't interpriposed.
Bo0oM
August 15, 2020
Tweet
Share
More Decks by Bo0oM
See All by Bo0oM
Защита от вредоносной автоматизации сегодня
bo0om
0
520
Defending against automatization using nginx
bo0om
0
790
Antibot pitch deck
bo0om
0
120
31337
bo0om
0
130
Your back is white
bo0om
0
310
FTP2RCE
bo0om
1
7.3k
At Home Among Strangers
bo0om
1
3.8k
2000day in Safari
bo0om
2
2.2k
Partyhack 3.0 - Telegram bugbounty writeup
bo0om
0
4k
Other Decks in Research
See All in Research
Large Vision Language Model (LVLM) に関する最新知見まとめ (Part 1)
onely7
24
5.9k
精度を無視しない推薦多様化の評価指標
kuri8ive
1
360
機械学習でヒトの行動を変える
hiromu1996
1
530
SpectralMamba: Efficient Mamba for Hyperspectral Image Classification
satai
2
150
JSAI NeurIPS 2024 参加報告会(AI アライメント)
akifumi_wachi
5
820
「熊本県内バス・電車無料デー」の振り返りとその後の展開@土木計画学SS:成功失敗事例に学ぶ公共交通運賃設定
trafficbrain
0
210
[輪講] Transformer Layers as Painters
nk35jk
4
660
言語と数理の交差点:テキストの埋め込みと構造のモデル化 (IBIS 2024 チュートリアル)
yukiar
5
1.1k
A Segment Anything Model based weakly supervised learning method for crop mapping using Sentinel-2 time series images
satai
2
130
20241226_くまもと公共交通新時代シンポジウム
trafficbrain
0
400
AWS 音声基盤モデル トーク解析AI MiiTelの音声処理について
ken57
0
130
NeurIPS 2024 参加報告 & 論文紹介 (SACPO, Ctrl-G)
reisato12345
0
330
Featured
See All Featured
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
251
21k
Fantastic passwords and where to find them - at NoRuKo
philnash
51
3k
A Tale of Four Properties
chriscoyier
158
23k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
jQuery: Nuts, Bolts and Bling
dougneiner
63
7.6k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
32
2.1k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
49k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
233
17k
Statistics for Hackers
jakevdp
797
220k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
4
330
RailsConf 2023
tenderlove
29
1k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
4
410
Transcript
How do I see the source code? • Include files
(header.inc) • Backup files • Temp files (nano, vim, etc) • .git or another version-control system • Arbitrary file reading
Interpret it! Anton “Bo0oM” Lopanitsyn
Server configuration errors Multiple routing and microservices location / {
try_files $uri $uri/ /index.html; ... } location /blog { … }
Server configuration errors Multiple routing and microservices
How to find it? https://example.com/config.php - 200, 0B https://example.com/config.php -
200, 3KB Content-type: application/octet-stream text/plain
Find a vulnerability in the config! location ~ ^(.+\.php)(.*)$ {
fastcgi_split_path_info ^(.+\.php)(.*)$; fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name; fastcgi_param DOCUMENT_ROOT /var/www/html; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_index index.php; }
Nope https://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_split_path_info
Windows + Nginx = <3 https://example.com/config.php - 200, 0B https://example.com/config.pHP
location ~ ^(.+\.php)(.*)$ location ~ ^(.+\.php)(.*)$ Linux (case sensitive): https://example.com/config.pHP - 404 Windows: https://example.com/config.pHP - 200
Nginx /etc/nginx/site-enabled/default server { listen 80 default_server; listen
[::]:80 default_server; root /var/www/html; index index.html index.htm index.nginx-debian.html; server_name _; location / { try_files $uri $uri/ =404; } }
None
None
None
Apache /etc/apache2/sites-enabled/000-default.conf <VirtualHost *:80> ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined </VirtualHost>
Apache /etc/apache2/sites-enabled/example.conf <VirtualHost *:80> DocumentRoot /var/www/html/example.com <FilesMatch "\.ph(p[3-5]?|tml)$"> SetHandler application/x-httpd-php
</FilesMatch> …
How to find it? example.com, IP: 123.123.123.123 Check http://123.123.123.123/config.php http://123.123.123.123/example/config.php
http://123.123.123.123/example.com/config.php
CDN’s https://forum.example.com https://cdn.example.com/forum/static/123/123.jpg https://cdn.example.com/forum/config.php Unbelievable, but the fact is, some
move the whole project to cdn!
0day
Blog: https://bo0om.ru Twitter: @i_bo0om Telegram channel: @webpwn