Interpret it!

Transcript

1. How do I see the source code? • Include files

   (header.inc) • Backup files • Temp files (nano, vim, etc) • .git or another version-control system • Arbitrary file reading

2. Interpret it! Anton “Bo0oM” Lopanitsyn

3. Server configuration errors Multiple routing and microservices location / {

   try_files $uri $uri/ /index.html; ... } location /blog { … }

4. Server configuration errors Multiple routing and microservices

5. How to find it? https://example.com/config.php - 200, 0B https://example.com/config.php -

   200, 3KB Content-type: application/octet-stream text/plain

6. Find a vulnerability in the config! location ~ ^(.+\.php)(.*)$ {

   fastcgi_split_path_info ^(.+\.php)(.*)$; fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name; fastcgi_param DOCUMENT_ROOT /var/www/html; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_index index.php; }

7. Nope https://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_split_path_info

8. Windows + Nginx = <3 https://example.com/config.php - 200, 0B https://example.com/config.pHP

   location ~ ^(.+\.php)(.*)$ location ~ ^(.+\.php)(.*)$ Linux (case sensitive): https://example.com/config.pHP - 404 Windows: https://example.com/config.pHP - 200

9. Nginx /etc/nginx/site-enabled/default
 
 
 server { listen 80 default_server; listen

   [::]:80 default_server; root /var/www/html; index index.html index.htm index.nginx-debian.html; server_name _; location / { try_files $uri $uri/ =404; } }
10. None
11. None
12. None

13. Apache /etc/apache2/sites-enabled/000-default.conf <VirtualHost *:80> ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log

    CustomLog ${APACHE_LOG_DIR}/access.log combined </VirtualHost>

14. Apache /etc/apache2/sites-enabled/example.conf <VirtualHost *:80> DocumentRoot /var/www/html/example.com <FilesMatch "\.ph(p[3-5]?|tml)$"> SetHandler application/x-httpd-php

    </FilesMatch>
 …

15. How to find it? example.com, IP: 123.123.123.123 Check http://123.123.123.123/config.php http://123.123.123.123/example/config.php

    http://123.123.123.123/example.com/config.php

16. CDN’s https://forum.example.com https://cdn.example.com/forum/static/123/123.jpg https://cdn.example.com/forum/config.php Unbelievable, but the fact is, some

    move the whole project to cdn!

17. 0day

18. Blog: https://bo0om.ru Twitter: @i_bo0om Telegram channel: @webpwn