当前位置:网站首页>[web Audit - source code disclosure] obtain source code methods and use tools
[web Audit - source code disclosure] obtain source code methods and use tools
2022-07-05 03:36:00 【Black zone (rise)】
Catalog
1.3、 The whole station source code backup file
Two 、Git Let the cat out of the
2.4、 adopt .git Let the cat out of the
3、 ... and 、svn Let the cat out of the
Four 、hg、CVS、Bazaar/bzr Source leak
5、 ... and 、WEB-INF/web.xml Let the cat out of the
5.3、WEB-INF It mainly includes files or directories :
6、 ... and 、DS_Store Document leakage
7、 ... and 、 Exploit vulnerabilities to reveal
One 、 Backup file disclosure
1.1、 brief introduction :
Backup files are usually due to the negligence of maintenance personnel , Forget to delete the files left in the server .
Attackers enumerate common backup file names , To get the corresponding path , And get the key code , So as to audit the source code
In order to find these backup files , Generally, some sensitive file scanning tools will be used to detect .
Common backup files are : Text backup file 、 The whole station source code backup file
file extension :.rar .zip .7z .tar.gz .bak .swp .txt .sql etc.
1.2、 Text backup file
stay Linux The system will use such as vim or gedit Wait for the text editor , When the editor crashes or exits due to exceptions, it will automatically back up the current file ; Or back up the code after realizing a certain function and then carry out subsequent development .
Possible backup files (index.php For example ):
.index.php.swp
.index.php.swo
index.php~
index.php.bak
index.php.txt
index.php.old
...
1.3、 The whole station source code backup file
Will package the source code of the whole station , Then put it in the root directory of the website , At this time , As long as you find this package, you can start the source code audit .
Common full site backup file names :
www
wwwdata
wwwroot
web
webroot
backup
dist
...Various compressed file suffixes :
.zip
.tar
.tar.gz
.7z
.rar
...You can also use other sensitive files that may disclose the directory structure or file name to obtain the location of backup files , Such as “.xx_xxx”
Two 、Git Let the cat out of the
2.1、 Tools (GitHack):
GitHack It's a .git Leak using scripts , By leaking .git Files in the folder , Rebuild restore project source code .
Penetration tester 、 The attacker , You can further audit the code , mining : Upload files ,SQL Injection, etc web Security vulnerabilities .
GitHub - lijiejie/GitHack: A `.git` folder disclosure exploithttps://github.com/lijiejie/GitHack
Use :
python GitHack.py http://www.openssl.org/.git/
2.2、 produce :
web In the process of upgrading and maintenance , The site file will be modified , You need to back up the whole site or part of it
When you release code , If not deleted .git Catalog , Just publish it directly to the server , The attacker uses it to recover the source code
The backup files are placed in web Under the directory accessible by the server
2.3、 Search through features
When there is an obvious characteristic string in a website
It is possible to pass GitHub To search for the item
2.4、 adopt .git Let the cat out of the
Every git There is one under the root directory of the project .git Folder , The function is to store the relevant information of the project
Tools :GitHack And the source code
Analysis of the source code :
First, set up a local git Project and initialize , And then again commit once
Get into .git Under the table of contents , Look at the files in the directory
determine commit object , View objects
Input exists “.git” In the directory url
Then check HEAD File to get the location of the branch , Then we get the branched hash value
obtain hash Value and initialize a git, Then passed parseCommit Get all objects
Finally using reset Reset branch , Successfully re established the project locally
file :
Key documents ( Part of the ):
HEAD: Mark current git In which branch .
refs: Mark what each branch of the project points to commit.
objects:git All objects stored in the local warehouse .
git The object of :
commit: Mark a submission record of a project .
tree: Mark the directory or subdirectory of a project .
blob: Mark a project file .
tag: Name a submission .
Custom function
(1)parseCommit function :
effect : download commit object , Put it parent Download with
Code :
function parseCommit {
echo parseCommit $1
downloadBlob $1
tree=$(git cat-file -p $1| sed -n '1p' | awk '{print $2}')
parseTree $tree
parent=$(git cat-file -p $1 | sed -n '2p' | awk '{print $2}')
[ ${#parent} -eq 40 ] && parseCommit $parent
}(2)parseTree function :
effect : download tree object , And list tree All the objects under , Classified as tree perhaps blob post-processing
Code :
function parseTree {
echo parseTree $1
downloadBlob $1
while read line
do
type=$(echo $line | awk '{print $2}')
hash=$(echo $line | awk '{print $3}')
[ "$type" = "tree" ] && parseTree $hash || downloadBlob $hash
done < <(git cat-file -p $1)
}(3)downloadBlob function :
effect : Download and hash Corresponding file
function downloadBlob {
echo downloadBlob $1
mkdir -p ${1:0:2}
cd $_
wget -q -nc $domain/.git/objects/${1:0:2}/${1:2}
cd ..
}
3、 ... and 、svn Let the cat out of the
3.1、 brief introduction :
Subversion(SVN) It's an open source version control system , in other words Subversion Managing data that changes over time . The data is placed in a central repository (repository) in . This archive is very similar to a normal file server , But it remembers every file change . So you can restore the file to the old version , Or browse the history of file changes .
In the use of SVN In the process of managing local code , Will automatically generate a file named .svn Hidden folders for , It contains important source code information .
3.2、 The reasons causing :
When the webmaster releases the code , Not used ‘ export ’ function , Instead, copy the code folder directly to WEB Server , This makes .svn Hidden folders are exposed to the Internet , You can use .svn/entries file , Get the server source code .
3.3、 Tools :
Seay-Svn( Simple )
dvcs-ripper
Download address :
Rip Web Accessible ( Distributed ) Version control system :SVN,GIT,Mercurial/hg,bzr,...
Even if directory browsing is turned off , It can also rip repositories .
Make sure you put yourself in the position you want to download / In the empty directory of the clone repository .
Four 、hg、CVS、Bazaar/bzr Source leak
4.1、 Tools :
dvcs-ripper
Download address :
Rip Web Accessible ( Distributed ) Version control system :SVN,GIT,Mercurial/hg,bzr,...
Even if directory browsing is turned off , It can also rip repositories .
Make sure you put yourself in the position you want to download / In the empty directory of the clone repository .
5、 ... and 、WEB-INF/web.xml Let the cat out of the
5.1、 brief introduction :
WEB-INF yes Java Of WEB Security directory of application , Client cannot access , Only the server can access , If you want to access the files directly in the page , Must pass web.xml The file can only be accessed by mapping the file to be accessed .
5.2、 The reasons causing :
When using network architecture , The mapping of directories or files of static resources is improperly configured , Thus causing safety problems , Lead to web.xml Wait until the file can be read
5.3、WEB-INF It mainly includes files or directories :
(1)/WEB-INF/web.xml :
Web Application configuration files ( describe servlet And other application component configuration and naming rules )
(2)/WEB-INF/database.properties:
Database configuration file
(3)/WEB-INF/classes/:
Deposit Java Class file (.class), All inclusive Servlet Class and other class files , The directory structure of class files matches their package name
(4)/WEB-INF/lib/ :
It's used to store packed warehouses (.jar), namely web Applications require a variety of JAR file
(5)/WEB-INF/src/ :
Source directory , Store source code (.asp and .php etc. )
5.4、 utilize :
By finding web.xml file , infer class Path to file , find class file , By decompiling class file , Get the source code of the website .
6、 ... and 、DS_Store Document leakage
6.1、 brief introduction :
.DS_Store yes Mac Next Finder Used to save how to display files / Folder Data files for ( That is, the display properties of the folder , Placement of the icon of the Hebi file ), Each folder corresponds to a
When uploading the code , Safe and correct operation should put .DS_Store File deletion , If not deleted ,.DS_Store Will upload and deploy to the server , May cause file leakage ( Directory structure 、 Backup file 、 Source code file )
6.2、 Tools :
ds_store_exp
It's a .DS_Store File leaks take advantage of scripts , It parses .DS_Store File and recursively download the file locally .
Download address :
7、 ... and 、 Exploit vulnerabilities to reveal
In combination with any File Inclusion Vulnerability or any file download vulnerability
It is possible to download to the source code , And audit it
边栏推荐
- The perfect car for successful people: BMW X7! Superior performance, excellent comfort and safety
- Tiny series rendering tutorial
- Azkaban安装部署
- The perfect car for successful people: BMW X7! Superior performance, excellent comfort and safety
- Devtools的简单使用
- Technology sharing swift defense programming
- NPM introduction link symbolic link
- FBO and RBO disappeared in webgpu
- [summary of two registration methods]
- 001 chip test
猜你喜欢
IPv6 experiment
Simple use of devtools
Qrcode: generate QR code from text
Sqoop command
Learning notes of raspberry pie 4B - IO communication (I2C)
[wp][入门]刷弱类型题目
SPI and IIC communication protocol
Jd.com 2: how to prevent oversold in the deduction process of commodity inventory?
2.常见的请求方法
[groovy] groovy environment setup (download groovy | install groovy | configure groovy environment variables)
随机推荐
【web源码-代码审计方法】审计技巧及审计工具
[Yu Yue education] National Open University autumn 2018 8109-22t (1) monetary and banking reference questions
How to make the listbox scroll automatically when adding a new item- How can I have a ListBox auto-scroll when a new item is added?
El select, El option drop-down selection box
Why are there fewer and fewer good products produced by big Internet companies such as Tencent and Alibaba?
How to define a unified response object gracefully
When sqlacodegen generates a model, how to solve the problem that the password contains special characters?
SQL performance optimization skills
Talk about the SQL server version of DTM sub transaction barrier function
Pdf things
The latest blind box mall, which has been repaired very popular these days, has complete open source operation source code
【做题打卡】集成每日5题分享(第三期)
Google Chrome CSS will not update unless the cache is cleared - Google Chrome CSS doesn't update unless clear cache
Azkaban概述
Delphi free memory
040. (2.9) relieved
The perfect car for successful people: BMW X7! Superior performance, excellent comfort and safety
001 chip test
[system security] ten thousand words summary system virtualization container bottom layer principle experiment
Azkaban actual combat