Common WebApp source leak
This article records the common ways WebApp source code leaks; these often appear in web penetration tests and CTFs. This section covers the most popular web application security weaknesses that do not strictly fall into the web vulnerability category but can be exploited for information gathering and to facilitate various attacks against web applications.
Leakage classification
- hg source leaked
hg init generates a .hg directory
e.g. http://www.example.com/.hg/
Tool: dvcs-ripper
rip-hg.pl -v -u http://www.example.com/.hg/
- .git source leaked
When git init is run to initialize a repository, a hidden .git directory is created under the current directory to record changes to the code and other metadata. If this .git directory is not deleted before the code is released, it is published together with the site, and the source code can be restored from it.
e.g. http://www.example.com/.git/config
Tool: GitHack
GitHack.py http://www.example.com/.git/
dvcs-ripper
rip-git.pl -v -u http://www.example.com/.git/
- .DS_Store file leaked
The hidden .DS_Store file in a folder was not deleted when the code was released; when found, it reveals sensitive file names and other information.
e.g. http://www.example.com/.DS_Store
Tool: ds_store_exp
python ds_store_exp.py http://www.example.com/.DS_Store
- Website backup compressed files
While operating a site, files on the site often need to be modified or upgraded, so the site or some of its pages are backed up first. When a backup file, or a cache file produced while editing, is left in the website directory for whatever reason and the directory has no access restrictions, the backup file or the editor's cache file can be downloaded, disclosing sensitive information and leaving the server exposed. The causes of the vulnerability are mainly the following two:
- The server administrator incorrectly places backup files of the website or of a web page into the server's web directory.
- Backup or temporary files that the editor automatically saves during use remain in the web directory and are not deleted for various reasons.
The vulnerability often lets the server's source code, or part of a page's source code, be downloaded and used. All kinds of sensitive information contained in the source code, such as database connection details and server configuration, is revealed, which can cause large losses. Leaked source code can also be used for code auditing and further exploitation of the whole system, laying hidden dangers.
- SVN caused file leaks
Subversion, or SVN for short, is an open source version control system that uses a branch management model more capable than RCS and CVS. Its purpose is to replace CVS, and more and more version control services on the Internet have moved from CVS to Subversion.
Subversion uses a server-client structure, although the server and the client can both run on the same machine. On the server side is a Subversion repository holding all the controlled data; on the other side is a Subversion client that manages a local mapping (called the "working copy") of a portion of the controlled data. Between these two ends, access goes through multiple Repository Access (RA) channels, over which the repository can be operated through different network protocols such as HTTP, SSH, or local files.
e.g. http://vote.lz.taobao.com/admin/scripts/fckeditor.266/editor/.svn/entries
Tool: dvcs-ripper
rip-svn.pl -v -u http://www.example.com/.svn/
- WEB-INF/web.xml leaked
WEB-INF is the protected directory of a Java web application. Its files cannot be accessed directly from a page; a request reaches them only if web.xml maps a URL to the corresponding file. WEB-INF mainly contains the following files or directories:
- /WEB-INF/web.xml: web application configuration file that describes the configuration and naming rules of servlets and other application components
- /WEB-INF/classes/: contains the class files of the whole site, both servlet and non-servlet classes, that are not packaged in a .jar file
- /WEB-INF/lib/: stores the various JAR files the web application needs, only those required by this application, such as database driver jars
- /WEB-INF/src/: source directory, with each java file placed according to the package name structure
- /WEB-INF/database.properties: database configuration file
Often a web application is deployed on several web servers to work around the performance limits of a single server, gaining load balancing and the ability to implement layered security policies. With this architecture, improper mapping of static resource directories or files can cause security problems, allowing files such as web.xml to be read. Detection and exploitation: find the web.xml file, infer the class file paths from it, download the class files directly, and decompile them to obtain the website source code.
In general the JSP engine forbids access to the WEB-INF directory by default. When Nginx is placed in front of Tomcat for load balancing or clustering, the reason for the leak is simple: Nginx is not a JSP engine and does not apply the rules of other engines (such coupling would be too high), so the Nginx configuration file must be changed to deny access to the WEB-INF directory itself: location ~ ^/WEB-INF/* { deny all; } or return 404; or something similar.
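As an added example (not from the original article), the same deny rule expressed as a request-path check in Python, with the normalization a front-end filter needs so that case variants, percent-encoding and dot segments cannot slip past a literal ^/WEB-INF/ match; the protected prefix list and the sample request paths are constructed for this example.

```python
import posixpath
from urllib.parse import unquote

# Prefixes to refuse before the request reaches the servlet container.
# Only /WEB-INF/ is taken from the article; extend the tuple as needed.
PROTECTED_PREFIXES = ("/WEB-INF/",)

def normalize_path(raw_path: str) -> str:
    """Normalize a request path the way the container eventually will:
    drop the query string, percent-decode twice (to catch double encoding),
    treat backslashes as separators, collapse '.' and '..' segments and
    fold case, so that /web-inf, /%57EB-INF and /x/../WEB-INF all compare
    equal to /WEB-INF."""
    path = raw_path.split("?", 1)[0]
    path = unquote(unquote(path)).replace("\\", "/")
    # normpath keeps a leading "//" as-is, so strip extra slashes first.
    path = posixpath.normpath("/" + path.lstrip("/"))
    return path.upper()

def is_blocked(raw_path: str) -> bool:
    """True when the request must be denied (403/404) instead of proxied."""
    path = normalize_path(raw_path)
    return any(path == p.rstrip("/") or path.startswith(p)
               for p in PROTECTED_PREFIXES)

# Constructed sample requests: the first two are what a case-sensitive
# regex such as ^/WEB-INF/ catches; the next four are the variants it misses.
SAMPLE_REQUESTS = [
    "/WEB-INF/web.xml",
    "/WEB-INF/classes/com/example/Admin.class",
    "/web-inf/web.xml",
    "/%57EB-INF/web.xml",
    "/static/../WEB-INF/database.properties",
    "/WEB-INF",
    "/index.jsp",
    "/images/WEB-INF.png",
]

def audit(requests=SAMPLE_REQUESTS):
    """Return the subset of requests that would be denied, in order."""
    return [r for r in requests if is_blocked(r)]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(f"{'DENY ' if is_blocked(r) else 'ALLOW'} {r}")
```

In Nginx itself the location modifier ~ is case-sensitive; ~* is the case-insensitive form, which is the one to use when the backend runs on a case-insensitive filesystem.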
- CVS leaks
Test directories:
http://url/CVS/Root returns the repository root information
http://url/CVS/Entries returns the structure of all the files
Retrieve the source code:
bk clone http://url/name dir
This command clones a remote repository named name into a local directory named dir.
To view all changes, change into the downloaded directory.
Tool: dvcs-ripper
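As an added example (not from the original article, and not part of dvcs-ripper or any other tool named above), a pre-release audit in Python that walks a web root and reports the artifacts the article's hg, git, SVN, CVS, .DS_Store and backup-file sections describe, so they are removed before the directory is ever served. The category names, suffix lists and the sample tree it builds in a temporary directory are constructed for this example.

```python
import os
import tempfile

# Artifacts from the article; the suffix lists are this example's own choice.
VCS_DIRS = {".git", ".hg", ".svn", "CVS"}
METADATA_FILES = {".DS_Store"}
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".swp", "~")
ARCHIVE_SUFFIXES = (".zip", ".tar.gz", ".tgz", ".rar", ".7z", ".sql")

def classify(name: str, is_dir: bool):
    """Return a finding category for a file or directory name, or None."""
    if is_dir:
        return "vcs-metadata" if name in VCS_DIRS else None
    if name in METADATA_FILES:
        return "os-metadata"
    if name.lower().endswith(BACKUP_SUFFIXES):
        return "editor-backup"
    if name.lower().endswith(ARCHIVE_SUFFIXES):
        return "site-archive"
    return None

def audit_webroot(root: str):
    """List everything under root that would leak source or metadata if served."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        base = "" if rel == "." else rel.replace(os.sep, "/") + "/"
        for d in list(dirnames):
            if classify(d, True):
                findings.append((classify(d, True), base + d + "/"))
                dirnames.remove(d)  # the whole repository dir is one finding
        for f in filenames:
            if classify(f, False):
                findings.append((classify(f, False), base + f))
    return sorted(findings)

def build_sample_webroot() -> str:
    """Constructed release tree reproducing the leak classes from the article."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for d in (".git/objects", ".svn", "CVS", "admin", "WEB-INF/classes"):
        os.makedirs(os.path.join(root, d))
    for f in (".git/config", ".svn/entries", "CVS/Entries", "CVS/Root",
              ".DS_Store", "index.php", "index.php.bak", "admin/config.php~",
              "www.zip", "WEB-INF/web.xml", "db_backup.sql"):
        with open(os.path.join(root, f), "w") as fh:
            fh.write("sample\n")
    return root

if __name__ == "__main__":
    for category, path in audit_webroot(build_sample_webroot()):
        print(f"{category:15} {path}")
```

WEB-INF/web.xml is deliberately not reported: it belongs in the release, and its exposure is a reverse-proxy mapping problem rather than a stray file.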