a webserver s nightmare serving files that let me pwn you
play

A webservers nightmare Serving files that let me pwn you - PowerPoint PPT Presentation

Apr 02, 2024 •165 likes •702 views

A webservers nightmare Serving files that let me pwn you BerlinSides 0x7E2 @gehaxelt June 23, 2018 Introduction Agenda 1. Intro & something about webservers 2. Interesting files 3. Scanning for files 4. Feedback || Answers

  1. A webserver’s nightmare – Serving files that let me pwn you BerlinSides 0x7E2 @gehaxelt June 23, 2018

  2. Introduction Agenda 1. Intro & something about webservers 2. Interesting files 3. Scanning for files 4. Feedback || Answers && Questions @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 2 / 30

  3. Introduction Attention! Intro & something about webservers @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 3 / 30

  4. Introduction $>whoami • Mr. @gehaxelt / 0day.work • Co-Founder of Internetwache.org • MSc CS student at TU Berlin • < 3 CTFs @ ENOFLAG • Join us for the FAUST-CTF • Or sponsor our Defcon trip ;-) @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 4 / 30

  5. Something about webservers Webservers... • How do we identify webservers? 1 https://news.netcraft.com/archives/2018/04/26/april-2018-web-server-survey.html @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 5 / 30

  6. Something about webservers Webservers... • How do we identify webservers? • Who operates a webserver? 1 https://news.netcraft.com/archives/2018/04/26/april-2018-web-server-survey.html @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 5 / 30

  7. Something about webservers Webservers... • How do we identify webservers? • Who operates a webserver? • Who shut off his server because of GDPR? ;-) 1 https://news.netcraft.com/archives/2018/04/26/april-2018-web-server-survey.html @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 5 / 30

  8. Something about webservers Webservers... • How do we identify webservers? • Who operates a webserver? • Who shut off his server because of GDPR? ;-) • What’s the most used webserver software? 1 https://news.netcraft.com/archives/2018/04/26/april-2018-web-server-survey.html @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 5 / 30

  9. Something about webservers Webservers... • How do we identify webservers? • Who operates a webserver? • Who shut off his server because of GDPR? ;-) 1 • What’s the most used webserver software? 1 1 https://news.netcraft.com/archives/2018/04/26/april-2018-web-server-survey.html @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 5 / 30

  10. Something about webservers Who should listen? Someone who... • ... develops websites using Git/SVN/Mercurial ? • ... deploys them on the server using these tools (e.g. git pull)? • ... has a MacOS based system? • ... deploys using rsync/scp/(s)ftp ? • ... develops using Sublime Text and the ‘SFTP‘-Plugin? @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 6 / 30

  11. Something about webservers Who should listen? Someone who... • ... develops websites using Git/SVN/Mercurial ? • ... deploys them on the server using these tools (e.g. git pull)? • ... has a MacOS based system? • ... deploys using rsync/scp/(s)ftp ? • ... develops using Sublime Text and the ‘SFTP‘-Plugin? • ... or just wants to pwn those people’s servers? @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 6 / 30

  12. Interesting files on webservers Attention! Interesting files - Part I • ... develops websites using Git/SVN/Mercurial ? • ... deploys them on the server using these tools (e.g. git pull)? @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 7 / 30

  13. Interesting files on webservers .git directories (1) • VCS developed by Linus Torvalds • Commands: git init / add / commit / push / pull / ... • Data is stored in the .git directory @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 8 / 30

  14. Interesting files on webservers .git directories (2) • Objects can be commits, trees and blobs. 1 1 Figure https://git-scm.com/book/en/v2/Git-Internals-Git-Objects @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 9 / 30

  15. Interesting files on webservers .git directories (3) What if the deployment process is ‘cd /var/www/html && git pull‘? 1 https://github.com/internetwache/GitTools @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 10 / 30

  16. Interesting files on webservers .git directories (3) What if the deployment process is ‘cd /var/www/html && git pull‘? The /.git/ folder might be accessible! 1 https://github.com/internetwache/GitTools @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 10 / 30

  17. Interesting files on webservers .git directories (3) What if the deployment process is ‘cd /var/www/html && git pull‘? The /.git/ folder might be accessible! Directory listing enabled • It’s trivial to download all object files and restore the repository. • wget –mirror –include-directories=/.git http://domain.tld/.git/ 1 https://github.com/internetwache/GitTools @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 10 / 30

  18. Interesting files on webservers .git directories (3) What if the deployment process is ‘cd /var/www/html && git pull‘? The /.git/ folder might be accessible! Directory listing enabled Directory listing disabled • It’s trivial to download all object • Obtain first hash (.git/HEAD, files and restore the repository. .git/refs/heads/master) • wget –mirror • Download object file and get –include-directories=/.git new object hashes http://domain.tld/.git/ • Repeat until nothing new is found! • Automation: GitTools 1 1 https://github.com/internetwache/GitTools @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 10 / 30

  19. Interesting files on webservers .git directories (4) Demo! @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 11 / 30

  20. Interesting files on webservers .git directories (5) Consequences • Source code disclosure • Get the source and find other vulns ;-) • Find committed credentials and escalate privileges. 1 https://en.internetwache.org/ dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m- @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 12 / 30

  21. Interesting files on webservers .git directories (5) Consequences • Source code disclosure • Get the source and find other vulns ;-) • Find committed credentials and escalate privileges. • In some cases .git/config contains HTTP-BasicAuth credentials • Instant access to company’s repositories (e.g. GitLab / GitHub / ... ) • Access to the CI (e.g. GitLabCI): Build scripts and auto-deployment may lead to server pwnage 1 https://en.internetwache.org/ dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m- @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 12 / 30

  22. Interesting files on webservers .git directories (5) Consequences • Source code disclosure • Get the source and find other vulns ;-) • Find committed credentials and escalate privileges. • In some cases .git/config contains HTTP-BasicAuth credentials • Instant access to company’s repositories (e.g. GitLab / GitHub / ... ) • Access to the CI (e.g. GitLabCI): Build scripts and auto-deployment may lead to server pwnage • A scan 1 showed: ~10k out of Alexa’s Top 1M are affected. • ~250 had HTTP-BasicAuth 1 https://en.internetwache.org/ dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m- @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 12 / 30

  23. Interesting files on webservers Other VCS Other VCS can be affected, too! • Subversion • Mercurial • ... @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 13 / 30

  24. Interesting files on webservers Attention! Interesting files - Part II • ... has a MacOS based system? • ... deploys using rsync/scp/(s)ftp ? @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 14 / 30

  25. Interesting files on webservers .DS_Store files (1) • Apple’s proprietary Desktop Service Store format 1 on MacOS. • Holds meta information (e.g. icons, file name, attributes) about files in a directory. • Hidden and automatically created when entering a directory with ’Finder’. 1 https://en.wikipedia.org/wiki/.DS_Store @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 15 / 30

  26. Interesting files on webservers .DS_Store files (2) Header: • Header contains magic byte, ‘checksum‘, location of ‘root 1 block‘ • Root block holds structural information • Offsets to leaf nodes • Tables of content • Free lists 1 https://0day.work/parsing-the-ds_store-file-format/ @gehaxelt A webserver’s nightmare – Serving files that let me pwn you June 23, 2018 16 / 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Single-point Webserver COUNTIS E17 - E18 - E27 - E28 Single-point Webserver The products have an

Single-point Webserver COUNTIS E17 - E18 - E27 - E28 Single-point Webserver The products have an

Single-point Webserver COUNTIS E17 - E18 - E27 - E28 Single-point Webserver The products have an Ethernet port with an integrated web server accessible on a standard web browser (Internet Explorer, firefox) Single-point webserver 2

456 views • 14 slides
Using SQL/MX DBS Demo using iTP webserver May 2018 Frans Jongma, Advanced Technology Center A

Using SQL/MX DBS Demo using iTP webserver May 2018 Frans Jongma, Advanced Technology Center A

Using SQL/MX DBS Demo using iTP webserver May 2018 Frans Jongma, Advanced Technology Center A guided tour through SQL/MX DBS using iTP Webserver Requirements NonStop System iTP Webserver running Firefox or Chrome browser

338 views • 22 slides
2 nd semester Topic 5: Navigation nightmare More Than Just a Bad Dream--A Nightmare's Impact on

2 nd semester Topic 5: Navigation nightmare More Than Just a Bad Dream--A Nightmare's Impact on

2 nd semester Topic 5: Navigation nightmare More Than Just a Bad Dream--A Nightmare's Impact on the Waking Brain 1.Read the article You awake with a pounding heart and clammy hands. Relax, you think to yourself it was just a bad dream. But

204 views • 8 slides
NIGHTMARE CREATURES II Game Design Presentation - Confidential Kalisto Entertainment 1999

NIGHTMARE CREATURES II Game Design Presentation - Confidential Kalisto Entertainment 1999

NIGHTMARE CREATURES II Game Design Presentation - Confidential Kalisto Entertainment 1999 1 NIGHTMARE CREATURES II NIGHTMARE CREATURES II Game Overview Working tittle : Nightmare Creatures II Genre : Horror Action- Adventure Game

317 views • 8 slides
UPDATES Recap Christmas in the Sierra Concert Nightmare Before Christmas ALL SHOWS SOLD

UPDATES Recap Christmas in the Sierra Concert Nightmare Before Christmas ALL SHOWS SOLD

UPDATES Recap Christmas in the Sierra Concert Nightmare Before Christmas ALL SHOWS SOLD OUT! Coming Up 12/14 Dinner and Show Nightmare 12/15 Nightmare Before Christmas 12/16 Nightmare Before Christmas 12/22 Holiday

336 views • 6 slides
What is a Jar File? Java archive (jar) files are compressed files that can store one or many

What is a Jar File? Java archive (jar) files are compressed files that can store one or many

Creating Jar Files Based on slides by: Jin Hung, Gregory Olds, George Blank, Sun Java Web Site What is a Jar File? Java archive (jar) files are compressed files that can store one or many files. Jar files normally contain java or class

507 views • 19 slides
What is a Jar File? Java archive (jar) files are compressed files that can store one or many

What is a Jar File? Java archive (jar) files are compressed files that can store one or many

Creating Jar Files Based on slides by: Jin Hung, Gregory Olds, George Blank, Sun Java Web Site What is a Jar File? Java archive (jar) files are compressed files that can store one or many files. Jar files normally contain java or class

434 views • 22 slides
Interacting with Files Python Files Files Basic container of data in modern computing

Interacting with Files Python Files Files Basic container of data in modern computing

Interacting with Files Python Files Files Basic container of data in modern computing system Organized into a hierarchy of directories Files / /etc /Applications /var /tmp /Users /etc/Apache /etc/master.passwd

232 views • 19 slides
20 th anniversary Serving drug discovery with cutting-edge software Dra Barna, PhD

20 th anniversary Serving drug discovery with cutting-edge software Dra Barna, PhD

20 th anniversary Serving drug discovery with cutting-edge software Dra Barna, PhD Application Scientist Live Chemistry in Microsoft Office Structure representation Chemical search R-group decomposition Import from files or databases

506 views • 13 slides
Using files ITEC 1630 We save data in files on disk or some Week 9: Files &amp; Streams

Using files ITEC 1630 We save data in files on disk or some Week 9: Files &amp; Streams

Using files ITEC 1630 We save data in files on disk or some Week 9: Files &amp; Streams other media so that we dont lose it even if the computer is shut off Files can store more data than may fit in Yves Lesprance working memory

248 views • 4 slides
Accessing Files in Python Learning Objectives Concepts about files in Python How to open

Accessing Files in Python Learning Objectives Concepts about files in Python How to open

Accessing Files in Python Learning Objectives Concepts about files in Python How to open files Different ways of reading files How to write out files How to read then search, count, etc. on files Concepts about

615 views • 26 slides
Flat Files vs. DB Files So far, our PHP examples have

Flat Files vs. DB Files So far, our PHP examples have

Flat Files vs. DB Files So far, our PHP examples have used regular text files O&gt;en called FLAT FILES These have a certain advantage,

554 views • 22 slides
Internet publishing recommended software, encoding HTML, publishing on webserver Petr Zmostn

Internet publishing recommended software, encoding HTML, publishing on webserver Petr Zmostn

Internet publishing recommended software, encoding HTML, publishing on webserver Petr Zmostn room: A-72a phone: 4222 e-mail: petr.zamostny@vscht.cz PSPad editor Freeware http://www.pspad.com/cz/download.php Making the first

149 views • 14 slides
Imagining Politics beyond Brexit Gone quiet, hasnt it? Last year now seems like a nightmare

Imagining Politics beyond Brexit Gone quiet, hasnt it? Last year now seems like a nightmare

Imagining Politics beyond Brexit Gone quiet, hasnt it? Last year now seems like a nightmare from which we are just awakening. The febrile atmosphere of those days when two Prime Ministers struggled to push a withdrawal agreement through

269 views • 8 slides
Web 2.0 A Security Nightmare? SSL and Webapps Webmontag Karlsruhe, 29.5.2006 Hanno Bck,

Web 2.0 A Security Nightmare? SSL and Webapps Webmontag Karlsruhe, 29.5.2006 Hanno Bck,

Web 2.0 A Security Nightmare? SSL and Webapps Webmontag Karlsruhe, 29.5.2006 Hanno Bck, http://www.hboeck.de/ Web 2.0 for everyone? Web 2.0 applications should be available for the common user Blog in 1 minute, Get your own

254 views • 11 slides
A NIGHTMARE FOR THE INTERVENTIONAL CARDIOLOGIST-DES STENT ANEURYSM! DR VARUN CHAWLA MD,DM

A NIGHTMARE FOR THE INTERVENTIONAL CARDIOLOGIST-DES STENT ANEURYSM! DR VARUN CHAWLA MD,DM

A NIGHTMARE FOR THE INTERVENTIONAL CARDIOLOGIST-DES STENT ANEURYSM! DR VARUN CHAWLA MD,DM LIFECARE INSTITUTE OF MEDICAL SCIENCES &amp; RESEARCH,AHMEDABAD,INDIA Disclosure Statement of Financial Interest I, Dr Varun Chawla DO NOT have a

677 views • 32 slides
Grammars and Trees Dr. Vadim Zaytsev aka @grammarware 2015 Recap Lexical analysis

Grammars and Trees Dr. Vadim Zaytsev aka @grammarware 2015 Recap Lexical analysis

Grammars and Trees Dr. Vadim Zaytsev aka @grammarware 2015 Recap Lexical analysis Syntactic analysis Semantic analysis Intermediate representation Code generation Optimisation . . . WHY Formats everywhere

582 views • 47 slides
FLDC 2017 Debug Drupal with Devel, XDEBUG + More About Us Kalamuna makes the Internet for for

FLDC 2017 Debug Drupal with Devel, XDEBUG + More About Us Kalamuna makes the Internet for for

FLDC 2017 Debug Drupal with Devel, XDEBUG + More About Us Kalamuna makes the Internet for for mission-driven organizations driven to tinker, critique, and change the way things are. We specialize in design, strategy, user experience, and

616 views • 43 slides
MDN Browser Compatibility Data Florian Scholz @floscholz MDN web docs MDN web docs is a

MDN Browser Compatibility Data Florian Scholz @floscholz MDN web docs MDN web docs is a

MDN Browser Compatibility Data Florian Scholz @floscholz MDN web docs MDN web docs is a collaborative, high quality web documentation site providing information about web technologies like HTML, CSS, JavaScript, Web APIs and HTTP.

495 views • 22 slides
Introduction of Linux , oslab2020@163.com PART II Shell Script Compile

Introduction of Linux , oslab2020@163.com PART II Shell Script Compile

Introduction of Linux , oslab2020@163.com PART II Shell Script Compile &amp; Debug (for C) Text Editor (Vim, Sublime text, Atom) Shell Script A shell script is a program designed to be run by the shell. The various

375 views • 35 slides
Code completion in ExtendJ using LSP Daniel Tovesson Why LSP? - Programming

Code completion in ExtendJ using LSP Daniel Tovesson Why LSP? - Programming

Code completion in ExtendJ using LSP Daniel Tovesson Why LSP? - Programming language-specific features - Just one language server needed - Easier for vendors - Growing support

385 views • 10 slides
Good Habits in R Programming STAT 133 Gaston Sanchez Department of Statistics, UCBerkeley

Good Habits in R Programming STAT 133 Gaston Sanchez Department of Statistics, UCBerkeley

Good Habits in R Programming STAT 133 Gaston Sanchez Department of Statistics, UCBerkeley gastonsanchez.com github.com/gastonstat/stat133 Course web: gastonsanchez.com/stat133 Good Coding Habits 2 Code Habits Now that youve worked

1.03k views • 99 slides
Programming 1 - Honors Lecture 1 COP 3014 Spring 2017 January 10, 2017 Main Components of a

Programming 1 - Honors Lecture 1 COP 3014 Spring 2017 January 10, 2017 Main Components of a

Programming 1 - Honors Lecture 1 COP 3014 Spring 2017 January 10, 2017 Main Components of a computer CPU - Central Processing Unit: The brain of the computer. ISA - Instruction Set Architecture: the specific set of low-level

313 views • 14 slides
COMP 364: Intro to Programming/Python Carlos G. Oliver, Christopher Cameron September 11, 2017

COMP 364: Intro to Programming/Python Carlos G. Oliver, Christopher Cameron September 11, 2017

COMP 364: Intro to Programming/Python Carlos G. Oliver, Christopher Cameron September 11, 2017 1/25 BIO IO-PHYSICAL PROGRAMS IN INFORMATION SESSION Come and join us for the Bio-Physical programs information session: Chemistry -

371 views • 26 slides

More recommend