2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
1. Google hack
Svn search skills
Figure 1
Git search skills
Figure 2
2. Principle of using svn 1.6 information
2.1 SVN
After 1.6, SVN introduced wc.db to manage files; it is located at .svn/wc.db. The normal file location is somedomain/.svn/pristine/"XX"/"CHECKSUM".svn-base, where CHECKSUM is the SHA1 value of the file and XX is its first two digits. So where can this CHECKSUM be found? In the wc.db just mentioned, which is a sqlite database. The general structure of the database is as follows:
$ sqlite3 wc.db .tables
ACTUAL_NODE    NODES          PRISTINE       WC_LOCK
EXTERNALS      NODES_BASE     REPOSITORY     WORK_QUEUE
LOCK           NODES_CURRENT  WCROOT
$ sqlite3 wc.db 'select local_relpath, checksum from NODES'
index.php|$sha1$4e6a225331f9ae872db25a8f85ae7be05cea6d51
scripts/menu.js|$sha1$fabeb3ba6a96cf0cbcad1308abdbe0c2427eeebf
style/style.js|$sha1$2cc5590e0ba024c3db77a13896da09b39ea74799
$ sqlite3 wc.db 'select local_relpath, ".svn/pristine/" || substr(checksum,7,2) || "/" || substr(checksum,7) || ".svn-base" as alpha from NODES;'
index.php|.svn/pristine/4e/4e6a225331f9ae872db25a8f85ae7be05cea6d51.svn-base
scripts/menu.js|.svn/pristine/fa/fabeb3ba6a96cf0cbcad1308abdbe0c2427eeebf.svn-base
style/style.js|.svn/pristine/2c/2cc5590e0ba024c3db77a13896da09b39ea74799.svn-base
The first step is to download wc.db, then find the file name and its SHA1 value from the NODES table, and finally construct the download link.
3. The principle of using git information
First of all, the repository address can be read from the .git/config information.
[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
[remote "origin"]
    fetch = +refs/heads/*:refs/remotes/origin/*
    url = git@git.jingdigital.net:root/pcb001.git
[branch "master"]
    remote = origin
    merge = refs/heads/master
Basically, there are three steps:
(1) Download the .git/index file, which is in a git-specific format and contains each file name and the file's SHA1 value.
(2) Download the corresponding file from the objects directory according to the file's SHA1 value; the specific path is somedomain/.git/objects/"XX"/"CHECKSUM".
(3) Decompress the file with zlib and write the source code out following the original directory layout.
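To see what a served .git directory gives away from one of your own checkouts, the three steps can be run over local bytes. This is an added example, not code from the original article; the function names and the sample data are constructed for illustration. It assumes index version 2 or 3 and loose objects, whose file name under "XX" is the remaining 38 hex digits of the SHA1.

```python
import hashlib
import struct
import zlib

def parse_index(data):
    """Return [(path, sha1_hex)] from a version 2 or 3 .git/index."""
    sig, version, count = struct.unpack(">4sII", data[:12])
    if sig != b"DIRC" or version not in (2, 3):
        raise ValueError("not a v2/v3 index (v4 compresses paths)")
    entries, off = [], 12
    for _ in range(count):
        sha1 = data[off + 40:off + 60].hex()       # follows 40 bytes of stat data
        (flags,) = struct.unpack(">H", data[off + 60:off + 62])
        name_off = off + 62 + (2 if flags & 0x4000 else 0)  # v3 extended flags
        end = data.index(b"\0", name_off)
        entries.append((data[name_off:end].decode("utf-8", "replace"), sha1))
        off += ((end - off) // 8 + 1) * 8          # NUL-padded to a multiple of 8
    return entries

def object_path(sha1):
    """Loose object location: first two hex digits, then the other 38."""
    return f".git/objects/{sha1[:2]}/{sha1[2:]}"

def read_blob(raw, sha1):
    """Inflate a loose object, verify it against the index hash, drop header."""
    body = zlib.decompress(raw)
    if hashlib.sha1(body).hexdigest() != sha1:
        raise ValueError("object does not match the index checksum")
    return body.partition(b"\0")[2]                # strip b"blob <size>\0"

def exposed_files(index, objects):
    """Map tracked path -> content for every entry stored as a loose object."""
    out = {}
    for path, sha1 in parse_index(index):
        raw = objects.get(object_path(sha1))
        if raw is not None:                        # packed objects live elsewhere
            out[path] = read_blob(raw, sha1)
    return out

def build_sample():
    """Constructed index with one entry plus its loose object (not real data)."""
    content = b"<?php $db_host = 'db.example.invalid'; ?>\n"
    body = b"blob %d\0" % len(content) + content
    sha1 = hashlib.sha1(body).hexdigest()
    path = b"config/db.php"
    entry = b"\0" * 40 + bytes.fromhex(sha1) + struct.pack(">H", len(path)) + path
    entry += b"\0" * (8 - len(entry) % 8)
    index = struct.pack(">4sII", b"DIRC", 2, 1) + entry
    return index, {object_path(sha1): zlib.compress(body)}, content
```

Every path that `exposed_files` returns for a deployed checkout is source that should be treated as disclosed, along with any credentials in it.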
4. Simple scanning of domestic port 80
With the above foundation, the code can be restored from the leaked information, and a lot can be done once the code is restored. The most common findings are leaked email addresses, database connections, debugging interfaces, and third-party keys in the code. For targets of interest, the code can also be audited to discover injection, command execution, and so on.
4.1 scan implementation
(1) Read the port-80 IP segment data from a file, with a maximum concurrency of 16 and a maximum of 60 connections. At this setting the bandwidth stays at roughly 600KB, and the run can finish in one day over a weekend.
(2) Set some pycurl parameters, such as PROXY and MAXREDIRS=0 so that redirects are not followed. The parameter nosignal must be set to 1, which is a bug of pycurl. During the intermediate test this parameter was not set, which caused the long-running job to fail.
(3) Request /.git/config: a hit is a 200 response whose type is text/plain and which contains the repositoryformatversion field. Request /.svn/entries: a hit is a 200 response whose Content-Type is text/plain and whose return value contains dir. In fact, this is wrong, because when svn is greater than 1.6 the return value contains only a simple number and no dir, so there are basically no results above 1.6 in the scan results.
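The check in step (3), with the svn greater-than-1.6 case handled, can be written as a classifier for responses from hosts you operate. This is an added example, not the author's scanner; the function name, labels and sample responses are constructed, and matching dir as a whole line is an assumption that is stricter than the substring test described above.

```python
import re

def classify(path, status, content_type, body):
    """Label one HTTP response: 'git', 'svn<=1.6', 'svn>1.6' or None."""
    # Both checks require a 200 served as text/plain, so an HTML error
    # page returned with status 200 is rejected here.
    if status != 200 or not content_type.lower().startswith("text/plain"):
        return None
    text = body.strip()
    if path == "/.git/config":
        found = re.search(r"^\s*repositoryformatversion\s*=", text, re.M)
        return "git" if found else None
    if path == "/.svn/entries":
        lines = text.splitlines()
        if len(lines) == 1 and lines[0].isdigit():
            return "svn>1.6"       # only a number: the case the scan missed
        if "dir" in lines:
            return "svn<=1.6"      # old format carries a "dir" line
    return None

# Constructed responses (not captured from any real host).
SAMPLES = [
    ("/.git/config", 200, "text/plain", "[core]\n\trepositoryformatversion = 0\n"),
    ("/.svn/entries", 200, "text/plain; charset=utf-8", "12\n"),
    ("/.svn/entries", 200, "text/plain", "10\n\ndir\n1234\nhttps://svn.example.invalid/repo\n"),
    ("/.svn/entries", 200, "text/html", "<html><body>Not found</body></html>"),
    ("/.git/config", 302, "text/plain", ""),
]

def run_samples():
    """Classify every constructed sample, in order."""
    return [classify(*sample) for sample in SAMPLES]
```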
4.2 result filtering
While analysing the URLs in the scan results, some .svn/entries requests returned 200 but there was a problem with the home page, and some IPs turned out not to be in China. So I wrote a script to request the home page of these URLs and to query the IP address attribution from an IP query website.
4.3 preliminary results
Out of 5.25 million port-80 records there are 6000 results, equivalent to a probability of 1/1000. This does not include the svn versions above 1.6 that were misjudged as described earlier, so this probability is still very high.
A simple analysis of the git leaks: nearly 600 records in total; after removing foreign hosts and those with abnormal home pages, more than 250 remain, almost half of which are on Aliyun IPs. These companies are generally start-ups. There is generally very little SQL injection in this leaked code.
Svn: generally some of the older sites, though this may be because my previous judgment logic was a little flawed. The injection problem is serious.