Shulou(Shulou.com)05/31 Report--

This article introduces you how to conduct code leak analysis in Web security, the content is very detailed, interested friends can refer to, hope to be helpful to you.

Code leaks generally include SVN code leakage and GIT code leakage. For example, when you use SVN to manage local code, a hidden folder called SVN is automatically generated that contains important code information. However, when some developers release the code, they copy the code folder directly to the Web server, which exposes the SVN hidden folder to the public network. Attackers can use this vulnerability to download the code of the website, and then obtain the connection password of the database from the code or analyze new system vulnerabilities through code analysis, and further invade the system.

In addition, a large number of developers use GIT for version control and automatic deployment of the site. If not configured properly, the GIT folder may be deployed directly to the online environment, which leads to the disclosure of GIT files. Attackers can obtain sensitive configuration information (such as mailboxes and databases) directly from the leaked code, or they can further audit the code and exploit security vulnerabilities such as file upload and SQL injection.

Generally speaking, code leakage is caused by developers' lack of security awareness.

Example 1: there is a SVN code leak in a certain station. Open a browser and enter the main domain name / .svn / entries,Web server return information as shown in figure 1.

Figure 1 SVN code leak

As you can see from figure 1, there may be SVN code leaks. Attackers continue to use SVN code disclosure exploitation tools, as shown in figure 2.

Fig. 2 SVN code disclosure utilization tool

We can see that the Web directory structure has come out, as shown in figure 3.

Figure 3 Web directory structure

After a few minutes, the code is downloaded, and you open the index.php file, and you can see that it is the server code rather than the HTML code, as shown in figure 4.

Figure 4 Server code

As you can see from figure 4, there is indeed a SVN code leak here. At this point, attackers can analyze the directory structure of the site, collect sensitive information (such as database link files) or code audit, and try to find vulnerabilities such as SQL injection and file upload to carry out further penetration testing.

Example 2: there is a GIT file leak in a certain station. Open a browser and enter the main domain name / .gitignore of a certain site, and the Web server returns the information shown in figure 5.

Figure 5 download GIT file

Download the GIT file, as shown in figure 6.

Figure 6 GIT file disclosure

As you can see, the contents of the GIT file have actually revealed the directory structure of the code of the Web site. Access the robots.txt file, and the Web server returns the information shown in figure 7.

Figure 7 GIT file disclosure

As you can see from figure 7, there is indeed a GIT file leak here. If you want to download the code for the Web site through the GIT file, you can use the GitHack tool.

On how to conduct Web security code leak analysis is shared here, I hope that the above content can be of some help to you, can learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.