Exploiting publically exposed Version Control System

A presentation at Null Meet Bangalore Chapter in August 2015 in Bengaluru, Karnataka, India by Anant Shrivastava

Slide 1

Slide 1

EXPLOITING VERSION CONTROL SYSTEMS PILLAGING FOR FUN AND PROFIT BY ANANT SHRIVASTAVA

Slide 2

Slide 2

ANANT SHRIVASTAVA Information Security Consultant Admin - Dev - Security null + OWASP + G4H http://anantshri.info and @anantshri Trainer : Blackhat USA, NullCon, g0s, c0c0n, RootConf Speaker : Nullcon, c0c0n, ClubHack, RootConf

Slide 3

Slide 3

WHAT IS VCS Version Control System The hip / developers way of deploying code Supports Auto-Deployment on commit

Slide 4

Slide 4

WHY EXPLOIT Coz its fun Its like a golden ticket Auto-deployment if available makes it more hip.

Slide 5

Slide 5

VCS 101 Type FOLDER GIT .git SVN .svn Mercurial .hg

Slide 6

Slide 6

PREDICATABLE FILES .git/HEAD .hg/requires .bzr/README

Slide 7

Slide 7

ROBOTS.TXT OF VCS .gitignore

Slide 8

Slide 8

TOOLS 1. SVN-extractor (Only SVN) (on top coz i wrote it) 2. DVCS-pillage (lacks SVN support) 3. dvcs-ripper (alternative implementation covers svn too)

Slide 9

Slide 9

DEMO TIME NOTE: ALL DEMO’s are prepared while in sleep deprived state.

Slide 10

Slide 10

DIRECTORY LISTING ENABLED

Slide 11

Slide 11

DIRECTORY LISTING DISABLED

Slide 12

Slide 12

SVN

Slide 13

Slide 13

PHEW DEMO DONE

Slide 14

Slide 14

QUICK CHECKS while read p; do echo “Input: “$p echo “CHECK: SVN entries http” curl -I http://$p/.svn/entries echo “CHECK: SVN entries https” curl -k -I https://$p/.svn/entries echo “CHECK: SVN wcdb” curl -I http://$p/.svn/wc.db echo “CHECK: SVN wcdb https” curl -k -I https://$p/.svn/wc.db done<$1

Slide 15

Slide 15

ANY QUESTIONS

Slide 16

Slide 16

ANANT SHRIVASTAVA Information Security Consultant Admin - Dev - Security null + OWASP + G4H http://anantshri.info and @anantshri Trainer : Blackhat USA, NullCon, g0s, c0c0n, RootConf Speaker : Nullcon, c0c0n, ClubHack, RootConf