Technical Insight-True Stories of the TRC-Vulnerabilities-Web Application Security

How I stole source code with Directory Indexing and Git

The keys to the kingdom pretty much always come down to acquiring source code for the web application you’re attacking from a blackbox perspective. This is a quick review of how I was able to get access to a particular client’s application source code using an extremely simple vulnerability: Directory Indexing. Interestingly enough, they also had a .git repository accessible at https://www.[redacted].com/.git/ (although the ‘why’ still baffles me). If you have access to this you also have access to any commits and all logs that may exist in the repo.

The following screenshots are from a recreation of the environment being run locally that I /etc/hosts mapped to http://demo.jkuskos.com. All client information has been redacted.

image1 copy_Kuskos_10.14.14

First, I confirmed that Directory Indexing was enabled. You’ll see why this is great in a moment.

image2 copy_Kuskos_10.14.14

The easiest way to download anything would be with a recursive wget(you simply need to set the flag -r).

wget -r http://demo.jkuskos.com/.git/

image3 copy_Kuskos_10.14.14

Now let’s investigate. With the repository downloaded we can perform git commands on it.

image4 copy_Kuskos_10.14.14

Now that we can see which files exist in the repository, access to them is as simple as checking them out.

git checkout *.php; ls;

image5 copy_Kuskos_10.14.14

This example is clearly simplified; however, the real site allowed me to find several SQL Injections and authorization bypasses that would have been cumbersome to find through dynamic blackbox testing alone. It also allowed me to find several files that would otherwise have been available only if you had the appropriate credential access. These types of flaws are easily found through static code analysis and much harder to find through a dynamic assessment only. As a hacker, turning a blackbox penetration test into a whitebox penetration test is always a victory.

  • https://facebook.com/profile.php?id=1273074160 Michael Crook

    inurl:.git “intitle:index.of

    :3