SVN Extractor for Web Pentesters

Many a times web application pen-testers are encountered with the presence of .svn folders. For those not aware .svn folder is used by SVN version control system to perform its operations. For a blackbox pentester this folder contains huge amount of information.

1) Uncover hidden files and folder names

2) Access the source code of the files.

3) download files even if the restrictions are in place at htaccess.

How this could be achieved.

1) Uncover hidden files and folder names

There are two ways in which this can be achieved based on the version of SVN in use.

for <1.6 we had .svn/entries files which contained list of files / folders as well as usernames used for commiting those files.

for >1.6 we have .svn/wc.db which contains simmilar data but in a sqlite3 format.

Those files could be directly accessible through url.

2) Access the source code / download files even if htaccess blocks its access.

SVN keeps a backup copy of all files in two seperate locations.

1) .svn/text-base/“filename”.svn-base

2) .svn/pristine/“XX”/“CHECKSUM”.svn-base

where

filename is actual name of file.

CHECKSUM is Sha1 sum of the file

XX is first two character of CHECKSUM.

first type of entries has one limitations suppose file name is testme.php so path becomes.

.svn/text-base/testme.php.svn-base

a large number of servers will execute the file using php engine and serve the output.

that’s where option 2 shines however this information is available only in case of wc.db (>1.6 SVN version) and this requires that .sv/pristine directory should be web accessible.

However after searching a lot i was not able to find a single code which can do both these things in one go.

so here is a tool which can perform both the operations in one script.

Usage

svn-extractor.py –url “url with .svn available”

Source Link : https://github.com/anantshri/svn-extractor

So far only tested on localhost environments however hoping to get some response on the same.

References

It would be unfair to say that i did all the research myself so here are the links to various resources i used to get the info out.

1) http://pen-testing.sans.org/blog/pen-testing/2012/12/06/all-your-svn-are-belong-to-us (manual technique for wc.db)

2) http://www.adamgotterer.com/post/28125474053/hacking-the-svn-directory-archive (manual technique for .svn/entries)

3) http://www.cirt.net/svnpristine (only automated tool i can find online doing 1/2 of what is in the tool)

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>