Posted: 28-Jun-2015 | Category: Technology | Uploaded by: tmccurry
BACKFiL: BACKup Files Locator
Helping to find files forgotten about on your webserver
Live Presentation at: http://www.youtube.com/watch?v=TMZ_GvRf4oE
Whoami
• Tobias Mccurry
• @lordsaibat
• 10 YR AF Veteran
• Sr. Pentester
• Breaker of web apps
• Discovered XSS zero day in Collabnet software
• NOVA – Hacker member
Agenda
• Web Application methodology – overview
• How do temporary/backup files happen to get on the server?
• What does a backup file look like in the browser?
• What does this tool do?
• How does it fit into your testing?
• Roadmap for the tool
• Success stories
• Compared to other tools
• Where to get it
• How to prevent backup files from getting on the server in the first place
• Best Practice
Web Application Methodology (cont.): Configuration Management Testing
• 4.3.1 SSL/TLS Testing (OWASP-CM-001)
• 4.3.2 DB Listener Testing (OWASP-CM-002)
• 4.3.3 Infrastructure Configuration Management Testing (OWASP-CM-003)
• 4.3.4 Application Configuration Management Testing (OWASP-CM-004)
• 4.3.5 Testing for File Extensions Handling (OWASP-CM-005)
• 4.3.6 Old, Backup and Unreferenced Files (OWASP-CM-006)
• 4.3.7 Infrastructure and Application Admin Interfaces (OWASP-CM-007)
• 4.3.8 Testing for HTTP Methods and XST (OWASP-CM-008)
Web Application Methodology (cont.): 4.3.5 Testing for File Extensions Handling (OWASP-CM-005)
• “An important source of vulnerability lies in files which have nothing to do with the application, but are created as a consequence of editing application files, or after creating on-the-fly backup copies, or by leaving in the web tree old files or unreferenced files. Performing in-place editing or other administrative actions on production web servers may inadvertently leave, as a consequence, backup copies (either generated automatically by the editor while editing files, or by the administrator who is zipping a set of files to create a backup).”
• Suggested test (the shell script from the OWASP guide: it reads one path per line on stdin, requests each one and prints the first line of the response, i.e. the status line):

    #!/bin/bash
    # Host and port to test; every line read from stdin is treated as a path.
    server=www.targetapp.com
    port=80
    while read url
    do
      echo -ne "$url\t"
      # Send a raw HTTP/1.0 request with netcat and keep only the status line.
      echo -e "GET /$url HTTP/1.0\nHost: $server\n" | netcat "$server" "$port" | head -1
    done | tee outputfile
Results from OWASP Suggestion
• Input a URL on the terminal
  – The program will let you know if a file is found.
• Problems
  – You have to monitor it and input every file you can think of.
How do temporary/backup files happen to get on the server?
• An administrator logs in to a server to edit a web file using nano.
  – Nano will create temporary files with the .save extension.
  – The administrator logs out and nano leaves the .save file behind.
  – An attacker comes along and discovers the <file>.save file.
How do temporary/backup files happen to get on the server?
• Well, what about Windows?
  – The administrator edits the file and then uploads all the files in the directory.
  • The .BAK file(s) are copied with the other files.
What does a backup file look like in the browser?
The file shows up differently even though it is still the same file. The point is the attacker gains more knowledge about the application.
What does this tool do?
• Takes a list of URLs found during spidering, and iterates a list of 502 different extensions on every URL found.
• Will dump the output to an HTML result file or straight to the command line.
• Ability to test a single URL or a list of URLs.
How to export URLs the easy way
• Spider the site in Burp.
  – Click on: Target tab, Site map.
  – Right click on the site, Copy URLs in this host.
How does it fit into your testing?
• To expand the testing surface, spider the site while authenticated.
• After spidering the site, export the URLs found and dump them into a text file.
• Fire off the tool and review the results.
Roadmap
• Future functionality:
  – Multi-threading
  – Intelligence on found files
  – Rules behavior
  – Exception handling
  – Timing options
  – Burp plugin
  – Metasploit
Roadmap - Rules
• Add an extension
• Change the first letter of the file name
• Adding dates
  – Before name
  – After name
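A worked version of the tool's core loop, added here as an example rather than taken from BACKFiL itself: it derives candidate backup names from each spidered URL using the three rule types on this roadmap slide (appended extension, changed first letter, date before or after the name) and checks each candidate with a HEAD request, printing the hits or rendering an HTML table as the "What does this tool do?" slide describes. The short suffix subset, the marker characters used for the first-letter rule, the date formats and the staging host name are assumptions, not the tool's own lists; run it against your own staging copy of a site before release to see what the production web server would be exposing.

```python
"""Candidate-name generation and checking for leftover backup files.

Added example modelled on the slides, not BACKFiL's own code. The three rule
types come from the "Roadmap - Rules" slide; the concrete suffix subset,
first-letter markers, date formats and host names below are assumptions.
"""
import datetime
import html
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Rule 1: appended suffixes (a small subset of the 502 the tool iterates).
SUFFIXES = [".bak", ".save", ".old", ".orig", ".swp", ".zip", "~"]

# Rule 2: "change the first letter" - assumed here to mean swapping the first
# character for a marker that editors and administrators commonly use.
FIRST_CHAR_MARKERS = ["~", "#", "_"]

# Rule 3: date stamps placed before or after the name (formats are assumed).
DATE_FORMATS = ["%Y%m%d", "%Y-%m-%d"]


def candidates(url, today=None):
    """Return the candidate backup URLs derived from one URL, without duplicates."""
    parts = urlsplit(url)
    directory, _, name = parts.path.rpartition("/")
    if not name:  # a directory URL has no file name to mutate
        return []
    today = today or datetime.date.today()
    names = [name + suffix for suffix in SUFFIXES]
    names += [marker + name[1:] for marker in FIRST_CHAR_MARKERS]
    stem, dot, ext = name.partition(".")
    for fmt in DATE_FORMATS:
        stamp = today.strftime(fmt)
        names.append(f"{stamp}_{name}")            # date before the name
        names.append(f"{stem}_{stamp}{dot}{ext}")  # date after the name, extension kept
    out = []
    for n in names:
        cand = urlunsplit((parts.scheme, parts.netloc, f"{directory}/{n}", "", ""))
        if cand not in out:
            out.append(cand)
    return out


def http_status(url, timeout=5):
    """Default fetcher: HEAD request, returning the status code (0 if unreachable)."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError):
        return 0


def find_backups(urls, fetch=http_status, today=None):
    """Probe every candidate of every URL; return {candidate: status} for 2xx answers."""
    hits = {}
    for url in urls:
        for cand in candidates(url, today):
            status = fetch(cand)
            if 200 <= status < 300:
                hits[cand] = status
    return hits


def html_report(hits):
    """Render the hits as a minimal HTML table (the tool's other output mode)."""
    rows = "".join(
        f"<tr><td>{html.escape(u)}</td><td>{s}</td></tr>" for u, s in sorted(hits.items())
    )
    return f"<html><body><table><tr><th>URL</th><th>Status</th></tr>{rows}</table></body></html>"


if __name__ == "__main__":
    # One URL per line on stdin (e.g. the list exported from Burp's site map);
    # "--html" writes the report table instead of tab-separated lines.
    url_list = [line.strip() for line in sys.stdin if line.strip()]
    found = find_backups(url_list)
    if "--html" in sys.argv:
        print(html_report(found))
    else:
        for u, s in sorted(found.items()):
            print(f"{s}\t{u}")
```

The fetcher is injectable so the candidate logic can be exercised without a network; a 2xx on any candidate is a finding, while 403 or 404 answers are simply dropped. Adding the remaining roadmap items (threading, per-file intelligence, timing) is a matter of wrapping `find_backups`, not changing the rules.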
Demo
http://www.youtube.com/watch?v=mzisanSYZeU
Success Stories
• Admin access to a CMS after finding a zip copy of the website.
• Discovered the functionality of an application due to an old file left on the server.
• Discovered a web server backup including the etc/shadow and etc/passwd files.
Compared to other tools
• Wfuzz – designed to brute force web applications: directory discovery, URL encoding, and parameter fuzzing.
• Webscarab – has automated checks for 15 types of backup files.
• WebSlayer – brute force checker. Time consuming.
Where to get it
• GitHub
• https://github.com/lordsaibat/backfil
• Other scripts/tools there soon…..
Best Practices
• Don’t edit files on the production server.
  – File editors are going to write temporary files and they might not remove them.
• Separate the files you intend to copy to the production server from the working directory.
  – Prevents copying all the files to the server except the ones you want to update.
• Do not use Git or SVN in the web directory of the production server.
  – It creates a hidden directory that could be enumerated.
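The leftovers described on the earlier "How do temporary/backup files happen to get on the server?" slides can be caught before they are uploaded. The following Python script is an added example (not part of the BACKFiL project) that walks the directory you are about to copy to production and flags nano .save files, .BAK copies, editor ~ and .swp files, zipped copies of the site and .git/.svn directories, exiting non-zero so a deploy step can refuse to continue; the name patterns are assumptions drawn from the scenarios on those slides.

```python
"""Pre-deployment check for the backup/temporary files the slides warn about.

Added example, not part of BACKFiL. Run it over the directory you are about to
copy to the production server; every hit is a file the web server would
otherwise serve. The name patterns are assumptions drawn from the deck.
"""
import os
import re
import sys

# Matched against the base name of each file or directory, not the full path.
SUSPECT_NAME = re.compile(
    r"(\.(save|bak|old|orig|swp|tmp)$)"   # nano .save, Windows .BAK, editor files
    r"|(~$)"                              # trailing-tilde editor backups
    r"|(^#.*#$)"                          # emacs autosave files
    r"|(^\.(git|svn)$)"                   # VCS metadata directories
    r"|(\.(zip|tar|tgz|tar\.gz)$)",       # archived copies of the site
    re.IGNORECASE,
)


def suspect_paths(root):
    """Return paths under root (relative to root, sorted) that look like leftovers."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            if SUSPECT_NAME.search(d):
                found.append(os.path.relpath(os.path.join(dirpath, d), root))
                dirnames.remove(d)  # flag .git once; no need to descend into it
        for f in filenames:
            if SUSPECT_NAME.search(f):
                found.append(os.path.relpath(os.path.join(dirpath, f), root))
    return sorted(found)


if __name__ == "__main__":
    # Usage: python predeploy_check.py <directory-to-upload>
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    leftovers = suspect_paths(root)
    for p in leftovers:
        print(p)
    sys.exit(1 if leftovers else 0)  # non-zero blocks the deploy step
```

Wire it into the deploy script ahead of the copy step; because it inspects the working directory rather than the live server, it complements a scan with the tool itself, which finds what was already uploaded.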
QA
• Any questions?
Reference Slides
Web Application Methodology
• OWASP - 11 category methodology (v4)
  – 4.1 Introduction and Objectives
  – 4.2 Information Gathering
  – 4.3 Configuration Management Testing
  – 4.4 Business logic testing
  – 4.5 Authentication Testing
  – 4.6 Authorization Testing
  – 4.7 Session Management Testing
  – 4.8 Data Validation Testing
  – 4.9 Testing for Denial of Service
  – 4.10 Web Services Testing
  – 4.11 Ajax Testing
Tools Reference
– Wfuzz
  • https://code.google.com/p/wfuzz/wiki/Howto
– Webscarab
  • https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
– Webslayer
  • https://www.owasp.org/index.php/Category:OWASP_Webslayer_Project
Extensions Tested
!@!$$$---011100b01b11-step20192b999a$vababkabkabkprjacradkaeaaffajaajlamkarcarcarmarzasdashbakashdiscasvasvateavzawbbacbackupbackupbackupdbbak
bakbakbakbakbakbakbakbakbakbakbakbakbak~bazbbbbbbbkbbzbc6bc7bcabckpbcmbdbbdbbdcbdfbffbfsbfwbinbjfbk!bk0bk1bk1bk1bk2bk3bk4bk5bk6bk7
bk8bk9bkcbkfbkibkobkpbksbksbkubkupbkybkzblend1blend2bm3bmrbmsbp0bp1bp2bp3bp4bpbbpnbppbprbpsbpsdbrzbsrbtxbucbudbupbvsbvwbwsbwsbz1camcascbk
cbkcbkcbucdbcdrcedatacigckpcmbcmbcmpcpscpscrashedcrdscrtctfctxctxctzcvtda0da1datbak0dat_mcrdat_olddbedbkdbkdbkdbqdirdiydkbdl_dmddmfdrscandrtdsbdskdskdsk
dssdt6dwtebfebiebkedkegewbexex_fbfbcfbffbkfbufezfifflbfpbffriftmbfwbfxhfzbgb1gbckgbkgbmgbpgcbghoghsgrbgsbagwshbihbkhcbhdbhdkhm4hm~
i5di5siabibakibzicbuichatimaimaimageimgimgimmin0in1inciobitipdipefile extensionfile extensionjafjbkjbkjpajrsjsonjtbackupjwckb2kbbkrtlbklcbldblidllxloaderbackupmbfmbkmbkmbkpmbsb
mbsyncstatembumcgmdbackupmddatamdinfomdomdrmdsmibmkzmonmoz-backupmpbmprmrimgmscxmsczmsnbakmtbmv_mycnabnabnb7nbanbaknbdnbfnbinbunbzncondunfbnfcnhvnpbnpfnpfnr4nrbnrc
nrdnrgnrhnrinrmnrsnrunrwnsdntjnu3nvnv3nvfobob5obakobkobkochoebofboldomgoptorigoriginal_epuboriginal_mobioutovboyxp15p24p2ip2vp3cpalpartimgpartimg.bz2
Extensions Tested (cont.)
partimg.gzpbpbbpbfpbfpbrpcapcdpchdpckpcupcvpcvpd2pd3pd4pd5pmz4pqbpqipreviousprvpsapsb
pscpspautosavepswptbpurgeableqb2013qb2014qbbqbkqbmbqbmdqcnqdbqdf-backupqdkqibqicqmdQuickBooksAutoDataRecoveryquickenbackupr00r02
r03r04r05r06r07r08r09r10r11r12r13r14r15r16r17r18r19r20r21r22r23r24r25r26
r27rarrawrb0rb1rb4rbcrbfrbfrbkrbrrdbre3recrenrgmbrimrmanrmbrmbakromrpkrrrsafe
satsavesavedsbbsbfsbksbuscpsdcsetsidsiksimsisskbsn1sn2sn4snssparsebundlesparseimagespbspi
spssqbssbsspstgsunsv2isvdsvgsvlsvsswcswpsyncdbtb2tbitbktbktbktcstdrtibtigtk2
tlbackuptlytmbtmptmrtofptotalsbackuptpbtrnttbkuasuciudifumbundoutbv2bv2ivbbvbfvbk