Exploiting framework configuration files – Part 2

Example:

Zend I
  • inurl:/application/configs/ intitle:index of
  • inurl:/application/controllers/ intitle:index of
  • filetype:ini “Bootstrap.php” (pass|passwd|password|pwd)
Zend II
  • inurl:/data/cache/ intitle:index of
  • inurl:/module/application/ intitle:index of
Laravel
  • filetype:env intext:mail_host /  “MAIL_PASSWORD” filetype:env
  • de cima procurando por email
  • filetype:env intext:REDIS_PASSWORD
  • por configuração de redis
  • filetype:env intext:”APP_ENV”
  • inurl:readme.md intext:”Laravel” -vendor -github -gitlab -bitbucket -git -node_modules
  • Troca o readme.md por .env
  • filetype:env intext:FACEBOOK_APP_ID
  • filetype:env intext:TWITTER_CONSUMER_KEY
  • filetype:env intext:PUSHER_APP_ID
  • filetype:env intext:MAILGUN_DOMAIN
  • filetype:env intext:GOOGLE_SECRET
Symfony
  • inurl:”databases.yml” ext:yml password -github
  • inurl:”apps/backend/config/” intitle:index of
  • “database_password” filetype:yml “config/parameters.yml”
  • inurl:app/config/ intext:parameters.yml intitle:index.of
  • inurl:storage/logs/ intitle:index of
  • inurl:web/frontend_dev.php -trunk
  • inurl:config/databases.yml -trac -trunk -“Google Code” -source -repository
Codigniter

I did not find possibilities to explore this framework. It have index.html in all its folders and the system files being system, in the case a .php

Kohana
  • inurl:/application/cache intitle:index of
  • inurl:/application/logs intitle:index of
Slim
  • inurl:/log/error.log ext:log
  • inurl:/log/access.log ext:log
Yii I
  • inurl:/protected/data/ intitle:index of
Yii II
  • inurl:/protected/data/ intitle:index of
CakePHP
  • inurl:/cms/config/ intitle:index.of
  • inurl:/cms/logs/ intitle:index.of
  • inurl:/cms/tmp/ intitle:index.of

What can happen?

This failure can cause a simple exposure of personal data as I spoke in this post or start a command of a machine if the attacker has access to the configuration data of a database for example.

At first it seems to be superficial, but depending on the data exposed the company / institution / person can have a great loss on the part of the image and its clients with data exposed either directly or indirectly.

Data types:

    • Expose Data:
      • Personal documents;
      • Confidential documents;
      • Personal Images;
    • Systems
      • System Errors;
      • Access Logs;
      • Action Logs;
      • Temporary files;
    • Configuration Files:
      • Database;
      • SMTP;
      • REDIS;
      • Communication with Facebook;
      • Communication with twitter,
      • Communication with linkedin
      • Communication with github;
      • Communication with Pushs;

Solution

Many think that this responsibility is infrastructure, I would say yes, maybe everyone, does not have a correct answer, as this article is for developers, I will try to pass some tips to developers.

For framework developers.

  • Use system files (.php) to register configuration data;
  • Put empty index.html in all folders just as Codeigniter and WordPress do.

For those who implement the framework.

  • Correctly install the frameworks according to the standards they ask for. Its majority asks to put the root of the system in the public folder, the front of the folders with sensitive files.
  • Use the .htaccess configuration, inserting only “Options -Indexes” in the body of the document, to avoid indexing google and displaying pages without the index (remembering that it does not avoid the attack in its entirety). Link https://stackoverflow.com/questions/2530372/how-do-i-disable-directory-browsing

Conclusion

After exploring the dorks published above, we can see the number of systems that are exposed data, if you ran a scan with all those dorks with a few more variations, I would say that it revolves around thousands with problem.

We can not say that it is a 0day, or system failure, I would say it is an implementation failure of who install the framework on the server.

In spite of saying that it is not system failure, in the case of frameworks, I believe they have responsibilities, mainly for creating and disseminating configuration files that are not read by default as system files, and easy to print.

I could see that most new frameworks and new versions of old frameworks are saving settings to system files, although they always give you the option of putting sensitive data in text files. On the other hand of this action is the laravel and Cakephp that work with env files.

So stay tuned, and then you’ll take the risk?

By: me with contribution by Subsolo Vinícius

Referências:

Leave a Reply

Your email address will not be published. Required fields are marked *