EXPLOITING VERSION
CONTROL SYSTEMS
PILLAGING FOR FUN AND PROFIT
 
BY
ANANT SHRIVASTAVA
ANANT SHRIVASTAVA
Information Security Consultant
Admin - Dev - Security
null + OWASP + G4H
and @anantshri
Trainer : Blackhat USA, NullCon, g0s, c0c0n, RootConf
Speaker : Nullcon, c0c0n, ClubHack, RootConf
http://anantshri.info
       
WHAT IS VCS
Version Control System
The hip / developers' way of deploying code
Supports Auto-Deployment on commit
WHY EXPLOIT
Coz it's fun
It's like a golden ticket
Auto-deployment, if available, makes it even more hip.
VCS 101
Type        Folder
Git         .git
SVN         .svn
Mercurial   .hg
PREDICTABLE FILES
.git/HEAD
.hg/requires
.bzr/README
ROBOTS.TXT OF VCS
.gitignore
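As an added example (not part of the deck, and not one of the tools it lists), here is the defender's side of the predictable-files slide: a pre-deploy gate that walks a web document root and fails if any of those files would be served. The marker list, the function names find_vcs_metadata and make_fixture, and the fixture layout are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the slides: a pre-deployment gate that scans a web
# document root for the predictable VCS files named on the slide. The marker
# list and the fixture layout are assumptions made for this example.

# One marker per VCS, the same files the slides name as predictable, plus
# .gitignore, which hands a reader the layout even when .git itself is blocked.
VCS_MARKERS=".git/HEAD .svn/entries .svn/wc.db .hg/requires .bzr/README .gitignore"

# find_vcs_metadata DOCROOT
# Prints every marker found under DOCROOT (path relative to DOCROOT) and
# returns 1 if any exists, 0 if the tree is clean. Searches at any depth,
# because a vendored library checked out inside the docroot leaks just as well.
find_vcs_metadata() {
    docroot=$1
    found=0
    for m in $VCS_MARKERS; do
        hits=$(cd "$docroot" && find . -path "*/$m" 2>/dev/null | sed 's#^\./##')
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            found=1
        fi
    done
    return $found
}

# make_fixture DIR
# Builds a constructed docroot with a leaked .git at the top and a leaked
# .svn inside a vendored directory, plus one harmless asset.
make_fixture() {
    mkdir -p "$1/.git" "$1/app/vendor/.svn" "$1/img"
    printf 'ref: refs/heads/master\n' > "$1/.git/HEAD"
    : > "$1/app/vendor/.svn/wc.db"
    : > "$1/img/logo.png"
}

# Stand-alone run: scan the docroot given on the command line (default: a
# fresh constructed fixture) and report whether the deploy should be blocked.
if [ "${1:-}" ]; then
    target=$1
else
    target=$(mktemp -d) && make_fixture "$target"
fi
if find_vcs_metadata "$target"; then
    echo "clean: no VCS metadata under $target"
else
    echo "FAIL: VCS metadata exposed under $target" >&2
fi
```

Wire the non-zero exit into the deploy pipeline so a checkout never reaches the server unexamined. The gate is a backstop, not the fix: deploy from an export or build artefact instead of a working copy, and deny /.git, /.svn, /.hg and /.bzr at the web server regardless, since the next deploy may bypass the pipeline.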
TOOLS
1. SVN-extractor (Only SVN) (on top coz I wrote it)
2. DVCS-pillage (lacks SVN support)
3. dvcs-ripper (alternative implementation covers svn too)
DEMO TIME
NOTE: ALL DEMOs were prepared while in a sleep-deprived state.
DIRECTORY LISTING ENABLED
DIRECTORY LISTING DISABLED
SVN
PHEW DEMO DONE
QUICK CHECKS
#!/bin/sh
# Reads one host per line from the file given as $1 and requests the SVN
# metadata files over both http and https. -I fetches headers only;
# -k skips certificate validation so self-signed hosts still answer.
while read -r p; do
  echo "Input: $p"
  echo "CHECK: SVN entries http"
  curl -I "http://$p/.svn/entries"
  echo "CHECK: SVN entries https"
  curl -k -I "https://$p/.svn/entries"
  echo "CHECK: SVN wcdb"
  curl -I "http://$p/.svn/wc.db"
  echo "CHECK: SVN wcdb https"
  curl -k -I "https://$p/.svn/wc.db"
done < "$1"
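The quick-check loop looks only at response headers, so a catch-all route that answers 200 to every path reports every host as exposed. As an added example that is not from the deck, the following function reads a fetched body from stdin and checks it against the signature each metadata file actually carries: a ref line or 40-hex commit id in .git/HEAD, the "SQLite format 3" header of wc.db, a numeric format line at the top of a pre-1.7 entries file, Mercurial requirement names in .hg/requires, and Bazaar's README banner. The function name vcs_fingerprint, the wrapper check_marker and the byte limits are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the slides: confirm that a body fetched from one of
# the quick-check URLs really is VCS metadata, so a catch-all 200 does not
# count as a finding when auditing your own hosts.

# vcs_fingerprint MARKER < body
# MARKER is the path suffix that was requested (e.g. .git/HEAD).
# Returns 0 when the body carries that file's signature, 1 when it does not,
# and 2 for a marker this function knows nothing about.
vcs_fingerprint() {
    marker=$1
    # First 256 bytes are enough for every signature; NULs are dropped
    # because the shell cannot hold them in a variable.
    body=$(head -c 256 | tr -d '\0')
    first=$(printf '%s\n' "$body" | sed -n 1p)
    case $marker in
        .git/HEAD)
            # symbolic ref, or a detached HEAD holding a commit id
            printf '%s' "$first" | grep -Eq '^(ref: refs/|[0-9a-f]{40}$)' ;;
        .svn/wc.db)
            # SQLite database header used by SVN 1.7+ working copies
            printf '%s' "$first" | grep -q '^SQLite format 3' ;;
        .svn/entries)
            # pre-1.7 working copies: first line is the entries format number
            printf '%s' "$first" | grep -Eq '^[0-9]+$' ;;
        .hg/requires)
            # one Mercurial repository requirement per line
            printf '%s\n' "$body" | grep -Eq '^(revlogv1|store|fncache|dotencode|generaldelta)$' ;;
        .bzr/README)
            printf '%s' "$first" | grep -q '^This is a Bazaar control directory' ;;
        *)
            return 2 ;;
    esac
}

# check_marker HOST MARKER
# Fetches https://HOST/MARKER the way the quick-check loop does, but judges
# the body instead of the status line. Assumed wrapper, not from the deck.
check_marker() {
    if curl -sk --max-time 10 "https://$1/$2" | vcs_fingerprint "$2"; then
        echo "$1: $2 confirmed as VCS metadata"
    else
        echo "$1: $2 not confirmed"
    fi
}
```

Feed check_marker the same host list the loop above reads, one call per marker, and only confirmed bodies need a ticket; everything else was the web server being polite. Confirmed hits go to the same fix as before: serve an export, not a checkout, and block the dot-directories at the server.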
ANY QUESTIONS

Exploiting publically exposed Version Control System