Saturday, April 09, 2005

Grabbing script source files from a server

Let's say you go to a site and see that it is run by some scripting language like PHP, Perl, ASP, etc. Now, whenever you make a request to that site through your browser, the web server is going to execute the script for which the request was made and send you back the results (not the script source file). Simple enough. Now let's see how you can grab the source files from that site.

So, let's assume that the site is run by PHP scripts. The browser makes the initial request, which is served by index.php. Now if you click the hyperlinks (which point back to more PHP files) on that page, the web server is going to execute the scripts and send you back the output. What happens if you append ".bak" to the name of the script file (assuming that there is a backup version of the file in that same directory)? The web server sees a new request and serves out the file without executing it, because it is only configured to execute ".php" files, not ".php.bak" files. What you get back is the actual script source file.

This happens because of the carelessness of the site admin or programmer, who renames the old file to ".bak", ".old", ".php.1" or something similar before replacing that script and then never deletes the backup version. This hack is not an easy one to pull off, because someone might have to try out different filename/file extension combinations before striking gold. The site might not even have backup versions in the first place. (But you will be surprised to know how many high-profile websites just leave the ".bak" files out there.)
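The defensive counterpart to the above is an audit run on the server itself: walk the document root and flag any backup-style copy of a script (the ".bak", ".old", ".php.1" and editor "~" variants) that the web server would serve raw. This is an added example, not code from the original post; the script extension list and the backup suffix pattern are assumptions, and the sample tree is constructed in a temporary directory.

```python
import os
import re
import tempfile

# Extensions the web server hands to an interpreter (assumption: a PHP/ASP/Perl site).
SCRIPT_EXTS = {".php", ".asp", ".pl", ".cgi"}

# Backup-style suffixes named in the post (.bak, .old, .N) plus .orig and the editor "~" convention.
BACKUP_SUFFIX = re.compile(r"^(?P<base>.+?)(?:\.(?:bak|old|orig)|\.\d+|~)$", re.IGNORECASE)


def backup_origin(filename):
    """Return the script this backup-style filename is a copy of, or None.

    'index.php.bak' -> 'index.php'; 'index.php' -> None; 'style.css.bak' -> None
    (only copies of executable scripts leak source when served without execution).
    """
    m = BACKUP_SUFFIX.match(filename)
    if not m:
        return None
    base = m.group("base")
    return base if os.path.splitext(base)[1].lower() in SCRIPT_EXTS else None


def find_leftover_backups(webroot):
    """Walk a document root and list backup copies of scripts, as paths relative to it."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if backup_origin(name):
                rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def build_demo_webroot():
    """Constructed sample tree: live scripts plus the careless leftovers the post describes."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "admin"))
    for rel in ["index.php", "index.php.bak", "login.php.1", "admin/users.asp",
                "admin/users.asp.old", "style.css.bak", "notes.txt~", "menu.php~"]:
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php /* constructed placeholder */ ?>\n")
    return root


if __name__ == "__main__":
    for hit in find_leftover_backups(build_demo_webroot()):
        print("leftover script backup:", hit)
```

Anything the audit reports should be deleted or moved outside the document root; a web server rule that refuses to serve those suffixes is a second line of defence, not a substitute.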

Is this the only possible way to grab script files like .asp files from a server? I see that software like Grab-a-site, etc. can grab whole websites, but not the scripts. It would be interesting to find out whether there really are no other ways to download the source. I mean, why else do the security companies keep saying the .asp files should be encrypted? If there is no way to download a script file unless there is a .bak etc. file left, there should not be any reason to encrypt these files either...

This is just one way to get the source files from a server. If an attacker breaks into the server, by using a buffer exploit or some application-level vulnerability, then s/he can also grab files from the server. An attacker can also brute force the password of a site and gain access to the file system. The method that I pointed out is a non-intrusive way to get the source files. It doesn't involve breaking into the server by any means.

If you encrypt the ASP files on the server then it becomes worthless for someone to download the file because s/he cannot view the contents of the file. The ASP file has to be decrypted by the server to execute it, grab the output and send it back to the browser.

Even if all the ASP pages are encrypted, if the sys-admin or the programmer leaves the unencrypted versions (let's say for debugging purposes) on the filesystem, then it defeats the purpose of encrypting them in the first place.



Copyright Anand Jain 2004, 2005. All rights reserved.