Building a .svn leak environment with Docker (Dockerfile included)

Dockerfile: https://github.com/Hok1/Dockerfile

For deployment instructions, see the README in svnvul.zip.
Original content; please credit the source when reposting.

I. Understanding the vulnerability

1. What is SVN

SVN is a client/server (C/S) version control system with one server and multiple clients.


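2. What is a .svn leak

A .svn leak mainly happens when, once development is finished, the project is put into the web root with a direct svn checkout and the .svn directory is not deleted afterwards. The directory is then reachable from outside, and the development source code can be reconstructed by analysing the .svn structure.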


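II. Vulnerability analysis and remediation

Remediation (the simplest option, not the best one)

Delete the .svn directory under the web directory. Always remember to delete .svn after a checkout.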
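
The remediation above, as an added shell example that is not part of the original post: it finds every .svn directory under a web root, summarises what each one would expose, and removes them. The function names are hypothetical, and the web root path in the usage comment is the one used by the Dockerfile on this page.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Function names are hypothetical.
# Usage after sourcing this file (web root path taken from the Dockerfile):
#   audit_webroot /usr/share/nginx/html || strip_svn_dirs /usr/share/nginx/html

# Print every .svn directory under the given root, one per line.
# Working copies older than SVN 1.7 keep a .svn in each subdirectory,
# so checking only the top level is not enough.
find_svn_dirs() {
    find "$1" -type d -name .svn -prune -print
}

# Number of .svn directories under the given root.
count_svn_dirs() {
    find_svn_dirs "$1" | wc -l | tr -d ' '
}

# One-line summary of what a served .svn directory would expose.
# "pristine" holds unmodified copies of the source files (1.7+ layout).
describe_svn_dir() {
    svn_fmt="unknown layout"
    svn_n=0
    if [ -f "$1/wc.db" ]; then
        svn_fmt="wc.db (SVN 1.7+)"
    elif [ -f "$1/entries" ]; then
        svn_fmt="entries (pre-1.7)"
    fi
    if [ -d "$1/pristine" ]; then
        svn_n=$(find "$1/pristine" -type f | wc -l | tr -d ' ')
    fi
    printf '%s: %s, %s pristine file(s)\n' "$1" "$svn_fmt" "$svn_n"
}

# Deploy gate: list findings; succeed only when no .svn directory exists.
audit_webroot() {
    find_svn_dirs "$1" | while IFS= read -r svn_dir; do
        describe_svn_dir "$svn_dir"
    done
    [ "$(count_svn_dirs "$1")" -eq 0 ]
}

# Remediation from the text: delete every .svn directory under the root.
strip_svn_dirs() {
    find "$1" -type d -name .svn -prune -exec rm -rf -- {} +
}
```
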


III. Reproducing and exploiting the vulnerability (Dockerfile)

1. Dockerfile

FROM fedora

MAINTAINER H0k

RUN yum -y install mariadb-server
# Initialize MySQL
ADD initmysql.sh /root/initmysql.sh
RUN chmod 777 /root/initmysql.sh
RUN /root/initmysql.sh

# Install build dependencies
RUN yum -y install tar bzip2-devel curl-devel freetype-devel gcc libjpeg-devel libpng-devel libxslt-devel libxml2-devel openssl-devel pcre-devel zlib-devel openssl make

RUN groupadd www
RUN useradd -g www -s /sbin/nologin -M www
# Install PHP
ADD php-7.2.8.tar.gz /usr/local/
ADD installphp.sh /root/installphp.sh
RUN chmod 777 /root/installphp.sh
RUN /root/installphp.sh

# Install nginx
RUN yum -y install nginx
RUN rm -f /etc/nginx/nginx.conf
ADD nginx.conf /etc/nginx/nginx.conf

# Place the .svn directory in the web root (the deliberately exposed files)
ADD .svn /usr/share/nginx/html/.svn
RUN chmod 755 /usr/share/nginx/html/.svn/

EXPOSE 80
EXPOSE 3306

2. initmysql.sh

#!/bin/bash

mysql_install_db --user=mysql
sleep 3
mysqld_safe &
sleep 3
mysql -e "use mysql;grant all privileges on *.* to root@'%' identified by 'a1b2c3d4f5' with grant option;flush privileges;"
sleep 3
mysqladmin -u root password 'a1b2c3d4f5'

3. installphp.sh

#!/bin/bash
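# ADD in the Dockerfile already unpacks the tarball into /usr/local/php-7.2.8,
# so extract only if the archive itself is present.
if [ -f /usr/local/php-7.2.8.tar.gz ]; then
    tar -zxf /usr/local/php-7.2.8.tar.gz -C /usr/local
fi
cd /usr/local/php-7.2.8 || exit 1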
./configure --prefix=/usr/local/php \
--with-config-file-path=/usr/local/php/etc \
--enable-fpm --with-fpm-user=www \
--with-fpm-group=www --with-curl --with-freetype-dir \
--with-gd --with-gettext --with-iconv-dir --with-kerberos \
--with-libdir=lib64 --with-libxml-dir --with-mysqli \
--with-openssl --with-pcre-regex --with-pdo-mysql \
--with-pdo-sqlite --with-pear --with-png-dir --with-jpeg-dir \
--with-xmlrpc --with-xsl --with-zlib --with-bz2 --with-mhash \
--enable-bcmath --enable-libxml --enable-inline-optimization \
--enable-mbregex --enable-mbstring --enable-opcache \
--enable-pcntl --enable-shmop --enable-soap \
--enable-sockets --enable-sysvsem --enable-sysvshm \
--enable-xml --enable-zip


sleep 3
make && make install
sleep 3
cp /usr/local/php-7.2.8/php.ini-development /usr/local/php/php.ini
cp /usr/local/php/etc/php-fpm.conf.default /usr/local/php/etc/php-fpm.conf
cp /usr/local/php/etc/php-fpm.d/www.conf.default /usr/local/php/etc/php-fpm.d/www.conf

IV. Exploitation

Once the Docker container is deployed, every file under .svn can be accessed by requesting 127.0.0.1/.svn/<file>.
SVN exploitation tool: https://www.0dayhack.com/post-421.html