Vimattack: How to get someone's database credentials while they are editing config files on a live server
When editing a file in Vim, by default it creates a .swp swap file in the same directory as the file being edited. The swap file holds the state of the buffer, including edits that have been made but not yet written back to the file on disk.
This attack works where all of the following are true:
- An admin user is editing the wp-config.php file (or any other config file) in Vim, using default settings (which save the .swp swap file in the same directory)
- The admin user editing the file has made the changes but hasn't yet saved the changes
- The config file is in /public (or /public_html/, or however you had it set up)
- The web server allows requests to dot files (i.e. a request to theirsite.com/.wp-config.php.swp will download that file)
Let's say you know someone has just bought ANewDomain.com, that they will be installing WordPress soon, and that their favourite text editor is Vim.
(This could apply to other systems and config files, but WordPress is common, and it stores its wp-config.php in the public directory.)
Set up a script to keep downloading http://anewdomain.com/.wp-config.php.swp several times a second.
If someone is currently editing the file on the server in Vim and you download that URL, you will get the swap file.
Once you have that downloaded, just run vim -r .wp-config.php.swp, hit enter at the Vim dialog, and you should see whatever changes they've made to the file.
This isn't really a big deal, but it could be used against someone if you know that they edit files within the public directory (/public, /public_html/ etc.) and that they use Vim without changing the default swap file directory.
I've used WordPress just as an example - the issue itself has absolutely nothing to do with WordPress. It is useful for this example only because WordPress stores its config file (wp-config.php) inside the public directory. It would be much better, security-wise, to keep the config file somewhere else, and to do the following:
- in ~/.vimrc use 'set directory' to change where .swp files are stored (or disable swap files altogether) - see this guide on how to disable or change the swap directory
- don't allow requests for *.swp files (or dotfiles in general) in your web server configuration
- don’t store or edit files in /public/ (or /public_html/, etc)
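The two defensive checks that follow from the scenario above (someone hammering a .wp-config.php.swp URL, and swap files sitting inside the web root) can be automated. The script below is an added example written for this page, not code from the original post: it parses web server access log lines in the common/combined format, flags requests for Vim swap and backup artefacts, groups them per client so a rapid polling loop stands out, and separately walks a web root looking for swap or backup files that should never have been there. The sample log lines and the artefact suffix list are constructed for the example; the log path in the usage note is an assumption.

```python
import re
from pathlib import Path

# Vim swap files are named .<file>.swp (then .swo, .swn, ... when several exist);
# a trailing "~" is a Vim backup file; .bak is a common manual copy.
# This suffix list is constructed for the example and is not exhaustive.
ARTEFACT_RE = re.compile(r"(?:\.sw[a-p]$|~$|\.bak$)", re.IGNORECASE)

# Common/combined log format: ip ident user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines: one client polling the swap file until it is
# served (200), one legitimate client that also tried a backup copy once.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /.wp-config.php.swp HTTP/1.1" 404 162',
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /.wp-config.php.swp HTTP/1.1" 404 162',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /.wp-config.php.swp HTTP/1.1" 200 12288',
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /wp-config.php~ HTTP/1.1" 403 199',
]


def is_artefact_name(name):
    """True if a bare file name looks like a Vim swap/backup artefact."""
    return bool(ARTEFACT_RE.search(name))


def is_swap_probe(path):
    """True if a request path targets a swap/backup artefact (query string ignored)."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1]
    return is_artefact_name(name)


def find_swap_probes(lines):
    """Return one record per log line that requested a swap/backup artefact.

    'served' is True when the server answered 200, i.e. the file was actually
    handed out, which is the case that needs immediate credential rotation.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m or not is_swap_probe(m["path"]):
            continue
        status = int(m["status"])
        hits.append({"ip": m["ip"], "path": m["path"], "status": status,
                     "served": status == 200})
    return hits


def summarize(hits, threshold=2):
    """Group probes by client ip.

    Returns {ip: {"probes": n, "served": bool, "alert": bool}}; 'alert' is set
    when a client either got a file served or exceeded the probe threshold,
    which is what a polling script like the one described above looks like.
    """
    by_ip = {}
    for h in hits:
        entry = by_ip.setdefault(h["ip"], {"probes": 0, "served": False})
        entry["probes"] += 1
        entry["served"] = entry["served"] or h["served"]
    for entry in by_ip.values():
        entry["alert"] = entry["served"] or entry["probes"] >= threshold
    return by_ip


def find_swap_files(root):
    """Walk a web root and return relative paths of swap/backup files on disk.

    rglob('*') includes dotfiles, so .wp-config.php.swp is found.
    """
    root = Path(root)
    return sorted(str(p.relative_to(root))
                  for p in root.rglob("*")
                  if p.is_file() and is_artefact_name(p.name))


if __name__ == "__main__":
    for ip, info in summarize(find_swap_probes(SAMPLE_LOG)).items():
        print(ip, info)
```

To run it over a real log, pass the file object instead of the sample list, e.g. `summarize(find_swap_probes(open("/var/log/nginx/access.log")))` (path assumed), and run `find_swap_files("/var/www/public_html")` from cron or a deploy hook so a swap file left behind by an interrupted edit is noticed. Any client that shows up with `served` set to True has received the buffer contents, so treat the credentials in that file as exposed regardless of whether the edit was ever saved.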