How to open and exploit .DS_Store
What are DS_Store files and why are they needed
.DS_Store files belong to the Apple OS X operating system and store user settings for a folder, such as the list of files, the location of the icons, and the selected background image. The name is short for Desktop Services Store. These files are created and maintained by the Finder application in each folder and have functions similar to the desktop.ini file in Microsoft Windows. Names that begin with a period, including the .DS_Store file, are hidden in Finder and many Unix utilities. The internal structure of these files is proprietary.
.DS_Store files are of interest because they contain a list of files in the current folder. These files can be used in forensic analysis of the local system. Also, these files can be found on a server, for example, if the folder was moved in a ZIP archive from Mac machines.
A .DS_Store file does not leak the contents of the listed files; only their names are revealed.
How to open .DS_Store files
Since the .DS_Store format is proprietary and there are no official utilities for working with these files, reverse engineering was used to analyze the structure of the file and to build several tools that can extract its contents. These tools usually display the names of the files contained in the .DS_Store file successfully, but some .DS_Store files cause errors: the files may be corrupted or have some properties that are not implemented in the analysis tool.
An example program to open .DS_Store is Python-dsstore.
To install Python-dsstore on Linux:
git clone https://github.com/gehaxelt/Python-dsstore
cd Python-dsstore/
Usage:
python3 ./main.py <FILE>
If you do not have Linux, then you can use the .DS_Store online content viewing service. In this service it is enough to upload a file and all the names of the files that are found in it will be displayed. You can rename .DS_Store to any other name if the file with a dot at the beginning is not visible on your system. The file name does not affect the analysis results.
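When a parser stops on a damaged file, name recovery can still be attempted by matching individual records instead of walking the file's block structure. The following is an added example, not code from Python-dsstore or any other tool named on this page; it assumes the record layout given in public reverse-engineering notes (4-byte length, UTF-16BE name, 4-byte structure ID, 4-byte type code), and `carve_names`, `audit_tree`, `make_record` and the sample bytes are constructed for illustration.

```python
import os
import re
import struct

# Record type codes per public reverse-engineering notes (an assumption, not a spec).
KNOWN_TYPES = {b"bool", b"long", b"shor", b"blob", b"ustr", b"type", b"comp", b"dutc"}
STRUCT_ID = re.compile(rb"[A-Za-z0-9 ]{4}")

def carve_names(data):
    """Recover entry names by pattern, without walking the block structure."""
    names = []
    for pos in range(len(data) - 12):
        (n,) = struct.unpack_from(">I", data, pos)  # name length in UTF-16 units
        end = pos + 4 + 2 * n
        if not 1 <= n <= 255 or end + 8 > len(data):
            continue
        kind = data[end + 4:end + 8]
        if not STRUCT_ID.fullmatch(data[end:end + 4]) or kind not in KNOWN_TYPES:
            continue
        try:
            name = data[pos + 4:end].decode("utf-16-be")
        except UnicodeDecodeError:
            continue
        if name.isprintable() and name not in names:
            names.append(name)
    return names

def audit_tree(root):
    """Map each .DS_Store under root (e.g. a web root) to the names it discloses."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        if ".DS_Store" in files:
            path = os.path.join(folder, ".DS_Store")
            with open(path, "rb") as fh:
                report[path] = carve_names(fh.read())
    return report

def make_record(name, struct_id, dtype, payload):
    """Build one constructed record: length, UTF-16BE name, ID, type, data."""
    head = struct.pack(">I", len(name)) + name.encode("utf-16-be")
    return head + struct_id + dtype + payload

# Constructed sample: header magic, three records and a truncated fourth.
BLOB = struct.pack(">I", 16) + bytes(16)
SAMPLE = (b"\x00\x00\x00\x01Bud1" + bytes(24)
          + make_record("backup.sql", b"Iloc", b"blob", BLOB)
          + make_record("config.php.bak", b"Iloc", b"blob", BLOB)
          + make_record("uploads", b"vSrn", b"long", struct.pack(">I", 1))
          + make_record("cut-off-name", b"Iloc", b"blob", BLOB)[:11])
```

Pattern matching can miss entries or report false positives, so treat the result as a list of names to verify. Running `audit_tree` over a deployment directory before upload shows which names each stray .DS_Store would disclose.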
How to search for .DS_Store files
These files can be found using the Nikto scanner, or with typical programs for finding hidden directories and files on sites:
- Gobuster
- Dirbuster
- Dirb
Most importantly, make sure their dictionaries have .DS_Store.
If you want to find .DS_Store files on any servers to try the tools, which will be described later, then you can find many such files on sites on the Internet using Google dorks:
intext:.DS_Store & intitle:index -github
intitle:"index of" intext:".ds_store"
inurl:.DS_Store intitle:index of
inurl:.DS_Store intitle:index.of
To search for these files on GitHub: https://github.com/search?q=.DS_Store&type=Commits
Exploiting Data Leaks through a .DS_Store File
If you tried the dorks given above, then you are already aware that .DS_Store files get from the computers of website developers and media providers into the directories of the web server and become publicly available. In fact, if these files can be found using Google, they are not very useful: in this case the files are located in directories without an index file (index.php, index.htm, index.html) and with permission to view the contents of the directory. That is, even without the .DS_Store file, you can see what the folder contains and download it.
The following tools are primarily useful if you find a .DS_Store file, for example, using Nikto and the directories are closed for viewing. In this case, using .DS_Store and the tools described below, you can download files whose existence was previously unknown.
I will talk about two tools at once, which, using the .DS_Store found on the server, look for other files.
The first such tool is ds_store_exp. It downloads the .DS_Store file, extracts the file names from it, and constructs new links for downloading the mentioned files. When saving files, the directory structure of the remote server is reproduced.
To install ds_store_exp on Linux, do:
git clone https://github.com/lijiejie/ds_store_exp
cd ds_store_exp
sudo pip2 install -r requirements.txt
To analyze which files and directories are referenced in the .DS_Store file located at https://www.digitalrepublik.com/assets/img/.DS_Store:
python2 ./ds_store_exp.py https://www.digitalrepublik.com/assets/img/.DS_Store
To view downloaded files and the structure of detected directories:
tree www.digitalrepublik.com/
In some cases, for example:
sudo python2 ./ds_store_exp.py https://www.le-pam.fr/images/.DS_Store
The program will fail:
[200] https://www.le-pam.fr/images/.DS_Store
[!] Unable to read 1024 bytes in block
The essence of the problem is that it is not possible to read the contents of .DS_Store – either due to the fact that the file is damaged, or due to shortcomings of tools created on the basis of reverse engineering.
The second script is called DS_Store_crawler_parser. It downloads the .DS_Store file and checks the availability of the files mentioned in it, but does not download the files themselves.
To install DS_Store_crawler_parser on Kali Linux:
git clone https://github.com/anantshri/DS_Store_crawler_parser
cd DS_Store_crawler_parser
sudo pip3 install -r requirements.txt
python3 ./dsstore_crawler.py -h
To install DS_Store_crawler_parser in BlackArch:
sudo pacman -S dsstore-crawler
sudo sed -i 's/is not/!=/g' /usr/share/dsstore-crawler/dsstore_crawler.py
To launch the script, you should know about a couple of issues. Firstly, you need to use the -i option:
python3 ./dsstore_crawler.py -i https://www.digitalrepublik.com/assets/img/
Secondly, pay attention to how we specified the URL: for the script to work, specify the URL of the folder where the .DS_Store file is located, not the full path to this file.