Information Disclosure
Lab: Information disclosure in error messages
This lab’s verbose error messages reveal that it is using a vulnerable version of a third-party framework. To solve the lab, obtain and submit the version number of this framework.
Append a single quote to the product id in the query string. The unexpected data type raises an exception and the response contains the full stack trace, which shows that the lab is running Apache Struts 2 2.3.31.
Lab: Information disclosure on debug page
This lab contains a debug page that discloses sensitive information about the application. To solve the lab, obtain and submit the SECRET_KEY environment variable.
The value is right there in an HTML comment. Burp has a built-in feature that finds the comments in the current page:
Target => Site Map => right-click the target => Engagement tools => Find comments

Lab: Source code disclosure via backup files
This lab leaks its source code via backup files in a hidden directory. To solve the lab, identify and submit the database password, which is hard-coded in the leaked source code.
Check the robots.txt file; it points to the hidden directory containing the backup file.
Lab: Authentication bypass via information disclosure
This lab’s administration interface has an authentication bypass vulnerability, but it is impractical to exploit without knowledge of a custom HTTP header used by the front-end.
To solve the lab, obtain the header name then use it to bypass the lab’s authentication. Access the admin interface and delete the user carlos. You can log in to your own account using the following credentials:
wiener:peter
Visit /admin. Access is denied with a message saying only local users may view it. Capture the request in Burp and change the GET method to TRACE.
HTTP TRACE is a diagnostic method. If it is enabled, the web server responds to a TRACE request by echoing back the request exactly as it received it, which is meant for debugging the communication between client and server.

The echoed request contains an X-Custom-Ip-Authorization header whose value is our IP address, so the application is probably using this custom header for some kind of IP-based validation or authorization check.
Combined with the earlier "local users only" message, we add this header to the request with the value 127.0.0.1 and the check is bypassed.
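The trust chain that TRACE exposed, written out as an added example (not code from the write-up or the lab): the front-end stamps X-Custom-Ip-Authorization with the client IP and the back-end grants /admin when it reads 127.0.0.1. It shows the vulnerable back-end check, a front-end that strips any client-supplied copy before setting the header, and a defender check that diffs a TRACE echo against the request actually sent. All header values and the echoed request are constructed.

```python
# Added example, not from the original write-up. It models the trust chain the
# TRACE response exposed: the front-end appends X-Custom-Ip-Authorization with
# the client's IP and the back-end grants /admin when the value is 127.0.0.1.
# All header values and the echoed request below are constructed.
from typing import Dict, List

TRUST_HEADER = "X-Custom-Ip-Authorization"   # header name seen in the lab
LOCAL_ADMIN_IP = "127.0.0.1"

def _lookup(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    return next((v for n, v in headers.items() if n.lower() == name.lower()), "")

def vulnerable_allows_admin(headers: Dict[str, str]) -> bool:
    """Back-end as the lab behaves: trusts whatever value arrives, so a client
    that adds the header itself (in any letter case) gets through."""
    return _lookup(headers, TRUST_HEADER) == LOCAL_ADMIN_IP

def front_end_forward(client_headers: Dict[str, str], peer_ip: str) -> Dict[str, str]:
    """Hardened front-end: strip every client-supplied copy of the trust header,
    then set it from the TCP peer address the front-end actually observed."""
    forwarded = {n: v for n, v in client_headers.items()
                 if n.lower() != TRUST_HEADER.lower()}
    forwarded[TRUST_HEADER] = peer_ip
    return forwarded

def hardened_allows_admin(client_headers: Dict[str, str], peer_ip: str) -> bool:
    """Same back-end check, but only after the front-end has rewritten the header."""
    return vulnerable_allows_admin(front_end_forward(client_headers, peer_ip))

def internal_headers_in_trace(trace_body: str, sent: Dict[str, str]) -> List[str]:
    """Defender check: diff the request echoed by TRACE against what the client
    sent; any extra header was injected by infrastructure and is now disclosed."""
    echoed = {}
    for line in trace_body.splitlines()[1:]:      # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            echoed[name.strip()] = value.strip()
    sent_lower = {n.lower() for n in sent}
    return sorted(n for n in echoed if n.lower() not in sent_lower)

# Constructed TRACE echo: the server reflected our request plus one added header.
SENT = {"Host": "example.invalid", "User-Agent": "demo"}
TRACE_ECHO = ("TRACE /admin HTTP/1.1\r\nHost: example.invalid\r\n"
              "User-Agent: demo\r\nX-Custom-Ip-Authorization: 203.0.113.7\r\n")

if __name__ == "__main__":
    print(internal_headers_in_trace(TRACE_ECHO, SENT))   # ['X-Custom-Ip-Authorization']
    spoofed = {"Host": "example.invalid", "x-custom-ip-authorization": LOCAL_ADMIN_IP}
    print(vulnerable_allows_admin(spoofed), hardened_allows_admin(spoofed, "203.0.113.7"))
```

The fix is on the front-end side: a header that carries trust must be overwritten, never merely appended, and TRACE should be disabled so the internal header is not echoed to clients in the first place.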
Lab: Information disclosure in version control history
This lab discloses sensitive information via its version control history. To solve the lab, obtain the password for the administrator user, then log in and delete the user carlos.
# Recursively download the entire .git directory