Table of Contents
- Information disclosure in error messages
- Information disclosure on debug page
- Source code disclosure via backup files
Information disclosure in error messages
Goal: This lab’s verbose error messages reveal that it is using a vulnerable version of a third-party framework. To solve the lab, obtain and submit the version number of this framework.
With Burp running, I opened one of the product pages. In Burp I sent the GET /product?productId=1 request to Burp Repeater and modified the productId to equal 010030.
GET /product?productId="whatever"
The unexpected data type causes an exception, and a full stack trace is displayed in the response. This reveals that the lab is using Apache Struts 2 2.3.31.
Information disclosure on debug page
The first thing I did was browse to the home page.
- Go to the "Target" > "Site Map" tab. Right-click on the top-level entry for the lab and select "Engagement tools" > "Find comments".
- Notice that the home page contains an HTML comment that contains a link called "Debug". This points to /cgi-bin/phpinfo.php.
- In the site map, right-click on the entry for /cgi-bin/phpinfo.php and select "Send to Repeater".
- In Burp Repeater, send the request to retrieve the file. Notice that it reveals various debugging information, including the SECRET_KEY environment variable.
- Go back to the lab, click "Submit solution", and enter the SECRET_KEY to solve the lab.
Source code disclosure via backup files
- Browse to /robots.txt and notice that it reveals the existence of a /backup directory.
- Browse to /backup to find the file ProductTemplate.java.bak. Alternatively, right-click on the lab in the site map and go to "Engagement tools" > "Discover content", then launch a content discovery session to discover the /backup directory and its contents.
- Browse to /backup/ProductTemplate.java.bak to access the source code.
- In the source code, notice that the connection builder contains the hard-coded password for a Postgres database.
- Go back to the lab, click "Submit solution", and enter the database password to solve the lab.
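A defender-side check for the three disclosure types covered by these labs (stack traces with framework banners, exposed phpinfo/debug output, served backup files), written as an added example rather than code from the labs or from PortSwigger; the indicator labels, regexes and sample response bodies are my own constructions, so tune them to the stack you actually run:

```python
import re
from typing import List, Optional

# Heuristic indicators of information disclosure in an HTTP response body.
# The labels and patterns are assumptions for this example, not a standard list.
INDICATORS = [
    ("stack_trace", re.compile(r"^\s*at [\w$.]+\([\w$]+\.java:\d+\)", re.M)),
    ("framework_version", re.compile(
        r"\b(Apache Struts(?: 2)?|Tomcat|Spring Boot|Django)[ /v]*(\d+(?:\.\d+){1,3})", re.I)),
    ("phpinfo_page", re.compile(r"<title>phpinfo\(\)</title>|\bPHP Version\b")),
    ("secret_in_env", re.compile(
        r"\b(SECRET_KEY|API_KEY|DB_PASSWORD)\b\s*(?:=>|=|:|</td>\s*<td[^>]*>)\s*\S+")),
    ("hardcoded_credential", re.compile(r"\bpassword\s*[=:]\s*[\"'][^\"']+[\"']", re.I)),
]
# Suffixes that editors, deploy scripts and admins leave behind next to live files.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".swp", "~")
# Constructed sample bodies, one per lab on this page (not captured from the labs).
SAMPLES = {
    "error_page": (
        "java.lang.NumberFormatException: For input string: \"whatever\"\n"
        "\tat java.lang.Integer.parseInt(Integer.java:652)\n"
        "\tat com.example.shop.ProductAction.execute(ProductAction.java:41)\n"
        "Apache Struts 2 2.3.31\n"),
    "debug_page": (
        "<html><head><title>phpinfo()</title></head><body>"
        "<tr><td class=\"e\">SECRET_KEY </td><td class=\"v\">constructed-secret </td></tr>"
        "</body></html>"),
    "backup_file": (
        "public class ProductTemplate {\n"
        "  String url = \"jdbc:postgresql://db/shop\";\n"
        "  String password = \"constructed-db-password\";\n}\n"),
}

def find_disclosures(body: str) -> List[str]:
    """Return the label of every indicator that matches the response body."""
    return [label for label, rx in INDICATORS if rx.search(body)]

def framework_version(body: str) -> Optional[str]:
    """Return 'name version' for a leaked framework banner, or None if absent."""
    m = INDICATORS[1][1].search(body)
    return f"{m.group(1)} {m.group(2)}" if m else None

def looks_like_backup(path: str) -> bool:
    """True when a URL path ends with a backup/editor suffix that should never be served."""
    return path.lower().endswith(BACKUP_SUFFIXES)

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, find_disclosures(body), framework_version(body))
    print(looks_like_backup("/backup/ProductTemplate.java.bak"))
```

Run it over real responses from a staging crawl (or wire it into a proxy extension) to flag any page that matches, then fix the root cause: generic error pages, debug endpoints removed from production, and backup suffixes denied in the web server configuration.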