Sensitive information collection

Files that commonly leak sensitive information

robots.txt
index.php~
.index.php.swp
index.php.swp
index.php.bak
.index.php~
index.php.bak_Edietplus
index.php.~
index.php.~1~
index.php
index.php.rar
index.php.zip
index.php.7z
index.php.tar.gz
www.zip
www.rar
www.7z
www.tar.gz
www.tar
web.zip
web.rar
web.7z
web.tar.gz
web.tar
wwwroot.rar
readme.md

Reference source:
https://www.cnblogs.com/Lmg66/p/13598803.html

Git leak

GitHack download and installation address: https://github.com/lijiejie/GitHack

python2 GitHack.py ******.git

Here ****** refers to the website address, i.e. the URL under which the .git directory is exposed.
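The file list above and the Git leak just described are both things a site owner can check for before an attacker does. The following script is an added example (not part of the original post and not GitHack's code): it walks a local document root, flags files whose names match the backup, swap and archive patterns from the list, and reports a version-control directory (.git, .svn, .hg) that has been deployed under the web root. The suffix sets and the sample directory tree are constructed here for illustration.

```python
"""Audit a web root for leftover backup files and an exposed .git directory.

Added example (not from the original post): walks a local document root and
reports the kinds of files the list above describes (editor swap/backup files,
source archives, robots.txt/readme.md) plus a deployed version-control
directory. Patterns and the sample tree are constructed for illustration.
"""
import os
import re
import tempfile

# Suffixes taken from the page's list: editor backups/swap files and archives.
BACKUP_SUFFIXES = (".bak", ".swp", ".swo", "~", ".old", ".orig")
ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z", ".tar", ".tar.gz", ".tgz")
# EditPlus-style "name.ext.bak_<editor>", emacs-style "name.~1~", vim ".name.swp"
SPECIAL_PATTERNS = [
    re.compile(r"\.bak_\w+$"),
    re.compile(r"\.~\d+~$"),
    re.compile(r"^\..*\.swp$"),
]
VCS_DIRS = (".git", ".svn", ".hg")


def classify(name):
    """Return a category string if `name` looks like a leaked artifact, else None."""
    lower = name.lower()
    if lower in ("robots.txt", "readme.md"):
        return "info-file"
    for pat in SPECIAL_PATTERNS:
        if pat.search(name):
            return "backup"
    if lower.endswith(BACKUP_SUFFIXES):
        return "backup"
    if lower.endswith(ARCHIVE_SUFFIXES):
        return "archive"
    return None


def audit_webroot(root):
    """Walk `root` and return sorted (relative_path, category) findings.

    A version-control directory is reported once as 'vcs-dir' and not descended
    into, since everything below it is a leak of the whole repository.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            if d in VCS_DIRS:
                findings.append((os.path.relpath(os.path.join(dirpath, d), root), "vcs-dir"))
                dirnames.remove(d)  # prune: do not walk inside the repository
        for f in filenames:
            cat = classify(f)
            if cat:
                findings.append((os.path.relpath(os.path.join(dirpath, f), root), cat))
    return sorted(findings)


def build_sample_root():
    """Create a constructed sample docroot (demonstration only) and return its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, ".git"))
    os.makedirs(os.path.join(root, "admin"))
    for rel in ("index.php", "index.php.bak", ".index.php.swp", "index.php.~1~",
                "www.zip", "robots.txt", "admin/login.php", "admin/login.php~",
                ".git/HEAD", "style.css"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    sample = build_sample_root()
    for path, cat in audit_webroot(sample):
        print(f"{cat:9s} {path}")
```

Run it against a real deployment directory by replacing build_sample_root() with the document root path; anything it reports as vcs-dir or archive should be removed from the web root, and backups should be written somewhere the web server does not serve.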

WEB-INF/web.xml disclosure

Relevant knowledge points:

WEB-INF is the protected directory of a Java web application: its contents are not served directly to clients, so any file under it that a page needs to reach must be mapped through the web.xml file.

WEB-INF mainly contains the following files and directories:

WEB-INF/web.xml : the web application configuration file; it describes servlets and other application components, their configuration and their naming rules.
WEB-INF/database.properties : database configuration file
WEB-INF/classes/ : generally used to store compiled Java class files (.class)
WEB-INF/lib/ : used to store packaged libraries (.jar)
WEB-INF/src/ : used to hold source code (.asp and .php etc.)

Servlet URL mapping configuration:

Because clients reach resources on the web server through URL addresses, a Servlet that is to be accessible from outside must be mapped to a URL. This is done with the <servlet> and <servlet-mapping> elements in web.xml. The <servlet> element registers a Servlet; its two main sub-elements, <servlet-name> and <servlet-class>, give the Servlet's registration name and its fully qualified class name. The <servlet-mapping> element maps a registered Servlet to an external access path; its two sub-elements, <servlet-name> and <url-pattern>, give the Servlet's registration name and the external path under which it is reached. For example:

<servlet>
    <servlet-name>ServletDemo1</servlet-name>
    <servlet-class>cn.itcast.ServletDemo1</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>ServletDemo1</servlet-name>
    <url-pattern>/ServletDemo1</url-pattern>
</servlet-mapping>

Idea:

Find the web.xml file, infer the path of the compiled class file from its servlet-class entry, download the class file directly, and then decompile it to recover the website's source code.
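To see exactly what a leaked web.xml gives away, the following added example (not code from the original post) parses a web.xml document, pairs each <servlet> registration with its <servlet-mapping>, and derives the location of the compiled class under WEB-INF/classes/ from the servlet-class name, which is the inference the Idea above describes. From the defender's side this is the inventory of code that must be assumed exposed once web.xml is readable. The sample document is constructed here; it reuses the ServletDemo1 entries above and the FlagController entries quoted later in the post, and namespaced web.xml files (the usual xmlns="http://xmlns.jcp.org/xml/ns/javaee" declaration) are handled too.

```python
"""Inventory what a leaked WEB-INF/web.xml reveals.

Added example, not from the original post: parses web.xml, joins <servlet>
registrations to their <servlet-mapping> URL patterns, and maps each
servlet-class to its .class file under WEB-INF/classes/. The sample XML
below is constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

SAMPLE_WEB_XML = """<web-app>
    <servlet>
        <servlet-name>ServletDemo1</servlet-name>
        <servlet-class>cn.itcast.ServletDemo1</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>ServletDemo1</servlet-name>
        <url-pattern>/ServletDemo1</url-pattern>
    </servlet-mapping>
    <servlet>
        <servlet-name>FlagController</servlet-name>
        <servlet-class>com.wm.ctf.FlagController</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>FlagController</servlet-name>
        <url-pattern>/Flag</url-pattern>
    </servlet-mapping>
</web-app>
"""


def _local(tag):
    """Strip a namespace prefix such as '{http://xmlns.jcp.org/xml/ns/javaee}'."""
    return tag.rsplit("}", 1)[-1]


def class_to_path(class_name):
    """Map a fully qualified class name to its file under WEB-INF/classes/."""
    return "WEB-INF/classes/" + class_name.replace(".", "/") + ".class"


def servlet_inventory(web_xml_text):
    """Return one dict per registered servlet: name, class, urls, class_path."""
    root = ET.fromstring(web_xml_text)
    classes = {}   # servlet-name -> servlet-class
    patterns = {}  # servlet-name -> [url-pattern, ...]
    for child in root:
        tag = _local(child.tag)
        fields = {_local(c.tag): (c.text or "").strip() for c in child}
        if tag == "servlet" and "servlet-class" in fields:
            # JSP-backed servlets use <jsp-file> instead and have no class file.
            classes[fields["servlet-name"]] = fields["servlet-class"]
        elif tag == "servlet-mapping":
            urls = [(c.text or "").strip() for c in child if _local(c.tag) == "url-pattern"]
            patterns.setdefault(fields.get("servlet-name"), []).extend(urls)
    return [
        {"name": name, "class": cls, "urls": patterns.get(name, []),
         "class_path": class_to_path(cls)}
        for name, cls in classes.items()
    ]


if __name__ == "__main__":
    for entry in servlet_inventory(SAMPLE_WEB_XML):
        print(f"{', '.join(entry['urls']):15s} -> {entry['class']}  ({entry['class_path']})")
```

Pointing servlet_inventory at a real web.xml lists every servlet whose bytecode should be treated as disclosed; secrets embedded in those classes (as with the base64 string in the challenge) need to be moved out of the code and rotated.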

Examples

From [RoarCTF 2019]Easy Java on buuctf

When I opened the page I found a login box. Trying to log in did not work. After clicking Help, I noticed that the address bar changed to

***/Download?filename=help.docx

This suggests a file download vulnerability.

Try passing WEB-INF/web.xml as the filename parameter:

?filename=WEB-INF/web.xml

This does not work as a GET request. Changing the request method to POST and observing the response in Burp Suite reveals a Flag keyword in it:

<servlet>
    <servlet-name>FlagController</servlet-name>
    <servlet-class>com.wm.ctf.FlagController</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>FlagController</servlet-name>
    <url-pattern>/Flag</url-pattern>
</servlet-mapping>

The way the Servlet is reached through the URL is:
take the path from the URL, find the Servlet registered under that url-pattern in web.xml, and then locate the Servlet's own file from its servlet-class name. Because the Servlet is a compiled class file, the .class suffix must be appended.

Try to download this file, writing out its path from the class name com.wm.ctf.FlagController:

filename=WEB-INF/classes/com/wm/ctf/FlagController.class

The downloaded file contains a base64-encoded string; decoding it gives the flag.
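The root cause in this challenge is that the Download handler joins the user-supplied filename onto the application directory, so WEB-INF/web.xml and the class file under WEB-INF/classes/ can be fetched. The following added example (not the challenge's own code, which is not shown in the post) reproduces that resolution in resolve_unsafe() beside a hardened resolve_safe() that only serves bare file names with an allow-listed extension from a dedicated download directory and then re-checks containment. DOWNLOAD_DIR, WEBAPP_ROOT and ALLOWED_EXTENSIONS are assumed values for the demonstration.

```python
"""Vulnerable vs hardened resolution of a user-supplied download file name.

Added example, not the challenge's own code: resolve_unsafe() shows the
effect the post observes (?filename=WEB-INF/web.xml reads a protected file),
resolve_safe() refuses anything that is not a bare, allow-listed file name
inside the public download directory. All paths are constructed samples.
"""
import posixpath

WEBAPP_ROOT = "/var/www/app"               # assumed deployed application root
DOWNLOAD_DIR = "/var/www/app/downloads"    # assumed public download area
ALLOWED_EXTENSIONS = (".docx", ".pdf", ".txt")


def resolve_unsafe(filename):
    """Vulnerable: joins the raw parameter onto the application root.

    Note that posixpath.join discards the base when the parameter is absolute,
    so '/etc/passwd' resolves outside the application entirely.
    """
    return posixpath.join(WEBAPP_ROOT, filename)


def resolve_safe(filename):
    """Hardened: return the absolute path to serve, or None to refuse the request."""
    if not filename or "\x00" in filename:
        return None
    # Treat backslashes as separators so 'WEB-INF\\web.xml' is not a bare name.
    candidate = filename.replace("\\", "/")
    # Only a bare file name is accepted: no directories, traversal or absolute paths.
    if posixpath.basename(candidate) != candidate or candidate in (".", ".."):
        return None
    if not candidate.lower().endswith(ALLOWED_EXTENSIONS):
        return None
    resolved = posixpath.normpath(posixpath.join(DOWNLOAD_DIR, candidate))
    # Belt and braces: the final path must still lie inside the download directory.
    if not resolved.startswith(DOWNLOAD_DIR + "/"):
        return None
    return resolved


if __name__ == "__main__":
    for name in ("help.docx", "WEB-INF/web.xml",
                 "WEB-INF/classes/com/wm/ctf/FlagController.class", "../../etc/passwd"):
        print(f"{name!r:55s} unsafe={resolve_unsafe(name)!r:45s} safe={resolve_safe(name)!r}")
```

The extension allow-list is what makes the class-file and web.xml requests fail even if a future change relaxes the bare-name rule; keeping both checks means a single mistake does not reopen the WEB-INF disclosure.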

Reference source:
https://www.cnblogs.com/Lmg66/p/13598803.html
https://www.cnblogs.com/karsa/p/13130130.html

Tags: Web Development Web Security

Posted on Fri, 10 Sep 2021 04:31:54 -0400 by pozer69