This lab’s verbose error messages reveal that it is using a vulnerable version of a third-party framework. To solve the lab, obtain and submit the version number of this framework.
Internal Server Error: java.lang.NumberFormatException: For input string: "''"
	at java.base/java.lang.NumberFormatException.forInputString(NumberFormatException.java:67)
	at java.base/java.lang.Integer.parseInt(Integer.java:647)
	at java.base/java.lang.Integer.parseInt(Integer.java:777)
	at lab.r.l.u.o.l(Unknown Source)
	at lab.v.v.t.v.P(Unknown Source)
	at lab.v.v.b.e.m.O(Unknown Source)
	at lab.v.v.b.a.lambda$handleSubRequest$0(Unknown Source)
	at q.x.y.y.lambda$null$3(Unknown Source)
	at q.x.y.y.H(Unknown Source)
	at q.x.y.y.lambda$uncheckedFunction$4(Unknown Source)
	at java.base/java.util.Optional.map(Optional.java:260)
	at lab.v.v.b.a.N(Unknown Source)
	at lab.server.d.s.m.z(Unknown Source)
	at lab.v.v.v.S(Unknown Source)
	at lab.v.v.v.z(Unknown Source)
	at lab.server.d.s.q.p.V(Unknown Source)
	at lab.server.d.s.q.u.lambda$handle$0(Unknown Source)
	at lab.r.i.m.r.P(Unknown Source)
	at lab.server.d.s.q.u.X(Unknown Source)
	at lab.server.d.s.k.l(Unknown Source)
	at q.x.y.y.lambda$null$3(Unknown Source)
	at q.x.y.y.H(Unknown Source)
	at q.x.y.y.lambda$uncheckedFunction$4(Unknown Source)
	at lab.server.g9.z(Unknown Source)
	at lab.server.d.s.k.s(Unknown Source)
	at lab.server.d.c.f.A(Unknown Source)
	at lab.server.d.j.r(Unknown Source)
	at lab.server.d.o.r(Unknown Source)
	at lab.server.gf.G(Unknown Source)
	at lab.server.gf.c(Unknown Source)
	at lab.u.z.lambda$consume$0(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
	at java.base/java.lang.Thread.run(Thread.java:1583)
Apache Struts 2 2.3.31
2.2 Lab: Information disclosure on debug page
This lab contains a debug page that discloses sensitive information about the application. To solve the lab, obtain and submit the SECRET_KEY environment variable.
Looking at the page source, I found the following:
<!-- <a href=/cgi-bin/phpinfo.php>Debug</a> -->
Visiting that page shows the value of the SECRET_KEY environment variable.
2.3 Lab: Source code disclosure via backup files
This lab leaks its source code via backup files in a hidden directory. To solve the lab, identify and submit the database password, which is hard-coded in the leaked source code.
2.4 Lab: Authentication bypass via information disclosure
This lab’s administration interface has an authentication bypass vulnerability, but it is impractical to exploit without knowledge of a custom HTTP header used by the front-end.
To solve the lab, obtain the header name then use it to bypass the lab’s authentication. Access the admin interface and delete the user carlos.
You can log in to your own account using the following credentials: wiener:peter
Visiting /admin directly returns Admin interface only available to local users. I tried adding the HTTP header X-Forwarded-For: 127.0.0.1, but got the same response, so I went and looked at the answer :-D
So, changing the request back to GET and adding X-Custom-Ip-Authorization: 127.0.0.1 bypasses the authentication. Now Burp Suite needs to be configured to add the new header to every HTTP request automatically. The steps are:
Click Proxy -> Options -> Match and Replace
Click Add to create a rule
Set Type to Request header, leave Match empty, and enter the header name and value to add in Replace
After that, the /admin page can be opened in Burp's browser. In Burp's HTTP history the original request is shown by default; to see the modified request, switch from Original request to Auto-modified request.
2.5 Lab: Information disclosure in version control history
This lab discloses sensitive information via its version control history. To solve the lab, obtain the password for the administrator user then log in and delete the user carlos.
Following the hint, I tried /.git and found Git-related files present.
Requesting /.git/COMMIT_EDITMSG returns Remove admin password from config, so the previous commit should show the password.
$ git log
commit 24149ac70173daf569a481330fe551a9ba3a1ef3 (HEAD -> master)
Author: Carlos Montoya <carlos@carlos-montoya.net>
Date:   Tue Jun 23 14:05:07 2020 +0000

    Remove admin password from config

commit 8a84f2fa87e4b0442384cda3f5981336928f6228
Author: Carlos Montoya <carlos@carlos-montoya.net>
Date:   Mon Jun 22 16:23:42 2020 +0000

    Add skeleton admin panel
$ git checkout 8a84f2fa87e4b0442384cda3f5981336928f6228
D	admin_panel.php
Note: switching to '8a84f2fa87e4b0442384cda3f5981336928f6228'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:

  git switch -c <new-branch-name>

Or undo this operation with:

  git switch -

Turn off this advice by setting config variable advice.detachedHead to false

HEAD is now at 8a84f2f Add skeleton admin panel
$ ls
admin.conf
$ cat admin.conf
ADMIN_PASSWORD=7v1k8nlcholroagw32p0
Then I tried logging in as admin and got Invalid username or password; changing the username to administrator worked.
0x03. Summary
Triggering an exception may return the corresponding call stack, which can leak sensitive information
Page source may contain sensitive information in comments
Try scanning for directories with a wordlist
If .git is found, download it with wget -r and analyse it locally
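An added example, not from the lab or the original post: it builds a throwaway repository that repeats the lab's pattern (commit a config file containing a password, then "remove" it in a later commit) and scans the whole history for added lines matching PASSWORD=, showing why a removal commit alone does not protect the secret and how to check your own repositories for this before they ship. The repository path, commit messages and placeholder password are all constructed.

```shell
#!/bin/sh
# Constructed demo repo (not the lab's): a password is committed, then removed
# in a second commit, exactly the history shape seen in the lab.
make_demo_repo() {
  dir=$(mktemp -d)
  git init -q "$dir"
  echo 'ADMIN_PASSWORD=constructed-placeholder' > "$dir/admin.conf"
  git -C "$dir" add admin.conf
  git -C "$dir" -c user.name=demo -c user.email=demo@example.com \
    commit -q -m 'Add skeleton admin panel'
  git -C "$dir" rm -q admin.conf
  git -C "$dir" -c user.name=demo -c user.email=demo@example.com \
    commit -q -m 'Remove admin password from config'
  printf '%s\n' "$dir"
}

# Walk every commit on every branch and print "<short-hash>:<line>" for each
# added ("+") diff line that matches the pattern (default PASSWORD=).
# The current checkout may be clean; the history still holds the secret.
scan_history_for_secrets() {
  repo=$1
  pattern=${2:-PASSWORD=}
  git -C "$repo" log --all -p --format='commit %h' \
    | awk -v pat="$pattern" '
        /^commit / { c = $2; next }
        /^\+/ && $0 !~ /^\+\+\+/ && $0 ~ pat { print c ":" substr($0, 2) }'
}

if [ "${0##*/}" = "git_history_scan.sh" ]; then
  repo=$(make_demo_repo)
  echo "Working tree has admin.conf? $( [ -f "$repo/admin.conf" ] && echo yes || echo no )"
  echo "Secrets still present in history:"
  scan_history_for_secrets "$repo"
fi
```

Run `scan_history_for_secrets /path/to/repo` against a checkout of your own project; any hit means the value must be rotated, not merely deleted from the tip commit.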
HTTP TRACE 方法
The HTTP TRACE method is used for diagnostic purposes. It allows the client to see what is being received at the other end of the request chain and to use that information for testing or debugging. When a TRACE request is sent, the server echoes back the received request, so the client can see any changes or additions made by intermediate servers.