Vulinbox (Sensitive Information and Sensitive File Leakage)

Items one and two: just access them directly.

Exposing Swagger lets every API endpoint and its parameters be seen at a glance.

Swagger UI leak

The page appears blank, so we can use a tool to scan for directories:

```bash
dirsearch -u "http://192.168.17.1:8787/swagger/" -w test.txt
```

Then just access it directly.

Git file leak

Likewise, use dirsearch to scan the git directory:

```bash
dirsearch -u "http://192.168.17.1:8787/git/website/"
```

Result:

```text
[17:28:25] 200 -  137B  - /git/website/.git/config
[17:28:25] 500 -  515B  - /git/website/.git/logs/refs/remotes/origin/HEAD
[17:28:25] 200 -  289B  - /git/website/.git/index
[17:28:25] 200 -  822B  - /git/website/.git/logs/HEAD
[17:28:25] 200 -    2KB - /git/website/.git/hooks/pre-commit.sample
[17:28:25] 200 -  478B  - /git/website/.git/hooks/applypatch-msg.sample
[17:28:25] 500 -  505B  - /git/website/.git/refs/remotes/origin/HEAD
[17:28:25] 500 -  457B  - /git/website/.git/
[17:28:25] 500 -  469B  - /git/website/.git/hooks/
[17:28:25] 200 -  189B  - /git/website/.git/hooks/post-update.sample
[17:28:25] 200 -    5KB - /git/website/.git/hooks/pre-rebase.sample
[17:28:25] 200 -  424B  - /git/website/.git/hooks/pre-applypatch.sample
[17:28:25] 200 -   41B  - /git/website/.git/refs/heads/master
[17:28:25] 200 -   73B  - /git/website/.git/description
[17:28:25] 200 -    1KB - /git/website/.git/hooks/pre-push.sample
[17:28:25] 200 -  300B  - /git/website/.git/logs/refs/heads/master
[17:28:25] 200 -   23B  - /git/website/.git/HEAD
[17:28:25] 200 -    1KB - /git/website/.git/hooks/prepare-commit-msg.sample
[17:28:25] 500 -  477B  - /git/website/.git/refs/stash
[17:28:25] 200 -  896B  - /git/website/.git/hooks/commit-msg.sample
[17:28:25] 200 -    4KB - /git/website/.git/hooks/update.sample
[17:28:25] 500 -  473B  - /git/website/.git/objects/
[17:28:25] 500 -  483B  - /git/website/.git/objects/info/
[17:28:25] 500 -  483B  - /git/website/.git/objects/pack/
[17:28:25] 500 -  467B  - /git/website/.git/info/
[17:28:25] 200 -  240B  - /git/website/.git/info/exclude
[17:28:25] 500 -  475B  - /git/website/.git/info/refs
[17:28:25] 500 -  475B  - /git/website/.git/ORIG_HEAD
[17:28:25] 200 -   12B  - /git/website/.git/COMMIT_EDITMSG
[17:28:25] 500 -  483B  - /git/website/.git/NOTES_EDITMSG
[17:28:25] 500 -  475B  - /git/website/.gitattributes
[17:28:25] 500 -  469B  - /git/website/.gitmodules
[17:28:25] 500 -  479B  - /git/website/.git-credentials
[17:28:25] 500 -  459B  - /git/website/.gitsh
[17:28:25] 500 -  457B  - /git/website/.svn/
[17:28:25] 500 -  455B  - /git/website/.hg/
[17:28:25] 500 -  457B  - /git/website/.gitk
[17:28:25] 500 -  467B  - /git/website/.gitignore
```

The exposed git directory can then be downloaded with GitHack.
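Before acting on a scan like the one above, it helps to read the result lines mechanically: which of the `.git` files that actually matter answered 200, and whether their sizes look like real git metadata rather than a catch-all page that returns 200 for everything. The script below is an added example, not part of the original post or of dirsearch; it parses a subset of the output lines shown on this page (the regular expression and the size-plausibility rules are my own assumptions about the format).

```python
import re
from typing import Dict, List

# Constructed sample: a subset of the dirsearch result lines shown on this page.
SAMPLE_OUTPUT = """\
[17:28:25] 200 -  137B  - /git/website/.git/config
[17:28:25] 500 -  457B  - /git/website/.git/
[17:28:25] 200 -  289B  - /git/website/.git/index
[17:28:25] 200 -  822B  - /git/website/.git/logs/HEAD
[17:28:25] 200 -   41B  - /git/website/.git/refs/heads/master
[17:28:25] 200 -   23B  - /git/website/.git/HEAD
[17:28:25] 500 -  473B  - /git/website/.git/objects/
"""

# Assumed line layout: "[HH:MM:SS] <status> - <size><unit> - <path>".
LINE_RE = re.compile(r"^\[\d{2}:\d{2}:\d{2}\]\s+(\d{3})\s+-\s+(\d+)(B|KB|MB)\s+-\s+(\S+)$")
UNIT = {"B": 1, "KB": 1024, "MB": 1024 * 1024}

# Files whose readability means the repository history can be reconstructed.
CRITICAL = ("HEAD", "config", "index", "refs/heads/master", "logs/HEAD")


def parse_dirsearch(text: str) -> List[dict]:
    """Turn dirsearch result lines into records with status, byte size and path."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            status, size, unit, path = m.groups()
            records.append({"status": int(status), "size": int(size) * UNIT[unit], "path": path})
    return records


def assess_git_exposure(text: str) -> Dict[str, object]:
    """Report which critical .git files answered 200 and whether the bodies look like git metadata."""
    exposed = {}
    for r in parse_dirsearch(text):
        if r["status"] != 200 or "/.git/" not in r["path"]:
            continue
        rel = r["path"].split("/.git/", 1)[1]
        if rel in CRITICAL:
            exposed[rel] = r["size"]
    # A catch-all 200 page returns the same size for every path; genuine git metadata has
    # characteristic sizes: HEAD is "ref: refs/heads/master\n" (23 bytes) and a loose ref
    # is a 40-hex SHA-1 plus newline (41 bytes), both matching the scan on this page.
    plausible = exposed.get("HEAD") == 23 and exposed.get("refs/heads/master") == 41
    distinct_sizes = len(set(exposed.values())) == len(exposed)
    return {
        "exposed": sorted(exposed),
        "repo_readable": "HEAD" in exposed and "refs/heads/master" in exposed,
        "looks_genuine": plausible and distinct_sizes,
    }
```

Note that the 500 on `/.git/objects/` only means directory listing is refused; it does not protect the files under it, so the fix on the server side is to deny the entire `/.git` prefix (and to keep the repository out of the web root altogether), not just the directory index.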
