Vulinbox(敏感信息与敏感文件泄露)

一二直接访问即可

Swagger暴露会导致接口参数一览无余

swagger UI泄露

观察到页面为空,可以借助工具对目录进行扫码

bash 复制代码
dirsearch -u "http://192.168.17.1:8787/swagger/" -w test.txt

直接访问即可

git文件泄露

同样的借助dirsearch对git目录进行扫描

bash 复制代码
dirsearch -u "http://192.168.17.1:8787/git/website/"
result 复制代码
[17:28:25] 200 -  137B  - /git/website/.git/config
[17:28:25] 500 -  515B  - /git/website/.git/logs/refs/remotes/origin/HEAD
[17:28:25] 200 -  289B  - /git/website/.git/index
[17:28:25] 200 -  822B  - /git/website/.git/logs/HEAD
[17:28:25] 200 -    2KB - /git/website/.git/hooks/pre-commit.sample
[17:28:25] 200 -  478B  - /git/website/.git/hooks/applypatch-msg.sample
[17:28:25] 500 -  505B  - /git/website/.git/refs/remotes/origin/HEAD
[17:28:25] 500 -  457B  - /git/website/.git/
[17:28:25] 500 -  469B  - /git/website/.git/hooks/
[17:28:25] 200 -  189B  - /git/website/.git/hooks/post-update.sample
[17:28:25] 200 -    5KB - /git/website/.git/hooks/pre-rebase.sample
[17:28:25] 200 -  424B  - /git/website/.git/hooks/pre-applypatch.sample
[17:28:25] 200 -   41B  - /git/website/.git/refs/heads/master
[17:28:25] 200 -   73B  - /git/website/.git/description
[17:28:25] 200 -    1KB - /git/website/.git/hooks/pre-push.sample
[17:28:25] 200 -  300B  - /git/website/.git/logs/refs/heads/master
[17:28:25] 200 -   23B  - /git/website/.git/HEAD
[17:28:25] 200 -    1KB - /git/website/.git/hooks/prepare-commit-msg.sample
[17:28:25] 500 -  477B  - /git/website/.git/refs/stash
[17:28:25] 200 -  896B  - /git/website/.git/hooks/commit-msg.sample
[17:28:25] 200 -    4KB - /git/website/.git/hooks/update.sample
[17:28:25] 500 -  473B  - /git/website/.git/objects/
[17:28:25] 500 -  483B  - /git/website/.git/objects/info/
[17:28:25] 500 -  483B  - /git/website/.git/objects/pack/
[17:28:25] 500 -  467B  - /git/website/.git/info/
[17:28:25] 200 -  240B  - /git/website/.git/info/exclude
[17:28:25] 500 -  475B  - /git/website/.git/info/refs
[17:28:25] 500 -  475B  - /git/website/.git/ORIG_HEAD
[17:28:25] 200 -   12B  - /git/website/.git/COMMIT_EDITMSG
[17:28:25] 500 -  483B  - /git/website/.git/NOTES_EDITMSG
[17:28:25] 500 -  475B  - /git/website/.gitattributes
[17:28:25] 500 -  469B  - /git/website/.gitmodules
[17:28:25] 500 -  479B  - /git/website/.git-credentials
[17:28:25] 500 -  459B  - /git/website/.gitsh
[17:28:25] 500 -  457B  - /git/website/.svn/
[17:28:25] 500 -  455B  - /git/website/.hg/
[17:28:25] 500 -  457B  - /git/website/.gitk
[17:28:25] 500 -  467B  - /git/website/.gitignore

可以使用githack对git目录下载

相关推荐
风控PM说2 小时前
入门第二课:业务催生风险,常见的业务风险有哪些?
安全
独守一片天17 小时前
HarmonyOS 6.1.0 Call Service 来电识别与安全通信怎么设计?
安全·华为·harmonyos
想你依然心痛19 小时前
嵌入式C代码规范:MISRA-C 2012核心规则解读——类型安全与未定义行为深度剖析
c语言·安全·代码规范
Elastic 中国社区官方博客20 小时前
跟踪资金流向:使用 ES|QL 和跨集群搜索追踪洗钱网络
大数据·人工智能·安全·elasticsearch·搜索引擎·金融·全文检索
IT新视界21 小时前
数据要素安全流通服务
安全
微信开发api-视频号协议1 天前
Codex++安全边界探秘:从模型能力到风险防御
前端·安全·微信·企业微信
枝头玉1 天前
新160个CrackMe048-monkeycrackme1、049-THraw-crackme8、050-daxxor逆向分析
安全·逆向·crackme·reserve
维基框架1 天前
Claude Mythos Preview 发布后严重漏洞激增:安全还是营销?
人工智能·安全
技术不好的崎鸣同学1 天前
[MRCTF2020]PYWebsite 思路及解法
安全·web安全
seven_stars_1 天前
CVE-2012-1823漏洞复现
安全·靶场·kali