Vulinbox (Sensitive Information and Sensitive File Leakage)

The first two items can be accessed directly.

An exposed Swagger endpoint lays out every API route and its parameters at a glance.

Swagger UI leak

The page itself is blank, so a tool can be used to scan the directory.

```bash
dirsearch -u "http://192.168.17.1:8787/swagger/" -w test.txt
```

The discovered path can then be accessed directly.

Git file leak

In the same way, use dirsearch to scan the git directory.

```bash
dirsearch -u "http://192.168.17.1:8787/git/website/"
```

Result:

```text
[17:28:25] 200 -  137B  - /git/website/.git/config
[17:28:25] 500 -  515B  - /git/website/.git/logs/refs/remotes/origin/HEAD
[17:28:25] 200 -  289B  - /git/website/.git/index
[17:28:25] 200 -  822B  - /git/website/.git/logs/HEAD
[17:28:25] 200 -    2KB - /git/website/.git/hooks/pre-commit.sample
[17:28:25] 200 -  478B  - /git/website/.git/hooks/applypatch-msg.sample
[17:28:25] 500 -  505B  - /git/website/.git/refs/remotes/origin/HEAD
[17:28:25] 500 -  457B  - /git/website/.git/
[17:28:25] 500 -  469B  - /git/website/.git/hooks/
[17:28:25] 200 -  189B  - /git/website/.git/hooks/post-update.sample
[17:28:25] 200 -    5KB - /git/website/.git/hooks/pre-rebase.sample
[17:28:25] 200 -  424B  - /git/website/.git/hooks/pre-applypatch.sample
[17:28:25] 200 -   41B  - /git/website/.git/refs/heads/master
[17:28:25] 200 -   73B  - /git/website/.git/description
[17:28:25] 200 -    1KB - /git/website/.git/hooks/pre-push.sample
[17:28:25] 200 -  300B  - /git/website/.git/logs/refs/heads/master
[17:28:25] 200 -   23B  - /git/website/.git/HEAD
[17:28:25] 200 -    1KB - /git/website/.git/hooks/prepare-commit-msg.sample
[17:28:25] 500 -  477B  - /git/website/.git/refs/stash
[17:28:25] 200 -  896B  - /git/website/.git/hooks/commit-msg.sample
[17:28:25] 200 -    4KB - /git/website/.git/hooks/update.sample
[17:28:25] 500 -  473B  - /git/website/.git/objects/
[17:28:25] 500 -  483B  - /git/website/.git/objects/info/
[17:28:25] 500 -  483B  - /git/website/.git/objects/pack/
[17:28:25] 500 -  467B  - /git/website/.git/info/
[17:28:25] 200 -  240B  - /git/website/.git/info/exclude
[17:28:25] 500 -  475B  - /git/website/.git/info/refs
[17:28:25] 500 -  475B  - /git/website/.git/ORIG_HEAD
[17:28:25] 200 -   12B  - /git/website/.git/COMMIT_EDITMSG
[17:28:25] 500 -  483B  - /git/website/.git/NOTES_EDITMSG
[17:28:25] 500 -  475B  - /git/website/.gitattributes
[17:28:25] 500 -  469B  - /git/website/.gitmodules
[17:28:25] 500 -  479B  - /git/website/.git-credentials
[17:28:25] 500 -  459B  - /git/website/.gitsh
[17:28:25] 500 -  457B  - /git/website/.svn/
[17:28:25] 500 -  455B  - /git/website/.hg/
[17:28:25] 500 -  457B  - /git/website/.gitk
[17:28:25] 500 -  467B  - /git/website/.gitignore
```

GitHack can then be used to download the contents of the git directory.
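Directory listing is off here (every directory answers 500), so the scan's real signal is the individual files such as `.git/HEAD` and `.git/config` answering 200. The following Python triage helper is an added example, not part of the original post or of Vulinbox: it parses dirsearch output lines like those above, collects the 200 hits under `.git/`, and confirms a hit only when the fetched body has the shape git actually writes, which filters out soft-404 pages that return 200 for every path. The report lines are copied from the scan above; the response bodies are constructed for the example.

```python
import re

# Shape of a dirsearch result line: "[HH:MM:SS] STATUS - SIZE - /path"
DIRSEARCH_LINE = re.compile(r"^\[\d\d:\d\d:\d\d\]\s+(\d{3})\s+-\s+\S+\s+-\s+(\S+)$")

# Content checks that tell real git metadata apart from a catch-all 200 page:
# .git/HEAD is a symbolic ref or a bare 40-hex commit id, and .git/config is
# an INI file whose first section is [core].
GIT_SIGNATURES = {
    ".git/HEAD": re.compile(r"^(ref: refs/\S+|[0-9a-f]{40})\s*$"),
    ".git/config": re.compile(r"^\s*\[core\]", re.MULTILINE),
}

def parse_dirsearch(report: str) -> list[tuple[int, str]]:
    """Return (status, path) for every result line in a dirsearch report."""
    hits = []
    for line in report.splitlines():
        m = DIRSEARCH_LINE.match(line.strip())
        if m:
            hits.append((int(m.group(1)), m.group(2)))
    return hits

def candidate_git_paths(hits: list[tuple[int, str]]) -> list[str]:
    """Paths under .git/ that answered 200: candidates, not yet confirmed."""
    return [path for status, path in hits if status == 200 and "/.git/" in path]

def confirm_git_exposure(bodies: dict[str, str]) -> dict[str, bool]:
    """bodies maps a candidate path to the response body fetched for it.
    A path is confirmed only if its body matches the git signature."""
    result = {}
    for path, body in bodies.items():
        for suffix, pattern in GIT_SIGNATURES.items():
            if path.endswith(suffix):
                result[path] = bool(pattern.search(body))
    return result

# Constructed sample: four lines from the scan output plus made-up bodies,
# including a soft-404 HTML page served with status 200 for a bogus path.
SAMPLE_REPORT = """\
[17:28:25] 200 -  137B  - /git/website/.git/config
[17:28:25] 500 -  515B  - /git/website/.git/logs/refs/remotes/origin/HEAD
[17:28:25] 200 -   23B  - /git/website/.git/HEAD
[17:28:25] 500 -  475B  - /git/website/.gitattributes
"""
SAMPLE_BODIES = {
    "/git/website/.git/HEAD": "ref: refs/heads/master\n",
    "/git/website/.git/config": "[core]\n\trepositoryformatversion = 0\n\tbare = false\n",
    "/git/website/other/.git/HEAD": "<html><body>Not Found</body></html>",
}

if __name__ == "__main__":
    print("candidates:", candidate_git_paths(parse_dirsearch(SAMPLE_REPORT)))
    print("confirmed:", confirm_git_exposure(SAMPLE_BODIES))
```

A confirmed `.git/HEAD` or `.git/config` hit means the repository metadata is being served; the fix is to block `.git` at the web server or stop deploying the checkout into the document root.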
