4.10. Web: source code disclosure via backup files (Web Security Academy)


This lab leaks its source code via backup files in a hidden directory. To solve the lab, identify and submit the database password, which is hard-coded in the leaked source code.

The lab description tells us the source code sits in backup files inside a hidden directory, so the first job is to find that directory. A natural place to start is the site's robots.txt:

https://0af100de0405d8cc805bb22a004a0053.web-security-academy.net/robots.txt

The robots.txt file is a good first stop because it is used to manage how a website interacts with search engines: its directives tell crawlers which paths should or should not be indexed. That makes it a convenient list of locations the site owner wanted kept out of sight, but keep in mind that it is not an effective way to block access to sensitive resources, since anyone can read it and nothing stops a client from requesting the listed paths.

The path it lists leads us straight to a backup file:

Opening that file, ProductTemplate.java.bak, shows the leaked source code:

The backup file can also be found another way, by brute-forcing directories and files; read on if you want to see it.

In short, the command runs feroxbuster against the lab URL with the chosen wordlist, so that it probes for hidden or unknown files and paths.

Indeed, in the end we found what we wanted and reached the same file.
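The two lessons above, that robots.txt is a public map of "hidden" paths rather than an access control, and that backup copies left beside deployed code leak it, can be turned into a pre-deployment check. The following is an added example, not code from this write-up or from the lab: it audits a webroot on disk (assumed to be the directory that is actually served), flags backup-style files, and reports which of them sit under a path that robots.txt merely asks crawlers to skip. The sample site it builds is constructed for this illustration.

```python
import re
import tempfile
from pathlib import Path

# Suffixes that commonly mark editor or deployment leftovers (constructed list).
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".swp", ".save", "~")

def find_backup_files(webroot):
    """Return webroot-relative URL paths of files that look like backup copies."""
    root = Path(webroot)
    return sorted(
        "/" + p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.name.lower().endswith(BACKUP_SUFFIXES)
    )

def disallowed_paths(robots_text):
    """Extract Disallow entries from robots.txt; comments and a bare '/' are skipped."""
    paths = []
    for line in robots_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(?i)disallow\s*:\s*(\S+)", line)
        if m and m.group(1) != "/":
            paths.append(m.group(1))
    return paths

def audit(webroot):
    """Flag backup files; note which sit under a path robots.txt only 'hides'."""
    robots = Path(webroot) / "robots.txt"
    hidden = disallowed_paths(robots.read_text()) if robots.exists() else []
    findings = []
    for f in find_backup_files(webroot):
        listed = any(f == p or f.startswith(p.rstrip("/") + "/") for p in hidden)
        findings.append({"path": f, "in_robots_disallow": listed})
    return findings

def build_sample_webroot():
    """Create a constructed sample site in a temp dir (not a real deployment)."""
    root = Path(tempfile.mkdtemp())
    (root / "robots.txt").write_text("User-agent: *\nDisallow: /backup\n")
    (root / "index.html").write_text("<html></html>")
    (root / "index.html~").write_text("<html></html>")  # editor leftover
    (root / "backup").mkdir()
    (root / "backup" / "ProductTemplate.java.bak").write_text("// leaked source")
    return root

if __name__ == "__main__":
    for finding in audit(build_sample_webroot()):
        print(finding)
```

Any finding with `in_robots_disallow` set is the situation this lab demonstrates: the directory is listed for crawlers to avoid, yet the backup file inside it is still served to anyone who asks.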

See you soon in other reports….!!

Abdelwahab_Shandy

AS_Cyber