错误消息中的信息泄露

image-20221227195505589

image-20221227195740196

2.3.31

image-20221227195804203

调试页面信息泄露

image-20221227195848868

image-20221227195931289

image-20221227195950942

image-20221227200029089

mdf8208gl1ove3d9gm38ghmgstx5gafs

image-20221227200046266

通过备份文件泄露源代码

image-20221227200105398

image-20221227200218317

image-20221227200250761

image-20221227200259750

04uy5cvc79m0lx0o1t4k3oalnpdv1i1u

image-20221227200317115

通过信息泄露绕过身份验证

image-20221227200344235

image-20221227200523000

TRACE 请求是一种http方法,它允许客户端要求服务器回显请求消息,并添加包含请求标头的消息正文

image-20221227200851944

可以发现存在一个 X-Custom-IP-Authorization

X-Custom-IP-Authorization: 127.0.0.1

image-20221227201108963

image-20221227201139016

版本控制历史中的信息泄露

image-20221227201329811

image-20221227202109147

wget -r https://0a4b00bf04de640bc5e1659c00240091.web-security-academy.net/.git/

递归下载所有文件

image-20221227202137275

下载个工具

http://git-cola.github.io/downloads.html

image-20221227203928826

image-20221227204000220

image-20221227204008414

p80h2j3tbs6fn21fnp1c

image-20221227204241796