PortSwigger's "Source code disclosure via backup files" Walkthrough

This is another quick walkthrough, this time with the third of five information disclosure labs (four of which are Apprentice-level).

Before we get started, you’ll need a PortSwigger Academy account. Log in and then view the lab at https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-via-backup-files. This is also accessible from the “all labs” view.

Challenge Information

Click the “Access the Lab” button and you will be taken to a temporary website that is created for your account. This will be in format https://<random string here>.web-security-academy.net/.

The goal of this challenge is to get the database password, after finding a backup on the website that leads to information disclosure.

As usual, the website is a shopping site:

Lab Solution

We need to find the backup file. A good place to start is in the HTML, since we found an interesting link in the form of an HTML comment in the last information disclosure walkthrough.

If you right-click on the page and select “View Source”, you can see the HTML. Unfortunately, there’s nothing of interest.

Let’s try robots.txt next. Go to:

https://<random-string>.web-security-academy.net/robots.txt

This website does have a robots.txt file, which is used to tell web crawlers (such as googlebot) which pages to avoid indexing. Many people mistake this for a security control, when in fact it often points people straight at the files you’d rather keep hidden.

Since /backup is listed, let’s go there:

https://<random-string>.web-security-academy.net/backup

There’s one file listed and it’s a backup of a Java source file, ProductTemplate.java.bak. The .bak extension is a common backup extension appended after the original filename and extension, and the web server happily serves it as plain text. Let’s view it:

https://<random-string>.web-security-academy.net/backup/ProductTemplate.java.bak
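As an added example for the defender’s side of this (it is not part of the lab or PortSwigger’s material), here is a small Python audit script covering both problems the lab shows. It walks a local web root for backup-style files (.bak, .old, ~, .swp and similar; that list is an assumption of the example) and it flags robots.txt Disallow entries whose names hint at content that needs real access control rather than just being hidden from crawlers. The directory tree and the robots.txt body it checks are constructed inline so it runs offline.

```python
"""Audit a web root for backup artifacts and review robots.txt Disallow entries.

Added example for this walkthrough; not part of the PortSwigger lab.
The suffix list, sample tree and sample robots.txt are all constructed here.
"""
import re
import tempfile
from pathlib import Path

# Filenames that are almost always backups or editor leftovers (assumed list,
# seeded with the .bak suffix from the lab): foo.bak, foo.old, foo~, .foo.swp, #foo#
BACKUP_NAME_RE = re.compile(r"\.(bak|old|orig|save|swp)$|~$|^\.#|^#.*#$", re.IGNORECASE)

# Disallow entries with these words describe content that should be access-
# controlled, not merely de-indexed (assumed heuristic list).
SENSITIVE_HINT_RE = re.compile(r"backup|admin|private|config|dump|\.git|\.env", re.IGNORECASE)

# Constructed robots.txt body modelled on the lab's (the lab lists /backup).
SAMPLE_ROBOTS = """User-agent: *
Disallow: /backup
Disallow: /cgi-bin/
Disallow: /admin/   # constructed extra entry
"""


def is_backup_artifact(name: str) -> bool:
    """True if a filename looks like a backup copy or an editor temp file."""
    return bool(BACKUP_NAME_RE.search(name))


def find_backup_artifacts(webroot: str) -> list[str]:
    """Return root-relative POSIX paths of backup-style files under a web root."""
    root = Path(webroot)
    found = [
        path.relative_to(root).as_posix()
        for path in root.rglob("*")
        if path.is_file() and is_backup_artifact(path.name)
    ]
    return sorted(found)


def parse_robots_disallows(robots_txt: str) -> list[str]:
    """Collect every Disallow path from a robots.txt body, ignoring comments."""
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def flag_sensitive_disallows(robots_txt: str) -> list[str]:
    """Disallow entries whose name suggests they hide something worth protecting."""
    return [p for p in parse_robots_disallows(robots_txt) if SENSITIVE_HINT_RE.search(p)]


def build_demo_webroot() -> str:
    """Create a constructed web root in a temp dir, mirroring the lab's layout."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    files = {
        "index.html": "<html></html>",
        "backup/ProductTemplate.java.bak": "// constructed stand-in for the leaked source",
        "static/app.js": "console.log('ok')",
        "static/.app.js.swp": "",          # editor swap file left behind
        "config.php~": "<?php // editor backup of a config file",
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return str(root)


if __name__ == "__main__":
    webroot = build_demo_webroot()
    print("Backup artifacts under web root:")
    for rel in find_backup_artifacts(webroot):
        print("  ", rel)
    print("robots.txt Disallow entries that look sensitive:")
    for p in flag_sensitive_disallows(SAMPLE_ROBOTS):
        print("  ", p)
```

Run it against a deploy directory before publishing (or from CI) and treat any hit as a release blocker; the robots.txt check is a reminder that anything listed there is public, so the fix for a flagged entry is authentication or removal, not a better hiding place.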

If you scroll down, there’s a database connection string that includes the database password:

Copy this value (6qwu95tef27d47q3xtswr2yhln9nxlum in my case) and then go back to the main website. Click “Submit Solution” and copy the value in:

And that’s it for this lab!