Source code disclosure via backup files

Description

This lab leaks its source code via backup files in a hidden directory.

Reproduction and proof of concept

  1. Browse to /robots.txt. It reveals the existence of a /backup directory. Browse to /backup to find the file ProductTemplate.java.bak. Or right-click on the lab in the site map and go to Engagement tools -> Discover content and launch a content discovery session to discover the /backup directory and its contents.

  2. Browse to /backup/ProductTemplate.java.bak to access the source code.

package data.productcatalog;

import common.db.JdbcConnectionBuilder;

import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class ProductTemplate implements Serializable
{
    static final long serialVersionUID = 1L;

    private final String id;
    private transient Product product;

    public ProductTemplate(String id)
    {
        this.id = id;
    }

    private void readObject(ObjectInputStream inputStream) throws IOException, ClassNotFoundException
    {
        inputStream.defaultReadObject();

        ConnectionBuilder connectionBuilder = ConnectionBuilder.from(
                "org.postgresql.Driver",
                "postgresql",
                "localhost",
                5432,
                "postgres",
                "postgres",
                "v6c8ogbwkjt6wyzbb5uf64ykbc3oygam"
        ).withAutoCommit();
        try
        {
            Connection connect = connectionBuilder.connect(30);
            String sql = String.format("SELECT * FROM products WHERE id = '%s' LIMIT 1", id);
            Statement statement = connect.createStatement();
            ResultSet resultSet = statement.executeQuery(sql);
            if (!resultSet.next())
            {
                return;
            }
            product = Product.from(resultSet);
        }
        catch (SQLException e)
        {
            throw new IOException(e);
        }
    }

    public String getId()
    {
        return id;
    }

    public Product getProduct()
    {
        return product;
    }
}

  1. In the source code, the connection builder contains the hard-coded password for a Postgres database.

  2. Go back to the lab, click Submit solution, and enter the database password to solve the lab.

Exploitability

An attacker will need to identify and submit the database password, which is hard-coded in the leaked source code.