Source Code Disclosure Vulnerability

Hello security guys,
I'm Mohamed Serwah (serWazito0).
This is my first write-up, so I hope there are no mistakes. Let's start.

In this write-up I will use http://test.example.com as the example.

Today I will discuss what a source code disclosure vulnerability is, using a vulnerable website. This vulnerability lets an attacker read the source code of any script. Let's start…

At test.example.com there are categories, and each category has a list of products. The products have some posters. If you click on the photo of any poster, it opens at the following link:

http://test.example.com/showimage.php?file=./pictures/1.jpg

Hmm, it looks like the pictures come from the pictures directory. Let's change this input and see how it behaves.

I tried modifying the input from ./pictures/1.jpg to ./pictures/8.jpg. For 1 to 8 it shows a picture from the directory. If you try to make the website show an image that does not exist, such as ./pictures/9.jpg, it gives an error. Also, if you try to access some PHP files like showimage.php, listproducts.php and categories.php, it will give you an error.

In fact, modern browsers will not show this error, so what should we do?

Just copy the link and paste it into Internet Explorer. It will show you the real error. Let's enter ./pictures/9.jpg

Hmm, what about if we try to open PHP files?

http://test.example.com/showimage.php?file=./listproducts.php

OMG WTF…!! I got PHP source code? But wait a second, I noticed something that made sense to me: after analysing the first line of the code, I saw that it contains database_connect.php

Please, my mind, don't do that 😂😂😂

Let's open the file database_connect.php

And BOOM, it's the MySQL username & password :"D
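One way to close this hole on the server side, as an added example that is not the site's actual code: the handler only serves files that resolve inside the pictures directory and whose content is really an image, so `file=./listproducts.php` gets a plain 404. The `pictures/` directory beside the script, the function name `resolve_image()` and the availability of PHP's fileinfo extension are assumptions.

```php
<?php
// Added example: hardened image handler. The directory layout and the
// function name resolve_image() are assumptions, not the site's real code.

const IMAGE_DIR = __DIR__ . '/pictures';
const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif'];

/**
 * Map the user-supplied "file" value to a path inside IMAGE_DIR,
 * or return null if it does not name an image stored there.
 */
function resolve_image(string $requested): ?string
{
    $base = realpath(IMAGE_DIR);
    if ($base === false) {
        return null;
    }
    // basename() drops every directory component, so "./listproducts.php"
    // or "../database_connect.php" can only name an entry inside pictures/.
    // Existing links such as "./pictures/1.jpg" still resolve to 1.jpg.
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($requested));
    // realpath() follows symlinks; re-check the result is still under $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    if (!is_file($path)) {
        return null;
    }
    // Decide by content, not by extension: PHP source is never image/*.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return in_array($mime, ALLOWED_MIME, true) ? $path : null;
}

$input = $_GET['file'] ?? '';
$path = resolve_image(is_string($input) ? $input : '');
if ($path === null) {
    // Same generic answer for "missing" and "not allowed"; no file path
    // or PHP warning text is sent back to the client.
    http_response_code(404);
    exit;
}
header('Content-Type: ' . (new finfo(FILEINFO_MIME_TYPE))->file($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```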

Thanks for reading, and I hope you guys understood well.
