Recently, I discovered a vulnerability that allowed me to recover source content from any file in the "home" path of the Tomcat application. For example, I could read /META-INF/context.xml and other files of this type (but not /etc/passwd). The vulnerable parameter is in a GET request, and ".jsp" is appended to the end of the user-controllable parameter. For example, if the URL is http://site.com/abc.jsp?param=en, it will attempt to load /some/folder/lang_en.jsp.
I've tried reading standard XML files such as web.xml, context.xml, and so on, using a request like this: http://site.com/abc.jsp?param=en/../../META-INF/context.xml?
After this request, I was able to recover the contents of this file. Other than that, I could not do anything else. I do not have much experience pentesting Java applications, so I hope to get appropriate answers here.
Please recommend a list of files that I can fuzz to grab more data, or alternative attack vectors.
P.S. I could enumerate file and directory names from the HTTP response. If the file does not exist, this type of error message appears:
If the file exists, I could get the contents of this file. I could not access other folders like /etc/.
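
For whoever has to fix the page described above, here is an added example (not code from the post or from the affected application) that puts the concatenation the post describes next to an allowlisted replacement. It assumes the path is built as prefix + parameter + ".jsp"; the class name, the allowlist contents and the use of `java.net.URI` to show how dot segments and `?` are read are illustrative choices, since the post does not show how the application loads the file.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Optional;
import java.util.Set;

public class LangIncludeGuard {
    // Assumed layout, taken from the post's example path /some/folder/lang_en.jsp.
    static final String PREFIX = "/some/folder/lang_";
    static final String SUFFIX = ".jsp";
    // Hypothetical allowlist: only the language files the application ships.
    static final Set<String> ALLOWED = Set.of("en", "de", "fr");

    /** Behaviour described in the post: the parameter is concatenated as-is. */
    static String naivePath(String param) {
        return PREFIX + param + SUFFIX;
    }

    /** Shows what a concatenated path means once dot segments and '?' are interpreted. */
    static String interpret(String path) {
        try {
            URI u = new URI(path).normalize();
            return "path=" + u.getPath() + " query=" + u.getQuery();
        } catch (URISyntaxException e) {
            return "unparseable: " + e.getReason();
        }
    }

    /** Hardened form: the parameter only selects from a fixed set of names. */
    static Optional<String> safePath(String param) {
        if (param == null || !ALLOWED.contains(param)) {
            return Optional.empty(); // caller falls back to a default language
        }
        return Optional.of(PREFIX + param + SUFFIX);
    }

    public static void main(String[] args) {
        // Constructed inputs: the benign value and the value quoted in the post.
        String[] samples = { "en", "en/../../META-INF/context.xml?" };
        for (String p : samples) {
            String naive = naivePath(p);
            System.out.println("param = " + p);
            System.out.println("  naive  -> " + naive);
            System.out.println("  means  -> " + interpret(naive));
            System.out.println("  safe   -> " + safePath(p).orElse("rejected"));
        }
    }
}
```

For the second input the appended ".jsp" ends up after the `?` and is no longer part of the path, which is why a fixed suffix does not constrain what gets loaded; the allowlist rejects that value before any path is built.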