##Description
During poking around ██████.00/24
range - ██████████ looking for the Cisco devices, I came across ███
which resolved to the https://███████.edu/
While it’s a not .mil
host, it’s likely related to the DoD since it hosted in the DoD-controlled ASN.
I discovered few critical vulnerabilities here, one of them is LFD (local file disclosure).
##POC
https://██████.edu/file.ashx?path=web.config
will download the website configuration file.
It exposes the DB credentials:
███
Similarly, attacker able to get content of any server-side resource, such as source code of application:
https://███.edu/file.ashx?path=UserAccountJSON.aspx.cs
Source code & DB credentials leakage. Attacker can use it to compromise the resource.