Summary of Common Sensitive File Leaks
Sensitive files are files that carry sensitive information; the most common are database configuration files, website source backups and database backups. To make downloading convenient, an administrator places a source backup in the web directory, downloads it to a local machine, and then forgets to delete it after the download, which is how the vulnerability arises.
Configuration file leaks
The most typical case is the configuration file leak of the Spring framework, at these common paths:
/env
/actuator/env
The leaked information is shown in the figure:

Finding these vulnerabilities usually relies on collecting the default configuration file paths of common systems ahead of time; where such a path can be reached without authorization, the file leaks.
Besides configuration file leaks in common frameworks and systems, there are also the backup copies administrators create before editing a configuration file so that it can be restored, such as config.php.bak or config.php.20230101. These files can be downloaded, leaking the configuration.
Remediation
1. Backup files that are not in use by the system can be deleted, or backed up to another directory that cannot be reached directly through the browser.
2. Files that are in use and cannot be deleted need permissions that restrict them to local access only.
Website backup leaks
Backing up the site source is a routine task for website administrators. Some back up automatically to a backup server, while others, for simplicity, pack and compress the source on the server, place the archive in the web directory, then download it from the server to a local machine for a local backup. The archive should be deleted once the download is complete, but because that step is skipped, the entire site's source leaks.
The backup filename is usually wwwroot, www, the subdomain and the like, and the archive suffix is usually zip, tar.gz and so on. Combining common backup names with common suffixes gives a wordlist for directory scanning that discovers such backup files.
Below is the configuration file of one such tool, which collects the common backup filename combinations:
# format: /path {tag="text string to find"} {status=HTTP_STATUS} {type="content-type should contain this string"} {type_no="content-type should not contain this string"}
# each item must start with a right slash "/"
/core {status=200} {tag="ELF"}
/../{hostname_or_folder}.old {status=301} {type="html"}
/../{hostname_or_folder}.backup {status=301} {type="html"}
/../{hostname_or_folder}.bak {status=301} {type="html"}
/{sub}.zip {status=206} {type="application/octet-stream"}
/{sub}.rar {status=206} {type="application/octet-stream"}
/{sub}.tar.gz {status=206} {type="application/octet-stream"}
/{sub}.tar.bz2 {status=206} {type="application/octet-stream"}
/{sub}.tgz {status=206} {type="application/octet-stream"}
/{sub}.7z {status=206} {type="application/octet-stream"}
/old.zip {status=206} {type="application/octet-stream"}
/old.rar {status=206} {type="application/octet-stream"}
/old.tar.gz {status=206} {type="application/octet-stream"}
/old.tar.bz2 {status=206} {type="application/octet-stream"}
/old.tgz {status=206} {type="application/octet-stream"}
/old.7z {status=206} {type="application/octet-stream"}
/{hostname_or_folder}.zip {status=206} {type="application/octet-stream"}
/{hostname_or_folder}.rar {status=206} {type="application/octet-stream"}
/{hostname_or_folder}.tar.gz {status=206} {type="application/octet-stream"}
/{hostname_or_folder}.tar.bz2 {status=206} {type="application/octet-stream"}
/{hostname_or_folder}.tgz {status=206} {type="application/octet-stream"}
/{hostname_or_folder}.7z {status=206} {type="application/octet-stream"}
/../{hostname_or_folder}.zip {status=206} {type="application/octet-stream"}
/../{hostname_or_folder}.rar {status=206} {type="application/octet-stream"}
/../{hostname_or_folder}.tar.gz {status=206} {type="application/octet-stream"}
/../{hostname_or_folder}.tar.bz2 {status=206} {type="application/octet-stream"}
/../{hostname_or_folder}.tgz {status=206} {type="application/octet-stream"}
/../{hostname_or_folder}.7z {status=206} {type="application/octet-stream"}
/../{hostname_or_folder}.log {status=206} {type="application/octet-stream"}
/../{hostname_or_folder}.sh {status=206} {type="application/octet-stream"}
/temp.zip {status=206} {type="application/octet-stream"}
/temp.rar {status=206} {type="application/octet-stream"}
/temp.tar.gz {status=206} {type="application/octet-stream"}
/temp.tgz {status=206} {type="application/octet-stream"}
/temp.tar.bz2 {status=206} {type="application/octet-stream"}
/package.zip {status=206} {type="application/octet-stream"}
/package.rar {status=206} {type="application/octet-stream"}
/package.tar.gz {status=206} {type="application/octet-stream"}
/package.tgz {status=206} {type="application/octet-stream"}
/package.tar.bz2 {status=206} {type="application/octet-stream"}
/tmp.zip {status=206} {type="application/octet-stream"}
/tmp.rar {status=206} {type="application/octet-stream"}
/tmp.tar.gz {status=206} {type="application/octet-stream"}
/tmp.tgz {status=206} {type="application/octet-stream"}
/tmp.tar.bz2 {status=206} {type="application/octet-stream"}
/test.zip {status=206} {type="application/octet-stream"}
/test.rar {status=206} {type="application/octet-stream"}
/test.tar.gz {status=206} {type="application/octet-stream"}
/test.tgz {status=206} {type="application/octet-stream"}
/test.tar.bz2 {status=206} {type="application/octet-stream"}
/backup.zip {status=206} {type="application/octet-stream"}
/backup.rar {status=206} {type="application/octet-stream"}
/backup.tar.gz {status=206} {type="application/octet-stream"}
/backup.tgz {status=206} {type="application/octet-stream"}
/back.tar.bz2 {status=206} {type="application/octet-stream"}
/db.zip {status=206} {type="application/octet-stream"}
/db.rar {status=206} {type="application/octet-stream"}
/db.tar.gz {status=206} {type="application/octet-stream"}
/db.tgz {status=206} {type="application/octet-stream"}
/db.tar.bz2 {status=206} {type="application/octet-stream"}
/db.log {status=206} {type="application/octet-stream"}
/db.inc {status=200} {type_no="html"}
/db.sqlite {status=206} {type="application/octet-stream"}
/db.sql.gz {status=206} {type="application/octet-stream"}
/dump.sql.gz {status=206} {type="application/octet-stream"}
/database.sql.gz {status=206} {type="application/octet-stream"}
/backup.sql.gz {status=206} {type="application/octet-stream"}
/data.zip {status=206} {type="application/octet-stream"}
/data.rar {status=206} {type="application/octet-stream"}
/data.tar.gz {status=206} {type="application/octet-stream"}
/data.tgz {status=206} {type="application/octet-stream"}
/data.tar.bz2 {status=206} {type="application/octet-stream"}
/database.zip {status=206} {type="application/octet-stream"}
/database.rar {status=206} {type="application/octet-stream"}
/database.tar.gz {status=206} {type="application/octet-stream"}
/database.tgz {status=206} {type="application/octet-stream"}
/database.tar.bz2 {status=206} {type="application/octet-stream"}
/ftp.zip {status=206} {type="application/octet-stream"}
/ftp.rar {status=206} {type="application/octet-stream"}
/ftp.tar.gz {status=206} {type="application/octet-stream"}
/ftp.tgz {status=206} {type="application/octet-stream"}
/ftp.tar.bz2 {status=206} {type="application/octet-stream"}
/log.txt {status=200} {type="text/plain"}
/log.tar.gz {status=206} {type="application/octet-stream"}
/log.rar {status=206} {type="application/octet-stream"}
/log.zip {status=206} {type="application/octet-stream"}
/log.tgz {status=206} {type="application/octet-stream"}
/log.tar.bz2 {status=206} {type="application/octet-stream"}
/log.7z {status=206} {type="application/octet-stream"}
/logs.txt {status=200} {type="text/plain"}
/logs.tar.gz {status=206} {type="application/octet-stream"}
/logs.rar {status=206} {type="application/octet-stream"}
/logs.zip {status=206} {type="application/octet-stream"}
/logs.tgz {status=206} {type="application/octet-stream"}
/logs.tar.bz2 {status=206} {type="application/octet-stream"}
/logs.7z {status=206} {type="application/octet-stream"}
/web.zip {status=206} {type="application/octet-stream"}
/web.rar {status=206} {type="application/octet-stream"}
/web.tar.gz {status=206} {type="application/octet-stream"}
/web.tgz {status=206} {type="application/octet-stream"}
/web.tar.bz2 {status=206} {type="application/octet-stream"}
/www.log {status=206} {type="application/octet-stream"}
/www.zip {status=206} {type="application/octet-stream"}
/www.rar {status=206} {type="application/octet-stream"}
/www.tar.gz {status=206} {type="application/octet-stream"}
/www.tgz {status=206} {type="application/octet-stream"}
/www.tar.bz2 {status=206} {type="application/octet-stream"}
/wwwroot.zip {status=206} {type="application/octet-stream"}
/wwwroot.rar {status=206} {type="application/octet-stream"}
/wwwroot.tar.gz {status=206} {type="application/octet-stream"}
/wwwroot.tgz {status=206} {type="application/octet-stream"}
/wwwroot.tar.bz2 {status=206} {type="application/octet-stream"}
/output.zip {status=206} {type="application/octet-stream"}
/output.rar {status=206} {type="application/octet-stream"}
/output.tar.gz {status=206} {type="application/octet-stream"}
/output.tgz {status=206} {type="application/octet-stream"}
/output.tar.bz2 {status=206} {type="application/octet-stream"}
/admin.zip {status=206} {type="application/octet-stream"}
/admin.rar {status=206} {type="application/octet-stream"}
/admin.tar.gz {status=206} {type="application/octet-stream"}
/admin.tgz {status=206} {type="application/octet-stream"}
/admin.tar.bz2 {status=206} {type="application/octet-stream"}
/upload.zip {status=206} {type="application/octet-stream"}
/upload.rar {status=206} {type="application/octet-stream"}
/upload.tar.gz {status=206} {type="application/octet-stream"}
/upload.tgz {status=206} {type="application/octet-stream"}
/upload.tar.bz2 {status=206} {type="application/octet-stream"}
/website.zip {status=206} {type="application/octet-stream"}
/website.rar {status=206} {type="application/octet-stream"}
/website.tar.gz {status=206} {type="application/octet-stream"}
/website.tgz {status=206} {type="application/octet-stream"}
/website.tar.bz2 {status=206} {type="application/octet-stream"}
/package.zip {status=206} {type="application/octet-stream"}
/package.rar {status=206} {type="application/octet-stream"}
/package.tar.gz {status=206} {type="application/octet-stream"}
/package.tgz {status=206} {type="application/octet-stream"}
/package.tar.bz2 {status=206} {type="application/octet-stream"}
/sql.log {status=206} {type="application/octet-stream"}
/sql.zip {status=206} {type="application/octet-stream"}
/sql.rar {status=206} {type="application/octet-stream"}
/sql.tar.gz {status=206} {type="application/octet-stream"}
/sql.tgz {status=206} {type="application/octet-stream"}
/sql.tar.bz2 {status=206} {type="application/octet-stream"}
/sql.7z {status=206} {type="application/octet-stream"}
/sql.inc {status=200} {type_no="html"}
/data.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}
/qq.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}
/tencent.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}
/database.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}
/db.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}
/test.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}
/admin.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}
/backup.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}
/user.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}
/sql.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}
/index.zip {status=206} {type="application/octet-stream"}
/index.7z {status=206} {type="application/octet-stream"}
/index.bak {status=206} {type="application/octet-stream"}
/index.rar {status=206} {type="application/octet-stream"}
/index.tar.tz {status=206} {type="application/octet-stream"}
/index.tar.bz2 {status=206} {type="application/octet-stream"}
/index.tar.gz {status=206} {type="application/octet-stream"}
/{hostname_or_folder}.log {status=206} {type="application/octet-stream"}
/logs/{hostname_or_folder}.log {status=206} {type="application/octet-stream"}
/dump.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}
/{sub}.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}
/old.zip {status=206} {type="application/octet-stream"}
/old.rar {status=206} {type="application/octet-stream"}
/old.tar.gz {status=206} {type="application/octet-stream"}
/old.tar.bz2 {status=206} {type="application/octet-stream"}
/old.tgz {status=206} {type="application/octet-stream"}
/old.7z {status=206} {type="application/octet-stream"}
/1.tar.gz {status=206} {type="application/octet-stream"}
/a.tar.gz {status=206} {type="application/octet-stream"}
/x.tar.gz {status=206} {type="application/octet-stream"}
/o.tar.gz {status=206} {type="application/octet-stream"}
/conf/conf.zip {status=206} {type="application/octet-stream"}
/conf.tar.gz {status=206} {type="application/octet-stream"}
/qq.pac {status=206} {type="application/octet-stream"}
/tencent.pac {status=206} {type="application/octet-stream"}
/server.cfg {status=206} {type="application/octet-stream"}
/deploy.tar.gz {status=206} {type="application/octet-stream"}
/build.tar.gz {status=206} {type="application/octet-stream"}
/install.tar.gz {status=206} {type="application/octet-stream"}
/secu-tcs-agent-mon-safe.sh {status=206}
/password.tar.gz {status=206} {type="application/octet-stream"}
/site.tar.gz {status=206} {type="application/octet-stream"}
/tenpay.tar.gz {status=206} {type="application/octet-stream"}
/rsync_log.sh {status=206} {type="application/octet-stream"}
/rsync.sh {status=206} {type="application/octet-stream"}
/webroot.zip {status=206} {type="application/octet-stream"}
/tools.tar.gz {status=206} {type="application/octet-stream"}
/users.tar.gz {status=206} {type="application/octet-stream"}
/webserver.tar.gz {status=206} {type="application/octet-stream"}
/htdocs.tar.gz {status=206} {type="application/octet-stream"}
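The same rule list can be turned around into a pre-release check. The following Python is an added example, not the scanner's own code: it parses the rule format shown above, fills in {hostname_or_folder} and {sub} the way the scanner would, and reports which rule paths exist as real files in a local release directory before it is published, honouring the tag check for .sql dumps. The sample rules and the file tree are constructed here, and the 4 KiB tag window is an assumption.

```python
import re
import tempfile
from pathlib import Path
# One option per {key=value}; a quoted value may contain spaces ("CREATE TABLE").
OPT_RE = re.compile(r'\{(\w+)=("?)([^"}]*)\2\}')
SAMPLE_RULES = """\
# constructed subset of the rule list above, same format
/backup.zip {status=206} {type="application/octet-stream"}
/{hostname_or_folder}.tar.gz {status=206} {type="application/octet-stream"}
/db.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}
/test.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}
/db.inc {status=200} {type_no="html"}
"""

def parse_rules(text: str) -> list:
    """Parse rule lines into dicts keyed path/status/type/type_no/tag; skip blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, _, rest = line.partition(" ")
        if not path.startswith("/"):
            raise ValueError(f"rule path must start with '/': {line}")
        rules.append(dict({k: v for k, _, v in OPT_RE.findall(rest)}, path=path))
    return rules

def audit_webroot(webroot: str, rules: list, hostname: str, sub: str) -> list:
    """Rule paths that exist under (or, via /../, beside) webroot; a tag must be in the first 4 KiB (assumed)."""
    hits = []
    for r in rules:
        rel = r["path"].replace("{hostname_or_folder}", hostname).replace("{sub}", sub)
        full = Path(webroot, rel.lstrip("/")).resolve()
        if not full.is_file():
            continue
        if "tag" in r:
            with full.open("rb") as fh:
                if r["tag"].encode() not in fh.read(4096):
                    continue
        hits.append(rel)
    return hits

def demo() -> list:
    # Constructed release tree: two archives, a real dump and a decoy .sql without a schema.
    root = tempfile.mkdtemp()
    files = {"backup.zip": b"PK\x03\x04", "www.example.com.tar.gz": b"\x1f\x8b",
             "db.sql": b"CREATE TABLE users (id INT);", "test.sql": b"-- no schema"}
    for name, data in files.items():
        Path(root, name).write_bytes(data)
    return audit_webroot(root, parse_rules(SAMPLE_RULES), "www.example.com", "www")
```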
Recommended tool
https://github.com/maurosoria/dirsearch

Remediation
Delete the backup files.
Hidden directory leaks
There are three common hidden-directory leaks: svn, git and DS_Store. svn and git are source code management systems; when code goes live, the synchronization step copies the .git or .svn directory along with it, so the contents of that directory become reachable remotely. DS_Store is a file the Mac system generates automatically in every directory, recording the history of file changes in that directory.
svn
Subversion, SVN for short, is an open-source version control system. Compared with RCS and CVS it adopts a branch management system, and its design goal is to replace CVS. More and more version control services on the Internet are moving from CVS to Subversion.
From SVN 1.7 onwards the .svn/entries file no longer contains the file and directory listing. The detection method is to probe whether the .svn/entries file exists under the website directory; its contents are shown in the figure:

Recommended tool
https://github.com/admintony/svnExploit

Remediation
1. Delete the directory before going live.
2. Configure the server to deny access to the directory; common configurations are:
Apache:
<Directory ~ "\.svn">
    # Order/Deny are the 2.2-style directives; on Apache 2.4 they need mod_access_compat,
    # and the native equivalent is "Require all denied"
    Order allow,deny
    Deny from all
</Directory>
Nginx:
location ~ ^(.*)\/\.svn\/ {
    return 404;
}
git
When git init is run to initialize a repository, a hidden .git directory is created in the current directory to record the history of code changes and so on. If the code is published with this .git directory left in place instead of deleted, the directory can be used to recover the source code.
An attacker exploits this vulnerability to download the entire contents of the .git folder. If the folder contains sensitive information (database account and password, source code, etc.), methods such as white-box code auditing may directly yield the privileges and opportunity to take control of the server!
Finding the vulnerability
1. First check whether the site conspicuously mentions Git; if it does, the site very likely has this problem.
2. If the site gives no obvious hint, a scanner such as dirsearch can be used; if a .git leak exists, the scan will find it.
3. The most direct way is to request the .git directory in the browser; if it can be accessed, the problem exists.
Once the vulnerability is confirmed, a tool can be used to download all the source code leaked through git.
Recommended tool
https://github.com/0xHJK/dumpall

.DS_Store
.DS_Store is the data file Finder uses on the Mac to record how files and folders are displayed; there is one in every folder. On Windows its equivalents are the two files desktop.ini and Thumbs.db.
If developers or designers upload .DS_Store to the production environment, it can leak the file and directory structure, in particular backup files and source code files.
For example, on my local system:

Trying to parse it with a tool:

Some of the directory information under my local directory can be seen.
Recommended tools
https://github.com/gehaxelt/Python-dsstore

https://github.com/lijiejie/ds_store_exp
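All three hidden-directory leaks, together with the config.php.bak / config.php.20230101 style copies from the configuration section, can be caught before deployment by walking the release tree. The following Python is an added example, not part of the original post or of the tools listed: the names .git, .svn and .DS_Store come from the text above, while the backup suffix set (bak, old, orig, swp, an eight-digit date, a trailing ~) and the sample tree are assumptions constructed here.

```python
import os
import re
import tempfile

# Assumed detection set: the VCS metadata directories and Finder file named above,
# plus backup-copy suffixes in the style of config.php.bak / config.php.20230101.
VCS_DIRS = {".git", ".svn"}
FINDER_FILES = {".DS_Store"}
BACKUP_SUFFIX = re.compile(r"\.(bak|old|orig|swp|\d{8})$|~$")

def scan_release(root: str) -> list:
    """Walk a release tree; return sorted (kind, relative path) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            if d in VCS_DIRS:
                rel = os.path.relpath(os.path.join(dirpath, d), root).replace(os.sep, "/")
                findings.append(("vcs-metadata", rel))
                dirnames.remove(d)  # report the directory once; no need to descend into it
        for f in filenames:
            rel = os.path.relpath(os.path.join(dirpath, f), root).replace(os.sep, "/")
            if f in FINDER_FILES:
                findings.append(("finder-metadata", rel))
            elif BACKUP_SUFFIX.search(f):
                findings.append(("backup-copy", rel))
    return sorted(findings)

def demo() -> list:
    # Constructed release tree mixing legitimate files with the leaks described above.
    root = tempfile.mkdtemp()
    for d in (".git/objects", ".svn", "static", "conf"):
        os.makedirs(os.path.join(root, d))
    for f in (".git/HEAD", ".svn/wc.db", ".DS_Store", "static/.DS_Store", "index.php",
              "conf/config.php", "conf/config.php.bak", "conf/config.php.20230101"):
        open(os.path.join(root, f), "w").close()
    return scan_release(root)
```

A non-empty result from scan_release is a reason to stop the release until the listed entries are removed from the artifact, in addition to the server-side deny rules shown for svn.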

Summary
The ultimate impact of what is shared today depends on which file leaks. If it is the address, account and password of a database that accepts remote connections, the harm is direct and the database can be taken over. If it is the website source, vulnerabilities may be found through code audit. If it is only static resources, the harm is almost negligible. Each case therefore has to be judged on its specifics.