信安之路内部文库第 138 篇文章,欢迎注册学习
敏感文件通常指携带敏感信息的文件,最为常见的就是数据库的配置文件、网站源码备份、数据库备份等,管理员为了方便下载,将源码备份放置在 web 目录,然后下载至本地备份,下载完之后忘记删除,从而导致漏洞的出现。
配置文件泄漏
最为典型的就是 spring 框架的配置文件泄漏,常见路径:
"/env"/actuator/env"
泄漏信息如图:
这类漏洞通常需要日常收集常见系统的配置文件默认路径,如果存在未授权访问的情况,就会存在文件泄漏的问题。
除了这类常见框架、系统的配置文件泄漏外,还有因为管理员修改配置文件时,为了防止无法恢复,而创建的备份文件,比如 config.php.bak、config.php.20230101 等,这类文件是可以下载的,从而泄漏配置信息。
修复方案
1、对于备份文件,为在系统中使用的,可以删除处置,或者备份到其他无法直接通过浏览器访问的目录
2、在使用的无法删除的文件,需要设置权限,仅限本地访问
网站备份泄漏
网站源码备份是网站管理员经常要做的操作,有的管理员会自动备份到备份服务器,而有些管理员为了简单方便,将服务器上到源码打包压缩后放置在 web 目录,然后从服务器再下载到本地,进行本地备份,下载完成之后是应该删除的,但是由于未做这个操作,导致整站源码泄漏。
备份的文件名通常为 wwwroot、www、子域名等,压缩包后缀通常为 zip、tar.gz 等,通过组合常用备份名称和后缀,可以进行目录扫描,来发现这类备份文件。
下面是某工具的配置文件,收集整理了常见的备份文件组合方式:
# format: /path {tag="text string to find"} {status=HTTP_STATUS} {type="content-type should contain this string"} {type_no="content-type should not contain this string"}# each item must starts with right slash "/"/core {status=200} {tag="ELF"}/../{hostname_or_folder}.old {status=301} {type="html"}/../{hostname_or_folder}.backup {status=301} {type="html"}/../{hostname_or_folder}.bak {status=301} {type="html"}/{sub}.zip {status=206} {type="application/octet-stream"}/{sub}.rar {status=206} {type="application/octet-stream"}/{sub}.tar.gz {status=206} {type="application/octet-stream"}/{sub}.tar.bz2 {status=206} {type="application/octet-stream"}/{sub}.tgz {status=206} {type="application/octet-stream"}/{sub}.7z {status=206} {type="application/octet-stream"}/old.zip {status=206} {type="application/octet-stream"}/old.rar {status=206} {type="application/octet-stream"}/old.tar.gz {status=206} {type="application/octet-stream"}/old.tar.bz2 {status=206} {type="application/octet-stream"}/old.tgz {status=206} {type="application/octet-stream"}/old.7z {status=206} {type="application/octet-stream"}/{hostname_or_folder}.zip {status=206} {type="application/octet-stream"}/{hostname_or_folder}.rar {status=206} {type="application/octet-stream"}/{hostname_or_folder}.tar.gz {status=206} {type="application/octet-stream"}/{hostname_or_folder}.tar.bz2 {status=206} {type="application/octet-stream"}/{hostname_or_folder}.tgz {status=206} {type="application/octet-stream"}/{hostname_or_folder}.7z {status=206} {type="application/octet-stream"}/../{hostname_or_folder}.zip {status=206} {type="application/octet-stream"}/../{hostname_or_folder}.rar {status=206} {type="application/octet-stream"}/../{hostname_or_folder}.tar.gz {status=206} {type="application/octet-stream"}/../{hostname_or_folder}.tar.bz2 {status=206} {type="application/octet-stream"}/../{hostname_or_folder}.tgz {status=206} {type="application/octet-stream"}/../{hostname_or_folder}.7z {status=206} {type="application/octet-stream"}/../{hostname_or_folder}.log {status=206} {type="application/octet-stream"}/../{hostname_or_folder}.sh {status=206} {type="application/octet-stream"}/temp.zip {status=206} {type="application/octet-stream"}/temp.rar {status=206} {type="application/octet-stream"}/temp.tar.gz {status=206} {type="application/octet-stream"}/temp.tgz {status=206} {type="application/octet-stream"}/temp.tar.bz2 {status=206} {type="application/octet-stream"}/package.zip {status=206} {type="application/octet-stream"}/package.rar {status=206} {type="application/octet-stream"}/package.tar.gz {status=206} {type="application/octet-stream"}/package.tgz {status=206} {type="application/octet-stream"}/package.tar.bz2 {status=206} {type="application/octet-stream"}/tmp.zip {status=206} {type="application/octet-stream"}/tmp.rar {status=206} {type="application/octet-stream"}/tmp.tar.gz {status=206} {type="application/octet-stream"}/tmp.tgz {status=206} {type="application/octet-stream"}/tmp.tar.bz2 {status=206} {type="application/octet-stream"}/test.zip {status=206} {type="application/octet-stream"}/test.rar {status=206} {type="application/octet-stream"}/test.tar.gz {status=206} {type="application/octet-stream"}/test.tgz {status=206} {type="application/octet-stream"}/test.tar.bz2 {status=206} {type="application/octet-stream"}/backup.zip {status=206} {type="application/octet-stream"}/backup.rar {status=206} {type="application/octet-stream"}/backup.tar.gz {status=206} {type="application/octet-stream"}/backup.tgz {status=206} {type="application/octet-stream"}/back.tar.bz2 {status=206} {type="application/octet-stream"}/db.zip {status=206} {type="application/octet-stream"}/db.rar {status=206} {type="application/octet-stream"}/db.tar.gz {status=206} {type="application/octet-stream"}/db.tgz {status=206} {type="application/octet-stream"}/db.tar.bz2 {status=206} {type="application/octet-stream"}/db.log {status=206} {type="application/octet-stream"}/db.inc {status=200} {type_no="html"}/db.sqlite {status=206} {type="application/octet-stream"}/db.sql.gz {status=206} {type="application/octet-stream"}/dump.sql.gz {status=206} {type="application/octet-stream"}/database.sql.gz {status=206} {type="application/octet-stream"}/backup.sql.gz {status=206} {type="application/octet-stream"}/data.zip {status=206} {type="application/octet-stream"}/data.rar {status=206} {type="application/octet-stream"}/data.tar.gz {status=206} {type="application/octet-stream"}/data.tgz {status=206} {type="application/octet-stream"}/data.tar.bz2 {status=206} {type="application/octet-stream"}/database.zip {status=206} {type="application/octet-stream"}/database.rar {status=206} {type="application/octet-stream"}/database.tar.gz {status=206} {type="application/octet-stream"}/database.tgz {status=206} {type="application/octet-stream"}/database.tar.bz2 {status=206} {type="application/octet-stream"}/ftp.zip {status=206} {type="application/octet-stream"}/ftp.rar {status=206} {type="application/octet-stream"}/ftp.tar.gz {status=206} {type="application/octet-stream"}/ftp.tgz {status=206} {type="application/octet-stream"}/ftp.tar.bz2 {status=206} {type="application/octet-stream"}/log.txt {status=200} {type="text/plain"}/log.tar.gz {status=206} {type="application/octet-stream"}/log.rar {status=206} {type="application/octet-stream"}/log.zip {status=206} {type="application/octet-stream"}/log.tgz {status=206} {type="application/octet-stream"}/log.tar.bz2 {status=206} {type="application/octet-stream"}/log.7z {status=206} {type="application/octet-stream"}/logs.txt {status=200} {type="text/plain"}/logs.tar.gz {status=206} {type="application/octet-stream"}/logs.rar {status=206} {type="application/octet-stream"}/logs.zip {status=206} {type="application/octet-stream"}/logs.tgz {status=206} {type="application/octet-stream"}/logs.tar.bz2 {status=206} {type="application/octet-stream"}/logs.7z {status=206} {type="application/octet-stream"}/web.zip {status=206} {type="application/octet-stream"}/web.rar {status=206} {type="application/octet-stream"}/web.tar.gz {status=206} {type="application/octet-stream"}/web.tgz {status=206} {type="application/octet-stream"}/web.tar.bz2 {status=206} {type="application/octet-stream"}/www.log {status=206} {type="application/octet-stream"}/www.zip {status=206} {type="application/octet-stream"}/www.rar {status=206} {type="application/octet-stream"}/www.tar.gz {status=206} {type="application/octet-stream"}/www.tgz {status=206} {type="application/octet-stream"}/www.tar.bz2 {status=206} {type="application/octet-stream"}/wwwroot.zip {status=206} {type="application/octet-stream"}/wwwroot.rar {status=206} {type="application/octet-stream"}/wwwroot.tar.gz {status=206} {type="application/octet-stream"}/wwwroot.tgz {status=206} {type="application/octet-stream"}/wwwroot.tar.bz2 {status=206} {type="application/octet-stream"}/output.zip {status=206} {type="application/octet-stream"}/output.rar {status=206} {type="application/octet-stream"}/output.tar.gz {status=206} {type="application/octet-stream"}/output.tgz {status=206} {type="application/octet-stream"}/output.tar.bz2 {status=206} {type="application/octet-stream"}/admin.zip {status=206} {type="application/octet-stream"}/admin.rar {status=206} {type="application/octet-stream"}/admin.tar.gz {status=206} {type="application/octet-stream"}/admin.tgz {status=206} {type="application/octet-stream"}/admin.tar.bz2 {status=206} {type="application/octet-stream"}/upload.zip {status=206} {type="application/octet-stream"}/upload.rar {status=206} {type="application/octet-stream"}/upload.tar.gz {status=206} {type="application/octet-stream"}/upload.tgz {status=206} {type="application/octet-stream"}/upload.tar.bz2 {status=206} {type="application/octet-stream"}/website.zip {status=206} {type="application/octet-stream"}/website.rar {status=206} {type="application/octet-stream"}/website.tar.gz {status=206} {type="application/octet-stream"}/website.tgz {status=206} {type="application/octet-stream"}/website.tar.bz2 {status=206} {type="application/octet-stream"}/package.zip {status=206} {type="application/octet-stream"}/package.rar {status=206} {type="application/octet-stream"}/package.tar.gz {status=206} {type="application/octet-stream"}/package.tgz {status=206} {type="application/octet-stream"}/package.tar.bz2 {status=206} {type="application/octet-stream"}/sql.log {status=206} {type="application/octet-stream"}/sql.zip {status=206} {type="application/octet-stream"}/sql.rar {status=206} {type="application/octet-stream"}/sql.tar.gz {status=206} {type="application/octet-stream"}/sql.tgz {status=206} {type="application/octet-stream"}/sql.tar.bz2 {status=206} {type="application/octet-stream"}/sql.7z {status=206} {type="application/octet-stream"}/sql.inc {status=200} {type_no="html"}/data.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}/qq.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}/tencent.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}/database.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}/db.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}/test.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}/admin.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}/backup.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}/user.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}/sql.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}/index.zip {status=206} {type="application/octet-stream"}/index.7z {status=206} {type="application/octet-stream"}/index.bak {status=206} {type="application/octet-stream"}/index.rar {status=206} {type="application/octet-stream"}/index.tar.tz {status=206} {type="application/octet-stream"}/index.tar.bz2 {status=206} {type="application/octet-stream"}/index.tar.gz {status=206} {type="application/octet-stream"}/{hostname_or_folder}.log {status=206} {type="application/octet-stream"}/logs/{hostname_or_folder}.log {status=206} {type="application/octet-stream"}/dump.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}/{sub}.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}/old.zip {status=206} {type="application/octet-stream"}/old.rar {status=206} {type="application/octet-stream"}/old.tar.gz {status=206} {type="application/octet-stream"}/old.tar.bz2 {status=206} {type="application/octet-stream"}/old.tgz {status=206} {type="application/octet-stream"}/old.7z {status=206} {type="application/octet-stream"}/1.tar.gz {status=206} {type="application/octet-stream"}/a.tar.gz {status=206} {type="application/octet-stream"}/x.tar.gz {status=206} {type="application/octet-stream"}/o.tar.gz {status=206} {type="application/octet-stream"}/conf/conf.zip {status=206} {type="application/octet-stream"}/conf.tar.gz {status=206} {type="application/octet-stream"}/qq.pac {status=206} {type="application/octet-stream"}/tencent.pac {status=206} {type="application/octet-stream"}/server.cfg {status=206} {type="application/octet-stream"}/deploy.tar.gz {status=206} {type="application/octet-stream"}/build.tar.gz {status=206} {type="application/octet-stream"}/install.tar.gz {status=206} {type="application/octet-stream"}/secu-tcs-agent-mon-safe.sh {status=206}/password.tar.gz {status=206} {type="application/octet-stream"}/site.tar.gz {status=206} {type="application/octet-stream"}/tenpay.tar.gz {status=206} {type="application/octet-stream"}/rsync_log.sh {status=206} {type="application/octet-stream"}/rsync.sh {status=206} {type="application/octet-stream"}/webroot.zip {status=206} {type="application/octet-stream"}/tools.tar.gz {status=206} {type="application/octet-stream"}/users.tar.gz {status=206} {type="application/octet-stream"}/webserver.tar.gz {status=206} {type="application/octet-stream"}/htdocs.tar.gz {status=206} {type="application/octet-stream"}
推荐工具
https://github.com/maurosoria/dirsearch
修复方案
删除备份文件即可
隐藏目录泄漏
常见的隐藏目录泄漏有三种 svn、git 以及 DS_Store,svn 和 git 是代码管理系统,在上线代码时,同步代码的过程中会把因此目录 .git 和 .svn 给同步上去,导致通过远程即可访问该目录下的内容,而 DS_Store 是 mac 系统下自动生成的文件,每个目录下都有,记录了目录下文件变动的历史。
svn
Subversion,简称 SVN,是一个开放源代码的版本控制系统,相对于的 RCS、CVS,采用了分支管理系统,它的设计目标就是取代 CVS。互联网上越来越多的控制服务从 CVS 转移到 Subversion。
svn 更新至 1.7+ .svn/entries 目录就不包含文件目录列表了。检测方法为探测网站目录下是否有 .svn/entries 这个文件,内容如图:
工具推荐
https://github.com/admintony/svnExploit
修复方案
1、上线前删除该目录
2、在服务器上配置禁止该目录访问,常见配置如下:
Apache:
<Directory ~ ".svn">Order allow,denyDeny from all</Directory>
Nginx:
location ~ ^(.*)/.svn/ {return 404;}
git
在运行 git init 初始化代码库的时候,会在当前目录下面产生一个 .git 的隐藏目录,用来记录代码的变更记录等等。在发布代码的时候,而 .git 这个目录没有删除,直接发布了。使用这个文件,可以用来恢复源代码。
攻击者利用该漏洞下载 .git 文件夹中的所有内容。如果文件夹中存在敏感信息(数据库账号密码、源码等),通过白盒的审计等方式就可能直接获得控制服务器的权限和机会!
漏洞发现
1、可以先观察一下站点是否有醒目地指出 Git,如果有的话,那就说明站点很大可能是存在这个问题的
2、如果站点没有醒目的提示的话,可以利用 dirsearch 这类扫描工具,如果存在 ./git 泄露的问题的话,会被扫描出来的
3、最直观的方式,就是直接通过网页访问 .git 目录,如果能访问就说明存在
当确认存在这个漏洞之后,就可以通过工具来下载 git 泄露的全部源码
工具推荐
https://github.com/0xHJK/dumpall
.DS_Store
.DS_Store 是 Mac 下 Finder 用来保存如何展示 文件/文件夹 的数据文件,每个文件夹下对应一个。和 windows 相比,等同于 desktop.ini 和 Thumbs.db 两个文件。
如果开发/设计人员将 .DS_Store 上传部署到线上环境,可能造成文件目录结构泄漏,特别是备份文件、源代码文件。
比如我本地系统:
尝试用工具解析:
能看到我本地目录下的一些目录信息。
工具推荐
https://github.com/gehaxelt/Python-dsstore
https://github.com/lijiejie/ds_store_exp
总结
今天分享的这部分内容,最终危害取取决于泄漏的文件,比如可以远程连接的数据库账号密码和地址,那么就存在直接的危害,导致数据库被接管,如果泄漏的是网站源码,则可能存在漏洞被通过代码审计的方式审计出来,如果都是些静态资源,那么危害几乎可以忽略,所以学需要具体问题具体对待。
原文始发于微信公众号(信安之路):常见的敏感文件泄漏总结
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论