This article is reposted from
http://blkstone.github.io/2017/12/18/arbitary-file-read-exploit/

Exploitation ideas for arbitrary file read

Some of these files need elevated privileges to read.
- /etc/passwd  # user accounts
- /etc/shadow  # feed it straight to John the Ripper
- /etc/hosts  # host information
- /root/.bashrc  # environment variables
- /root/.bash_history  # also check users other than root
- /root/.viminfo  # vim information
- /root/.ssh/id_rsa  # take the private key and ssh in directly
- /proc/xxxx/cmdline  # process enumeration; xxxx can be 0000-9999, iterate with Burp Suite
- database config files
- web logs: access.log, error.log
- ssh logs
- /var/lib/php/sess_PHPSESSID  # non-standard: session files (see the PingAn Technology session-inclusion challenge, http://www.jianshu.com/p/2c24ea34566b)
Further inferring the system version

```
uname -a
lsb_release -d
cat /etc/issue
cat /proc/version
cat /etc/redhat-release
cat /etc/debian_version
cat /etc/slackware_version
ls /etc/*version
cat /proc/cpuinfo
```
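As an added defender-side example (not code from the original post), the following Python scans constructed web access-log lines for attempts to read the files listed above, including single- and double-percent-encoded traversal; the combined log format, the `file` parameter name and the rule set are assumptions.

```python
import re
from posixpath import normpath
from urllib.parse import parse_qsl, unquote, urlsplit
# Detection rules built from the checklist above (assumed coverage): exact
# sensitive files plus the /proc/<pid>/cmdline and PHP session-file patterns.
RULES = [re.compile(p) for p in (
    r"^/etc/(passwd|shadow|hosts|issue|redhat-release|debian_version)$",
    r"^/root/\.(bashrc|bash_history|viminfo)$",
    r"^/root/\.ssh/(id_rsa|authorized_keys)$",
    r"^/proc/(\d+|self)/cmdline$",
    r"^/proc/version$",
    r"^/var/lib/php/sess_[A-Za-z0-9]+$",
)]
# Combined log format: client, timestamp, request line, status (assumed)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def normalize(value: str) -> str:
    """Percent-decode until stable (catches double encoding), then collapse
    '..' as a file-read handler rooted at '/' would, giving the real target."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return normpath("/" + value.lstrip("/"))

def flag_sensitive_reads(log_text: str) -> list:
    """Return (client, resolved_path, status) for every query parameter that
    resolves to a listed file; a 403/404 is still a probe worth alerting on."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, url, status = m.groups()
        for _name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            target = normalize(value)
            if any(r.match(target) for r in RULES):
                hits.append((client, target, int(status)))
    return hits

# Constructed sample lines (not real traffic): one benign download, then
# single-encoded, double-encoded and plain traversal attempts.
LOGS = """\
10.0.0.5 - - [18/Dec/2017:10:01:02 +0000] "GET /download?file=report.pdf HTTP/1.1" 200 512
10.0.0.7 - - [18/Dec/2017:10:01:09 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843
10.0.0.7 - - [18/Dec/2017:10:01:15 +0000] "GET /download?file=%252e%252e%252fproc%252f1234%252fcmdline HTTP/1.1" 200 64
10.0.0.9 - - [18/Dec/2017:10:02:40 +0000] "GET /download?file=../../root/.ssh/id_rsa HTTP/1.1" 404 0
"""
```

Run `flag_sensitive_reads(LOGS)` to get the three flagged requests; the 200 responses are the ones where the read most likely succeeded.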
Traceless reverse shell

Common default paths

You can spin up a virtual machine to check what the default paths are.
ssh

```
/root/.ssh/id_rsa
/root/.ssh/id_rsa.pub
/root/.ssh/authorized_keys
/etc/ssh/sshd_config
/var/log/secure
```

Nginx

```
/etc/nginx/nginx.conf
/var/www/html
/usr/local/services/nginx-1.6.2/logs/access.log
/usr/local/services/nginx-1.6.2/logs/error.log
/usr/local/services/nginx-1.6.2/nginx.conf
/usr/local/services/nginx-1.6.2/conf/nginx.conf
/usr/local/services/nginx-1.6.2/conf/proxy.conf
/usr/local/services/nginx-1.6.2/conf/extra/haolaiyao.conf
```

Apache

```
/home/httpd/
/home/httpd/www/
```

jetty

```
/usr/local/services/jetty-8.1.16/
/usr/local/services/jetty-8.1.16/logs/stderrout.log
/usr/local/services/jetty-8.1.16/etc/jetty.xml
```

resin

```
/usr/local/services/resin-4.0.44/
/usr/local/services/resin-4.0.44/conf/resin.xml
/usr/local/services/resin-4.0.44/conf/resin.properties
```

tomcat

```
/usr/local/services/apache-tomcat-8.0.23/logs
/usr/local/services/apache-tomcat-8.0.23/logs/catalina.out
```
svn
Originally published on the WeChat public account 阿乐你好: "Deep exploitation of arbitrary file read".