常见的敏感文件泄漏总结
2023-2-1 11:10:17 Author: 信安之路(查看原文) 阅读量:23 收藏

信安之路内部文库第 138 篇文章,欢迎注册学习

敏感文件通常指携带敏感信息的文件,最为常见的就是数据库的配置文件、网站源码备份、数据库备份等,管理员为了方便下载,将源码备份放置在 web 目录,然后下载至本地备份,下载完之后忘记删除,从而导致漏洞的出现。

最为典型的就是 spring 框架的配置文件泄漏,常见路径:

"/env"/actuator/env"

泄漏信息如图:

这类漏洞通常需要日常收集常见系统的配置文件默认路径,如果存在未授权访问的情况,就会存在文件泄漏的问题。

除了这类常见框架、系统的配置文件泄漏外,还有因为管理员修改配置文件时,为了防止无法恢复,而创建的备份文件,比如 config.php.bak、config.php.20230101 等,这类文件是可以下载的,从而泄漏配置信息。

修复方案

1、对于备份文件,为在系统中使用的,可以删除处置,或者备份到其他无法直接通过浏览器访问的目录 

2、在使用的无法删除的文件,需要设置权限,仅限本地访问

网站源码备份是网站管理员经常要做的操作,有的管理员会自动备份到备份服务器,而有些管理员为了简单方便,将服务器上到源码打包压缩后放置在 web 目录,然后从服务器再下载到本地,进行本地备份,下载完成之后是应该删除的,但是由于未做这个操作,导致整站源码泄漏。

备份的文件名通常为 wwwroot、www、子域名等,压缩包后缀通常为 zip、tar.gz 等,通过组合常用备份名称和后缀,可以进行目录扫描,来发现这类备份文件。

下面是某工具的配置文件,收集整理了常见的备份文件组合方式:

#  format:  /path  {tag="text  string  to  find"}  {status=HTTP_STATUS}  {type="content-type  should  contain  this  string"}  {type_no="content-type  should  not  contain  this  string"}#  each  item  must  starts  with  right  slash  "/"

/core {status=200} {tag="ELF"}
/../{hostname_or_folder}.old {status=301} {type="html"}/../{hostname_or_folder}.backup {status=301} {type="html"}/../{hostname_or_folder}.bak {status=301} {type="html"}
/{sub}.zip {status=206} {type="application/octet-stream"}/{sub}.rar {status=206} {type="application/octet-stream"}/{sub}.tar.gz {status=206} {type="application/octet-stream"}/{sub}.tar.bz2 {status=206} {type="application/octet-stream"}/{sub}.tgz {status=206} {type="application/octet-stream"}/{sub}.7z {status=206} {type="application/octet-stream"}
/old.zip {status=206} {type="application/octet-stream"}/old.rar {status=206} {type="application/octet-stream"}/old.tar.gz {status=206} {type="application/octet-stream"}/old.tar.bz2 {status=206} {type="application/octet-stream"}/old.tgz {status=206} {type="application/octet-stream"}/old.7z {status=206} {type="application/octet-stream"}
/{hostname_or_folder}.zip {status=206} {type="application/octet-stream"}/{hostname_or_folder}.rar {status=206} {type="application/octet-stream"}/{hostname_or_folder}.tar.gz {status=206} {type="application/octet-stream"}/{hostname_or_folder}.tar.bz2 {status=206} {type="application/octet-stream"}/{hostname_or_folder}.tgz {status=206} {type="application/octet-stream"}/{hostname_or_folder}.7z {status=206} {type="application/octet-stream"}
/../{hostname_or_folder}.zip {status=206} {type="application/octet-stream"}/../{hostname_or_folder}.rar {status=206} {type="application/octet-stream"}/../{hostname_or_folder}.tar.gz {status=206} {type="application/octet-stream"}/../{hostname_or_folder}.tar.bz2 {status=206} {type="application/octet-stream"}/../{hostname_or_folder}.tgz {status=206} {type="application/octet-stream"}/../{hostname_or_folder}.7z {status=206} {type="application/octet-stream"}/../{hostname_or_folder}.log {status=206} {type="application/octet-stream"}/../{hostname_or_folder}.sh {status=206} {type="application/octet-stream"}
/temp.zip {status=206} {type="application/octet-stream"}/temp.rar {status=206} {type="application/octet-stream"}/temp.tar.gz {status=206} {type="application/octet-stream"}/temp.tgz {status=206} {type="application/octet-stream"}/temp.tar.bz2 {status=206} {type="application/octet-stream"}
/package.zip {status=206} {type="application/octet-stream"}/package.rar {status=206} {type="application/octet-stream"}/package.tar.gz {status=206} {type="application/octet-stream"}/package.tgz {status=206} {type="application/octet-stream"}/package.tar.bz2 {status=206} {type="application/octet-stream"}
/tmp.zip {status=206} {type="application/octet-stream"}/tmp.rar {status=206} {type="application/octet-stream"}/tmp.tar.gz {status=206} {type="application/octet-stream"}/tmp.tgz {status=206} {type="application/octet-stream"}/tmp.tar.bz2 {status=206} {type="application/octet-stream"}
/test.zip {status=206} {type="application/octet-stream"}/test.rar {status=206} {type="application/octet-stream"}/test.tar.gz {status=206} {type="application/octet-stream"}/test.tgz {status=206} {type="application/octet-stream"}/test.tar.bz2 {status=206} {type="application/octet-stream"}
/backup.zip {status=206} {type="application/octet-stream"}/backup.rar {status=206} {type="application/octet-stream"}/backup.tar.gz {status=206} {type="application/octet-stream"}/backup.tgz {status=206} {type="application/octet-stream"}/back.tar.bz2 {status=206} {type="application/octet-stream"}
/db.zip {status=206} {type="application/octet-stream"}/db.rar {status=206} {type="application/octet-stream"}/db.tar.gz {status=206} {type="application/octet-stream"}/db.tgz {status=206} {type="application/octet-stream"}/db.tar.bz2 {status=206} {type="application/octet-stream"}/db.log {status=206} {type="application/octet-stream"}/db.inc {status=200} {type_no="html"}/db.sqlite {status=206} {type="application/octet-stream"}
/db.sql.gz {status=206} {type="application/octet-stream"}/dump.sql.gz {status=206} {type="application/octet-stream"}/database.sql.gz {status=206} {type="application/octet-stream"}/backup.sql.gz {status=206} {type="application/octet-stream"}
/data.zip {status=206} {type="application/octet-stream"}/data.rar {status=206} {type="application/octet-stream"}/data.tar.gz {status=206} {type="application/octet-stream"}/data.tgz {status=206} {type="application/octet-stream"}/data.tar.bz2 {status=206} {type="application/octet-stream"}
/database.zip {status=206} {type="application/octet-stream"}/database.rar {status=206} {type="application/octet-stream"}/database.tar.gz {status=206} {type="application/octet-stream"}/database.tgz {status=206} {type="application/octet-stream"}/database.tar.bz2 {status=206} {type="application/octet-stream"}
/ftp.zip {status=206} {type="application/octet-stream"}/ftp.rar {status=206} {type="application/octet-stream"}/ftp.tar.gz {status=206} {type="application/octet-stream"}/ftp.tgz {status=206} {type="application/octet-stream"}/ftp.tar.bz2 {status=206} {type="application/octet-stream"}
/log.txt {status=200} {type="text/plain"}/log.tar.gz {status=206} {type="application/octet-stream"}/log.rar {status=206} {type="application/octet-stream"}/log.zip {status=206} {type="application/octet-stream"}/log.tgz {status=206} {type="application/octet-stream"}/log.tar.bz2 {status=206} {type="application/octet-stream"}/log.7z {status=206} {type="application/octet-stream"}
/logs.txt {status=200} {type="text/plain"}/logs.tar.gz {status=206} {type="application/octet-stream"}/logs.rar {status=206} {type="application/octet-stream"}/logs.zip {status=206} {type="application/octet-stream"}/logs.tgz {status=206} {type="application/octet-stream"}/logs.tar.bz2 {status=206} {type="application/octet-stream"}/logs.7z {status=206} {type="application/octet-stream"}
/web.zip {status=206} {type="application/octet-stream"}/web.rar {status=206} {type="application/octet-stream"}/web.tar.gz {status=206} {type="application/octet-stream"}/web.tgz {status=206} {type="application/octet-stream"}/web.tar.bz2 {status=206} {type="application/octet-stream"}
/www.log {status=206} {type="application/octet-stream"}/www.zip {status=206} {type="application/octet-stream"}/www.rar {status=206} {type="application/octet-stream"}/www.tar.gz {status=206} {type="application/octet-stream"}/www.tgz {status=206} {type="application/octet-stream"}/www.tar.bz2 {status=206} {type="application/octet-stream"}
/wwwroot.zip {status=206} {type="application/octet-stream"}/wwwroot.rar {status=206} {type="application/octet-stream"}/wwwroot.tar.gz {status=206} {type="application/octet-stream"}/wwwroot.tgz {status=206} {type="application/octet-stream"}/wwwroot.tar.bz2 {status=206} {type="application/octet-stream"}

/output.zip {status=206} {type="application/octet-stream"}/output.rar {status=206} {type="application/octet-stream"}/output.tar.gz {status=206} {type="application/octet-stream"}/output.tgz {status=206} {type="application/octet-stream"}/output.tar.bz2 {status=206} {type="application/octet-stream"}
/admin.zip {status=206} {type="application/octet-stream"}/admin.rar {status=206} {type="application/octet-stream"}/admin.tar.gz {status=206} {type="application/octet-stream"}/admin.tgz {status=206} {type="application/octet-stream"}/admin.tar.bz2 {status=206} {type="application/octet-stream"}
/upload.zip {status=206} {type="application/octet-stream"}/upload.rar {status=206} {type="application/octet-stream"}/upload.tar.gz {status=206} {type="application/octet-stream"}/upload.tgz {status=206} {type="application/octet-stream"}/upload.tar.bz2 {status=206} {type="application/octet-stream"}
/website.zip {status=206} {type="application/octet-stream"}/website.rar {status=206} {type="application/octet-stream"}/website.tar.gz {status=206} {type="application/octet-stream"}/website.tgz {status=206} {type="application/octet-stream"}/website.tar.bz2 {status=206} {type="application/octet-stream"}
/package.zip {status=206} {type="application/octet-stream"}/package.rar {status=206} {type="application/octet-stream"}/package.tar.gz {status=206} {type="application/octet-stream"}/package.tgz {status=206} {type="application/octet-stream"}/package.tar.bz2 {status=206} {type="application/octet-stream"}
/sql.log {status=206} {type="application/octet-stream"}/sql.zip {status=206} {type="application/octet-stream"}/sql.rar {status=206} {type="application/octet-stream"}/sql.tar.gz {status=206} {type="application/octet-stream"}/sql.tgz {status=206} {type="application/octet-stream"}/sql.tar.bz2 {status=206} {type="application/octet-stream"}/sql.7z {status=206} {type="application/octet-stream"}/sql.inc {status=200} {type_no="html"}
/data.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}/qq.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}/tencent.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}/database.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}/db.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}/test.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}/admin.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}/backup.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}/user.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}/sql.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}
/index.zip {status=206} {type="application/octet-stream"}/index.7z {status=206} {type="application/octet-stream"}/index.bak {status=206} {type="application/octet-stream"}/index.rar {status=206} {type="application/octet-stream"}/index.tar.tz {status=206} {type="application/octet-stream"}/index.tar.bz2 {status=206} {type="application/octet-stream"}/index.tar.gz {status=206} {type="application/octet-stream"}
/{hostname_or_folder}.log {status=206} {type="application/octet-stream"}/logs/{hostname_or_folder}.log {status=206} {type="application/octet-stream"}
/dump.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}/{sub}.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}
/old.zip {status=206} {type="application/octet-stream"}/old.rar {status=206} {type="application/octet-stream"}/old.tar.gz {status=206} {type="application/octet-stream"}/old.tar.bz2 {status=206} {type="application/octet-stream"}/old.tgz {status=206} {type="application/octet-stream"}/old.7z {status=206} {type="application/octet-stream"}
/1.tar.gz {status=206} {type="application/octet-stream"}/a.tar.gz {status=206} {type="application/octet-stream"}/x.tar.gz {status=206} {type="application/octet-stream"}/o.tar.gz {status=206} {type="application/octet-stream"}
/conf/conf.zip {status=206} {type="application/octet-stream"}
/conf.tar.gz {status=206} {type="application/octet-stream"}
/qq.pac {status=206} {type="application/octet-stream"}/tencent.pac {status=206} {type="application/octet-stream"}
/server.cfg {status=206} {type="application/octet-stream"}
/deploy.tar.gz {status=206} {type="application/octet-stream"}/build.tar.gz {status=206} {type="application/octet-stream"}/install.tar.gz {status=206} {type="application/octet-stream"}
/secu-tcs-agent-mon-safe.sh {status=206}/password.tar.gz {status=206} {type="application/octet-stream"}/site.tar.gz {status=206} {type="application/octet-stream"}/tenpay.tar.gz {status=206} {type="application/octet-stream"}
/rsync_log.sh {status=206} {type="application/octet-stream"}/rsync.sh {status=206} {type="application/octet-stream"}
/webroot.zip {status=206} {type="application/octet-stream"}
/tools.tar.gz {status=206} {type="application/octet-stream"}
/users.tar.gz {status=206} {type="application/octet-stream"}
/webserver.tar.gz {status=206} {type="application/octet-stream"}
/htdocs.tar.gz  {status=206}  {type="application/octet-stream"}

推荐工具

https://github.com/maurosoria/dirsearch

修复方案

删除备份文件即可

常见的隐藏目录泄漏有三种 svn、git 以及 DS_Store,svn 和 git 是代码管理系统,在上线代码时,同步代码的过程中会把因此目录 .git 和 .svn 给同步上去,导致通过远程即可访问该目录下的内容,而 DS_Store 是 mac 系统下自动生成的文件,每个目录下都有,记录了目录下文件变动的历史。

svn

Subversion,简称 SVN,是一个开放源代码的版本控制系统,相对于的 RCS、CVS,采用了分支管理系统,它的设计目标就是取代 CVS。互联网上越来越多的控制服务从 CVS 转移到 Subversion。

svn 更新至 1.7+ .svn/entries 目录就不包含文件目录列表了。检测方法为探测网站目录下是否有 .svn/entries 这个文件,内容如图:

工具推荐

https://github.com/admintony/svnExploit

修复方案

1、上线前删除该目录 

2、在服务器上配置禁止该目录访问,常见配置如下:

Apache:

    <Directory ~ "\.svn">    Order allow,deny    Deny from all    </Directory>

Nginx:

location ~ ^(.*)\/\.svn\/ {    return 404;    }

git

在运行 git init 初始化代码库的时候,会在当前目录下面产生一个 .git 的隐藏目录,用来记录代码的变更记录等等。在发布代码的时候,而 .git 这个目录没有删除,直接发布了。使用这个文件,可以用来恢复源代码。

攻击者利用该漏洞下载 .git 文件夹中的所有内容。如果文件夹中存在敏感信息(数据库账号密码、源码等),通过白盒的审计等方式就可能直接获得控制服务器的权限和机会!

漏洞发现

1、可以先观察一下站点是否有醒目地指出 Git,如果有的话,那就说明站点很大可能是存在这个问题的

2、如果站点没有醒目的提示的话,可以利用 dirsearch 这类扫描工具,如果存在 ./git 泄露的问题的话,会被扫描出来的

3、最直观的方式,就是直接通过网页访问 .git 目录,如果能访问就说明存在

当确认存在这个漏洞之后,就可以通过工具来下载 git 泄露的全部源码

工具推荐

https://github.com/0xHJK/dumpall

.DS_Store

.DS_Store 是 Mac 下 Finder 用来保存如何展示 文件/文件夹 的数据文件,每个文件夹下对应一个。和 windows 相比,等同于 desktop.ini 和 Thumbs.db 两个文件。

如果开发/设计人员将 .DS_Store 上传部署到线上环境,可能造成文件目录结构泄漏,特别是备份文件、源代码文件。

比如我本地系统:

尝试用工具解析:

能看到我本地目录下的一些目录信息。

工具推荐

https://github.com/gehaxelt/Python-dsstore

https://github.com/lijiejie/ds_store_exp

今天分享的这部分内容,最终危害取取决于泄漏的文件,比如可以远程连接的数据库账号密码和地址,那么就存在直接的危害,导致数据库被接管,如果泄漏的是网站源码,则可能存在漏洞被通过代码审计的方式审计出来,如果都是些静态资源,那么危害几乎可以忽略,所以学需要具体问题具体对待。


文章来源: http://mp.weixin.qq.com/s?__biz=MzI5MDQ2NjExOQ==&mid=2247498403&idx=1&sn=0a4557ff1a9b9def02ee0b12f9386dc6&chksm=ec1dca8bdb6a439dbf7badc5b45e4e8dd179f9d8aa9096ebcf1e09d217d03101c50f102292c3#rd
如有侵权请联系:admin#unsafe.sh