目前存在未授权访问漏洞的服务主要 包括:NFS、Samba、LDAP、Rsync、FTP、GitLab、Jenkins、 MongoDB、Redis、ZooKeeper、ElasticSearch、Memcache、CouchDB、 Docker、Solr、Hadoop等。
redis未授权
通过手工进行未授权访问验证,在安装Redis服务的Kali系统中输 入redis-cli-h IP,如果目标系统存在未授权访问漏洞,则可以成功 进行连接。输入info命令,可以查看Redis服务的版本号、配置文件目 录、进程ID号等。
常见的敏感文件泄漏总结:
敏感文件通常指携带敏感信息的文件,最为常见的就是数据库的配置文件、网站源码备份、数据库备份等,管理员为了方便下载,将源码备份放置在 web 目录,然后下载至本地备份,下载完之后忘记删除,从而导致漏洞的出现。
配置文件泄漏
最为典型的就是 spring 框架的配置文件泄漏,常见路径:
"/env"
/actuator/env"
泄漏信息如图:
这类漏洞通常需要日常收集常见系统的配置文件默认路径,如果存在未授权访问的情况,就会存在文件泄漏的问题。
除了这类常见框架、系统的配置文件泄漏外,还有因为管理员修改配置文件时,为了防止无法恢复,而创建的备份文件,比如 config.php.bak、config.php.20230101 等,这类文件是可以下载的,从而泄漏配置信息。
修复方案
1、对于备份文件,为在系统中使用的,可以删除处置,或者备份到其他无法直接通过浏览器访问的目录
2、在使用的无法删除的文件,需要设置权限,仅限本地访问
网站备份泄漏
网站源码备份是网站管理员经常要做的操作,有的管理员会自动备份到备份服务器,而有些管理员为了简单方便,将服务器上到源码打包压缩后放置在 web 目录,然后从服务器再下载到本地,进行本地备份,下载完成之后是应该删除的,但是由于未做这个操作,导致整站源码泄漏。
备份的文件名通常为 wwwroot、www、子域名等,压缩包后缀通常为 zip、tar.gz 等,通过组合常用备份名称和后缀,可以进行目录扫描,来发现这类备份文件。
下面是某工具的配置文件,收集整理了常见的备份文件组合方式:
# format: /path {tag="text string to find"} {status=HTTP_STATUS} {type="content-type should contain this string"} {type_no="content-type should not contain this string"}
# each item must starts with right slash "/"
/core {status=200} {tag="ELF"}
/../{hostname_or_folder}.old {status=301} {type="html"}
/../{hostname_or_folder}.backup {status=301} {type="html"}
/../{hostname_or_folder}.bak {status=301} {type="html"}
/{sub}.zip {status=206} {type="application/octet-stream"}
/{sub}.rar {status=206} {type="application/octet-stream"}
/{sub}.tar.gz {status=206} {type="application/octet-stream"}
/{sub}.tar.bz2 {status=206} {type="application/octet-stream"}
/{sub}.tgz {status=206} {type="application/octet-stream"}
/{sub}.7z {status=206} {type="application/octet-stream"}
/old.zip {status=206} {type="application/octet-stream"}
/old.rar {status=206} {type="application/octet-stream"}
/old.tar.gz {status=206} {type="application/octet-stream"}
/old.tar.bz2 {status=206} {type="application/octet-stream"}
/old.tgz {status=206} {type="application/octet-stream"}
/old.7z {status=206} {type="application/octet-stream"}
/{hostname_or_folder}.zip {status=206} {type="application/octet-stream"}
/{hostname_or_folder}.rar {status=206} {type="application/octet-stream"}
/{hostname_or_folder}.tar.gz {status=206} {type="application/octet-stream"}
/{hostname_or_folder}.tar.bz2 {status=206} {type="application/octet-stream"}
/{hostname_or_folder}.tgz {status=206} {type="application/octet-stream"}
/{hostname_or_folder}.7z {status=206} {type="application/octet-stream"}
/../{hostname_or_folder}.zip {status=206} {type="application/octet-stream"}
/../{hostname_or_folder}.rar {status=206} {type="application/octet-stream"}
/../{hostname_or_folder}.tar.gz {status=206} {type="application/octet-stream"}
/../{hostname_or_folder}.tar.bz2 {status=206} {type="application/octet-stream"}
/../{hostname_or_folder}.tgz {status=206} {type="application/octet-stream"}
/../{hostname_or_folder}.7z {status=206} {type="application/octet-stream"}
/../{hostname_or_folder}.log {status=206} {type="application/octet-stream"}
/../{hostname_or_folder}.sh {status=206} {type="application/octet-stream"}
/temp.zip {status=206} {type="application/octet-stream"}
/temp.rar {status=206} {type="application/octet-stream"}
/temp.tar.gz {status=206} {type="application/octet-stream"}
/temp.tgz {status=206} {type="application/octet-stream"}
/temp.tar.bz2 {status=206} {type="application/octet-stream"}
/package.zip {status=206} {type="application/octet-stream"}
/package.rar {status=206} {type="application/octet-stream"}
/package.tar.gz {status=206} {type="application/octet-stream"}
/package.tgz {status=206} {type="application/octet-stream"}
/package.tar.bz2 {status=206} {type="application/octet-stream"}
/tmp.zip {status=206} {type="application/octet-stream"}
/tmp.rar {status=206} {type="application/octet-stream"}
/tmp.tar.gz {status=206} {type="application/octet-stream"}
/tmp.tgz {status=206} {type="application/octet-stream"}
/tmp.tar.bz2 {status=206} {type="application/octet-stream"}
/test.zip {status=206} {type="application/octet-stream"}
/test.rar {status=206} {type="application/octet-stream"}
/test.tar.gz {status=206} {type="application/octet-stream"}
/test.tgz {status=206} {type="application/octet-stream"}
/test.tar.bz2 {status=206} {type="application/octet-stream"}
/backup.zip {status=206} {type="application/octet-stream"}
/backup.rar {status=206} {type="application/octet-stream"}
/backup.tar.gz {status=206} {type="application/octet-stream"}
/backup.tgz {status=206} {type="application/octet-stream"}
/back.tar.bz2 {status=206} {type="application/octet-stream"}
/db.zip {status=206} {type="application/octet-stream"}
/db.rar {status=206} {type="application/octet-stream"}
/db.tar.gz {status=206} {type="application/octet-stream"}
/db.tgz {status=206} {type="application/octet-stream"}
/db.tar.bz2 {status=206} {type="application/octet-stream"}
/db.log {status=206} {type="application/octet-stream"}
/db.inc {status=200} {type_no="html"}
/db.sqlite {status=206} {type="application/octet-stream"}
/db.sql.gz {status=206} {type="application/octet-stream"}
/dump.sql.gz {status=206} {type="application/octet-stream"}
/database.sql.gz {status=206} {type="application/octet-stream"}
/backup.sql.gz {status=206} {type="application/octet-stream"}
/data.zip {status=206} {type="application/octet-stream"}
/data.rar {status=206} {type="application/octet-stream"}
/data.tar.gz {status=206} {type="application/octet-stream"}
/data.tgz {status=206} {type="application/octet-stream"}
/data.tar.bz2 {status=206} {type="application/octet-stream"}
/database.zip {status=206} {type="application/octet-stream"}
/database.rar {status=206} {type="application/octet-stream"}
/database.tar.gz {status=206} {type="application/octet-stream"}
/database.tgz {status=206} {type="application/octet-stream"}
/database.tar.bz2 {status=206} {type="application/octet-stream"}
/ftp.zip {status=206} {type="application/octet-stream"}
/ftp.rar {status=206} {type="application/octet-stream"}
/ftp.tar.gz {status=206} {type="application/octet-stream"}
/ftp.tgz {status=206} {type="application/octet-stream"}
/ftp.tar.bz2 {status=206} {type="application/octet-stream"}
/log.txt {status=200} {type="text/plain"}
/log.tar.gz {status=206} {type="application/octet-stream"}
/log.rar {status=206} {type="application/octet-stream"}
/log.zip {status=206} {type="application/octet-stream"}
/log.tgz {status=206} {type="application/octet-stream"}
/log.tar.bz2 {status=206} {type="application/octet-stream"}
/log.7z {status=206} {type="application/octet-stream"}
/logs.txt {status=200} {type="text/plain"}
/logs.tar.gz {status=206} {type="application/octet-stream"}
/logs.rar {status=206} {type="application/octet-stream"}
/logs.zip {status=206} {type="application/octet-stream"}
/logs.tgz {status=206} {type="application/octet-stream"}
/logs.tar.bz2 {status=206} {type="application/octet-stream"}
/logs.7z {status=206} {type="application/octet-stream"}
/web.zip {status=206} {type="application/octet-stream"}
/web.rar {status=206} {type="application/octet-stream"}
/web.tar.gz {status=206} {type="application/octet-stream"}
/web.tgz {status=206} {type="application/octet-stream"}
/web.tar.bz2 {status=206} {type="application/octet-stream"}
/www.log {status=206} {type="application/octet-stream"}
/www.zip {status=206} {type="application/octet-stream"}
/www.rar {status=206} {type="application/octet-stream"}
/www.tar.gz {status=206} {type="application/octet-stream"}
/www.tgz {status=206} {type="application/octet-stream"}
/www.tar.bz2 {status=206} {type="application/octet-stream"}
/wwwroot.zip {status=206} {type="application/octet-stream"}
/wwwroot.rar {status=206} {type="application/octet-stream"}
/wwwroot.tar.gz {status=206} {type="application/octet-stream"}
/wwwroot.tgz {status=206} {type="application/octet-stream"}
/wwwroot.tar.bz2 {status=206} {type="application/octet-stream"}
/output.zip {status=206} {type="application/octet-stream"}
/output.rar {status=206} {type="application/octet-stream"}
/output.tar.gz {status=206} {type="application/octet-stream"}
/output.tgz {status=206} {type="application/octet-stream"}
/output.tar.bz2 {status=206} {type="application/octet-stream"}
/admin.zip {status=206} {type="application/octet-stream"}
/admin.rar {status=206} {type="application/octet-stream"}
/admin.tar.gz {status=206} {type="application/octet-stream"}
/admin.tgz {status=206} {type="application/octet-stream"}
/admin.tar.bz2 {status=206} {type="application/octet-stream"}
/upload.zip {status=206} {type="application/octet-stream"}
/upload.rar {status=206} {type="application/octet-stream"}
/upload.tar.gz {status=206} {type="application/octet-stream"}
/upload.tgz {status=206} {type="application/octet-stream"}
/upload.tar.bz2 {status=206} {type="application/octet-stream"}
/website.zip {status=206} {type="application/octet-stream"}
/website.rar {status=206} {type="application/octet-stream"}
/website.tar.gz {status=206} {type="application/octet-stream"}
/website.tgz {status=206} {type="application/octet-stream"}
/website.tar.bz2 {status=206} {type="application/octet-stream"}
/package.zip {status=206} {type="application/octet-stream"}
/package.rar {status=206} {type="application/octet-stream"}
/package.tar.gz {status=206} {type="application/octet-stream"}
/package.tgz {status=206} {type="application/octet-stream"}
/package.tar.bz2 {status=206} {type="application/octet-stream"}
/sql.log {status=206} {type="application/octet-stream"}
/sql.zip {status=206} {type="application/octet-stream"}
/sql.rar {status=206} {type="application/octet-stream"}
/sql.tar.gz {status=206} {type="application/octet-stream"}
/sql.tgz {status=206} {type="application/octet-stream"}
/sql.tar.bz2 {status=206} {type="application/octet-stream"}
/sql.7z {status=206} {type="application/octet-stream"}
/sql.inc {status=200} {type_no="html"}
/data.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}
/qq.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}
/tencent.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}
/database.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}
/db.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}
/test.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}
/admin.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}
/backup.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}
/user.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}
/sql.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}
/index.zip {status=206} {type="application/octet-stream"}
/index.7z {status=206} {type="application/octet-stream"}
/index.bak {status=206} {type="application/octet-stream"}
/index.rar {status=206} {type="application/octet-stream"}
/index.tar.tz {status=206} {type="application/octet-stream"}
/index.tar.bz2 {status=206} {type="application/octet-stream"}
/index.tar.gz {status=206} {type="application/octet-stream"}
/{hostname_or_folder}.log {status=206} {type="application/octet-stream"}
/logs/{hostname_or_folder}.log {status=206} {type="application/octet-stream"}
/dump.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}
/{sub}.sql {status=206} {type="application/octet-stream"} {tag="CREATE TABLE"}
/old.zip {status=206} {type="application/octet-stream"}
/old.rar {status=206} {type="application/octet-stream"}
/old.tar.gz {status=206} {type="application/octet-stream"}
/old.tar.bz2 {status=206} {type="application/octet-stream"}
/old.tgz {status=206} {type="application/octet-stream"}
/old.7z {status=206} {type="application/octet-stream"}
/1.tar.gz {status=206} {type="application/octet-stream"}
/a.tar.gz {status=206} {type="application/octet-stream"}
/x.tar.gz {status=206} {type="application/octet-stream"}
/o.tar.gz {status=206} {type="application/octet-stream"}
/conf/conf.zip {status=206} {type="application/octet-stream"}
/conf.tar.gz {status=206} {type="application/octet-stream"}
/qq.pac {status=206} {type="application/octet-stream"}
/tencent.pac {status=206} {type="application/octet-stream"}
/server.cfg {status=206} {type="application/octet-stream"}
/deploy.tar.gz {status=206} {type="application/octet-stream"}
/build.tar.gz {status=206} {type="application/octet-stream"}
/install.tar.gz {status=206} {type="application/octet-stream"}
/secu-tcs-agent-mon-safe.sh {status=206}
/password.tar.gz {status=206} {type="application/octet-stream"}
/site.tar.gz {status=206} {type="application/octet-stream"}
/tenpay.tar.gz {status=206} {type="application/octet-stream"}
/rsync_log.sh {status=206} {type="application/octet-stream"}
/rsync.sh {status=206} {type="application/octet-stream"}
/webroot.zip {status=206} {type="application/octet-stream"}
/tools.tar.gz {status=206} {type="application/octet-stream"}
/users.tar.gz {status=206} {type="application/octet-stream"}
/webserver.tar.gz {status=206} {type="application/octet-stream"}
/htdocs.tar.gz {status=206} {type="application/octet-stream"}
推荐工具
https://github.com/maurosoria/dirsearch
修复方案
删除备份文件即可
隐藏目录泄漏
常见的隐藏目录泄漏有三种 svn、git 以及 DS_Store,svn 和 git 是代码管理系统,在上线代码时,同步代码的过程中会把因此目录 .git 和 .svn 给同步上去,导致通过远程即可访问该目录下的内容,而 DS_Store 是 mac 系统下自动生成的文件,每个目录下都有,记录了目录下文件变动的历史。
svn
Subversion,简称 SVN,是一个开放源代码的版本控制系统,相对于的 RCS、CVS,采用了分支管理系统,它的设计目标就是取代 CVS。互联网上越来越多的控制服务从 CVS 转移到 Subversion。
svn 更新至 1.7+ .svn/entries
目录就不包含文件目录列表了。检测方法为探测网站目录下是否有 .svn/entries 这个文件,内容如图:
工具推荐
https://github.com/admintony/svnExploit
修复方案
1、上线前删除该目录
2、在服务器上配置禁止该目录访问,常见配置如下:
Apache:
<Directory ~ "\.svn">
Order allow,deny
Deny from all
</Directory>
Nginx:
location ~ ^(.*)\/\.svn\/ {
return 404;
}
git
在运行 git init 初始化代码库的时候,会在当前目录下面产生一个 .git 的隐藏目录,用来记录代码的变更记录等等。在发布代码的时候,而 .git 这个目录没有删除,直接发布了。使用这个文件,可以用来恢复源代码。
攻击者利用该漏洞下载 .git 文件夹中的所有内容。如果文件夹中存在敏感信息(数据库账号密码、源码等),通过白盒的审计等方式就可能直接获得控制服务器的权限和机会!
漏洞发现
1、可以先观察一下站点是否有醒目地指出 Git,如果有的话,那就说明站点很大可能是存在这个问题的
2、如果站点没有醒目的提示的话,可以利用 dirsearch 这类扫描工具,如果存在 ./git 泄露的问题的话,会被扫描出来的
3、最直观的方式,就是直接通过网页访问 .git 目录,如果能访问就说明存在
当确认存在这个漏洞之后,就可以通过工具来下载 git 泄露的全部源码
工具推荐
https://github.com/0xHJK/dumpall
.DS_Store
.DS_Store 是 Mac 下 Finder 用来保存如何展示 文件/文件夹 的数据文件,每个文件夹下对应一个。和 windows 相比,等同于 desktop.ini 和 Thumbs.db 两个文件。
如果开发/设计人员将 .DS_Store 上传部署到线上环境,可能造成文件目录结构泄漏,特别是备份文件、源代码文件。
比如我本地系统:
尝试用工具解析:
能看到我本地目录下的一些目录信息。
工具推荐
https://github.com/gehaxelt/Python-dsstore
https://github.com/lijiejie/ds_store_exp