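Sensitive File Collection

In CTF competitions or during testing you will run into vulnerabilities such as arbitrary file read or directory traversal, and reading certain sensitive files lets you take things a step further. Below is a list of sensitive file paths I have put together; I hope readers will contribute additions.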


apache

The installation paths of apache and nginx are not fixed; the ones given below are the common paths.

/etc/apache/httpd.conf

/etc/httpd/conf/httpd.conf

/etc/httpd/httpd.conf

/usr/local/apache/conf/httpd.conf

/home/httpd/conf/httpd.conf

/usr/local/apache2/conf/httpd.conf

/usr/local/httpd/conf/httpd.conf

/etc/rc.local sometimes reveals the apache path

after apache2.4

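/etc/apache2/sites-available/000-default.conf contains the web document root

/etc/apache2/sites-enabled/ the enabled configuration files

/etc/apache2/sites-available/ all configurations, including those temporarily disabled

/etc/apache2/apache2.conf Apache's main configuration file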

nginx

/etc/nginx/nginx.conf

/etc/nginx/conf.d/nginx.conf

linux

etc

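/etc/hosts.deny defines the hosts that are denied access to this machine

/etc/bashrc system-wide configuration for the bash shell

/etc/issue shows the Linux kernel and distribution version information (for locally logged-in users)

/etc/issue/net shows the Linux kernel and distribution version information (for remotely logged-in users) ---- did not work

/etc/ssh/ssh_config ssh configuration file

/etc/termcap terminal definitions and configuration file

/etc/xinetd.d

/etc/mtab contains the list of currently mounted file systems; sometimes reveals the path of the current website

/etc/vsftpd/vsftpd.conf

/etc/xinetd.conf xinetd configuration file

/etc/protocols lists the currently available protocols

/etc/logrotate.conf maintains the log files in the /var/log directory

/etc/ld.so.conf configuration of the dynamic linker

/etc/resolv.conf DNS client configuration file; sets the DNS server IP addresses and the DNS domain name

Contains the IP address of the default router
Redhat 5.x: /etc/sysconfig/network

/etc/sendmail.cf Sendmail (e-mail server) configuration file
/etc/sendmail.cw local host name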

proc

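/proc/mounts list of file systems

/proc/cpuinfo CPU information

/proc/meminfo memory information

/proc/self -> points to /proc/[pid of the current process]

/proc/self/environ the current environment variables

/proc/[pid]/cmdline process startup arguments (can expose sensitive information such as a redis password) (works across processes, e.g. /proc/1/cmdline for the process with pid=1)

/proc/[pid]/mountinfo file system mount information (shows some of docker's file mappings; for a process running inside a container you can usually find the paths of important data here, such as configuration files, code and data files)

/proc/[pid]/fd/[fd] files opened by the process (fd is the file descriptor id)

/proc/[pid]/exe points to the executable file of the process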

/proc/config.gz

Requires root privileges

/root/.ssh/authorized_keys
/root/.ssh/id_rsa
/root/.ssh/id_rsa.keystore
/root/.ssh/id_rsa.pub
/root/.ssh/known_hosts
/root/.bash_history
/root/.mysql_history

Windows

c:\boot.ini
c:\windows\system32\inetsrv\MetaBase.xml
c:\windows\repair\sam
C:\windows\system32\config\sam
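
The same path lists are what a defender can match against web server logs. The script below is an added example, not part of the original post: it decodes each request target (nested percent-encoding, backslashes, dot segments) and reports requests that name one of the files listed above. The combined access-log layout is an assumption and the sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Paths from the lists above, as one regex over a normalized, lowercased target.
SENSITIVE = re.compile("|".join([
    r"/etc/(apache2?|httpd|nginx)/[\w./-]*",
    r"/(usr/local|home)/(apache2?|httpd)/conf/httpd\.conf",
    r"/etc/(rc\.local|mtab|resolv\.conf|ssh/ssh_config|sysconfig/network)",
    r"/proc/(self|\d+)/(environ|cmdline|mountinfo|exe|fd/\d+)",
    r"/proc/(mounts|config\.gz)",
    r"/root/\.(ssh/[\w.]+|bash_history|mysql_history)",
    r"/windows/(repair|system32/config)/sam",
    r"/(boot\.ini|windows/system32/inetsrv/metabase\.xml)",
]))
# Assumed log layout: combined format (client ... "METHOD target HTTP/x" status).
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def normalize(target):
    """Undo what hides a path: nested %-encoding, backslashes, NULs, dot segments."""
    for _ in range(3):                           # %252e -> %2e -> .
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    target = target.replace("\x00", "").replace("\\", "/").lower()
    target = re.sub(r"(\.\.?/)+", "/", target)   # runs of ../ and ./ -> /
    return re.sub(r"/+", "/", target)            # //etc///mtab -> /etc/mtab

def scan(lines):
    """Return (client, status, matched_path) for each request naming a listed file."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        found = SENSITIVE.search(normalize(target))
        if found:
            hits.append((client, int(status), found.group(0)))
    return hits

# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /download?file=..%2f..%2f..%2fproc%2fself%2fenviron HTTP/1.1" 200 812',
    '198.51.100.9 - - [01/Jan/2024:10:01:12 +0000] "GET /view?f=%252e%252e%252f%252e%252e%252fetc%252fnginx%252fnginx.conf HTTP/1.1" 404 153',
    '198.51.100.9 - - [01/Jan/2024:10:01:20 +0000] "GET /img?name=..%5c..%5cwindows%5crepair%5csam HTTP/1.1" 403 199',
    '192.0.2.44 - - [01/Jan/2024:10:02:00 +0000] "GET /docs/etc/overview.html HTTP/1.1" 200 2048',
]
if __name__ == "__main__": print(*scan(SAMPLE_LOG), sep="\n")
```

A hit with status 200 deserves attention first, since the file may actually have been returned; the other hits show probing that was rejected.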

apache httpd.conf or apache2.conf ?

On Ubuntu I did not find an httpd.conf file myself; what I found was apache2.conf.

Why is that? I found the answer on StackOverflow:

The Apache Software Foundation publishes many bits of software, one of which is a web server named httpd. The httpd project sources include among other things an httpd.conf sample configuration file, which is installed by default in /usr/local/etc/httpd or /etc/httpd. You will find httpd named as such on most systems.

However, long ago and far away, someone in the Debian GNU/Linux distribution decided to change the name of the software within that distribution from httpd to apache2. Thus on a Debian system you will find a configuration file named apache2.conf in a directory named /etc/apache2. I don’t know who did this or why, but it’s a perennial source of confusion on par with calling Windows “Microsoft” or ESXi “VMware”. Distributions based on Debian, such as Ubuntu, inherit this strangeness. Even stranger, they then include a file /etc/apache2/httpd.conf which is Included from apache2.conf into which users can place custom configuration.

So the answer is, if you’re on a Debian-based system, you bend your brain into doing things the way Debian wants you to do it. Otherwise you generally do things the normal way as the upstream httpd project does it.

The /etc/apache2/httpd.conf is empty in Ubuntu, because the Apache configuration resides in /etc/apache2/apache2.conf!

“httpd.conf is for user options.” No it isn’t, it’s there for historic reasons.

Using Apache server, all user options should go into a new *.conf-file inside /etc/apache2/conf.d/. This method should be “update-safe”, as httpd.conf or apache2.conf may get overwritten on the next server update.

Inside /etc/apache2/apache2.conf, you will find the following line, which includes those files:

# Include generic snippets of statements
Include conf.d/

As of Apache 2.4+ the user configuration directory is /etc/apache2/conf-available/. Use a2enconf FILENAME_WITHOUT_SUFFIX to enable the new configuration file or manually create a symlink in /etc/apache2/conf-enabled/. Be aware that as of Apache 2.4 the configuration files must have the suffix .conf (e.g. conf-available/my-settings.conf);
