Vulnerability information collection: sensitive information collection

Sensitive information collection

Web source code leak (through tools)

.hg source code leak

.hg

.git source code leak

.git
How it is used
Current web projects commonly use a fully separated front-end/back-end architecture: the front end consists of static files and the back-end code is a separate project. The static files are published to the server with git, and nginx is pointed at the target directory so that the files can be reached from the public network. When git init is run to initialize the repository, a hidden .git directory is created in the current directory to record the change history and other metadata. If the .git directory is not deleted before release and is published together with the site, the source code can be restored from it.
Use GitHack on the exposed .git directory to restore the source code.
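As an added example (mine, not code from the original post or from the GitHack project), a pre-release check in Python that walks the build directory before it is published and reports every artifact this page describes: it goes beyond the .git case to the .hg, .svn, CVS, .DS_Store, WEB-INF and backup-file leaks covered further down. The sample tree it builds is constructed, and WEB-INF is flagged on the assumption that the audited directory is a static front-end bundle served by nginx.

```python
import os
import tempfile
from pathlib import Path

# Artifacts this page lists as leaking source or directory structure when
# left in a published web root. WEB-INF is included on the assumption that
# the audited directory is a static front-end bundle served by nginx, where
# a Java deployment descriptor has no business being.
LEAKY_DIRS = {".git", ".hg", ".svn", "CVS", "WEB-INF"}
LEAKY_FILES = {".DS_Store"}
BACKUP_SUFFIXES = (".rar", ".zip", ".tar.gz", ".bak", ".tar")

def audit_webroot(root):
    """Walk a build directory and return the relative paths that must not be
    published. A matching directory is reported once and not descended into,
    so a whole .git tree gives a single finding."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        for d in list(dirnames):
            if d in LEAKY_DIRS:
                findings.append((rel / d).as_posix() + "/")
                dirnames.remove(d)  # prune: os.walk will not enter it
        for f in filenames:
            if f in LEAKY_FILES or f.lower().endswith(BACKUP_SUFFIXES):
                findings.append((rel / f).as_posix())
    return sorted(findings)

def build_sample_tree(base):
    """Constructed sample deployment directory (not a real project)."""
    base = Path(base)
    (base / ".git" / "objects").mkdir(parents=True)
    (base / ".git" / "HEAD").write_text("ref: refs/heads/master\n")
    (base / "static" / "css").mkdir(parents=True)
    (base / "static" / ".DS_Store").write_bytes(b"\x00\x00\x00\x01Bud1")
    (base / "index.html").write_text("<h1>hello</h1>\n")
    (base / "site.tar.gz").write_bytes(b"")
    (base / "config.php.bak").write_text("<?php $db_pass = 'x';\n")
    return base

def demo():
    """Audit the constructed tree; a non-empty result means: do not deploy."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_webroot(build_sample_tree(tmp))
```

demo() returns the list of findings; wiring audit_webroot into the publish step and aborting when the list is non-empty stops the .git directory from ever reaching the server.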

cvs source code leak

		/cvs/root

.svn source code leak

.svn/entries
Subversion (SVN) is an open-source version control system. Compared with RCS and CVS it uses a branch management system, and its design goal is to replace CVS; more and more version control services on the Internet are moving from CVS to Subversion.

Subversion uses a server-client structure; both the server and the client can of course run on the same machine. On the server side is a Subversion repository that stores all controlled data; on the other end is a Subversion client program that manages a local mapping of part of the controlled data (the "working copy"). The two ends communicate through several repository access layers (Repository Access, RA); these channels let the repository be operated over different network protocols, such as HTTP or SSH, or through local files.

SVN vulnerabilities are frequently used in real penetration tests. They arise from the negligence of some developers and administrators, and the principle is similar to the .DS_Store leak. We will not build the environment here; instead we recommend a tool, used as follows:
1) Exploit tool: Seay SVN vulnerability exploit tool
2) Add the website URL. Appending /.svn/entries to the URL lists the site's directory, and the entire site can even be downloaded.
Download address: https://pan.baidu.com/s/1jGA98jG

.DS_Store file leak

.DS_Store is a data file used by Finder on macOS to store how files and folders are displayed, one per folder. When a developer or designer publishes code without deleting the hidden .DS_Store in the folder, it can leak the directory structure and sensitive information such as source code files.
We can replicate this: use phpStudy to build a PHP environment and upload the .DS_Store file to the relevant directory.
Tool download address: https://github.com/lijiejie/ds_store_exp
This is a file-disclosure script that parses .DS_Store files and recursively downloads the files they list to the local machine.

WEB-INF/web.xml leak

WEB-INF is the security directory of a Java web application: its files cannot be accessed directly from a page; a file must first be mapped through web.xml before it can be reached.
WEB-INF mainly contains the following files or directories:
/WEB-INF/web.xml: web application configuration file, which describes the configuration and naming rules of servlets and other application components.
/WEB-INF/classes/: contains all the class files used by the site, servlet and non-servlet classes alike, that are not packaged in a jar file.
/WEB-INF/lib/: holds the JAR files the web application needs; place only the jars used by this application here, such as the database driver jar.
/WEB-INF/src/: source code directory, with each java file placed according to its package structure.
/WEB-INF/database.properties: database configuration file
Reason:
Web applications are often deployed with several web servers working together, to make up for the performance shortcomings of one of them, to do load balancing, and to implement a layered security strategy. With this architecture, an improper mapping of static resource directories or files can create security problems, so that web.xml and other files can be read.

Website backup file leak

		.rar
		.zip
		.tar.gz
		.bak
		.tar
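As an added detection example (not part of the original post), the paths this page lists, from the version-control directories down to the backup extensions above, turned into rules run over nginx combined-format access log lines; the log lines and IP addresses are constructed. A probe that was answered with 2xx means the artifact really is reachable on the server.

```python
import re
# nginx/Apache combined log format; sample lines and IPs below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Request paths that correspond to the leak types listed on this page.
PROBE_RULES = [
    ("vcs-dir",     re.compile(r"/\.(git|hg|svn)(/|$)", re.I)),
    ("cvs-dir",     re.compile(r"/CVS/(Root|Entries)$", re.I)),
    ("ds-store",    re.compile(r"/\.DS_Store$", re.I)),
    ("web-inf",     re.compile(r"/WEB-INF/", re.I)),
    ("backup-file", re.compile(r"\.(rar|zip|tar\.gz|bak|tar)$", re.I)),
]
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2020:10:15:01 +0800] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/7.68.0"
203.0.113.7 - - [10/Apr/2020:10:15:03 +0800] "GET /.svn/entries HTTP/1.1" 404 153 "-" "curl/7.68.0"
203.0.113.7 - - [10/Apr/2020:10:15:05 +0800] "GET /www.zip HTTP/1.1" 403 0 "-" "curl/7.68.0"
198.51.100.4 - - [10/Apr/2020:10:16:10 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Apr/2020:10:16:11 +0800] "GET /static/.DS_Store HTTP/1.1" 404 153 "-" "Mozilla/5.0"
""".splitlines()

def classify(path):
    """Name of the first rule matching the request path, or None."""
    path = path.split("?", 1)[0]  # ignore the query string
    for name, rx in PROBE_RULES:
        if rx.search(path):
            return name
    return None

def scan_log(lines):
    """Group matching requests as {ip: {rule: [(path, status), ...]}}."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash the scan
        rule = classify(m["path"])
        if rule:
            hits.setdefault(m["ip"], {}).setdefault(rule, []).append(
                (m["path"], m["status"]))
    return hits

def exposed(hits):
    """Probes answered with 2xx: the artifact really is reachable, so removing
    it and blocking the path is urgent rather than a monitoring matter."""
    return sorted((ip, rule, path) for ip, rules in hits.items()
                  for rule, reqs in rules.items()
                  for path, status in reqs if status.startswith("2"))
```

scan_log(SAMPLE_LOG) gives the per-source picture of who probed what, and exposed() reduces it to the findings that need cleanup today.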

Web scanning with the 破壳 Web scanner

		Add the target, choose the script type and the target type, and start scanning

Useful websites

		Netdisk search: http://www.pansou.com/ or https://www.lingfengyun.com/
		Netdisk password cracking, see: https://www.52pojie.cn/thread-763130-1-1.html
		Social engineering information leaks: https://www.instantcheckmate.com/, http://www.uneihan.com/
		Source code search: https://searchcode.com/, https://gitee.com/, gitcafe.com, code.csdn.net
		钟馗之眼 (ZoomEye): https://www.zoomeye.org/
			ZoomEye supports fingerprint search of public-network devices and web fingerprint search. Web fingerprints include application name, version, front-end framework, back-end framework, server-side language, server operating system, web container, content management system and database. Device fingerprints include application name, version, open ports, operating system, service name, geographic location and so on.
				Host device search by component name
					app: component name
					ver: component version
					port: port
					etc.
				Example 1: search for hosts running IIS 6.0: app:"Microsoft-IIS" ver:"6.0"; about 41,781,210 hosts running IIS 6.0 are found in 0.6 seconds.
				Example 2: search for WebLogic hosts: app:"weblogic httpd" port:7001; about 420,000 hosts running WebLogic are found in 0.078 seconds.
				Example 3: hosts with port 3389 open: port:3389
				Example 4: servers whose operating system is Linux: os:linux
				Example 5: public-network cameras: service:"routersetup"
				Example 6: Apache servers in the United States: app:Apache country:US, optionally followed by city:<city name>
				Example 7: information on a specific IP: ip:121.42.173.26
				Example 8: information about the taobao.com domain: site:taobao.com
				Example 9: sites whose title contains a given string: title:weblogic
				Example 10: keywords:Nginx
		天眼查 (Tianyancha): https://www.tianyancha.com/
		Other: threat intelligence: 微步在线 (ThreatBook), ti.360.cn, VirusTotal
GitHub information leaks
	https://sec.xiaomi.com/article/37
		Fully automated GitHub monitoring
			Mostly used to search source code
Google hacking information leaks
Interface (API) information leaks
	Interface without rate limiting or access restrictions
		Enumerating streamer UIDs to obtain IP addresses
Social engineering information leaks
	Using social-engineering databases to obtain the password matching an email address and attacking with it

Email information collection

	Purpose
		Discover the account naming rules of the target system
			Can later be used to log in to other subsystems
		Brute-force mailbox logins
	Common rules (e.g. for employee Zhang Xiaosan)
		[email protected]
		[email protected]
		[email protected]
	Some companies have shared mailboxes
		HR, customer service, operations
			These sometimes have weak passwords
	Collection
		Manual
			Search engines
			GitHub and other third-party hosting platforms
				Author email addresses
					Database account names and passwords
			Social-engineering databases
				Look up personal information
		Tools
			theHarvester
				Can search Google, Bing and PGP key servers for email addresses, hosts and subdomains, so the tool needs to be run through a proxy that bypasses the Great Firewall.
				Download address: https://github.com/laramies/theHarvester
				Collects email addresses, names, subdomains, IPs and URLs from these sources
				Requires Python 3.6
					Download the Windows x86-64 executable installer
						python -m pip install -r requirements.txt to install the dependencies
							./theHarvester.py -d <domain> -l 1000 (number of search results) -b <search engine>, or all to use every source

Historical vulnerability collection

	Analyze carefully, verify boldly, think divergently; understanding the target company's operations and development habits helps enormously. Save the vulnerabilities you find and compile statistics on them; you can even turn them into a word cloud for yourself, and after looking at it for a while you will know what vulnerabilities to expect.
		wooyun historical vulnerability archive: http://www.anquan.us/
		漏洞银行 (BugBank): https://www.bugbank.cn/
		360 补天 (Butian): https://www.butian.net/
		Education sector vulnerability reporting platform (Beta): https://src.edu-info.edu.cn/login/
	Some may be unfixed, incompletely fixed, or have secondary vulnerabilities

Tool information collection

	7kbscan, 破壳 Web scanner, etc.

Origin blog.csdn.net/weixin_43079958/article/details/105431794