How Sensitive File Information Leaks Happen (A Summary of Common Sensitive File Leaks)
Ways information leaks out: common sensitive file leaks
Sensitive files are files that carry sensitive information; the most common are database configuration files, website source-code backups and database backups. An administrator packs a source backup into the web directory for convenient download, pulls it down to a local machine, and then forgets to delete it, which is how the vulnerability arises.
Configuration file leaks
The most typical case is the Spring framework's configuration leak, at the common paths
"/env", "/actuator/env"
The leaked information is shown in the figure.
Finding this class of vulnerability usually means collecting the default configuration-file paths of common systems over time; wherever such a path is reachable without authorization, the file leaks.
Besides the configuration files of common frameworks and systems, there are the backup copies an administrator creates before editing a configuration file so that it can be restored, such as config.php.bak or config.php.20230101. These copies are served as plain downloadable files and therefore leak the configuration.
Remediation
1. Backup files that are not used by the system can be deleted, or moved to a directory that cannot be reached directly through the browser.
2. Files that are in use and cannot be deleted need access restrictions so that they are only reachable locally.
Website backup leaks
Backing up the website's source code is a routine task for administrators. Some back up automatically to a backup server, but others, for simplicity, pack and compress the source on the server, place the archive in the web directory, download it from there to a local machine for local backup, and are supposed to delete it afterwards. When that step is skipped, the whole site's source is exposed.
Backup file names are typically wwwroot, www, the subdomain name and so on, and the archive suffix is typically zip, tar.gz and the like. Combining the common backup names with the common suffixes gives a directory-scan wordlist that finds such files.
One scanning tool's rule file collects the common backup-file name combinations; each rule is a path followed by the expected HTTP status, an optional content-type substring that must (type) or must not (type_no) appear, and an optional tag string that must appear in the response body, i.e. `/path {status=HTTP_STATUS} {type="..."} {type_no="..."} {tag="..."}`.
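The rule format above (status plus content-type plus body tag) matters because a server that answers every unknown path with a 200 "not found" page makes status-only scanning useless. The following is an added example, not code from the post or from any scanner; its rules, paths and sample responses are constructed for the demo, and it is written for verifying findings against your own site offline:

```python
# Constructed rules in the spirit of the scanner rule file: a hit requires the expected
# status, a content-type that must ("type") or must not ("type_no") contain a substring,
# and optionally a "tag" that must appear in the body. Paths are demo values.
RULES = [
    {"path": "/.git/HEAD", "status": 200, "type_no": "html", "tag": b"ref: refs/"},
    {"path": "/.svn/entries", "status": 200, "type_no": "html"},
    {"path": "/.DS_Store", "status": 200, "type_no": "html", "tag": b"Bud1"},
    {"path": "/wwwroot.zip", "status": 206, "type": "application/octet-stream"},
    {"path": "/db.sql", "status": 206, "type": "application/octet-stream", "tag": b"CREATE TABLE"},
]


def rule_matches(rule, status, content_type, body):
    """Return True only when every condition configured on the rule holds."""
    if status != rule["status"]:
        return False
    ct = (content_type or "").lower()
    if "type" in rule and rule["type"] not in ct:
        return False
    if "type_no" in rule and rule["type_no"] in ct:
        return False
    tag = rule.get("tag")
    return tag is None or tag in body


def classify_responses(responses):
    """responses maps a probed path to (status, content_type, body) as observed on your
    own site; returns the paths whose response passes the whole rule, not just the status."""
    return [r["path"] for r in RULES
            if r["path"] in responses and rule_matches(r, *responses[r["path"]])]


# Constructed sample 1: a server that answers 200 plus an HTML "not found" page for every
# unknown path (a soft 404). Status-only scanning would report five false positives here.
SOFT404 = {r["path"]: (200, "text/html; charset=utf-8",
                       b"<html><body>Page not found</body></html>") for r in RULES}

# Constructed sample 2: the same server, but two of the files really are exposed.
EXPOSED = dict(SOFT404)
EXPOSED["/.git/HEAD"] = (200, "text/plain", b"ref: refs/heads/main\n")
EXPOSED["/db.sql"] = (206, "application/octet-stream", b"-- dump\nCREATE TABLE users (id INT);")

if __name__ == "__main__":
    print("soft-404 server:", classify_responses(SOFT404))   # []
    print("exposed server: ", classify_responses(EXPOSED))   # ['/.git/HEAD', '/db.sql']
```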
Recommended tool
https://github.com/maurosoria/dirsearch
Remediation
Delete the backup file.
Hidden directory leaks
There are three common kinds of hidden directory leak: svn, git and DS_Store. svn and git are source-control systems; when code goes live, the .git or .svn directory is synced along with it, so its contents become remotely readable. DS_Store is a file that macOS generates automatically in every directory and that records the history of file changes in that directory.
svn
Subversion (SVN) is an open-source version control system. Compared with RCS and CVS it adopts a branch management system, and its design goal was to replace CVS. More and more version control services on the Internet have moved from CVS to Subversion.
From SVN 1.7 onward, .svn/entries no longer contains the file and directory listing. Detection: probe whether the .svn/entries file exists under the web directory; its contents are shown in the figure.
Recommended tool
https://github.com/admintony/svnExploit
Remediation
1. Delete the directory before going live.
2. Configure the server to deny access to the directory; common configurations are:
Apache:

```apache
<Directory ~ "\.svn">
    Order allow,deny
    Deny from all
</Directory>
```

Nginx:

```nginx
location ~ ^(.*)\/\.svn\/ { return 404; }
```
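The svn rule above can be generalised to every dot-path and to the backup and archive suffixes discussed in this post. This is an added example, not the post's own configuration; the suffix list and the /.well-known/ exception are assumptions to adjust for your site:

```nginx
# Let ACME / well-known lookups through before the dot-path rule below; drop this
# block if the site serves nothing under /.well-known/ (assumption for this demo).
location ^~ /.well-known/ {
    try_files $uri =404;
}

# Any path segment starting with a dot: .git, .svn, .DS_Store, .env, .htaccess ...
location ~ /\. {
    return 404;
}

# Backup copies and archives an administrator may have left in the web root.
# 404 rather than 403 so the response does not confirm that the file exists.
location ~* (\.(bak|old|backup|orig|swp|sql|sql\.gz|zip|rar|7z|tgz|tar\.gz|tar\.bz2)|~)$ {
    return 404;
}
```

If the site intentionally serves downloads under some path, add a more specific `^~` location for that path ahead of the suffix rule, otherwise those downloads are blocked too.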
git
Running git init to initialise a repository creates a hidden .git directory in the current directory that records the change history and so on. If the code is published without removing this directory, it goes live with the site, and the directory can be used to recover the source code.
An attacker exploits this by downloading everything in the .git folder. If it contains sensitive information (database credentials, source code), white-box auditing can lead directly to the opportunity to take control of the server!
Finding the vulnerability
1. First check whether the site visibly mentions Git; if it does, there is a good chance this problem exists.
2. If there is no obvious hint, a scanner such as dirsearch will find a .git leak if one exists.
3. The most direct way is to request the .git directory in the browser; if it is accessible, the leak exists.
Once the leak is confirmed, tools can download the full leaked source.
Recommended tool
https://github.com/0xHJK/dumpall
.DS_Store
.DS_Store is the data file that Finder on macOS uses to store how a file or folder should be displayed; there is one per folder. Its Windows counterparts are desktop.ini and Thumbs.db.
If developers or designers upload .DS_Store to the production environment, the directory structure can leak, in particular backup files and source files.
For example, on my local system:
Trying to parse it with a tool:
I can see some of the directory information under my local directory.
Recommended tools
https://github.com/gehaxelt/Python-dsstore
https://github.com/lijiejie/ds_store_exp
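Every leak class in this post (configuration backups, site archives and SQL dumps, .git/.svn and .DS_Store) is something a pre-deploy check of the web root can catch before a scanner does. The following audit is an added example, not code from the post or from any of the tools it links; the patterns are assumptions to extend for your stack, and the sample web root is constructed in a temporary directory:

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed patterns for this demo (extend for your stack): VCS metadata directories,
# Finder metadata, editor/admin backup copies such as config.php.bak or
# config.php.20230101, and archives or SQL dumps sitting in the web root.
VCS_DIRS = {".git", ".svn"}
BACKUP_RE = re.compile(r"(\.(bak|old|backup|orig|swp)|~|\.\d{8})$", re.IGNORECASE)
ARCHIVE_RE = re.compile(r"\.(zip|rar|7z|tgz|tar\.gz|tar\.bz2|sql|sql\.gz)$", re.IGNORECASE)


def audit_webroot(root):
    """Walk a web root and return sorted (relative_path, reason) pairs for files and
    directories that should never be reachable through the web server."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        for d in list(dirnames):
            if d in VCS_DIRS:
                findings.append((str(rel_dir / d), "version-control metadata directory"))
                dirnames.remove(d)  # the directory itself is the finding; do not descend
        for f in filenames:
            rel = str(rel_dir / f)
            if f == ".DS_Store":
                findings.append((rel, "Finder metadata (reveals directory listing)"))
            elif BACKUP_RE.search(f):
                findings.append((rel, "backup copy of a live file"))
            elif ARCHIVE_RE.search(f):
                findings.append((rel, "archive or database dump in web root"))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed demo web root in a temporary directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    for rel in ["index.php", "config.php", "config.php.bak", "config.php.20230101",
                "wwwroot.zip", "db.sql", ".DS_Store", ".git/HEAD", ".svn/entries",
                "static/logo.png", "uploads/data.tar.gz"]:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"demo")
    return root


if __name__ == "__main__":
    for rel, reason in audit_webroot(build_sample_tree()):
        print(f"{rel:28} {reason}")
```

Run it from a CI step or a pre-publish hook against the exact tree that gets synced to the server, since that is where the .git and .svn directories slip through.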
The ultimate impact depends on what leaks. If the leak is database credentials together with an address that can be connected to remotely, the harm is direct and the database can be taken over; if website source leaks, vulnerabilities in it may be found through code audit; if only static resources leak, the impact is almost negligible. Each case therefore has to be judged on its own.
Source: 信安之路