Sensitive directories

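Sensitive Linux paths. When a site has a file-inclusion vulnerability and permissions allow it, write a batch script for them, or just load them into Burp and run them in bulk!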

/apache/apache/conf/httpd.conf
/apache/apache2/conf/httpd.conf
/apache/php/php.ini
/bin/php.ini
/etc/anacrontab
/etc/apache/apache.conf
/etc/apache/httpd.conf
/etc/apache2/apache.conf
/etc/apache2/httpd.conf
/etc/apache2/sites-available/default
/etc/apache2/vhosts.d/00_default_vhost.conf
/etc/at.allow
/etc/at.deny
/etc/cron.allow
/etc/cron.deny
/etc/crontab
/etc/fstab
/etc/host.conf
/etc/httpd/conf.d/httpd.conf
/etc/httpd/conf.d/php.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/htdocs/index.html
/etc/httpd/htdocs/index.php
/etc/httpd/logs/access.log
/etc/httpd/logs/access_log
/etc/httpd/logs/error.log
/etc/httpd/logs/error_log
/etc/httpd/php.ini
/etc/init.d/httpd
/etc/init.d/mysql
/etc/ld.so.conf
/etc/motd
/etc/my.cnf
/etc/mysql/my.cnf
/etc/network/interfaces
/etc/networks
/etc/passwd
/etc/php.ini
/etc/php/apache/php.ini
/etc/php/apache2/php.ini
/etc/php/cgi/php.ini
/etc/php/php.ini
/etc/php/php4/php.ini
/etc/php4.4/fcgi/php.ini
/etc/php4/apache/php.ini
/etc/php4/apache2/php.ini
/etc/php4/cgi/php.ini
/etc/php5/apache/php.ini
/etc/php5/apache2/php.ini
/etc/php5/cgi/php.ini
/etc/phpmyadmin/config.inc.php
/etc/resolv.conf
/etc/shadow
/etc/ssh/sshd_config
/etc/ssh/ssh_config
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_key.pub
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_rsa_key.pub
/etc/sysconfig/network
/home/apache/conf/httpd.conf
/home/apache2/conf/httpd.conf
/home/bin/stable/apache/php.ini
/home2/bin/stable/apache/php.ini
/NetServer/bin/stable/apache/php.ini
/opt/www/conf/httpd.conf
/opt/www/htdocs/index.html
/opt/www/htdocs/index.php
/opt/xampp/etc/php.ini
/PHP/php.ini
/php/php.ini
/php4/php.ini
/php5/php.ini
/root/.atftp_history
/root/.bashrc
/root/.bash_history
/root/.mysql_history
/root/.nano_history
/root/.php_history
/root/.profile
/root/.ssh/authorized_keys
/root/.ssh/identity
/root/.ssh/identity.pub
/root/.ssh/id_dsa
/root/.ssh/id_dsa.pub
/root/.ssh/id_rsa
/root/.ssh/id_rsa.pub
/root/anaconda-ks.cfg
/tmp/apache/htdocs/index.html
/tmp/apache/htdocs/index.php
/usr/lib/php.ini
/usr/lib/php/php.ini
/usr/local/apache/conf/httpd.conf
/usr/local/apache/conf/php.ini
/usr/local/apache/htdocs/index.html
/usr/local/apache/htdocs/index.php
/usr/local/apache/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access_logaccess_log.old
/usr/local/apache/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error_logerror_log.old
/usr/local/apache2/conf/httpd.conf
/usr/local/apache2/conf/php.ini
/usr/local/apache2/htdocs/index.html
/usr/local/apache2/htdocs/index.php
/usr/local/cpanel/logs
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/login_log
/usr/local/cpanel/logs/stats_log
/usr/local/etc/php.ini
/usr/local/httpd/conf/httpd.conf
/usr/local/httpd2.2/htdocs/index.html
/usr/local/httpd2.2/htdocs/index.php
/usr/local/lib/php.ini
/usr/local/mysql/bin/mysql
/usr/local/mysql/my.cnf
/usr/local/php/lib/php.ini
/usr/local/php4/lib/php.ini
/usr/local/php4/php.ini
/usr/local/php5/etc/php.ini
/usr/local/php5/lib/php.ini
/usr/local/php5/php5.ini
/usr/local/share/examples/php/php.ini
/usr/local/share/examples/php4/php.ini
/usr/local/tomcat5527/bin/version.sh
/usr/local/Zend/etc/php.ini
/usr/share/tomcat6/bin/startup.sh
/usr/tomcat6/bin/startup.sh
/var/apache2/config.inc
/var/httpd/conf/httpd.conf
/var/httpd/conf/php.ini
/var/httpd/htdocs/index.html
/var/httpd/htdocs/index.php
/var/lib/mysql/my.cnf
/var/lib/mysql/mysql/user.MYD
/var/local/www/conf/httpd.conf
/var/local/www/conf/php.ini
/var/log/access.log
/var/log/access_log
/var/log/apache/access.log
/var/log/apache/access_log
/var/log/apache/error.log
/var/log/apache/error_log
/var/log/apache2/access.log
/var/log/apache2/access_log
/var/log/apache2/error.log
/var/log/apache2/error_log
/var/log/error.log
/var/log/error_log
/var/log/mysql.log
/var/log/mysql/mysql-bin.log
/var/log/mysql/mysql-slow.log
/var/log/mysql/mysql.log
/var/log/mysqlderror.log
/var/mail/root
/var/mysql.log
/var/spool/cron/crontabs/root
/var/spool/mail/root
/var/www/conf/httpd.conf
/var/www/htdocs/index.html
/var/www/htdocs/index.php
/var/www/index.html
/var/www/index.php
/var/www/logs/access.log
/var/www/logs/access_log
/var/www/logs/error.log
/var/www/logs/error_log
/web/conf/php.ini
/www/conf/httpd.conf
/www/htdocs/index.html
/www/htdocs/index.php
/www/php/php.ini
/www/php4/php.ini
/www/php5/php.ini
/xampp/apache/bin/php.ini
/xampp/apache/conf/httpd.conf
root/.ssh/authorized_keys
root/.ssh/identity
root/.ssh/identity.pub
root/.ssh/id_dsa
root/.ssh/id_dsa.pub
root/.ssh/id_rsa
root/.ssh/id_rsa.pub
(( Using sensitive directories and sensitive registry keys in Windows privilege escalation ))

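| Sensitive directory | Directory permissions | Use in privilege escalation |
| --- | --- | --- |
| C:\Program Files\ | The default Users group has read permission on this directory | Shows which applications are installed on the server |
| C:\Documents and Settings\All Users\「開始」菜單\程序 (Start Menu\Programs on English-locale systems) | Everyone has read permission | Holds shortcuts; the files can be downloaded and their properties show the install path |
| C:\Documents and Settings\All Users\Documents | Everyone has full control | Upload and run cmd and exp |
| C:\windows\system32\inetsrv\ | Everyone has full control | Upload and run cmd and exp |
| C:\windows\my.ini, C:\Program Files\MySQL\MySQL Server 5.0\my.ini | The default Users group has read permission | When MySQL is installed, the root password is written to this file |
| C:\windows\system32\ | The default Users group has read permission | Shift backdoors are usually in this folder; the backdoor can be downloaded and its password cracked |
| C:\Documents and Settings\All Users\「開始」菜單\程序\啓動 (Start Menu\Programs\Startup on English-locale systems) | Everyone has read permission | You can try writing a vbs or bat file to this directory; it runs after the server restarts |
| C:\RECYCLER\, D:\RECYCLER\ | Everyone has full control | Recycle Bin directory. Often used to run cmd and exp |
| C:\Program Files\Microsoft SQL Server\ | The default Users group has read permission on this directory | Collect MSSQL-related information; sometimes this directory also has execute permission |
| C:\Program Files\MySQL\ | The default Users group has read permission on this directory | Find the root password in user.MYD under the MySQL directory |
| C:\oraclexe\ | The default Users group has read permission on this directory | You can try escalating through Oracle's default accounts |
| C:\WINDOWS\system32\config | The default Users group has read permission on this directory | Try downloading the SAM file and cracking it to escalate |
| C:\Program Files\Geme6 FTP Server\Remote Admin\Remote.ini | The default Users group has read permission on this directory | Remote.ini stores the G6FTP password |
| c:\Program Files\RhinoSoft.com\Serv-U\, c:\Program Files\Serv-U\ | The default Users group has read permission on this directory | ServUDaemon.ini stores the virtual-host site paths and passwords |
| c:\windows\system32\inetsrv\MetaBase.xml | The default Users group has read permission on this directory | IIS configuration file |
| C:tomcat5.0\conf\resin.conf | The default Users group has read permission on this directory | Where Tomcat stores passwords |
| C:\ZKEYS\Setup.ini | The default Users group has read permission on this directory | Where the ZKEYS virtual host stores passwords |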

(( Sensitive registry locations in privilege escalation ))

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib\Tcp : MSSQL port

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server DenyTSConnections : Remote terminal; a value of 0 means it is enabled

HKEY_LOCAL_MACHINE\SOFTWARE\MySQL AB\ : Registry location for mssql

HKEY_LOCAL_MACHINE\SOFTWARE\HZHOST\CONFIG\ : Registry configuration location of HZHOST (華衆主機)

HKEY_LOCAL_MACHINE\SOFTWARE\Cat Soft\Serv-U\Domains\1\UserList\ : Location of the Serv-U users and passwords (SU-encrypted)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp : The PortNumber value at this registry location is the 3389 port value

HKEY_CURRENT_USER\Software\PremiumSoft\Navicat\Servers : Registry location of Navicat, the MySQL management tool; for its use in privilege escalation, search Google

HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters : Radmin configuration; in privilege escalation it is often exported and then overwritten to escalate

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MSFtpsvc\Parameters\Virtual Roots\ : IIS registry vulnerability, in all versions, that leaks user paths and FTP usernames

HKEY_LOCAL_MACHINE\software\hzhost\config\Settings\mastersvrpass : Passwords for mssql, mysql, etc. that HZHOST (華衆主機) stores in the registry

HKEY_LOCAL_MACHINE\SYSTEM\LIWEIWENSOFT\INSTALLFREEADMIN\11 : Password of the mssql sa account on the 星外 hosting panel, double-MD5 encrypted

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MSFtpsvc\Parameters\Virtual Roots\ControlSet002 : Registry location of the 星外 FTP; of course this also includes ControlSet001 and ControlSet003
