敏感目录

Linux敏感目录，网站存在包含漏洞，权限容许的条件下，写个批处理脚本。或者直接 放在burp里面批量跑！

/apache/apache/conf/httpd.conf
/apache/apache2/conf/httpd.conf
/apache/php/php.ini
/bin/php.ini
/etc/anacrontab
/etc/apache/apache.conf
/etc/apache/httpd.conf
/etc/apache2/apache.conf
/etc/apache2/httpd.conf
/etc/apache2/sites-available/default
/etc/apache2/vhosts.d/00_default_vhost.conf
/etc/at.allow
/etc/at.deny
/etc/cron.allow
/etc/cron.deny
/etc/crontab
/etc/fstab
/etc/host.conf
/etc/httpd/conf.d/httpd.conf
/etc/httpd/conf.d/php.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/htdocs/index.html
/etc/httpd/htdocs/index.php
/etc/httpd/logs/access.log
/etc/httpd/logs/access_log
/etc/httpd/logs/error.log
/etc/httpd/logs/error_log
/etc/httpd/php.ini
/etc/init.d/httpd
/etc/init.d/mysql
/etc/ld.so.conf
/etc/motd
/etc/my.cnf
/etc/mysql/my.cnf
/etc/mysql/my.cnf
/etc/network/interfaces
/etc/networks
/etc/passwd
/etc/php.ini
/etc/php/apache/php.ini
/etc/php/apache2/php.ini
/etc/php/cgi/php.ini
/etc/php/php.ini
/etc/php/php4/php.ini
/etc/php4.4/fcgi/php.ini
/etc/php4/apache/php.ini
/etc/php4/apache2/php.ini
/etc/php4/cgi/php.ini
/etc/php5/apache/php.ini
/etc/php5/apache2/php.ini
/etc/php5/cgi/php.ini
/etc/phpmyadmin/config.inc.php
/etc/resolv.conf
/etc/shadow
/etc/ssh/sshd_config
/etc/ssh/sshd_config
/etc/ssh/ssh_config
/etc/ssh/ssh_config
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_key.pub
/etc/ssh/ssh_host_key.pub
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_rsa_key.pub
/etc/ssh/ssh_host_rsa_key.pub
/etc/sysconfig/network
/etc/sysconfig/network
/home/apache/conf/httpd.conf
/home/apache2/conf/httpd.conf
/home/bin/stable/apache/php.ini
/home2/bin/stable/apache/php.ini
/NetServer/bin/stable/apache/php.ini
/opt/www/conf/httpd.conf
/opt/www/htdocs/index.html
/opt/www/htdocs/index.php
/opt/xampp/etc/php.ini
/PHP/php.ini
/php/php.ini
/php4/php.ini
/php5/php.ini
/root/.atftp_history
/root/.bashrc
/root/.bash_history
/root/.mysql_history
/root/.nano_history
/root/.php_history
/root/.profile
/root/.ssh/authorized_keys
/root/.ssh/identity
/root/.ssh/identity.pub
/root/.ssh/id_dsa
/root/.ssh/id_dsa.pub
/root/.ssh/id_rsa
/root/.ssh/id_rsa.pub
/root/anaconda-ks.cfg
/tmp/apache/htdocs/index.html
/tmp/apache/htdocs/index.php
/usr/lib/php.ini
/usr/lib/php/php.ini
/usr/local/apache/conf/httpd.conf
/usr/local/apache/conf/php.ini
/usr/local/apache/htdocs/index.html
/usr/local/apache/htdocs/index.php
/usr/local/apache/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access_logaccess_log.old
/usr/local/apache/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error_logerror_log.old
/usr/local/apache2/conf/httpd.conf
/usr/local/apache2/conf/php.ini
/usr/local/apache2/htdocs/index.html
/usr/local/apache2/htdocs/index.php
/usr/local/cpanel/logs
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/login_log
/usr/local/cpanel/logs/stats_log
/usr/local/cpanel/logs/stats_log
/usr/local/etc/php.ini
/usr/local/httpd/conf/httpd.conf
/usr/local/httpd2.2/htdocs/index.html
/usr/local/httpd2.2/htdocs/index.php
/usr/local/lib/php.ini
/usr/local/mysql/bin/mysql
/usr/local/mysql/my.cnf
/usr/local/php/lib/php.ini
/usr/local/php4/lib/php.ini
/usr/local/php4/lib/php.ini
/usr/local/php4/php.ini
/usr/local/php5/etc/php.ini
/usr/local/php5/lib/php.ini
/usr/local/php5/php5.ini
/usr/local/share/examples/php/php.ini
/usr/local/share/examples/php4/php.ini
/usr/local/tomcat5527/bin/version.sh
/usr/local/Zend/etc/php.ini
/usr/share/tomcat6/bin/startup.sh
/usr/tomcat6/bin/startup.sh
/var/apache2/config.inc
/var/httpd/conf/httpd.conf
/var/httpd/conf/php.ini
/var/httpd/conf/php.ini
/var/httpd/htdocs/index.html
/var/httpd/htdocs/index.php
/var/lib/mysql/my.cnf
/var/lib/mysql/mysql/user.MYD
/var/local/www/conf/httpd.conf
/var/local/www/conf/php.ini
/var/log/access.log
/var/log/access_log
/var/log/apache/access.log
/var/log/apache/access_log
/var/log/apache/error.log
/var/log/apache/error_log
/var/log/apache2/access.log
/var/log/apache2/access_log
/var/log/apache2/error.log
/var/log/apache2/error_log
/var/log/error.log
/var/log/error_log
/var/log/mysql.log
/var/log/mysql/mysql-bin.log
/var/log/mysql/mysql-slow.log
/var/log/mysql/mysql.log
/var/log/mysqlderror.log
/var/mail/root
/var/mysql.log
/var/spool/cron/crontabs/root
/var/spool/mail/root
/var/www/conf/httpd.conf
/var/www/htdocs/index.html
/var/www/htdocs/index.php
/var/www/index.html
/var/www/index.php
/var/www/logs/access.log
/var/www/logs/access_log
/var/www/logs/error.log
/var/www/logs/error_log
/web/conf/php.ini
/www/conf/httpd.conf
/www/htdocs/index.html
/www/htdocs/index.php
/www/php/php.ini
/www/php4/php.ini
/www/php5/php.ini
/xampp/apache/bin/php.ini
/xampp/apache/conf/httpd.conf
root/.ssh/authorized_keys
root/.ssh/identity
root/.ssh/identity.pub
root/.ssh/id_dsa
root/.ssh/id_dsa.pub
root/.ssh/id_rsa
root/.ssh/id_rsa.pub

 

 

 

(( windows提权中敏感目录和敏感注册表的利用 ))

 

敏感目录 目录权限 提权用途

 

C:\Program Files\ 默认用户组users对该目录拥有查看权 能够查看服务器安装的应用软件

C:\Documents and Settings\All Users\「开始」菜单\程序 Everyone拥有查看权限 存放快捷方式，能够下载文件，属性查看安装路径

C:\Documents and Settings\All Users\Documents Everyone彻底控制权限 上传执行cmd及exp

C:\windows\system32\inetsrv\ Everyone彻底控制权限 上传执行cmd及exp

C:\windows\my.iniC:\Program Files\MySQL\MySQL Server 5.0\my.ini 默认用户组users拥有查看权限 安装mysql时会将root密码写入该文件

C:\windows\system32\ 默认用户组users拥有查看权限 Shift后门通常是在该文件夹，能够下载后门破解密码

C:\Documents and Settings\All Users\「开始」菜单\程序\启动 Everyone拥有查看权限 能够尝试向该目录写入vbs或bat，服务器重启后运行。

C:\RECYCLER\D:\RECYCLER\ Everyone彻底控制权限 回收站目录。经常使用于执行cmd及exp

C:\Program Files\Microsoft SQL Server\ 默认用户组users对该目录拥有查看权限 收集mssql相关信息，有时候该目录也存在可执行权限

C:\Program Files\MySQL\ 默认用户组users对该目录拥有查看权限 找到MYSQL目录中user.MYD里的root密码

C:\oraclexe\ 默认用户组users对该目录拥有查看权限 能够尝试利用Oracle的默认帐户提权

C:\WINDOWS\system32\config 默认用户组users对该目录拥有查看权限 尝试下载sam文件进行破解提权

C:\Program Files\Geme6 FTP Server\Remote Admi

 

n\Remote.ini 默认用户组users对该目录拥有查看权限 Remote.ini文件中存放着G6FTP的密码

c:\Program Files\RhinoSoft.com\Serv-U\c:\Program Files\Serv-U\ 默认用户组users对该目录拥有查看权限 ServUDaemon.ini 中存储了虚拟主机网站路径和密码

c:\windows\system32\inetsrv\MetaBase.xml 默认用户组users对该目录拥有查看权限 IIS配置文件

C:tomcat5.0\conf\resin.conf 默认用户组users对该目录拥有查看权限 Tomat存放密码的位置

C:\ZKEYS\Setup.ini 默认用户组users对该目录拥有查看权限 ZKEYS虚拟主机存放密码的位置

 

 

 

 

 

(( 提权中的敏感注册表位置 ))

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib\Tcp Mssql端口

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server DenyTSConnections 远程终端 值为0 即为开启

HKEY_LOCAL_MACHINE\SOFTWARE\MySQL AB\ mssql的注册表位置

HKEY_LOCAL_MACHINE\SOFTWARE\HZHOST\CONFIG\ 华众主机注册表配置位置

HKEY_LOCAL_MACHINE\SOFTWARE\Cat Soft\Serv-U\Domains\1\UserList\ serv-u的用户及密码（su加密）位置

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TerminalServer\ WinStations\RDP-Tcp 在该注册表位置PortNumber的值即位3389端口值

HKEY_CURRENT_USER\Software\PremiumSoft\Navicat\Servers mysql管理工具Navicat的注册表位置，提权运用请谷歌

HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters Radmin的配置文件，提权中常将其导出进行进行覆盖提权

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MSFtpsvc\Parameters\Virtual Roots\ IIS注册表全版本泄漏用户路径和FTP用户名漏洞

HKEY_LOCAL_MACHINE\software\hzhost\config\Settings\mastersvrpass 华众主机在注册表中保存的mssql、mysql等密码

HKEY_LOCAL_MACHINE\SYSTEM\LIWEIWENSOFT\INSTALLFREEADMIN\11 星外主机mssql的sa帐号密码，双MD5加密

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MSFtpsvc\Parameters\Virtual Roots\ControlSet002 星外ftp的注册表位置，固然也包括ControlSet00一、ControlSet003