How to clean up website source code sharing? How to remove the VIP copy restriction from web page source code

Hello everyone, and thanks for the invitation. Today I will walk through the question of how to clean up website source code sharing, and clear up some confusion about removing the VIP copy restriction from web page source code. If it is still not clear to you, that is fine, because what follows is meant to help you solve these problems. Let's get started!

Sensitive files are files that carry sensitive information. The most common ones are database configuration files, website source code backups and database dumps. For convenience, an administrator puts a source code backup in the web directory, downloads it to a local machine, and then forgets to delete it after the download, which is how the vulnerability appears.

Configuration file leaks

The most typical case is the leak of Spring framework configuration through the Actuator endpoints; the common path is:

/actuator/env

.svn

Apache:

<Directory ~ "\.svn">
    Order allow,deny
    Deny from all
</Directory>

Nginx:

location ~ ^(.*)\/\.svn\/ {
    return 404;
}

git

When you run git init to initialise a repository, a hidden .git directory is created in the current directory to record the change history of the code and so on. If the code is then published with this .git directory still in place, the directory can be used to recover the source code.

An attacker exploits this weakness by downloading the full contents of the .git folder. If the folder contains sensitive information (database account and password, source code, and so on), white-box auditing of that material may lead directly to control of the server!

Finding the vulnerability

1. First check whether the site visibly mentions Git; if it does, there is a good chance the site has this problem.

2. If the site gives no obvious hint, a directory scanner such as dirsearch can be used; a .git leak will show up in the scan results.

3. The most direct way is to request the .git directory through the browser; if it can be accessed, the leak exists.

Once the leak is confirmed, a tool can be used to download the complete source code exposed through .git.

Recommended tool

https://github.com/0xHJK/dumpall

.DS_Store

.DS_Store is a data file that Finder on macOS uses to store how files and folders are displayed; there is one in every folder. On Windows the equivalents are the desktop.ini and Thumbs.db files.

If developers or designers upload .DS_Store files into the production environment, the directory structure can leak, in particular backup files and source code files.

For example, on my local system:

Trying to parse it with a tool:

You can see some of the directory names from my local folder.

Recommended tools

https://github.com/gehaxelt/Python-dsstore

https://github.com/lijiejie/ds_store_exp
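The leaks described in the sections above (.git and .svn metadata, .DS_Store, forgotten backups) all come from files that should never have reached the web root. The following pre-deploy check is an added example, not part of the original post or of the tools it recommends; it assumes the web root path is passed as an argument and that find, od and head are available.

```shell
#!/bin/sh
# Pre-deploy lint for a web root: lists leftover files whose exposure this
# article describes. Run it against the directory about to be published,
# e.g. check_webroot /var/www/html (assumed example path).
check_webroot() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    # Version-control metadata directories that must never ship.
    vcs=$(find "$root" -type d \( -name .git -o -name .svn \) -prune -print)
    # macOS Finder metadata; leaks the directory listing it was created in.
    dss=$(find "$root" -type f -name .DS_Store -print)
    # Backups and dumps an admin downloads and forgets to delete.
    bak=$(find "$root" -type f \( -name '*.bak' -o -name '*.sql' -o -name '*.zip' \
          -o -name '*.tar.gz' -o -name '*.rar' -o -name '*.old' \) -print)
    printf '%s\n%s\n%s\n' "$vcs" "$dss" "$bak" | sed '/^$/d'
}

# Finder's .DS_Store starts with 00 00 00 01 followed by the magic "Bud1";
# checking the header avoids false alarms on an unrelated file with that name.
is_ds_store() {
    hdr=$(head -c 8 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$hdr" = "0000000142756431" ]
}

# Returns 0 when nothing was found, 1 when the web root needs cleaning.
webroot_is_clean() {
    n=$(check_webroot "$1" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}
```

Wire webroot_is_clean into the deploy script so that publishing aborts while the list is non-empty; the Apache and Nginx rules earlier in the post remain the second line of defence for anything that slips through.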

Summary

For the material covered today, the final impact depends on which file leaks. If it is the address, account and password of a database that accepts remote connections, the harm is direct: the database can be taken over. If it is the website source code, vulnerabilities may be found through code audit. If it is only static resources, the harm is almost negligible. So each case needs to be judged on its own.

Source: 信安之路


Published by

风君子

Roaming alone, I bow to no one; turning heaven and earth over, I console a lifetime.