linux渗透与安全第二节 - 读取配置文件
国际上最通用的Linux虚拟主机搭建方式是这样的:
Linux操作系统+Apache网站容器+PHP脚+MySQL数据库
一个服务器上的网站配置信息显然都储存在Apache的配置文件中。通常Apache会安装在Linux的这个目录下:/usr/local,其Apache的conf配置文件也会在Apache的目录下,当然,也有的Apache配置文件会单独拿出来,放到例如/etc/httpd/conf/httpd.conf这样的地方。今天我就拿两则cent os系统来说明一下读取配置文件的相关内容。既然前面老大Mr.Cool做了一篇Linux文章了,为了配合其连续性,我最终还是把作者名改成。
第一则是一个电脑学校自己搭建的虚拟主机。Apache没有安装在/usr/local这个目录下,实际上管理员还对Apache做了userdir的权 限设定,也就是说虽然是Linux+Apache的主机,但是无法直接读取虚拟主机目录以外的文件夹内容。好在exec和system还能用。
这样的话我就用ls命令列目录。
/usr目录翻遍没有找到Apache的踪迹。web的目录是/server
那么我就用ls列/server的目录,最后确定在这里:
ls /server/program
回显:
apache
apr
apr-util
curl
freetype2
gd2
ImageMagick
jpeg6
libxml2
mysql
php
proftpd
subversion
zlib
复制代码
是Apache目录,读取conf里面的配置文件:
cat /server/program/apache/conf/extra/httpd-vhosts.conf
复制代码
得到回显如下(出于隐私保护的原则已隐藏处理):
# Virtual Hosts
#
# If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# <URL:http://httpd.apache.org/docs/2.2/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.
NameVirtualHost *:80
<VirtualHost *:80>
Options Includes None
DocumentRoot "/server/www/cnnb315"
ServerName www.cnnb315.com
ErrorLog "logs/cnnb315-1.com-error_log"
CustomLog "logs/cnnb315-1.com-access_log" common
php_admin_value open_basedir "/server/www/cnnb315:/tmp"
</VirtualHost>
<VirtualHost *:80>
Options Includes None
DocumentRoot "/server/www/cnnb315"
ServerName cnnb315.com
ErrorLog "logs/cnnb315-1.com-error_log"
CustomLog "logs/cnnb315-1.com-access_log" common
php_admin_value open_basedir "/server/www/cnnb315:/tmp"
</VirtualHost>
###### xiaofeicn.com Start ######
<VirtualHost *:80>
Options Includes None
ServerAdmin admin@xiaofeicn.com
DocumentRoot /server/www/xiaofeicn
ServerName xiaofeicn.com
php_admin_value open_basedir "/server/www/xiaofeicn/:/tmp/"
ErrorDocument 404 /404.php
## RewriteEngine on
## RewriteRule ^(.*)/list-([0-9]+)-([0-9]+)\.html$ $1/list.php?forum_id=$2&page=$3
## RewriteRule ^(.*)/detail-([0-9]+)-([0-9]+)\.html$ $1/detail.php?thread_id=$2&page=$3
ErrorLog logs/xiaofeicn.com-error_log
CustomLog logs/xiaofeicn.com-access_log common
</VirtualHost>
<VirtualHost *:80>
Options Includes None
ServerAdmin admin@xiaofeicn.com
DocumentRoot /server/www/xiaofeicn
ServerName www.xiaofeicn.com
php_admin_value open_basedir "/server/www/xiaofeicn/:/tmp/"
ErrorDocument 404 /404.php
## RewriteEngine on
## RewriteRule ^(.*)/list-([0-9]+)-([0-9]+)\.html$ $1/list.php?forum_id=$2&page=$3
## RewriteRule ^(.*)/detail-([0-9]+)-([0-9]+)\.html$ $1/detail.php?thread_id=$2&page=$3
ErrorLog logs/xiaofeicn-1.com-error_log
CustomLog logs/xiaofeicn-1.com-access_log common
</VirtualHost>
<VirtualHost *:80>
Options Includes None
ServerAdmin admin@xingmo.com
DocumentRoot /server/www/file
ServerName file.xiaofeicn.com
php_admin_value open_basedir "/server/www/file/:/tmp/"
</VirtualHost>
<VirtualHost *:80>
Options Includes None
ServerAdmin admin@xingmo.com
DocumentRoot /server/www/xiaofeicn/bbs
ServerName bbs.xiaofeicn.com
php_admin_value open_basedir "/server/www/xiaofeicn/bbs/:/tmp/"
RewriteEngine on
RewriteRule ^(.*)/list-([0-9]+)-([0-9]+)\.html$ $1/list.php?forum_id=$2&page=$3
RewriteRule ^(.*)/detail-([0-9]+)-([0-9]+)\.html$ $1/detail.php?thread_id=$2&page=$3
ErrorDocument 404 /404.php
</VirtualHost>
<VirtualHost *:80>
Options Includes None
ServerAdmin admin@xingmo.com
DocumentRoot /server/www/xiaofeicn/blog
ServerName blog.xiaofeicn.com
RewriteEngine on
RewriteRule /([0-9a-zA-Z]+)([\-0-9a-zA-Z]*)([0-9a-zA-Z]+)([\/]?)$ /blog/index.php?enname=$1$2$3 [PT]
php_admin_value open_basedir "/server/www/xiaofeicn/blog/:/tmp/"
</VirtualHost>
<VirtualHost *:80>
Options Includes None
ServerAdmin admin@xingmo.com
DocumentRoot /server/www/xiaofeicn/pw
ServerName pw.xiaofeicn.com
php_admin_value open_basedir "/server/www/xiaofeicn/pw/:/tmp/"
</VirtualHost>
<VirtualHost *:80>
Options Includes None
ServerAdmin admin@xingmo.com
DocumentRoot /server/www/xiaofeicn/sh
ServerName sh.xiaofeicn.com
php_admin_value open_basedir "/server/www/xiaofeicn/sh/:/tmp/"
</VirtualHost>
<VirtualHost *:80>
Options Includes None
ServerAdmin admin@xingmo.com
DocumentRoot /server/www/haocanmou
ServerName haocanmou.com
ErrorLog logs/haocanmou.com-error_log
CustomLog logs/haocanmou.com-access_log common
php_admin_value open_basedir "/server/www/haocanmou/:/tmp/"
</VirtualHost>
<VirtualHost *:80>
Options Includes None
ServerAdmin admin@xingmo.com
DocumentRoot /server/www/haocanmou
ServerName www.haocanmou.com
ErrorLog logs/haocanmou-1.com-error_log
CustomLog logs/haocanmou-1.com-access_log common
php_admin_value open_basedir "/server/www/haocanmou/:/tmp/"
</VirtualHost>
<VirtualHost *:80>
Options Includes None
ServerAdmin admin@xingmo.com
DocumentRoot /server/www/bwjy
ServerName bwjy.com
php_admin_value open_basedir "/server/www/bwjy/:/tmp/"
</VirtualHost>
<VirtualHost *:80>
Options Includes None
ServerAdmin admin@xingmo.com
DocumentRoot /server/www/bwjy
ServerName www.bwjy.com
php_admin_value open_basedir "/server/www/bwjy/:/tmp/"
</VirtualHost>
<VirtualHost *:80>
Options Includes None
ServerAdmin admin@xiaofeicn.com
DocumentRoot /server/www/haorenq
ServerName haorenq.com
php_admin_value open_basedir "/server/www/haorenq/:/tmp/"
ErrorDocument 404 /404.php
<Directory "/server/www/haorenq">
AllowOverride All
Options -Indexes FollowSymLinks
Order allow,deny
Allow from all
</Directory>
ErrorLog logs/haorenq-1.com-error_log
CustomLog logs/haorenq-1.com-access_log common
</VirtualHost>
<VirtualHost *:80>
Options Includes None
ServerAdmin admin@xiaofeicn.com
DocumentRoot /server/www/haorenq
ServerName www.haorenq.com
php_admin_value open_basedir "/server/www/haorenq/:/tmp/"
ErrorDocument 404 /404.php
<Directory "/server/www/haorenq">
AllowOverride All
Options -Indexes FollowSymLinks
Order allow,deny
Allow from all
</Directory>
ErrorLog logs/haorenq-1.com-error_log
CustomLog logs/haorenq-1.com-access_log common
</VirtualHost>
<VirtualHost *:80>
ServerName haorenquan.com
RewriteEngine on
RewriteRule ^(.*)$ http://www.haorenq.com$1 [R=301,L]
</VirtualHost>
<VirtualHost *:80>
ServerName www.haorenquan.com
RewriteEngine on
RewriteRule ^(.*)$ http://www.haorenq.com$1 [R=301,L]
</VirtualHost>
###### xiaofeicn.com End ######
###### xm start ######
<VirtualHost *:80>
Options Includes None
ServerAdmin admin@xingmo.com
DocumentRoot /server/www/xm/91lamp_file
ServerName file.91lamp.com
ErrorLog logs/file.91lamp-1.com-error_log
CustomLog logs/file.91lamp-1.com-access_log common
php_admin_value open_basedir "/server/www/xm/91lamp_file/:/tmp/"
</VirtualHost>
<VirtualHost *:80>
Options Includes None
ServerAdmin admin@xingmo.com
DocumentRoot /server/www/xm/xingmo_net/cons
ServerName cons.xingmo.net
ErrorLog logs/xingmo-1.net-error_log
CustomLog logs/xingmo-1.net-access_log common
php_admin_value open_basedir "/server/www/xm/xingmo_net/cons/:/tmp/"
</VirtualHost>
<VirtualHost *:80>
Options Includes None
ServerAdmin admin@xingmo.com
DocumentRoot /server/www/xm/beijingphp
ServerName beijingphp.com
ErrorLog logs/beijingphp-1.com-error_log
CustomLog logs/beijingphp-1.com-access_log common
php_admin_value open_basedir "/server/www/xm/beijingphp/:/tmp/"
</VirtualHost>
<VirtualHost *:80>
Options Includes None
ServerAdmin admin@xingmo.com
DocumentRoot /server/www/xm/beijingphp
ServerName www.beijingphp.com
ErrorLog logs/beijingphp-1.com-error_log
CustomLog logs/beijingphp-1.com-access_log common
php_admin_value open_basedir "/server/www/xm/beijingphp/:/tmp/"
</VirtualHost>
<VirtualHost *:80>
Options Includes None
ServerAdmin admin@xingmo.com
DocumentRoot /server/www/xm/xingmo_com
ServerName xingmo.com
ErrorLog logs/xingmo.com-error_log
CustomLog logs/xingmo.com-access_log common
php_admin_value open_basedir "/server/www/xm/xingmo_com/:/tmp/"
</VirtualHost>
<VirtualHost *:80>
Options Includes None
ServerAdmin admin@xingmo.com
DocumentRoot /server/www/xm/xingmo_com
ServerName www.xingmo.com
ErrorLog logs/xingmo.com-error_log
CustomLog logs/xingmo.com-access_log common
php_admin_value open_basedir "/server/www/xm/xingmo_com/:/tmp/"
</VirtualHost>
<VirtualHost *:80>
Options Includes None
ServerAdmin admin@xingmo.com
DocumentRoot /server/www/xm/xingmo_zhuozhou
ServerName zhuozhou.xingmo.com
ErrorLog logs/xingmo.com-error_log
CustomLog logs/xingmo.com-access_log common
php_admin_value open_basedir "/server/www/xm/xingmo_zhuozhou/:/tmp/"
</VirtualHost>
<VirtualHost *:80>
Options Includes None
ServerAdmin admin@xingmo.com
DocumentRoot /server/www/xm/xingmo_com/bbs
ServerName bbs.xingmo.com
ErrorLog logs/xingmo.com-error_log
CustomLog logs/xingmo.com-access_log common
php_admin_value open_basedir "/server/www/xm/xingmo_com/bbs/:/tmp/"
RewriteEngine on
RewriteRule ^(.*)/list-([0-9]+)-([0-9]+)\.html$ $1/list.php?forum_id=$2&page=$3
RewriteRule ^(.*)/detail-([0-9]+)-([0-9]+)\.html$ $1/detail.php?thread_id=$2&page=$3
ErrorDocument 404 /404.php
</VirtualHost>
<VirtualHost *:80>
Options Includes None
ServerAdmin admin@xingmo.com
DocumentRoot /server/www/xm/xingmo_com/blog
ServerName blog.xingmo.com
ErrorLog logs/xingmo.com-error_log
CustomLog logs/xingmo.com-access_log common
php_admin_value open_basedir "/server/www/xm/xingmo_com/blog/:/tmp/"
</VirtualHost>
###### xm end ######
复制代码
为什么要看这个配置呢?
首先,既然是虚拟主机,那就先要搞明白服务器上都有什么网站吧,目录在哪里。实话说,这个服务器的管理员水平不赖,URLrewrite都配置上了 - -
好吧,人不能夸,一夸尾巴容易翘天上去,他的web目录设置的,相当乱。。。
其次,管理员设置了目录权限,无法直接访问其他目录,那么就用system或者exec来执行command line命令,例如ls,再例如。。。
cp -a /xxxx /xxxxxx
复制代码
直接把webshell拷贝到目标网站的目录里。。。好邪恶。。。
好了,第二个是广岛大学研究所的一个服务器
这个大学的服务器依然是花了我不少时间去研究。。。研究所的目的难道就是让别人花老多时间去研究么。。。
服务器上PHP有执行command line的权限,也有直接读取其他目录文件的权限,独立服务器,权限比较宽松。这个大学的服务器上面,我搜索遍了,并没有找到Apache目录。显然我也没有找到配置文件。
原因是,我先入为主的认为Apache的配置文件应该在Apache目录下,没有找到Apache目录,自然找不到Apache的配置文件
其实这是错误的想法,Apache的配置文件未必就在Apache的目录下,真正的conf配置目录被单独安置在:/etc/httpd这个文件夹里面。 VirtualHost的配置大同小异,我就不贴了。当然了,Apache的log也在这个httpd文件夹下,看着别人还在扫目录,而我已经进来 了。。。。
91.198.57.14 - - [06/Apr/2011:02:19:58 +0900] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 226
91.198.57.14 - - [06/Apr/2011:02:19:59 +0900] "GET /PMA/scripts/setup.php HTTP/1.1" 404 219
91.198.57.14 - - [06/Apr/2011:02:19:59 +0900] "GET /pma/scripts/setup.php HTTP/1.1" 404 219
91.198.57.14 - - [06/Apr/2011:02:19:59 +0900] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 226
91.198.57.14 - - [06/Apr/2011:02:19:59 +0900] "GET /mysql/scripts/setup.php HTTP/1.1" 404 221
91.198.57.14 - - [06/Apr/2011:02:20:00 +0900] "POST /scripts/setup.php HTTP/1.1" 404 215
91.198.57.14 - - [06/Apr/2011:02:20:00 +0900] "POST /web/scripts/setup.php HTTP/1.1" 404 219
91.198.57.14 - - [06/Apr/2011:02:20:00 +0900] "POST /sql/scripts/setup.php HTTP/1.1" 401 401
91.198.57.14 - - [06/Apr/2011:02:20:00 +0900] "POST /db/scripts/setup.php HTTP/1.1" 404 218
91.198.57.14 - - [06/Apr/2011:02:20:00 +0900] "POST /admin/scripts/setup.php HTTP/1.1" 404 221
91.198.57.14 - - [06/Apr/2011:02:20:00 +0900] "POST /phpmyadmin/scripts/setup.php HTTP/1.1" 404 226
91.198.57.14 - - [06/Apr/2011:02:20:00 +0900] "POST /php/scripts/setup.php HTTP/1.1" 404 219
91.198.57.14 - - [06/Apr/2011:02:20:00 +0900] "POST /PMA/scripts/setup.php HTTP/1.1" 404 219
91.198.57.14 - - [06/Apr/2011:02:20:00 +0900] "POST /pma/scripts/setup.php HTTP/1.1" 404 219
91.198.57.14 - - [06/Apr/2011:02:20:00 +0900] "POST /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 226
91.198.57.14 - - [06/Apr/2011:02:20:00 +0900] "POST /mysql/scripts/setup.php HTTP/1.1" 404 221
德国的黑客好可爱。。。
本文没有什么特别的高深技术,无非是一点点个人经历的总结
转载请注明来自WebShell'S Blog,本文地址:https://www.webshell.cc/1357.html