Common small commands for privilege escalation under Linux

Source: Internet
Author: User

Some novices, after getting a webshell, give up on privilege escalation as soon as they see that the server runs Linux or Unix, believing that escalating privileges on Linux is hard and not something everyone can do. In fact it is not as hard as many people imagine; if you actually try, you may find that privilege escalation under Linux is not difficult, especially once you pick up the right methods. The simplest way I know is done from the command line, and many novices may never have touched some of the common Linux commands, so today I (Dangerous Walk) will introduce the Linux commands that are commonly used during privilege escalation. As I have only just learned a few Linux commands myself, please correct anything that is wrong or incomplete.

For most people, the simplest and most effective way to escalate privileges under Linux is through a local overflow vulnerability: find the right exploit program, run it from the command line, and the escalation is done.

Since most privilege escalation under Linux takes place at the command line, the first step is to get a command window. What we have first is a webshell, such as Phpspy. Although many webshells can execute commands on Linux, they can usually only run commands that need no interaction, so we first have to obtain a window in which interactive commands can be executed, by bouncing a shell back to our own machine. Phpspy has this feature built in, called "Back Connect".

To bounce a shell back, you need a computer with a public IP (a machine with only an intranet IP also works if port mapping has been set up). On the computer the shell will bounce back to, first use nc to listen on the port the shell will connect to; if that port is 12345, execute nc -vv -l -p 12345 to listen on port 12345.

Then go back to "Back Connect" in Phpspy. The field after "Your IP" is filled in automatically with your current computer's public IP; if you want to bounce to a different computer, enter that computer's IP instead. Here I am bouncing back to this machine, so nothing needs changing. "Your Port" is the port being listened on by the computer you are bouncing to; the default is 12345, which is why I listened on port 12345 on this machine, so "Your Port" does not need changing either. Of course, you can also listen on local port 123456 and then change "Your Port" to 123456 accordingly. Click the "Start" button to bounce; after a moment the local listening window shows the corresponding connection information, which means the bounce succeeded and we now have a window for executing interactive commands. Commands executed here behave almost identically to commands run in an Ubuntu terminal, so I will use an Ubuntu 10.10 terminal to demonstrate the commonly used privilege-escalation commands.

The commands that the low-privilege bounced shell has permission to execute include:

1. uname

Outputs system information. With no option given, only -s is assumed. The most commonly used option is -a. After executing uname -a in my Ubuntu 10.10 terminal, the leading "Linux" shows that the system is based on the Linux kernel, and 2.6.35-28 is the specific kernel version number. This version number matters: when an overflow vulnerability is used, the kernel version is the most important reference for finding an exploit, since the exploit program is chosen according to the current kernel version number.
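The kernel release that uname -a prints is the same string a defender uses to check whether a host is still below the release a patch advisory names. The following is an added example, not code from the original article: it parses a constructed uname -a line (hostname and build string are made up) and compares the release against an assumed minimum version.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of `uname -a` output on an Ubuntu 10.10 host; the
# hostname and the build string are made up for this example.
SAMPLE_UNAME = ("Linux test 2.6.35-28-generic #50-Ubuntu SMP "
                "Fri Mar 18 18:42:20 UTC 2011 x86_64 GNU/Linux")

# Matches "2.6.35-28-generic", "3.2.0-4-amd64" or "5.15.0"; the ABI number
# after the dash is optional.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?")

Version = Tuple[int, int, int, int]


def parse_kernel_release(uname_line: str) -> Optional[Version]:
    """Pull the kernel release (third field of `uname -a`) out of the line
    and return it as (major, minor, patch, abi) for numeric comparison.
    Returns None when the line does not look like Linux uname output."""
    fields = uname_line.split()
    if len(fields) < 3 or fields[0] != "Linux":
        return None
    match = _RELEASE_RE.match(fields[2])
    if not match:
        return None
    major, minor, patch, abi = match.groups()
    return (int(major), int(minor), int(patch), int(abi or 0))


def kernel_at_least(uname_line: str, required: Version) -> bool:
    """True when the running kernel is at or above `required` (an assumed
    minimum taken from a patch advisory). Unparseable input fails the
    check, so a garbled inventory line is flagged rather than passed."""
    parsed = parse_kernel_release(uname_line)
    return parsed is not None and parsed >= required


def hosts_below(uname_lines: List[str], required: Version) -> List[str]:
    """Return the uname lines whose kernel is older than `required`."""
    return [line for line in uname_lines if not kernel_at_least(line, required)]
```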

2. pwd

Shows the current directory. Before uploading the exploit program through the webshell, run pwd to get the current directory and upload the exploit directly into it, which saves the trouble of changing directories when running it. After pwd is executed, /home/test is displayed, meaning the current directory is /home/test/.

In addition, for a shell bounced back by a webshell such as Phpspy's "Back Connect", the default current directory is the webshell's own directory.

3. ifconfig

Displays network configuration information: which network cards exist, the configuration of each NIC (IP address, MAC address, subnet mask), and so on. The common option is -a. After ifconfig -a is executed, the output shows that the current system has one network card, eth0, with IP address 192.168.19.138 and subnet mask 255.255.255.0.

4. netstat

Displays the current network connections; it is the same as the netstat command on Windows, with similar functionality.

After netstat runs, a lot of network connection information is displayed.

5. ps

ps reports the status of running processes, and together with the kill command it can interrupt or remove unwanted programs at any time. The commonly used options are a, u and x:

a shows all processes on the current terminal, including those of other users.

u shows processes in a user-oriented format.

x shows all processes, without distinguishing them by terminal.

After ps aux is executed, the output shows each process's PID, CPU usage and other details. To end a process, run kill -9 PID, where PID is the process ID shown by ps aux; naturally, this requires the corresponding permissions.
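The bounced shell described earlier shows up in exactly the ps aux listing explained here: a shell binary running as the web-server account with no controlling terminal. The following is an added example, not code from the original article, that flags such processes in constructed ps aux output; the lists of service accounts and shell names are assumptions to tune per host.

```python
from dataclasses import dataclass
from typing import List

# Constructed `ps aux` output modelled on the page's scenario: a PHP webshell
# running under Apache has spawned an interactive shell as www-data.
SAMPLE_PS_AUX = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1   2880  1700 ?        Ss   10:01   0:01 /sbin/init
www-data  1432  0.0  0.3  41200  3400 ?        S    10:05   0:00 /usr/sbin/apache2 -k start
www-data  2210  0.0  0.1   4400  1200 ?        S    10:22   0:00 sh -c /bin/sh -i
www-data  2211  0.0  0.1   4400  1300 ?        S    10:22   0:00 /bin/sh -i
test      2300  0.0  0.2   6200  2900 pts/0    Ss   10:30   0:00 -bash
"""

# Assumed service accounts and shell binaries; adjust for the host in question.
SERVICE_USERS = {"www-data", "apache", "httpd", "nginx", "nobody"}
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}


@dataclass
class Proc:
    user: str
    pid: int
    tty: str
    command: str


def parse_ps_aux(text: str) -> List[Proc]:
    """Parse `ps aux` output. The COMMAND column may contain spaces, so each
    line is split into at most 11 fields and the remainder kept intact."""
    procs = []
    for line in text.splitlines()[1:]:        # skip the header row
        fields = line.split(None, 10)
        if len(fields) < 11:
            continue
        procs.append(Proc(fields[0], int(fields[1]), fields[6], fields[10]))
    return procs


def is_service_shell(proc: Proc) -> bool:
    """A shell running as a web-server account with no controlling terminal
    ('?') is the footprint of a command window spawned by a webshell."""
    exe = proc.command.split()[0].rsplit("/", 1)[-1].lstrip("-")
    return proc.user in SERVICE_USERS and proc.tty == "?" and exe in SHELLS


def suspicious_pids(text: str) -> List[int]:
    """PIDs from a `ps aux` listing that warrant investigation."""
    return [p.pid for p in parse_ps_aux(text) if is_service_shell(p)]
```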

6. gcc

Many Linux exploits are written in C, and what we get is often just the C source code of the exploit program. To turn it into an executable, the source has to be compiled, and this is where the famous GCC comes in. In some cases, for compatibility reasons, the exploit has to be compiled on the very Linux host being escalated, which again requires GCC. GCC (GNU Compiler Collection) is a set of programming language compilers developed by the GNU project. It is free software released under the GPL and LGPL licences, a key part of the GNU project, and the standard compiler for free Unix-like systems and Apple's Mac OS X. GCC was originally called the GNU C Compiler because it could only handle C; it quickly grew to handle C++, and later Fortran, Pascal, Objective-C, Java, Ada and other languages.

In most cases you can compile the overflow exploit on your own Linux system and upload the compiled program directly to the target host, so compiling on the target is not necessary. GCC is so powerful, with so many features and usages, that describing them all would fill a thick book; I cannot cover each one here and will only introduce the two aspects commonly used during Linux privilege escalation:

(1) gcc -v

Shows the installed GCC version. We run gcc -v to confirm that GCC is present on the system: if a version number is displayed, GCC is installed; if the command cannot be found, it is not. Ubuntu 10.10 has GCC installed by default.

(2) The other important function is compiling the exploit source code into an executable program. Assuming the overflow exploit source file is exp.c, upload exp.c through the webshell into the current directory on the target Linux host, then in the bounced command window execute gcc -o exp exp.c, which compiles exp.c into the executable exp. The -o option is followed by the name of the executable to produce, here exp, and the other argument, exp.c, is the file name of the exploit source to compile. If no errors are reported after the command, the compilation succeeded; run ls and you will find that the executable exp has been generated.

Next, type ./exp to run the exploit program exp. If the overflow succeeds, the output ends with a #; anyone with a little Linux knowledge knows that # corresponds to the root prompt, so seeing # means the escalation succeeded, and you can now run all sorts of commands with root privileges.

After gaining root through the overflow vulnerability, more commands become available, many of which could not be executed before. At this point you can run commands to obtain sensitive information, leave a backdoor, clean up logs and so on, in order to keep control of the compromised server.

1. cat .bash_history

Shows the commands the user has executed, that is, the commands run by the root user. Since much Linux administration is done at the command line, and administrators normally run commands as root, looking at the commands the administrator has entered can reveal a great deal of sensitive information.

2. cat /etc/passwd and cat /etc/shadow

Executing cat /etc/passwd and cat /etc/shadow respectively gives the contents of passwd and shadow. Save the contents of both files locally and use John with a dictionary to try to crack the root user's password; look up the relevant documentation for the specifics of cracking. cat /etc/shadow can only be run with root privileges.
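Whether a copied shadow file yields to a dictionary attack depends mostly on the hash scheme each entry uses, which is the first thing a defender should audit in that same file. The following is an added example, not code from the original article: it parses constructed /etc/shadow lines (all salts and hashes are placeholders) and lists the entries that would fall first.

```python
from typing import Dict, List

# Constructed /etc/shadow lines; the salts and hashes are placeholders.
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASH:15000:0:99999:7:::
test:$1$saltsalt$PLACEHOLDERHASH:15000:0:99999:7:::
backup:!:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
guest::15000:0:99999:7:::
"""

# Prefix of the password field -> crypt(3) scheme name.
SCHEMES: Dict[str, str] = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}
# Schemes cheap enough that a dictionary run against them is quick.
WEAK = {"md5crypt", "DES or unrecognised scheme", "empty (no password required)"}


def classify(password_field: str) -> str:
    """Name the hash scheme of one shadow password field."""
    if password_field == "":
        return "empty (no password required)"
    if password_field.startswith(("!", "*")):
        return "locked"
    for prefix, name in SCHEMES.items():
        if password_field.startswith(prefix):
            return name
    return "DES or unrecognised scheme"


def weak_accounts(shadow_text: str) -> List[str]:
    """Return 'user: scheme' for the entries a cracker would get to first."""
    findings = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue            # not a shadow-format line; skip it
        scheme = classify(fields[1])
        if scheme in WEAK:
            findings.append(f"{fields[0]}: {scheme}")
    return findings
```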

3. chmod

If you want to download a file from the server to your local machine after obtaining root, my method is to execute cp to copy the file into the website's web directory; however, the copied file can only be accessed by the root user, and downloading it directly in the browser reports a permission error. This is where the chmod command comes in: its role is to change the permissions of a file or directory. If the file to download is shadow1, execute chmod 777 ./shadow1 and it can then be downloaded directly in the browser with no further permission problems.
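A credential file copied into the web root and made world-writable, as described above, leaves two artefacts a periodic audit can catch: the loose permission bits and the shadow-format content itself. The following is an added example, not code from the original article; demo() builds a constructed web root in a temporary directory (the shadow-style line is a placeholder) and runs the audit over it.

```python
import os
import shutil
import stat
import tempfile
from typing import List, Tuple


def looks_like_shadow(path: str) -> bool:
    """True when the first line has the nine colon-separated fields of
    /etc/shadow and a crypt-style ('$...') password field."""
    try:
        with open(path, "r", errors="replace") as fh:
            first = fh.readline().rstrip("\n")
    except OSError:
        return False
    fields = first.split(":")
    return len(fields) == 9 and fields[1].startswith("$")


def audit_webroot(root: str) -> List[Tuple[str, str]]:
    """Walk a web root and return (path, reason) for regular files that are
    world-writable or that carry credential data no web server should serve."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue                      # skip symlinks, sockets, etc.
            if mode & stat.S_IWOTH:
                findings.append((path, "world-writable"))
            if looks_like_shadow(path):
                findings.append((path, "shadow-format credential file"))
    return findings


def demo() -> List[str]:
    """Constructed web root: a normal page beside a mode-777 copy of a
    shadow-style file. Returns the sorted audit reasons and cleans up."""
    root = tempfile.mkdtemp()
    try:
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<html>ok</html>\n")
        shadow_copy = os.path.join(root, "shadow1")
        with open(shadow_copy, "w") as fh:
            fh.write("root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:15000:0:99999:7:::\n")
        os.chmod(shadow_copy, 0o777)
        return sorted(reason for _, reason in audit_webroot(root))
    finally:
        shutil.rmtree(root)
```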

Of course, a great deal more can be done after obtaining root, such as installing a backdoor or finding ways to obtain the root user's password, but I do not know how, and it has little to do with the title of this article, "Common small commands under Linux", so it is not covered here. In practice the commands used during privilege escalation may be far more than these; what I have introduced are roughly the most commonly used ones. Since I know almost nothing about Linux, please forgive any mistakes.

The next time we meet a Linux host, do not be afraid to attempt privilege escalation; bold attempts often bring surprises and rewards.
