
[Discussion] Problems with Linux privilege escalation

Source: EvilOctal Security Team (www.eviloctal.com)
Topic author: 消失再消失
First, I got a webshell..
PHP site, Linux system.
Got the shell through a neighbouring site on the same server (旁注)...... the goal is to cross directories and get into the target site.
Permissions are locked down very tightly:
apart from /home/hosting_users, which isn't writable, the other directories are writable. [mysql] has no browse permission.....
I looked for sensitive information such as the MySQL password and the like, but couldn't find any.
I'm a newbie; I've never studied Linux and don't understand privilege escalation.
I searched Baidu.
Some say to upload a .c file for local privilege escalation; I tested that and it didn't succeed...
Looked for pass-type files; couldn't find any.
Because many directories are set to no browse permission..
The system information is as follows:
System Linux w64-051.cafe24.com 2.6.20.2 #1 SMP Wed Mar 14 18:55:46 KST 2007 x86_64
Build Date Dec 22 2006 18:26:41

Configure Command './configure' '--with-mysql=/usr/local/mysql' '--with-apache=../apache_1.3.37' '--enable-track-vars' '--with-gd=../gd-2.0.33' '--with-jpeg-dir=/usr/local/lib' '--with-freetype-dir=/usr/local/lib' '--with-png-dir=/usr/local/lib' '--with-zlib-dir=/usr/local/lib' '--with-zlib' '--enable-gd-native-ttf' '--with-config-file-path=/usr/local/lib' '--with-gif-dir=/usr/local/lib' '--enable-memory-limit' '--enable-freetype-4bit-antialias-hack' '--with-gdbm' '--enable-exif' '--with-iconv=/usr/local/lib' '--with-db' '--enable-mbstring=all' '--enable-bcmath' '--enable-ftp' '--with-gettext' '--with-openssl=/usr/local/openssl' '--with-mcrypt=/usr/local/mcrypt' '--with-dom'
Server API Apache
Virtual Directory Support disabled
Configuration File (php.ini) Path /usr/local/Zend/etc/php.ini
PHP API 20020918
PHP Extension 20020429
Zend Extension 20050606
Debug Build no
Zend Memory Manager enabled
Thread Safety disabled
Registered PHP Streams php, http, ftp, https, ftps, compress.zlib

The contents of the php.ini file I obtained are as follows:
[PHP]

;;;;;;;;;;;
; WARNING ;
;;;;;;;;;;;
; This is the default settings file for new PHP installations.
; By default, PHP installs itself with a configuration suitable for
; development purposes, and *NOT* for production purposes.
; For several security-oriented considerations that should be taken
; before going online with your site, please consult php.ini-recommended
; and http://php.net/manual/en/security.php.


;;;;;;;;;;;;;;;;;;;
; About this file ;
;;;;;;;;;;;;;;;;;;;
; This file controls many aspects of PHP's behavior. In order for PHP to
; read it, it must be named 'php.ini'. PHP looks for it in the current
; working directory, in the path designated by the environment variable
; PHPRC, and in the path that was defined in compile time (in that order).
; Under Windows, the compile-time path is the Windows directory. The
; path in which the php.ini file is looked for can be overridden using
; the -c argument in command line mode.
;
; The syntax of the file is extremely simple. Whitespace and Lines
; beginning with a semicolon are silently ignored (as you probably guessed).
; Section headers (e.g. [Foo]) are also silently ignored, even though
; they might mean something in the future.
;
; Directives are specified using the following syntax:
; directive = value
; Directive names are *case sensitive* - foo=bar is different from FOO=bar.
;
; The value can be a string, a number, a PHP constant (e.g. E_ALL or M_PI), one
; of the INI constants (On, Off, True, False, Yes, No and None) or an expression
; (e.g. E_ALL & ~E_NOTICE), or a quoted string ("foo").
;
; Expressions in the INI file are limited to bitwise operators and parentheses:
; |    bitwise OR
; &    bitwise AND
; ~    bitwise NOT
; !    boolean NOT
;
; Boolean flags can be turned on using the values 1, On, True or Yes.
; They can be turned off using the values 0, Off, False or No.
;
; An empty string can be denoted by simply not writing anything after the equal
; sign, or by using the None keyword:
;
; foo =     ; sets foo to an empty string
; foo = none  ; sets foo to an empty string
; foo = "none" ; sets foo to the string 'none'
;
; If you use constants in your value, and these constants belong to a
; dynamically loaded extension (either a PHP extension or a Zend extension),
; you may only use these constants *after* the line that loads the extension.
;
; All the values in the php.ini-dist file correspond to the builtin
; defaults (that is, if no php.ini is used, or if you delete these lines,
; the builtin defaults will be identical).


;;;;;;;;;;;;;;;;;;;;
; Language Options ;
;;;;;;;;;;;;;;;;;;;;

; Enable the PHP scripting language engine under Apache.
engine = On

; Allow the <? tag. Otherwise, only <?php and <script> tags are recognized.
short_open_tag = On

; Allow ASP-style <% %> tags.
asp_tags = Off

; The number of significant digits displayed in floating point numbers.
precision  = 14

; Enforce year 2000 compliance (will cause problems with non-compliant browsers)
y2k_compliance = Off

; Output buffering allows you to send header lines (including cookies) even
; after you send body content, at the price of slowing PHP's output layer a
; bit. You can enable output buffering during runtime by calling the output
; buffering functions. You can also enable output buffering for all files by
; setting this directive to On. If you wish to limit the size of the buffer
; to a certain size - you can use a maximum number of bytes instead of 'On', as
; a value for this directive (e.g., output_buffering=4096).
output_buffering = Off

; You can redirect all of the output of your scripts to a function. For
; example, if you set output_handler to "ob_gzhandler", output will be
; transparently compressed for browsers that support gzip or deflate encoding.
; Setting an output handler automatically turns on output buffering.
output_handler =

; Transparent output compression using the zlib library
; Valid values for this option are 'off', 'on', or a specific buffer size
; to be used for compression (default is 4KB)
zlib.output_compression = Off

; Implicit flush tells PHP to tell the output layer to flush itself
; automatically after every output block. This is equivalent to calling the
; PHP function flush() after each and every call to print() or echo() and each
; and every HTML block. Turning this option on has serious performance
; implications and is generally recommended for debugging purposes only.
implicit_flush = Off

; Whether to enable the ability to force arguments to be passed by reference
; at function call time. This method is deprecated and is likely to be
; unsupported in future versions of PHP/Zend. The encouraged method of
; specifying which arguments should be passed by reference is in the function
; declaration. You're encouraged to try and turn this option Off and make
; sure your scripts work properly with it in order to ensure they will work
; with future versions of the language (you will receive a warning each time
; you use this feature, and the argument will be passed by value instead of by
; reference).
allow_call_time_pass_reference = On


;
; Safe Mode
;
safe_mode = Off

; By default, Safe Mode does a UID compare check when
; opening files. If you want to relax this to a GID compare,
; then turn on safe_mode_gid.
safe_mode_gid = Off

; When safe_mode is on, UID/GID checks are bypassed when
; including files from this directory and its subdirectories.
; (directory must also be in include_path or full path must
; be used when including)
safe_mode_include_dir =               

; When safe_mode is on, only executables located in the safe_mode_exec_dir
; will be allowed to be executed via the exec family of functions.
safe_mode_exec_dir =

; open_basedir, if set, limits all file operations to the defined directory
; and below. This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file.
;
;open_basedir =

; Setting certain environment variables may be a potential security breach.
; This directive contains a comma-delimited list of prefixes. In Safe Mode,
; the user may only alter environment variables whose names begin with the
; prefixes supplied here. By default, users will only be able to set
; environment variables that begin with PHP_ (e.g. PHP_FOO=BAR).
;
; Note: If this directive is empty, PHP will let the user modify ANY
; environment variable!
safe_mode_allowed_env_vars = PHP_

; This directive contains a comma-delimited list of environment variables that
; the end user won't be able to change using putenv(). These variables will be
; protected even if safe_mode_allowed_env_vars is set to allow to change them.
safe_mode_protected_env_vars = LD_LIBRARY_PATH

; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
disable_functions = mysql_pconnect

; Colors for Syntax Highlighting mode. Anything that's acceptable in
; <font color="??????"> would work.
highlight.string = #CC0000
highlight.comment = #FF9900
highlight.keyword = #006600
highlight.bg   = #FFFFFF
highlight.default = #0000CC
highlight.html  = #000000


;
; Misc
;
; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header). It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
expose_php = On


;;;;;;;;;;;;;;;;;;;
; Resource Limits ;
;;;;;;;;;;;;;;;;;;;

max_execution_time = 30   ; Maximum execution time of each script, in seconds
memory_limit = 40M   ; Maximum amount of memory a script may consume (8MB)


;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Error handling and logging ;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

; error_reporting is a bit-field. Or each number up to get desired error
; reporting level
; E_ALL       - All errors and warnings
; E_ERROR      - fatal run-time errors
; E_WARNING     - run-time warnings (non-fatal errors)
; E_PARSE      - compile-time parse errors
; E_NOTICE     - run-time notices (these are warnings which often result
;           from a bug in your code, but it's possible that it was
;           intentional (e.g., using an uninitialized variable and
;           relying on the fact it's automatically initialized to an
;           empty string)
; E_CORE_ERROR   - fatal errors that occur during PHP's initial startup
; E_CORE_WARNING  - warnings (non-fatal errors) that occur during PHP's
;           initial startup
; E_COMPILE_ERROR  - fatal compile-time errors
; E_COMPILE_WARNING - compile-time warnings (non-fatal errors)
; E_USER_ERROR   - user-generated error message
; E_USER_WARNING  - user-generated warning message
; E_USER_NOTICE   - user-generated notice message
;
; Examples:
;
;  - Show all errors, except for notices
;
;error_reporting = E_ALL & ~E_NOTICE
;
;  - Show only errors
;
;error_reporting = E_COMPILE_ERROR|E_ERROR|E_CORE_ERROR
;
;  - Show all errors except for notices
;
error_reporting = E_ALL & ~E_NOTICE

; Print out errors (as a part of the output). For production web sites,
; you're strongly encouraged to turn this feature off, and use error logging
; instead (see below). Keeping display_errors enabled on a production web site
; may reveal security information to end users, such as file paths on your Web
; server, your database schema or other information.
display_errors = On

; Even when display_errors is on, errors that occur during PHP's startup
; sequence are not displayed. It's strongly recommended to keep
; display_startup_errors off, except for when debugging.
display_startup_errors = Off

; Log errors into a log file (server-specific log, stderr, or error_log (below))
; As stated above, you're strongly advised to use error logging in place of
; error displaying on production web sites.
log_errors = Off

; Store the last error/warning message in $php_errormsg (boolean).
track_errors = Off

; Disable the inclusion of HTML tags in error messages.
;html_errors = Off

; String to output before an error message.
;error_prepend_string = "<font color=ff0000>"

; String to output after an error message.
;error_append_string = "</font>"

; Log errors to specified file.
;error_log = /usr/local/apache/logs/php_log

; Log errors to syslog (Event Log on NT, not valid in Windows 95).
;error_log = syslog

; Warn if the + operator is used with strings.
warn_plus_overloading = Off


;;;;;;;;;;;;;;;;;
; Data Handling ;
;;;;;;;;;;;;;;;;;
;
; Note - track_vars is ALWAYS enabled as of PHP 4.0.3

; The separator used in PHP generated URLs to separate arguments.
; Default is "&".
;arg_separator.output = "&"

; List of separator(s) used by PHP to parse input URLs into variables.
; Default is "&".
; NOTE: Every character in this directive is considered as separator!
;arg_separator.input = ";&"

; This directive describes the order in which PHP registers GET, POST, Cookie,
; Environment and Built-in variables (G, P, C, E & S respectively, often
; referred to as EGPCS or GPC). Registration is done from left to right, newer
; values override older values.
variables_order = "EGPCS"

; Whether or not to register the EGPCS variables as global variables. You may
; want to turn this off if you don't want to clutter your scripts' global scope
; with user data. This makes most sense when coupled with track_vars - in which
; case you can access all of the GPC variables through the $HTTP_*_VARS[],
; variables.
;
; You should do your best to write your scripts so that they do not require
; register_globals to be on; Using form variables as globals can easily lead
; to possible security problems, if the code is not very well thought of.
register_globals = Off

; This directive tells PHP whether to declare the argv&argc variables (that
; would contain the GET information). If you don't use these variables, you
; should turn it off for increased performance.
register_argc_argv = On

; Maximum size of POST data that PHP will accept.
post_max_size = 11M

; This directive is deprecated. Use variables_order instead.
gpc_order = "GPC"

; Magic quotes
;

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = On

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off  

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off

; Automatically add files before or after any PHP document.
auto_prepend_file =
auto_append_file =

; As of 4.0b4, PHP always outputs a character encoding by default in
; the Content-type: header. To disable sending of the charset, simply
; set it to be empty.
;
; PHP's built-in default is text/html
default_mimetype = "text/html"
;default_charset = "iso-8859-1"


;;;;;;;;;;;;;;;;;;;;;;;;;
; Paths and Directories ;
;;;;;;;;;;;;;;;;;;;;;;;;;

; UNIX: "/path1:/path2"
;include_path = ".:/php/includes"
;
; Windows: "\path1;\path2"
;include_path = ".;c:\php\includes"

; The root of the PHP pages, used only if nonempty.
doc_root =

; The directory under which PHP opens the script using /~usernamem used only
; if nonempty.
user_dir =

; Directory in which the loadable extensions (modules) reside.
extension_dir = ./

; Whether or not to enable the dl() function. The dl() function does NOT work
; properly in multithreaded servers, such as IIS or Zeus, and is automatically
; disabled on them.
enable_dl = On


;;;;;;;;;;;;;;;;
; File Uploads ;
;;;;;;;;;;;;;;;;

; Whether to allow HTTP file uploads.
file_uploads = On

; Temporary directory for HTTP uploaded files (will use system default if not
; specified).
;upload_tmp_dir =

; Maximum allowed size for uploaded files.
upload_max_filesize = 10M


;;;;;;;;;;;;;;;;;;
; Fopen wrappers ;
;;;;;;;;;;;;;;;;;;

; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
allow_url_fopen = Off

; Define the anonymous ftp password (your email address)
;from="john@doe.com"


;;;;;;;;;;;;;;;;;;;;;;
; Dynamic Extensions ;
;;;;;;;;;;;;;;;;;;;;;;
;
; If you wish to have an extension loaded automatically, use the following
; syntax:
;
;  extension=modulename.extension
;
; For example, on Windows:
;
;  extension=msql.dll
;
; ... or under UNIX:
;
;  extension=msql.so
;
; Note that it should be the name of the module only; no directory information
; needs to go here. Specify the location of the extension with the
; extension_dir directive above.

#Turck Loader
extension="/usr/local/lib/php/extensions/no-debug-non-zts-20020429/TurckLoader.so"

;Windows Extensions
;Note that MySQL and ODBC support is now built in, so no dll is needed for it.
;
;extension=php_bz2.dll
;extension=php_ctype.dll
;extension=php_cpdf.dll
;extension=php_curl.dll
;extension=php_cybercash.dll
;extension=php_db.dll
;extension=php_dba.dll
;extension=php_dbase.dll
;extension=php_dbx.dll
;extension=php_domxml.dll
;extension=php_dotnet.dll
;extension=php_exif.dll
;extension=php_fbsql.dll
;extension=php_fdf.dll
;extension=php_filepro.dll
;extension=php_gd.dll
;extension=php_gettext.dll
;extension=php_hyperwave.dll
;extension=php_iconv.dll
;extension=php_ifx.dll
;extension=php_iisfunc.dll
;extension=php_imap.dll
;extension=php_ingres.dll
;extension=php_interbase.dll
;extension=php_java.dll
;extension=php_ldap.dll
;extension=php_mbstring.dll
;extension=php_mcrypt.dll
;extension=php_mhash.dll
;extension=php_ming.dll
;extension=php_mssql.dll
;extension=php_oci8.dll
;extension=php_openssl.dll
;extension=php_oracle.dll
;extension=php_pdf.dll
;extension=php_pgsql.dll
;extension=php_printer.dll
;extension=php_sablot.dll
;extension=php_shmop.dll
;extension=php_snmp.dll
;extension=php_sockets.dll
;extension=php_sybase_ct.dll
;extension=php_xslt.dll
;extension=php_yaz.dll
;extension=php_zlib.dll


;;;;;;;;;;;;;;;;;;;
; Module Settings ;
;;;;;;;;;;;;;;;;;;;

[Syslog]
; Whether or not to define the various syslog variables (e.g. $LOG_PID,
; $LOG_CRON, etc.). Turning it off is a good idea performance-wise. In
; runtime, you can define these variables by calling define_syslog_variables().
define_syslog_variables = Off

[mail function]
; For Win32 only.
SMTP = localhost

; For Win32 only.
sendmail_from = me@localhost.com

; For Unix only. You may supply arguments as well (default: 'sendmail -t -i').
sendmail_path = /var/qmail/bin/qmail-inject

[Logging]
; These configuration directives are used by the example logging mechanism.
; See examples/README.logging for more explanation.
;logging.method = db
;logging.directory = /path/to/log/directory

[Java]
;java.class.path = .\php_java.jar
;java.home = c:\jdk
;java.library = c:\jdk\jre\bin\hotspot\jvm.dll
;java.library.path = .\

[SQL]
sql.safe_mode = Off

[ODBC]
;odbc.default_db  = Not yet implemented
;odbc.default_user = Not yet implemented
;odbc.default_pw  = Not yet implemented

; Allow or prevent persistent links.
odbc.allow_persistent = On

; Check that a connection is still valid before reuse.
odbc.check_persistent = On

; Maximum number of persistent links. -1 means no limit.
odbc.max_persistent = -1

; Maximum number of links (persistent + non-persistent). -1 means no limit.
odbc.max_links = -1

; Handling of LONG fields. Returns number of bytes to variables. 0 means
; passthru.
odbc.defaultlrl = 4096

; Handling of binary data. 0 means passthru, 1 return as is, 2 convert to char.
; See the documentation on odbc_binmode and odbc_longreadlen for an explanation
; of uodbc.defaultlrl and uodbc.defaultbinmode
odbc.defaultbinmode = 1

[MySQL]
; Allow or prevent persistent links.
mysql.allow_persistent = On

; Maximum number of persistent links. -1 means no limit.
mysql.max_persistent = -1

; Maximum number of links (persistent + non-persistent). -1 means no limit.
mysql.max_links = -1

; Default port number for mysql_connect(). If unset, mysql_connect() will use
; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the
; compile-time value defined MYSQL_PORT (in that order). Win32 will only look
; at MYSQL_PORT.
mysql.default_port =

; Default socket name for local MySQL connects. If empty, uses the built-in
; MySQL defaults.
mysql.default_socket =

; Default host for mysql_connect() (doesn't apply in safe mode).
mysql.default_host =

; Default user for mysql_connect() (doesn't apply in safe mode).
mysql.default_user =

; Default password for mysql_connect() (doesn't apply in safe mode).
; Note that this is generally a *bad* idea to store passwords in this file.
; *Any* user with PHP access can run 'echo cfg_get_var("mysql.default_password")
; and reveal this password! And of course, any users with read access to this
; file will be able to reveal the password as well.
mysql.default_password =

[mSQL]
; Allow or prevent persistent links.
msql.allow_persistent = On

; Maximum number of persistent links. -1 means no limit.
msql.max_persistent = -1

; Maximum number of links (persistent+non persistent). -1 means no limit.
msql.max_links = -1

[PostgresSQL]
; Allow or prevent persistent links.
pgsql.allow_persistent = On

; Maximum number of persistent links. -1 means no limit.
pgsql.max_persistent = -1

; Maximum number of links (persistent+non persistent). -1 means no limit.
pgsql.max_links = -1

[Sybase]
; Allow or prevent persistent links.
sybase.allow_persistent = On

; Maximum number of persistent links. -1 means no limit.
sybase.max_persistent = -1

; Maximum number of links (persistent + non-persistent). -1 means no limit.
sybase.max_links = -1

;sybase.interface_file = "/usr/sybase/interfaces"

; Minimum error severity to display.
sybase.min_error_severity = 10

; Minimum message severity to display.
sybase.min_message_severity = 10

; Compatability mode with old versions of PHP 3.0.
; If on, this will cause PHP to automatically assign types to results according
; to their Sybase type, instead of treating them all as strings. This
; compatability mode will probably not stay around forever, so try applying
; whatever necessary changes to your code, and turn it off.
sybase.compatability_mode = Off

[Sybase-CT]
; Allow or prevent persistent links.
sybct.allow_persistent = On

; Maximum number of persistent links. -1 means no limit.
sybct.max_persistent = -1

; Maximum number of links (persistent + non-persistent). -1 means no limit.
sybct.max_links = -1

; Minimum server message severity to display.
sybct.min_server_severity = 10

; Minimum client message severity to display.
sybct.min_client_severity = 10

[bcmath]
; Number of decimal digits for all bcmath functions.
bcmath.scale = 0

[browscap]
;browscap = extra/browscap.ini

[Informix]
; Default host for ifx_connect() (doesn't apply in safe mode).
ifx.default_host =

; Default user for ifx_connect() (doesn't apply in safe mode).
ifx.default_user =

; Default password for ifx_connect() (doesn't apply in safe mode).
ifx.default_password =

; Allow or prevent persistent links.
ifx.allow_persistent = On

; Maximum number of persistent links. -1 means no limit.
ifx.max_persistent = -1

; Maximum number of links (persistent + non-persistent). -1 means no limit.
ifx.max_links = -1

; If on, select statements return the contents of a text blob instead of its id.
ifx.textasvarchar = 0

; If on, select statements return the contents of a byte blob instead of its id.
ifx.byteasvarchar = 0

; Trailing blanks are stripped from fixed-length char columns. May help the
; life of Informix SE users.
ifx.charasvarchar = 0

; If on, the contents of text and byte blobs are dumped to a file instead of
; keeping them in memory.
ifx.blobinfile = 0

; NULL's are returned as empty strings, unless this is set to 1. In that case,
; NULL's are returned as string 'NULL'.
ifx.nullformat = 0

[Session]
; Handler used to store/retrieve data.
session.save_handler = files

; Argument passed to save_handler. In the case of files, this is the path
; where data files are stored. Note: Windows users have to change this
; variable in order to use PHP's session functions.
session.save_path = /tmp

; Whether to use cookies.
session.use_cookies = 1


; Name of the session (used as cookie name).
session.name = PHPSESSID

; Initialize session on request startup.
session.auto_start = 0

; Lifetime in seconds of cookie or, if 0, until browser is restarted.
session.cookie_lifetime = 0

; The path for which the cookie is valid.
session.cookie_path = /

; The domain for which the cookie is valid.
session.cookie_domain =

; Handler used to serialize data. php is the standard serializer of PHP.
session.serialize_handler = php

; Percentual probability that the 'garbage collection' process is started
; on every session initialization.
session.gc_probability = 1

; After this number of seconds, stored data will be seen as 'garbage' and
; cleaned up by the garbage collection process.
session.gc_maxlifetime = 1440

; Check HTTP Referer to invalidate externally stored URLs containing ids.
session.referer_check =

; How many bytes to read from the file.
session.entropy_length = 0

; Specified here to create the session id.
session.entropy_file =

;session.entropy_length = 16

;session.entropy_file = /dev/urandom

; Set to {nocache,private,public} to determine HTTP caching aspects.
session.cache_limiter = nocache

; Document expires after n minutes.
session.cache_expire = 180

; use transient sid support if enabled by compiling with --enable-trans-sid.
session.use_trans_sid = 1

url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"

[MSSQL]
; Allow or prevent persistent links.
mssql.allow_persistent = On

; Maximum number of persistent links. -1 means no limit.
mssql.max_persistent = -1

; Maximum number of links (persistent+non persistent). -1 means no limit.
mssql.max_links = -1

; Minimum error severity to display.
mssql.min_error_severity = 10

; Minimum message severity to display.
mssql.min_message_severity = 10

; Compatability mode with old versions of PHP 3.0.
mssql.compatability_mode = Off

; Valid range 0 - 2147483647. Default = 4096.
;mssql.textlimit = 4096

; Valid range 0 - 2147483647. Default = 4096.
;mssql.textsize = 4096

; Limits the number of records in each batch. 0 = all records in one batch.
;mssql.batchsize = 0

[Assertion]
; Assert(expr); active by default.
;assert.active = On

; Issue a PHP warning for each failed assertion.
;assert.warning = On

; Don't bail out by default.
;assert.bail = Off

; User-function to be called if an assertion fails.
;assert.callback = 0

; Eval the expression with current error_reporting(). Set to true if you want
; error_reporting(0) around the eval().
;assert.quiet_eval = 0

[Ingres II]
; Allow or prevent persistent links.
ingres.allow_persistent = On

; Maximum number of persistent links. -1 means no limit.
ingres.max_persistent = -1

; Maximum number of links, including persistents. -1 means no limit.
ingres.max_links = -1

; Default database (format: [node_id::]dbname[/srv_class]).
ingres.default_database =

; Default user.
ingres.default_user =

; Default password.
ingres.default_password =

[Verisign Payflow Pro]
; Default Payflow Pro server.
pfpro.defaulthost = "test-payflow.verisign.com"

; Default port to connect to.
pfpro.defaultport = 443

; Default timeout in seconds.
pfpro.defaulttimeout = 30

; Default proxy IP address (if required).
;pfpro.proxyaddress =

; Default proxy port.
;pfpro.proxyport =

; Default proxy logon.
;pfpro.proxylogon =

; Default proxy password.
;pfpro.proxypassword =

[Sockets]
; Use the system read() function instead of the php_read() wrapper.
sockets.use_system_read = On
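
The php.ini pasted above is as useful to a defender as to the poster: the directives it leaves loose are the ones that decide whether one tenant's script can read another tenant's tree. The following php.ini parser and hardening audit is an added example written for this page; it is not code from the thread, from the hosting provider, or from PHP itself. It parses a constructed subset of the posted file (handling comments, inline `;` comments, quoted values and commented-out directives) and flags the weak settings, most notably that `open_basedir` is commented out, which is exactly what makes the cross-directory access the thread is about possible, and that `disable_functions` covers only `mysql_pconnect`. The check list and the severity labels are the example's own choices, not PHP's.

```python
"""Parse a php.ini and flag common hardening gaps (added example, not from the page)."""
from typing import Dict, List, Tuple

# Constructed sample: a subset of the php.ini posted in the thread, kept in its
# original form (comments, inline comments, quoted values, commented-out lines).
SAMPLE_INI = """\
[PHP]
; Enable the PHP scripting language engine under Apache.
engine = On
;open_basedir =
disable_functions = mysql_pconnect
expose_php = On
max_execution_time = 30   ; Maximum execution time of each script, in seconds
memory_limit = 40M   ; Maximum amount of memory a script may consume (8MB)
display_errors = On
log_errors = Off
register_globals = Off
enable_dl = On
allow_url_fopen = Off
mysql.default_password =
[Session]
session.save_path = /tmp
session.entropy_length = 0
;session.entropy_file = /dev/urandom
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
"""

TRUE_VALUES = {"1", "on", "true", "yes"}
# Functions that hand a script a shell; the audit expects all of them disabled.
EXEC_FUNCS = ("system", "exec", "passthru", "shell_exec", "popen", "proc_open")


def parse_php_ini(text: str) -> Dict[str, str]:
    """Return directive -> value for every active (non-commented) directive."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Blank lines, ';' or '#' comments and [Section] headers carry no directive,
        # so a commented-out directive such as ';open_basedir =' is NOT set.
        if not line or line[0] in ";#" or line.startswith("["):
            continue
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        name, value = name.strip(), value.strip()
        if value.startswith('"'):
            # Quoted value: keep everything up to the closing quote, ';' included.
            end = value.find('"', 1)
            value = value[1:end] if end != -1 else value[1:]
        else:
            # Unquoted value: an inline ';' starts a trailing comment.
            value = value.split(";", 1)[0].strip()
        settings[name] = value
    return settings


def is_on(value: str) -> bool:
    """php.ini boolean semantics: 1/On/True/Yes are true, anything else is false."""
    return value.strip().lower() in TRUE_VALUES


def audit(settings: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (severity, directive, message) findings, highest severity first."""
    findings: List[Tuple[str, str, str]] = []

    def flag(sev: str, directive: str, msg: str) -> None:
        findings.append((sev, directive, msg))

    if not settings.get("open_basedir"):
        flag("HIGH", "open_basedir", "unset: file operations are not confined to the "
             "vhost's own tree, so one tenant's script can read other tenants' directories")
    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",") if f.strip()}
    missing = [f for f in EXEC_FUNCS if f not in disabled]
    if missing:
        flag("HIGH", "disable_functions", "shell-spawning functions still enabled: " + ", ".join(missing))
    if is_on(settings.get("enable_dl", "")):
        flag("HIGH", "enable_dl", "dl() loads shared objects at runtime; functions an "
             "extension registers are not covered by disable_functions")
    if is_on(settings.get("register_globals", "")):
        flag("HIGH", "register_globals", "request parameters become global variables")
    if settings.get("mysql.default_password"):
        flag("HIGH", "mysql.default_password", "database password in php.ini is readable by every script on the host")
    if is_on(settings.get("allow_url_fopen", "")):
        flag("MEDIUM", "allow_url_fopen", "remote URLs are accepted wherever a file path is expected")
    if is_on(settings.get("display_errors", "")):
        flag("MEDIUM", "display_errors", "errors go to clients and leak file paths and schema details")
    if settings.get("session.save_path", "").rstrip("/") == "/tmp":
        flag("MEDIUM", "session.save_path", "session files live in the shared /tmp; use a per-site directory on a multi-tenant host")
    if settings.get("session.entropy_length", "0") == "0":
        flag("LOW", "session.entropy_length", "no extra entropy source feeds session ID generation")
    if not is_on(settings.get("log_errors", "")):
        flag("LOW", "log_errors", "errors are not logged, leaving no audit trail of failures")
    if is_on(settings.get("expose_php", "")):
        flag("LOW", "expose_php", "PHP version is advertised in response headers")

    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    findings.sort(key=lambda f: (order[f[0]], f[1]))
    return findings


if __name__ == "__main__":
    for sev, directive, msg in audit(parse_php_ini(SAMPLE_INI)):
        print(f"[{sev}] {directive}: {msg}")
```

Running the block lists the findings by severity; for the posted configuration the HIGH items are the missing `open_basedir`, the near-empty `disable_functions` and `enable_dl = On`. The fix for the cross-directory problem the thread discusses is a per-virtual-host `open_basedir` in the Apache configuration, combined with running each tenant's PHP as its own system user so that directory permissions, not just PHP's own checks, keep tenants apart.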

I've also been learning Linux recently; I'm sitting on several Linux server webshells that I can't escalate.

wzt (Honorary Member):

Such a new kernel, 2.6.20...


ggdd (Crystal Clear § Blazing Sun):

Apart from the kernel there's social engineering; there's no good method at the moment. Check whether PHPMYADMIN is installed.

lzis (Crystal Clear § Blazing Sun):

How come the php.ini on LINUX has c: in it? Does LINUX have drive letters?
Privilege escalation? Just go straight for OPEN SSL. Is port 22 open? If it isn't, how would you escalate? Even if you escalated, you couldn't log in.
Also, what you describe is only cross-site, not privilege escalation. If you can't cross over, find a way to get SSL... it's the equivalent of escalating to 3389 on WINDOWS.

消失再消失 (Honorary Member):

Quote (post #4 by lzis, 2007-08-23 18:06):
How come the php.ini on LINUX has c: in it? Does LINUX have drive letters?
Privilege escalation? Just go straight for OPEN SSL. Is port 22 open? If it isn't, how would you escalate? Even if you escalated, you couldn't log in.
Also, what you describe is only cross-site, not privilege escalation. If you can't cross over, find a way to get SSL... it's the equivalent of escalating to 3389 on WINDOWS.

Cross-site?????
It's cross-directory, i.e. a neighbouring-site (旁注) attack... not cross-site.
As for why the php.ini on Linux has C: in it, I don't know; I haven't really studied Linux yet.
22 is open.
Also, for Linux privilege escalation some say to use a local overflow directly, but this version is very new and can't be overflowed.
Otherwise it's digging through config files for passwords.....
If neither of these two methods gets there,
are there any other ways? That's mainly what I want to discuss.

阿〓☆〓狼 (Crystal Clear § Blazing Sun):

If 22 is open, you can try the Linux remote-administration tool putty--HQY and see whether it connects.
But I feel Linux separates user permissions very clearly: once PHP is installed, a corresponding user is created on the system, so even if you escalate successfully and get administrator rights, that's still only root for php~~~

I feel Linux privilege escalation is rather hard; maybe I'm just too much of a newbie! Still learning~~ I have several Linux shells in hand that I can't escalate.

我非我 (Honorary Member):

Quote (post #2 by wzt, 2007-08-20 17:56):
Such a new kernel, 2.6.20...

It's not only that the kernel is new.
Linux w64-051.cafe24.com 2.6.20.2 #1 SMP Wed Mar 14 18:55:46 KST 2007 x86_64
The key point is that it's a 64-bit kernel.

lzis (Crystal Clear § Blazing Sun):

Quote (post #5 by 消失再消失, 2007-08-24 07:46):

Cross-site?????
It's cross-directory, i.e. a neighbouring-site (旁注) attack... not cross-site.
As for why the php.ini on Linux has C: in it, I don't know; I haven't really studied Linux yet.
22 is open.
.......

Sorry, my terminology is poor.. what I meant by cross-site is cross-directory!
By the way, check what permissions APACHE assigned to that site.
Look through the PHP files in general for any file that records the MYSQL account and password, etc..
I think if you get the MYSQL account and password... you could try logging into SSL with putty and see whether the password is the same..
Not a technically deep answer, sorry. That's all I can help with. LINUX privilege escalation is not simple. Social engineering is the way to go!

消失再消失 (Honorary Member):

I'm going to give up on this shell,
because the version is high and not easy to overflow,
and I've dug through just about everything for the MySQL password and the like.
Fortunately I already got into the target site,
by finding a bug in the application directly.

消失再消失 (Honorary Member):

Thanks to everyone who took part in the discussion.
Still, I'd like to break through and escalate via this shell.

asm (Ops Management Group):

Quote (post #8 by lzis, 2007-08-24 22:41):

Sorry, my terminology is poor.. what I meant by cross-site is cross-directory!
By the way, check what permissions APACHE assigned to that site.
Look through the PHP files in general for any file that records the MYSQL account and password, etc..
I think if you get the MYSQL account and password... you could try logging into SSL with putty and see whether the password is the same..
.......

Even root on mysql doesn't get you very far.
These days Linux privilege escalation mostly relies on the kernel. Since it's open source there are plenty of local exploits; machines that genuinely can't be escalated are still fairly rare.
There used to be some setuid programs as well.
Some programs running as root also work, like admin software such as webmin, which has had an arbitrary file viewing vulnerability.

asm (Ops Management Group):

Quote (post #11 by ddy2003, 2007-10-25 15:32):
I don't have permission to post, so I'm borrowing this spot to ask a question.
Came across a Linux+apache+PHP server; the PHP has an injection point; the WEB and the database are separated.
Adding ' gives the following error message:
Warning: mysql_free_result(): supplied argument is not a valid MySQL result resource in /var/www/html/XXX/XXX/XXXX/XXX.php on line 135

.......

PM me on the forum and I'll help you sort it out.

xi4oyu (Honorary Member):

Have a look at this: http://www.milw0rm.com/exploits/4460

To asm: I don't have private-message permission here; I PMed you over at 红狼.

asm (Ops Management Group):

Quote (post #14 by xi4oyu, 2007-10-26 09:16):
Have a look at this: http://www.milw0rm.com/exploits/4460

To asm: I don't have private-message permission here; I PMed you over at 红狼.

Got it. That local exploit got wrecked last time I was recovering data from a disk. Uncle Xiaoyu, send it once more, ok?

This morning there was also a 2.6.9 box: it was clearly patched, yet I can't telnet in. Really frustrating. Dynamic DNS, maybe?

xi4oyu (Honorary Member):

Don't call me uncle, I'm still young. Heh, you didn't even check the domain name; take your time looking...

独孤加倍 (Honorary Member):

Bro, can't you write up the key parts? Is whatever other people say just taken as fact???

nixilin (Crystal Clear § Blazing Sun):

A Linux box I have: uname -r gives 2.4.21-32.ELsmp.
It's Red Hat. Can it be escalated to root?

adsal (Crystal Clear § Blazing Sun):