RCE ByPass

This article was written in both Chinese and English with identical content. It records some filter-bypass tricks seen in RCE on Linux and Windows.

Linux

Filter spaces

Filtering spaces is the most common filter, and under Linux the most common way around it is the environment variable $IFS (the shell's internal field separator). If you echo this variable directly you will see nothing, because its value is whitespace; base64-encode the output and it becomes visible.

On its own that is not enough for the command to run, because the shell cannot tell where the variable name ends and the following text begins; a separator is needed between $IFS and the content that follows. Wrapping the name in braces, ${IFS}, provides that split. Note that the IFS variable is valid in bash but invalid in zsh and dash.

Another way to write it under Linux is $IFS\$9: $9 is the ninth positional parameter of the current shell process, which is normally empty.

Filter cat

This refers to filtering all commands that print file contents, such as cat, head, tail and so on.

The first method uses special symbols to break up a keyword while leaving its meaning intact, such as \ and ''.

The second method is variable concatenation, somewhat like variable overriding: split the filtered keyword into pieces, store the pieces in variable names that are not filtered, and join them back together.

a=c;b=at;c=fl;d=ag.php;$a$b $c$d;

The third method is wildcards. Under Linux, ? matches any single character and * matches any string, so a file-name blacklist can be bypassed with wildcards.

The fourth method borrows an existing string: take a string from a file that already exists on the system and cut the specific character you need out of it with substr to get past the filter.

Filter directory separator

For example, the file is in the root directory but / is filtered, so the file's path cannot be written out. You can bypass this by executing several commands, switching directories with cd one level at a time.
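As an added example that is not part of the original post, here is a defender-side normalizer that undoes the Linux tricks described above ($IFS variants, quote and backslash insertion, variable concatenation) before a keyword blacklist is checked; the function names, the blacklist and the sample commands are my own constructions.

```python
import re

# Constructed blacklist for the demonstration; a real filter would be larger.
BLOCKED = ("cat", "head", "tail", "flag")

def normalize_shell(cmd: str) -> str:
    """Undo the simple obfuscations described above so that a blacklist
    check sees the command the shell would actually run."""
    # 1. Collect simple assignments (a=c;b=at;...) used for variable concatenation.
    env = {}
    parts = []
    for seg in cmd.split(";"):
        m = re.fullmatch(r"\s*([A-Za-z_]\w*)=([^\s;]*)\s*", seg)
        if m:
            env[m.group(1)] = m.group(2)
        else:
            parts.append(seg)
    cmd = ";".join(parts)
    # 2. ${IFS}, $IFS$9 and $IFS all expand to whitespace.
    cmd = re.sub(r"\$\{IFS\}|\$IFS(?:\$\d)?", " ", cmd)
    # 3. Expand the variables collected in step 1; bare $N positional
    #    parameters are treated as empty, as they normally are.
    def expand(m):
        name = m.group(1) or m.group(2)
        if name.isdigit():
            return ""
        return env.get(name, m.group(0))
    cmd = re.sub(r"\$\{(\w+)\}|\$(\w+)", expand, cmd)
    # 4. Empty quotes and backslash escapes split a word without changing it.
    cmd = cmd.replace("''", "").replace('""', "")
    cmd = re.sub(r"\\(.)", r"\1", cmd)
    return re.sub(r"\s+", " ", cmd).strip()

def blocked_words(cmd: str) -> list:
    """Blacklist hits on the normalized command, in BLOCKED order."""
    norm = normalize_shell(cmd)
    return [w for w in BLOCKED if w in norm]

if __name__ == "__main__":
    # Constructed samples using the tricks from the post.
    for sample in ("cat${IFS}flag.php", "c''at$IFS$9fl\\ag.php",
                   "a=c;b=at;c=fl;d=ag.php;$a$b $c$d;", "ls$IFS-la"):
        print(repr(sample), "->", repr(normalize_shell(sample)), blocked_words(sample))
```

The normalizer is deliberately eager (it treats any $IFS as a space), which is the right bias for a detector but not a substitute for avoiding shell command construction from user input in the first place.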

Windows

Use symbols to bypass

In Windows, the characters ", ^ and () can be inserted into a command without affecting its execution.

Variable stitching bypass

The method of referencing variables in Windows is %variableName%.

Intercept string

There are also string-slicing operations in Windows. In the example below, the variable a holds the string whoami.

%a:~0% //Take all characters of the value of a; whoami executes normally
%a:~0,6% //Take 6 characters of the value of a, starting at position 0; since whoami is exactly 6 characters, it executes normally
%a:~0,5% //Take 5 characters: whoam is not a command
%a:~0,4% //Take 4 characters: whoa is not a command

With this operation, characters can be cut out of many Windows system variables. For example, the value of CommonProgramFiles contains a space, which can be used to bypass a space filter.

Command splicing

Windows has the operators & and | for chaining commands: & runs the second command regardless of whether the first succeeded, while | effectively runs only the second command. As for && and ||, with && the second command runs only if the first succeeds, and with || the second command runs only when the first fails.
