DaXin Space


Usage of $IFS in Shell and Web Attacks for Beginners

Today, while analyzing packet search materials, I accidentally came across an article on Freebuf that mentioned ${IFS}.
Attached is the link:
https://www.freebuf.com/articles/web/286513.html

It was an area of knowledge that I was unfamiliar with, so I did some research and recorded my understanding.

$IFS (Internal Field Separator) is a built-in variable in the shell. When the shell processes "command substitution" and "parameter substitution," it uses the value of IFS, which by default is space, tab, and newline, to split the expanded text into fields, handle special characters, and then reassemble the result and assign it to the variable.

If you directly echo "cd${IFS}/home", the value inside ${IFS} should be \n.

However, when a variable is enclosed in double quotes, $IFS has no effect on it. For example, create a shell file and write the following content:
Input:

IFS='-'
string2="1--2--3--4"
echo $string2
echo "$string2"

Output:

1  2  3  4
1--2--3--4

Based on the hacking operation mentioned in the link, I attempted to execute the following directly on the server:

/bin/sh${IFS}-c${IFS}'cd${IFS}/home/target;ls${IFS}-l'

Commands written in this format execute and return the command's output. If a command of this type appears in a URL, the web server has a directory traversal vulnerability, and the IPS or WAF does not check for ${IFS} when inspecting the URL, the attacker is highly likely to succeed. At that point, the attacker may extract the passwd file, open an nc reverse connection, or perform other operations.
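
One way to implement the ${IFS} check that the paragraph above says an IPS or WAF may lack, as an added example (not code from this post or the linked Freebuf article): it percent-decodes each request target until stable, then flags `$IFS` and `${IFS}` references. The log lines, paths, and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# $IFS or ${IFS...}; \b rejects longer names such as $IFSX (shell names are case-sensitive).
IFS_RE = re.compile(r"\$(?:IFS\b|\{IFS\b[^}]*\})")
# Request target inside a common/combined access-log line.
REQ_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')


def normalize(target, max_rounds=3):
    """Percent-decode until stable so encoded and double-encoded forms surface."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def flag_ifs(log_lines):
    """Return (line_number, decoded_target) for requests that reference IFS."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQ_RE.search(line)
        if not match:
            continue  # not an HTTP request line
        decoded = normalize(match.group(1))
        if IFS_RE.search(decoded):
            hits.append((number, decoded))
    return hits


# Constructed sample lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /docs/IFS-guide.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /app?q=ls${IFS}-l HTTP/1.1" 404 0',
    '198.51.100.7 - - [01/Jan/2024:10:00:06 +0000] "GET /app?q=ls%24%7BIFS%7D-l HTTP/1.1" 404 0',
    '198.51.100.7 - - [01/Jan/2024:10:00:07 +0000] "GET /app?q=ls%2524IFS-l HTTP/1.1" 404 0',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /search?q=$IFSX HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for number, decoded in flag_ifs(SAMPLE_LOG):
        print(f"line {number}: {decoded}")
```

Matching on the decoded target matters because the raw, single-encoded, and double-encoded forms all reach the shell as the same string once the application decodes them.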

If I have any new learning experiences in the future, I will add them.
