Today, while going through some packet-capture material, I happened to come across an article on Freebuf that mentioned ${IFS}.
Attached is the link:
https://www.freebuf.com/articles/web/286513.html
It was an area of knowledge that I was unfamiliar with, so I did some research and recorded my understanding.
$IFS (the Internal Field Separator) is a variable that the shell itself sets. By default it holds three characters: space, tab and newline. After the shell performs "parameter expansion" and "command substitution" on a word that is not inside double quotes, it splits the result into separate words (fields) wherever one of the IFS characters occurs, and those words are what become the command name and its arguments.
So if you type cd${IFS}/home on a command line, the shell first expands ${IFS} to the three default characters, giving cd followed by a space, a tab and a newline, then /home. Field splitting then turns that text into the two words cd and /home, so the command behaves exactly as if a space had been typed, even though the payload contains no space character. If you echo "cd${IFS}/home" you will see those same three characters printed between cd and /home; the value is not just \n.
However, when the expansion is enclosed in double quotes, no field splitting takes place, so $IFS has no effect there. For example, create a shell file and write the following content:
Input:
IFS='-'
string2="1--2--3--4"
echo $string2
echo "$string2"
Output:
1  2  3  4
1--2--3--4
In the unquoted case every - delimits a field, and the empty field between two adjacent dashes is kept, so echo actually receives seven arguments (1, an empty string, 2, an empty string, and so on) and prints the digits separated by two spaces. In the quoted case the string is passed through as a single word and the dashes survive untouched.
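To make the splitting visible, here is a small script I am adding as an example; it is not code from the Freebuf article, and the function names are my own. It rebuilds the default IFS explicitly (an unset IFS still splits on the default, but ${IFS} would then expand to nothing), prints every field of an unquoted expansion in brackets so empty fields show up as [], and repeats the 1--2--3--4 experiment. It runs under POSIX sh or bash.

```sh
#!/bin/sh
# Added example, not code from the original post: makes IFS field splitting
# visible. Every function prints its result on stdout so it can be captured.
# Functions that change IFS use a subshell body, ( ... ), so the change never
# leaks into the caller.

# Rebuild the default IFS value (space, tab, newline) explicitly. An unset IFS
# splits as if it held the default, but "${IFS}" would then expand to nothing,
# which is not what a payload like cd${IFS}/home relies on.
set_default_ifs() {
    IFS=$(printf ' \t\nx'); IFS=${IFS%x}   # trailing x keeps $(...) from eating the newline
}

# Print each field produced by the UNQUOTED expansion of $1 in brackets, so
# the splitting the shell performs is visible. Empty fields show up as [].
show_fields() {
    set -f                 # no globbing; only field splitting should act here
    set -- $1              # unquoted: split on the current IFS
    for f in "$@"; do printf '[%s]' "$f"; done
    printf '\n'
}

# The payload from the article: with the default IFS, cd${IFS}/home becomes
# "cd", space, tab, newline, "/home" and is split into exactly two words,
# which is why the command runs without a literal space anywhere in it.
payload_unquoted_fields() (
    set_default_ifs
    show_fields "cd${IFS}/home"
)

# Double quotes suppress field splitting: "cd${IFS}/home" stays one word that
# still carries the three IFS characters as data (length 2 + 3 + 5 = 10).
payload_quoted_fields() (
    set_default_ifs
    s="cd${IFS}/home"
    set -- "$s"
    printf '%s fields, %s chars\n' "$#" "${#s}"
)

# The post's own experiment. Unquoted, every '-' delimits a field and the empty
# field between two adjacent dashes is kept, so echo receives seven arguments.
dash_unquoted() (
    IFS='-'
    string2="1--2--3--4"
    echo $string2
)

dash_unquoted_fields() (
    IFS='-'
    show_fields "1--2--3--4"
)

# Quoted, no splitting takes place and the dashes survive untouched.
dash_quoted() (
    IFS='-'
    string2="1--2--3--4"
    echo "$string2"
)

main() {
    payload_unquoted_fields
    payload_quoted_fields
    dash_unquoted
    dash_unquoted_fields
    dash_quoted
}
main
```

Running it prints [cd][/home] for the unquoted payload, one field of ten characters for the quoted one, and 1  2  3  4 (with [1][][2][][3][][4] as the fields) versus 1--2--3--4 for the dash experiment.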
Following the attack technique described in the linked article, I tried running the following directly on a server:
/bin/sh${IFS}-c${IFS}'cd${IFS}/home/target;ls${IFS}-l'
A command written this way runs and returns its output exactly like the version with spaces. If such a string appears in a URL, the web application passes that parameter to a shell (a command injection flaw), and the IPS or WAF in front of it only checks for spaces (or %20) and has no rule for ${IFS}, the attacker is very likely to succeed; from there they can read the passwd file, start an nc reverse connection, and so on. Two caveats for defenders: a rule for the literal string ${IFS} only helps if the WAF matches after URL decoding, and it is a weak control in any case, because the real defect is that user input reaches a shell at all. The durable fix is to invoke the program directly with the parameter as a single argument instead of building a command string for sh -c, and to validate the parameter against an allowlist.
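To see why a filter on the space character is not enough, here is a constructed, offline simulation I am adding (it is not code from the article and does not model any real WAF): naive_space_filter stands in for a rule that only blocks spaces and %20, ifs_aware_filter is the same rule with the ${IFS} check the article calls for, vulnerable_handler is a hypothetical endpoint that hands a URL parameter to sh -c, and hardened_handler is the corrected version. The payload from the article is kept literally in POST_PAYLOAD; INJECTION is a harmless payload I constructed for the simulated endpoint, which only ever runs cat, cd and pwd.

```sh
#!/bin/sh
# Added example, not code from the original post or the Freebuf article.
# Simulates a naive "block spaces" filter in front of a command-injection
# flaw, and shows that ${IFS} walks straight through it. Runs offline.

# The exact payload from the post, kept literal: the backslashes stop THIS
# shell from expanding ${IFS}; the target's shell would expand it.
POST_PAYLOAD="/bin/sh\${IFS}-c\${IFS}'cd\${IFS}/home/target;ls\${IFS}-l'"

# Constructed injection for the simulated endpoint below: every word is
# separated with ${IFS}, so the string contains no space character at all.
INJECTION='/dev/null;cd${IFS}/;pwd'

# Naive filter: rejects a literal space or an encoded one (%20), nothing else.
# Returns 0 = allowed, 1 = blocked.
naive_space_filter() {
    case $1 in
        *' '*|*%20*) return 1 ;;
    esac
    return 0
}

# The same filter extended with the check the post asks for. Still a
# blocklist: it only knows the spellings listed here.
ifs_aware_filter() {
    case $1 in
        *' '*|*%20*|*'$IFS'*|*'${IFS}'*) return 1 ;;
    esac
    return 0
}

# Hypothetical vulnerable endpoint: shows the file named by a URL parameter
# by handing a command STRING to sh -c. This shell expands $input only once,
# so the literal text ${IFS} reaches the inner sh, which expands it to
# space/tab/newline and splits "cd${IFS}/" into the two words cd and /.
vulnerable_handler() {
    input=$1
    naive_space_filter "$input" || { echo "blocked"; return 1; }
    sh -c "cat $input"
}

# Hardened endpoint: an allowlist of path characters rejects ';', '$' and
# '{' before anything runs, and cat is invoked directly with the value as ONE
# argument, so no shell parses it and neither a space nor ${IFS} can split it.
hardened_handler() {
    case $1 in
        ''|*[!A-Za-z0-9._/-]*) echo "rejected"; return 1 ;;
    esac
    cat -- "$1"
}

main() {
    printf 'naive filter on the post payload:     '
    naive_space_filter "$POST_PAYLOAD" && echo allowed || echo blocked
    printf 'IFS-aware filter on the post payload: '
    ifs_aware_filter "$POST_PAYLOAD" && echo allowed || echo blocked
    printf 'vulnerable endpoint output: '
    vulnerable_handler "$INJECTION"      # prints "/" : the injected cd;pwd ran
    printf 'hardened endpoint output:   '
    hardened_handler "$INJECTION" || :   # prints "rejected"
}
main
```

The naive filter lets both the article's payload and the constructed injection through, the vulnerable endpoint prints / because the injected cd and pwd ran, and the hardened endpoint rejects the same input before any command is executed.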
If I have any new learning experiences in the future, I will add them.