How to bypass open_basedir restrictions on operating files via PHP

This article shares with you three methods and related techniques for PHP to bypass open_basedir restrictions on operating files. Interested friends can learn from it.

0x00 Preliminary knowledge

About open_basedir

open_basedir is a configuration option in php.ini

It can Limit the scope of user access to files to the specified area.

Assume open_basedir=/home/wwwroot/home/web1/:/tmp/, then users who access the server through web1 will not be able to obtain information on the server except / Files outside the two directories home/wwwroot/home/web1/ and /tmp/.

Note that the limit specified with open_basedir is actually a prefix, not a directory name.

For example: If "open_basedir = /dir/user", then the directories "/dir/user" and "/dir/user1" are accessible. So if you want to restrict access to only a specified directory, end the pathname with a slash.

About symbolic links

Symbolic links are also called soft links. They are a special type of file. This file contains the path name of another file (absolute path or relative path). path).

The path can be any file or directory, and can link files in different file systems. When reading or writing a symbol file, the system will automatically convert the operation into an operation on the source file. However, when deleting a linked file, the system only deletes the linked file, not the source file itself.

0x01 Command execution function

Since the setting of open_basedir is invalid for command execution functions such as system, we can use the command execution function to access restricted directories .

We first create a directory

/home/puret/test/

and create a new 1.txt in the directory with the content abc

nano 1.txt

Create a directory in this directory and name it b

mkdir b

And create a 1.php file in this directory with the content

<?php
  echo file_get_contents("../1.txt");
?>

and set our open_basedir

# in php.ini ##open_basedir = /home/puret/test/b/

We try to execute 1.php to see if open_basedir will restrict our access

The execution effect is as shown in the figure

#Obviously we cannot directly read directory files other than those specified by open_basedir.

Next we use the system function to try to bypass the restrictions of open_basedir to delete 1.txt

Edit 1.php to

<?php
 system("rm -rf ../1.txt");
?>

Let’s first take a look at the file situation before executing 1.php

After executing 1.php

Successfully bypassed open_basedir to delete files through the command execution function.

Since command execution functions are generally restricted to disable_function, we need to find other ways to bypass the restrictions.

0x02 symlink() function

Let’s first understand the symlink function

bool symlink ( string $target , string $link )

The symlink function will establish a symbolic link named link pointing to the target. Of course, under normal circumstances, this target is limited to open_basedir.

Since the early symlink did not support windows, my test environment was placed on Linux.

The PHP version tested is 5.3.0. Please test other versions by yourself.

In the Linux environment, we can complete some logical bypasses through symlink, which allows us to operate files across directories.

We first edit the content of 1.php in /var/www/html/1.php as

<?php
  mkdir("c");
  chdir("c");
  mkdir("d");
  chdir("d");
  chdir("..");
  chdir("..");
  symlink("c/d","tmplink");
  symlink("tmplink/../../1.txt","exploit");
  unlink("tmplink");
  mkdir("tmplink");
  echo file_put_contents("http://127.0.0.1/exploit");
?>

Then Create a new 1.txt file in /var/www/ with the content

"abc"

and then set up our open_basedir

open_basedir = /var/www/html/

Edit a php script in the html directory to check the execution of open_basedir

<?php
   file_get_contents("../1.txt");
?>

Take a look.

As expected, the file cannot be accessed.

We execute the script we just wrote, 1.php

You can see that the content of the file 1.txt has been successfully read and escaped. Overcoming the restrictions of open_basedir

The key to the problem lies in

symlink("tmplink/../../1.txt","exploit");

At this time, tmplink is still a symbolic link file, and the path it points to is c/d, so the path pointed by the exploit becomes

c/d/../ ../1.txt

Since this path is within the range of open_basedir, the exploit was successfully created.

After that, we delete the tmplink symbolic link file and create a new folder with the same name as tmplink. At this time, the path pointed by the exploit is

tmplink/../../

由于这时候tmplink变成了一个真实存在的文件夹所以tmplink/../../变成了1.txt所在的目录即/var/www/

然后再通过访问符号链接文件exploit即可直接读取到1.txt的文件内容

当然，针对symlink()只需要将它放入disable_function即可解决问题，所以我们需要寻求更多的方法。

0x03 glob伪协议

glob是php自5.3.0版本起开始生效的一个用来筛选目录的伪协议，由于它在筛选目录时是不受open_basedir的制约的，所以我们可以利用它来绕过限制，我们新建一个目录在/var/www/下命名为test

并且在/var/www/html/下新建t.php内容为

<?php
  $a = "glob:///var/www/test/*.txt";
  if ( $b = opendir($a) ) {
    while ( ($file = readdir($b)) !== false ) {
      echo "filename:".$file."\n";
    }
    closedir($b);
  }
?>

执行结果如图：

成功躲过open_basedir的限制读取到了文件。

以上就是本文的全部内容，希望对大家的学习有所帮助，更多相关内容请关注PHP中文网！

相关推荐：

关于ThinkPHP中Common/common.php文件常用函数的功能分析

PHP 中TP5 Request的请求对象

PHP的Cannot use object of type stdClass as array in错误的解决办法

The above is the detailed content of How to bypass open_basedir restrictions on operating files via PHP. For more information, please follow other related articles on the PHP Chinese website!