Home > Article > Backend Development > How to bypass open_basedir restrictions on operating files via PHP
This article shares with you three methods and related techniques for PHP to bypass open_basedir restrictions on operating files. Interested friends can learn from it.
0x00 Preliminary knowledge
About open_basedir
open_basedir is a configuration option in php.ini
It can Limit the scope of user access to files to the specified area.
Assume open_basedir=/home/wwwroot/home/web1/:/tmp/, then users who access the server through web1 will not be able to obtain information on the server except / Files outside the two directories home/wwwroot/home/web1/ and /tmp/.
Note that the limit specified with open_basedir is actually a prefix, not a directory name.
For example: If "open_basedir = /dir/user", then the directories "/dir/user" and "/dir/user1" are accessible. So if you want to restrict access to only a specified directory, end the pathname with a slash.
About symbolic links
Symbolic links are also called soft links. They are a special type of file. This file contains the path name of another file (absolute path or relative path). path).
The path can be any file or directory, and can link files in different file systems. When reading or writing a symbol file, the system will automatically convert the operation into an operation on the source file. However, when deleting a linked file, the system only deletes the linked file, not the source file itself.
0x01 Command execution function
Since the setting of open_basedir is invalid for command execution functions such as system, we can use the command execution function to access restricted directories .
We first create a directory
/home/puret/test/
and create a new 1.txt in the directory with the content abc
nano 1.txt
Create a directory in this directory and name it b
mkdir b
And create a 1.php file in this directory with the content
<?php echo file_get_contents("../1.txt"); ?>
and set our open_basedir
# in php.ini ##open_basedir = /home/puret/test/b/We try to execute 1.php to see if open_basedir will restrict our access
<?php system("rm -rf ../1.txt"); ?>Let’s first take a look at the file situation before executing 1.php After executing 1.php Successfully bypassed open_basedir to delete files through the command execution function.
Since command execution functions are generally restricted to disable_function, we need to find other ways to bypass the restrictions.
0x02 symlink() function
Let’s first understand the symlink functionbool symlink ( string $target , string $link )The symlink function will establish a symbolic link named link pointing to the target. Of course, under normal circumstances, this target is limited to open_basedir.
Since the early symlink did not support windows, my test environment was placed on Linux.
<?php mkdir("c"); chdir("c"); mkdir("d"); chdir("d"); chdir(".."); chdir(".."); symlink("c/d","tmplink"); symlink("tmplink/../../1.txt","exploit"); unlink("tmplink"); mkdir("tmplink"); echo file_put_contents("http://127.0.0.1/exploit"); ?>Then Create a new 1.txt file in /var/www/ with the content
"abc"and then set up our open_basedir
open_basedir = /var/www/html/Edit a php script in the html directory to check the execution of open_basedir
<?php file_get_contents("../1.txt"); ?>Take a look. As expected, the file cannot be accessed.
symlink("tmplink/../../1.txt","exploit");At this time, tmplink is still a symbolic link file, and the path it points to is c/d, so the path pointed by the exploit becomes
c/d/../ ../1.txtSince this path is within the range of open_basedir, the exploit was successfully created.
tmplink/../../
由于这时候tmplink变成了一个真实存在的文件夹所以tmplink/../../变成了1.txt所在的目录即/var/www/
然后再通过访问符号链接文件exploit即可直接读取到1.txt的文件内容
当然,针对symlink()只需要将它放入disable_function即可解决问题,所以我们需要寻求更多的方法。
0x03 glob伪协议
glob是php自5.3.0版本起开始生效的一个用来筛选目录的伪协议,由于它在筛选目录时是不受open_basedir的制约的,所以我们可以利用它来绕过限制,我们新建一个目录在/var/www/下命名为test
并且在/var/www/html/下新建t.php内容为
<?php $a = "glob:///var/www/test/*.txt"; if ( $b = opendir($a) ) { while ( ($file = readdir($b)) !== false ) { echo "filename:".$file."\n"; } closedir($b); } ?>
执行结果如图:
成功躲过open_basedir的限制读取到了文件。
以上就是本文的全部内容,希望对大家的学习有所帮助,更多相关内容请关注PHP中文网!
相关推荐:
关于ThinkPHP中Common/common.php文件常用函数的功能分析
PHP的Cannot use object of type stdClass as array in错误的解决办法
The above is the detailed content of How to bypass open_basedir restrictions on operating files via PHP. For more information, please follow other related articles on the PHP Chinese website!