Cross-Site WebShell solution under Nginx

Nginx is used for large websites, but there is also a major problem, that is, cross-domain issues. Let's take a look at how to modify the php tutorial source code to solve cross-domain problems. Let's look at the method below.

Google search has two widely-spread methods, the most perfect of which is to directly modify the php source code and authenticate the opened directory (the first information found was the code provided by anxsoft.com ).

Because you need to change the php source program and re-compile php. When using fpm for installation, php files will be modified during patching. Therefore, you need to modify the php source program after completing the fpm patch.

Tar zxvf php-5.2.14.tar.gz
Gzip-cd php-5.2.14-fpm-0.5.14.diff.gz | patch-d php-5.2.14-p1
Cd php-5.2.14/

Vi main/fopen_wrappers.c

Find the php_check_open_basedir_ex method and insert the following code between char * end; and pathbuf = estrdup (pg (open_basedir:

 

Char path_copy [maxpathlen];
Int path_len;
Path_len = strlen (path );
If (path_len> = maxpathlen ){
Errno = eperm;
Return-1;
}
If (path_len> 0 & path [path_len-1] = php_dir_separator ){
Memcpy (path_copy, path, path_len + 1 );
While (path_len> 1 & path_copy [path_len-1] = php_dir_separator) path_len --;
Path_copy [path_len] = '';
Path = (const char *) & path_copy;
}

Char * env_doc_root;
If (pg (doc_root )){
Env_doc_root = estrdup (pg (doc_root ));
} Else {
Env_doc_root = sapi_getenv ("document_root", sizeof ("document_root")-1 tsrmls_cc );
}
If (env_doc_root ){
Int res_root = php_check_specific_open_basedir (env_doc_root, path tsrmls_cc );
Efree (env_doc_root );
If (res_root = 0 ){
Return 0;
}
If (res_root =-2 ){
Errno = eperm;
Return-1;
}
}

Then compile and install php.

And open_basedir configuration of php. ini
Open_basedir = "/tmp/:/var/tmp /"

This completely solves the problem of webshell cross-site directory access.