Warning: file_exists(): open_basedir restriction in effect. File(/var/lib/mysql/mysql.sock) is not within the allowed path(s): (/home/solarport1781051155/:/tmp/:/usr/share/) in /home/solarport1781051155/solarport.178-105-115-5.myboltip.com/public_html/index.php on line 134
Tenant Isolation & Impersonation Test

Tenant Isolation & Impersonation Test

SAPI: litespeed · PHP: 8.4.22 · Host: solarport.178-105-115-5.myboltip.com · DOC_ROOT: /home/solarport1781051155/solarport.178-105-115-5.myboltip.com/public_html · Tenant: solarport1781051155

Target other tenant:  [plant /tmp secret]  [plant into /home/bobi/tmp]  [clean]

1) open_basedir

CheckValueResultNote
open_basedir/home/solarport1781051155/:/tmp/:/usr/share/PASSrestriction set
read /etc/passwddeniedPASSblocked
list /etcdeniedPASSblocked
list / (root)deniedPASSblocked
list /home (tenant enumeration)deniedPASSblocked
read /etc/shadowdeniedPASSblocked (DAC/basedir)

2) /tmp cross-tenant leak

CheckValueResultNote
this tenant tmp file/tmp/pentest_public_html_c82f5fc598f596dbe891b1572858e064.txtPASSexists
other tenants /tmp markersnonePASSno foreign pentest_* visible
/tmp/sess_* leaknonePASSno foreign sess_* readable
/tmp/mysql.sock exists?noPASSnot present
/tmp/.s.PGSQL.5432 exists?noPASSnot present
/var/lib/mysql/mysql.sock exists?noPASSnot present

3) suEXEC / process identity

CheckValueResultNote
PHP process usersolarport1781051155 (uid=? gid=? real_uid=?)PASSlooks per-user
Process groupsPASSmust NOT be in "apache" group (would allow reading other FPM sockets)
Expected owner from DOC_ROOTsolarport1781051155PASSmatches
Newly-written file ownerwrite failedFAILcannot write DOC_ROOT

4) Cross-tenant impersonation (target: bobi)

ProbeResultStatusNote
stat /home/bobideniedPASSblocked
list /home/bobideniedPASSblocked
list /home/bobi/public_htmldeniedPASSblocked
read /home/bobi/.bashrcdeniedPASSblocked
read /home/bobi/.bash_historydeniedPASSblocked
read /home/bobi/.ssh/authorized_keysdeniedPASSblocked
read /home/bobi/.ssh/id_rsadeniedPASSblocked
list /home/bobi/tmp/sessionsdeniedPASSblocked
write to /home/bobi/tmp/deniedPASSblocked
common config files (wp-config/.env/etc.)none readablePASSblocked

5) open_basedir bypass tricks

TrickResultStatusNote
symlink to /etc/passwdblockedPASSblocked
symlink /tmp -> /home/bobi/.bashrcblockedPASSblocked
glob:// /etc/*BYPASS (1 entries)FAILBYPASS
phar:// write testn/aPASSblocked
chdir + ../ escapeblockedPASSblocked
realpath() outside basedirnullPASSblocked

6) disable_functions & command execution

FunctionStateStatusNote
execdisabledPASS
shell_execdisabledPASS
systemdisabledPASS
passthrudisabledPASS
proc_opendisabledPASS
popendisabledPASS
pcntl_execdisabledPASS
mailENABLEDPASS
imap_opendisabledPASS
dldisabledPASS
putenvENABLEDPASS
posix_killdisabledPASS
posix_setuiddisabledPASS
posix_seteuiddisabledPASS
actual `id` outputbacktick: EXC:Call to undefined function shell_exec()FAILCOMMAND EXEC POSSIBLE

7) /proc enumeration

CheckValueStatusNote
list /procdeniedPASSblocked
read /proc/self/statusdeniedPASSblocked
read /proc/<PID>/environ or cmdline of other PIDsnonePASSblocked

8) Privilege escalation / FPM socket impersonation

ProbeResultStatusNote
posix_setuid(0)disabledPASSexpected to fail
posix_seteuid(0)disabledPASSexpected to fail
list /run *.sockdenied/nonePASSblocked
connect to foreign FPM socketn/aPASSblocked

raw php config

SettingValue
open_basedir/home/solarport1781051155/:/tmp/:/usr/share/
disable_functionspcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,exec,passthru,shell_exec,system,proc_open,proc_close,proc_get_status,proc_nice,proc_terminate,popen,dl,show_source,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname
upload_tmp_dir/home/solarport1781051155/tmp
sys_temp_dir
session.save_path/home/solarport1781051155/tmp/sessions
sendmail_path/usr/sbin/sendmail -t -i

Tip: deploy this same file to /home/bobi/... and visit both vhosts. Use ?action=plant on tenant A, then visit tenant B with ?other=solarport1781051155 — section 4 should show all PASS.